Monday, February 08, 2010

Can government control the way some employees self-publish? Where CIA and previous COPA trial make dots to connect!

This posting may be a little strange: what could a CIA Publications Review Board possibly have to do with COPA? If anything, this argument folds on itself, showing how everything connects to everything else, and how difficult it is to make rules to protect public interests narrowly enough.

Remember that in 2004, the Supreme Court, in its most recent ruling on COPA (before the 2006 trial in Philadelphia) had written (Cornell law link here):
“When plaintiffs challenge a content-based speech restriction, the Government has the burden to prove that the proposed alternatives will not be as effective as the challenged statute.”

Judge Reed echoed that in paragraph 46 of his COPA ruling (see March 22, 2007 on this blog).

What seems less clear is whether government would run into constitutional issues if it restricted a class of people (for example employees of a particular agency) from using some specific form of self-publication at all, across the board, as an additional layer of security or protection of confidentiality or of classified materials. The “free entry” model for Internet self-publishing and blogging could be the most vulnerable, not for the content it publishes, but for the unsupervised and unbounded nature of the risk of the method of distribution. On its face, this does not sound like a “content-based” restriction because no particular content would be removed; instead no content at all could be self-published without supervision on the web. Perhaps a rule like this would have specific fine points: material could be published if it had pre-approval, if it was limited to a private friends’ list and not available to robots (as if government could count on Facebook or social media companies to help make confidentiality policy indirectly), or if the writer had been able to procure media perils insurance, or some combination of these. Or possibly the writer would pass a test showing understanding of confidentiality or have all of his writing debriefed in one session.

There is something like this in existence now, the CIA Publications Review Board. The CIA discusses how it works at this link. The piece is called “Reviewing the Work of CIA Authors: Secrets, Free Speech, and Fig Leaves”, by John Hollister Hedley. He opens in a na├»ve tone, “Business is brisk, as a growing number of former CIA employees seek to become published authors”.

The focus of the article is on books and articles published in a conventional manner through major publishers, not self-publishing. However, at first, the implication would be that a CIA employee or even former employee could not publish anything at all, not even on a personal blog, without preapproval of every posting, an impractical burden. However, in the middle of the article, Hedley writes:

“CIA regulations explain that the review requirement applies to "all writings and scripts or outlines of oral presentations intended for nonofficial publication, including works of fiction, which contain any mention of the CIA, intelligence data or intelligence activities, or material on any subject about which the author has had access to classified information in the course of his or her employment.”

The implication is that a blog posting that is totally unrelated to the CIA employee’s work would not require review. As a matter of epistemology, however, it would be hard for an employee to know for sure that there is no possible connection to his work, given the possibility of steganography, and the pervasive meaning of “connect the dots”. Presumably other security and defense related agencies (NSA, military service branches, etc) would have similar rules, and they could apply in civilian non-defense agencies where confidentiality is an unusually sensitive matter (as with Census).

If an agency told “individual contributor” employees that they could not post at all, that could cripple their speech opportunities during employment and later in life. Courts might find that this amounted to an eventual implicit content-based restriction on free speech, even though it starts out as a restriction on distribution (use of free entry). Agencies could try other means, such as debriefing employees or interviewing them to make sure they understand confidentiality requirements and oaths and possible penalties in depth.

When COPA was tried, social media were relatively new, and there has been little said as to whether it could have been applied to Myspace or Facebook. But social media place some emphasis on meeting people for networking purposes, and “publishing” within a somewhat private list, with privacy standards in flux and determined by the companies, not government. It’s possible to disclose confidential information within this environment, and it’s possible to pass on HTM material also, even though that environment was not a primary concern of COPA. Government employees haven’t, as far as I know, been asked to submit their personal emails or chats for review (what about tweets?), so there seems to be some level of common sense in prospective review of anything an employee in a sensitive position could “publish”.

Update: Feb. 17, 2010

The USDA (Department of Agriculture) has a similar page, called baldly "Pre-Publication Review" here. See the text in red on the first enclosed link (about indirect targeting). But again, logically, the pre-pub review requirement exists for "any material intended for public release that might be based in any way on information you learned through your access to classified information." Note that the USDA policy has much more discussion about the "dangers" of the Internet per-se from search and aggregation than does the CIA page. The sublink below says this about aggregation:

"DoD guidelines also require that judgments about the sensitivity of information take into account the potential consequences of "aggregation." The term "sensitive by aggregation" refers to the fact that information on one site may seem unimportant, but when combined with information from other web sites it may form a larger and more complete picture that was neither intended nor desired. In other words, the combination of information from multiple web sites may amount to more than the sum of its parts. Similarly, the compilation of a large amount of information together on one site may increase the sensitivity of that information and make it more likely that site will be accessed by those seeking information that can be used against us."

Many other federal government agencies, including NASA, refer to this DoD-related page or a similarly worded page.

The National Security Agency (NSA/CSS) has a similar page here. The policy includes Internet postings. But it also says "Publications about gardening, cooking, sports, crafts, etc. do not need to undergo pre-publication review if the only association with the NSA/CSS is the author's current or former affiliation with the Agency: Reminder: Pre-publication review is a lifetime responsibility. Your responsibility does not end when you end your association with NSA/CSS." The potential problem with the "gardening" clause is the "slippery slope": in the public policy world, things are more connected than we realize!

However, a government agency that designs a pre-pub policy carelessly could (unintentionally, perhaps) lock out employees or contractors, even former and departed, from ever having their own Facebook pages, even with privacy settings.

1 comment:

alterego said...

Thanks for the good article here. I know it will help alot of people who needs info like this.

Please do check my blog if you have sometime :
Avatar the LastAirbender Movie