Late this afternoon both Politico and ABC filed questionable stories claiming Hillary Clinton violated "clear cut" State Department policy against use of private e-mails. Politico asserted:
The State Department has had a policy in place since 2005 to warn officials against routine use of personal email accounts for government work, a regulation in force during Hillary Clinton’s tenure as secretary of state that appears to be at odds with her reliance on a private email for agency business, POLITICO has learned.
The policy, detailed in a manual for agency employees, adds clarity to an issue at the center of a growing controversy over Clinton’s reliance on a private email account. Aides to Clinton, as well as State Department officials, have suggested that she did nothing inappropriate because of fuzzy guidelines and lack of specific rules on when and how official documents had to be preserved during her years as secretary.
But the 2005 policy was described as one of several “clear cut” directives the agency’s own inspector general relied on to criticize the conduct of a U.S. ambassador who in 2012 was faulted for using email outside of the department’s official system.
The story appears inaccurate because the "clear cut policy" appears to apply to overseas postings, not to the Secretary of State. The provision Politico and ABC relied upon is in fact promulgated by the Diplomatic Security bureau of the State Department -
12 FAM Diplomatic Security. The
purpose of the Handbook is described as follows:
The purpose of this Foreign Affairs Handbook (FAH) is to prescribe uniform
policies, criteria, and standards for the LGP at U.S. Department of State (DOS) installations abroad and to provide guidance on how to initiate and manage a LGP. - FAM 210 [My emphasis]
1 FAM 280 provides that the Assistant Secretary for Diplomatic Security is charged with the responsibility to promulgate 12 FAM:
The Assistant Secretary has overall substantive and coordinating responsibility for the following Department regulatory publications: [. . .] (2) Foreign Affairs Manual (FAM), Volume 12 ―Diplomatic Security and its related Foreign Affairs Handbooks (FAHs) in their entirety
I have not found any indications that Diplomatic Security can promulgate rules applicable to the entire State Department. Politico and ABC are citing
12 FAM 544.3, which states:
It is the Department’s general policy that normal day-to-day operations be conducted on an authorized AIS, which has the proper level of security control to provide nonrepudiation, authentication and encryption, to ensure confidentiality, integrity, and availability of the resident information. The Department’s authorized telework solution(s) are designed in a manner that meet these requirements and are not considered end points outside of the Department’s management control.
But even this policy's application is not clear. For example, 544.3 further provides:
In the absence of a Department-provided secure method, employees with a
valid business need may transmit SBU information over the Internet unencrypted [. . .]
All users who process SBU information on personally owned computers must ensure that these computers will provide adequate and appropriate security for that information. [My emphasis]
Further 12 FAM 544.2 provides:
Where warranted by the nature of the information, employees who will be transmitting SBU information outside of the Department network on a regular basis to the same official and/or most personal addresses [. . .]
On Twitter I have been going at it with Josh Gerstein, the Politico reporter who wrote the piece. He insists that the FAM applies in its entirety to every State Department employee. I think that is clearly wrong. I'll relate our back and forth on the flip.
In response to my challenge to his story, Gerstein tweeted back at me:
This is of course true but irrelevant. The question is not whether some parts of the FAM applied to Clinton, but rather whether 544.3, whatever its actual meaning, applied to the Secretary of State. I think it clearly does not. 12 FAM is titled:
12 FAM Diplomatic Security
12 FAM 010 provides:
The Bureau of Diplomatic Security (DS) is responsible for providing a
secure environment in which to conduct U.S. Government business at Foreign Service posts.
12 FAM 500 is titled "INFORMATION SECURITY."
12 FAM 544 is titled "SBU HANDLING PROCEDURES."
12 FAM 544.3 is titled "Electronic Transmission Via the Internet."
It is possible that the same policy is enunciated in some other FAM that is not promulgated by Diplomatic Security, and applicable to the Secretary of State, but no one has identified such promulgation.
At the very least, Politico and ABC have jumped the gun before they have gotten the story confirmed in a more concrete way. As of now, it is my view the story is inaccurate.