nettime's_purdue_chicken on Fri, 9 Oct 2015 18:19:33 +0200 (CEST)


[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

<nettime> Barton Gellman: Classified material in the public domain: what's a university to do?


<https://freedom-to-tinker.com/blog/bgellman/classified-material-in-the-public-domain-whats-a-university-to-do/>

Classified material in the public domain: what's a university to do?

     OCTOBER 8, 2015 
     BARTON GELLMAN 

Yesterday I posted some thoughts about Purdue University's
decision to destroy a video recording of my keynote address at
its Dawn or Doom colloquium. The organizers had gone dark, and a
promised public link was not forthcoming. After a couple of weeks
of hoping to resolve the matter quietly, I did some digging and
decided to write up what I learned. I posted on the web site of
the Century Foundation, my main professional home:

	It turns out that Purdue has wiped all copies of my video and
	slides from university servers, on grounds that I displayed
	classified documents briefly on screen. A breach report was filed
	with the university's Research Information Assurance Officer,
	also known as the Site Security Officer, under the terms of
	Defense Department Operating Manual 5220.22-M. I am told that
	Purdue briefly considered, among other things, whether to destroy
	the projector I borrowed, lest contaminants remain.

I was, perhaps, naive, but pretty much all of that came as a real
surprise.

	Let's rewind. Information Assurance? Site Security?

	These are familiar terms elsewhere, but new to me in a university
	context. I learned that Purdue, like a number of its peers, has a
	"facility security clearance" to perform classified U.S.
	government research. The manual of regulations runs to 141 pages.
	(Its terms forbid uncleared trustees to ask about the work
	underway on their campus, but that's a subject for another day.)
	The pertinent provision here, spelled out at length in a manual
	called Classified Information Spillage, requires "sanitization,
	physical removal, or destruction" of classified information
	discovered on unauthorized media.

Two things happened in rapid sequence around the time I told
Purdue about my post.

	First, the university broke a week-long silence and expressed a
	measure of regret:

	UPDATE: Just after posting this item I received an email from
	Julie Rosa, who heads strategic communications for Purdue. She
	confirmed that Purdue wiped my video after consulting the Defense
	Security Service, but the university now believes it went too
	far.

		"In an overreaction while attempting to comply with regulations,
		the video was ordered to be deleted instead of just blocking the
		piece of information in question. Just FYI: The conference
		organizers were not even aware that any of this had happened
		until well after the video was already gone."

		"I'm told we are attempting to recover the video, but I have not
		heard yet whether that is going to be possible. When I find out,
		I will let you know and we will, of course, provide a copy to
		you."

Then Edward Snowden tweeted the link, and the Century
Foundation's web site melted down. It now redirects to Medium,
where you can find the full story.

I have not heard back from Purdue today about recovery of the
video. It is not clear to me how recovery is even possible, if
Purdue followed Pentagon guidelines for secure destruction.
Moreover, although the university seems to suggest it could have
posted most of the video, it does not promise to do so now. Most
importantly, the best that I can hope for here is that my remarks
and slides will be made available in redacted form -- with
classified images removed, and some of my central points
therefore missing. There would be one version of the talk for the
few hundred people who were in the room on Sept. 24, and for
however many watched the live stream, and another version left as
the only record.

For our purposes here, the most notable questions have to do with
academic freedom in the context of national security. How did a
university come to "sanitize" a public lecture it had solicited,
on the subject of NSA surveillance, from an author known to
possess the Snowden documents? How could it profess to be shocked
to find that spillage is going on at such a talk? The beginning
of an answer came, I now see, in the question and answer period
after my Purdue remarks. A post-doctoral research engineer stood
up to ask whether the documents I had put on display were
unclassified. "No," I replied. "They're classified still." Eugene
Spafford, a professor of computer science there, later attributed
that concern to "junior security rangers" on the faculty and
staff. But the display of Top Secret material, he said, "once
noted,... is something that cannot be unnoted."

Someone reported my answer to Purdue's Research Information
Assurance Officer, who reported in turn to Purdue's
representative at the Defense Security Service. By the terms of
its Pentagon agreement, Purdue decided it was now obliged to wipe
the video of my talk in its entirety. I regard this as a rather
devout reading of the rules, which allowed Purdue to
"realistically consider the potential harm that may result from
compromise of spilled information." The slides I showed had been
viewed already by millions of people online. Even so, federal
funding might be at stake for Purdue, and the notoriously vague
terms of the Espionage Act hung over the decision. For most
lawyers, "abundance of caution" would be the default choice.
Certainly that kind of thinking is commonplace, and sometimes
appropriate, in military and intelligence services.

	But universities are not secret agencies. They cannot lightly
	wear the shackles of a National Industrial Security Program, as
	Purdue agreed to do. The values at their core, in principle and
	often in practice, are open inquiry and expression.

	I do not claim I suffered any great harm when Purdue purged my
	remarks from its conference proceedings. I do not lack for
	publishers or public forums. But the next person whose talk is
	disappeared may have fewer resources.

	More importantly, to my mind, Purdue has compromised its own
	independence and that of its students and faculty. It set an
	unhappy precedent, even if the people responsible thought they
	were merely following routine procedures.

One can criticize the university for its choices, and quite a few
have since I published my post. What interests me is how nearly
the results were foreordained once Purdue made itself eligible
for Top Secret work.

	Think of it as a classic case of mission creep. Purdue invited
	the secret-keepers of the Defense Security Service into one
	cloistered corner of campus ("a small but significant fraction"
	of research in certain fields, as the university counsel put it).
	The trustees accepted what may have seemed a limited burden,
	confined to the precincts of classified research.

	Now the security apparatus claims jurisdiction over the campus
	("facility") at large. The university finds itself "sanitizing" a
	conference that has nothing to do with any government contract.

I am glad to see that Princeton takes the view that "[s]ecurity
regulations and classification of information are at variance
with the basic objectives of a University." It does not permit
faculty members to do classified work on campus, which avoids
Purdue's "facility" problem. And even so, at Princeton and
elsewhere, there may be an undercurrent of self-censorship and
informal restraint against the use of documents derived from
unauthorized leaks.

Two of my best students nearly dropped a course I taught a few
years back, called "Secrecy, Accountability and the National
Security State," when they learned the syllabus would include
documents from Wikileaks. Both had security clearances, for
summer jobs, and feared losing them. I told them I would put the
documents on Blackboard, so they need not visit the Wikileaks
site itself, but the readings were mandatory. Both, to their
credit, stayed in the course. They did so against the advice of
some of their mentors, including faculty members. The advice was
purely practical. The U.S. government will not give a clear
answer when asked whether this sort of exposure to published
secrets will harm job prospects or future security clearances.
Why take the risk?

Every student and scholar must decide for him- or herself, but I
think universities should push back harder, and perhaps in
concert. There is a treasure trove of primary documents in the
archives made available by Snowden and Chelsea Manning. The
government may wish otherwise, but that information is
irretrievably in the public domain. Should a faculty member
ignore the Snowden documents when designing a course on network
security architecture? Should a student write a dissertation on
modern U.S.-Saudi relations without consulting the numerous
diplomatic cables on Wikileaks? To me, those would be abdications
of the basic duty to seek out authoritative sources of knowledge,
wherever they reside.

I would be interested to learn how others have grappled with
these questions. I expect to write about them in my forthcoming
book on surveillance, privacy and secrecy.

#  distributed via <nettime>: no commercial use without permission
#  <nettime>  is a moderated mailing list for net criticism,
#  collaborative text filtering and cultural politics of the nets
#  more info: http://mx.kein.org/mailman/listinfo/nettime-l
#  archive: http://www.nettime.org contact: nettime@kein.org