Breitbart has a recent story noting the probability that some of Hillary Clinton’s FOIA’d emails contain the names of serving CIA officers. Breitbart comes to this conclusion by pointing to the FOIA exemptions identified by the government team charged with redacting portions of the emails.

Here’s the legal background: In many cases, the Clinton email classification reviewers invoked exemption “B3” to delete email addresses and names from Secretary Clinton’s messages. FOIA exemption (b)(3) is for information that is protected from disclosure by statute. Because there are a lot of different statutes, it’s not uncommon for the government to identify which statute it is relying upon. Thus, the redactions highlighted by Breitbart are marked with the shorthand descriptor “B3 CIA PERS/ORG,” which implies that it is invoking a statute that protects the names of Agency officials. This is confirmed by an Agency explanation that it relies on this exemption to carry out “the Director’s statutory obligations to protect from disclosure intelligence sources and methods, as well as the organization, functions, names, official titles, salaries, or numbers of personnel employed by the Agency, in accord with the National Security Act of 1947 and the CIA Act of 1949, respectively.”

[interstitial_link url="http://www.washingtonpost.com/video/politics/8-takeaways-from-the-inspector-generals-report-on-hillary-clintons-emails/2016/05/25/f39b5d0e-22aa-11e6-b944-52f7b1793dae_video.html"]VIDEO: 8 takeaways from the Inspector General’s report on Hillary Clinton’s emails[/interstitial_link]

In short, it does seem likely that some of Secretary Clinton’s homebrew emails mentioned Agency officials whose names are protected by law.

It’s possible to make too much of this. While this story confirms how insouciant Hillary Clinton was about endangering classified information on the poorly secured server, we already knew that. And insouciance isn’t necessarily a knowing violation of law. Secretary Clinton may say that she didn’t know the people named in the messages were CIA officers.

Actually, there’s something more troubling and more urgent buried in this story: It could be the FOIA security reviewers themselves who are disclosing CIA identities.

Here’s how: Start with the entirely plausible view that foreign intelligence services discovered and rifled Hillary Clinton’s server. If so, those services already have copies of all her emails. But the emails don’t tell the foreign service which people named in her traffic are Agency officers. For CIA officers serving abroad as State Department officials, being named in the Secretary of State’s email traffic won’t necessarily blow their cover.

Until now. Unhappily, the classification reviewers seem to have given a key to anyone who has the unredacted messages by using “B3 CIA PERS/ORG” whenever they redact names associated with the CIA. So if the foreign service simply compares the messages stolen from the Clinton server to the redacted message released by the government — presto! — the CIA names just fall off the page.

Why did the reviewers do that? Two possibilities occur to me. (1) Maybe they have absolute confidence that no foreign agency was able to obtain access to the unredacted messages, in which case their invocation of “B3 CIA PERS/ORG” is perfectly safe. Or (2) maybe they’re just doing their job the way they’ve always done it, flagging every applicable FOIA exemption for the sake of completeness, without giving any thought to the risks created by that policy in this particular case.

My money is on the second explanation.

If so, the current procedure is boneheaded, and every new FOIA release adds to the risk for CIA employees.

Here’s my suggestion: The classification review team, and if necessary the court overseeing the review team, should make an immediate judgment about whether a prior foreign compromise of the messages is likely or possible. If it is, the government should stop relying on “B3 CIA PERS/ORG” as a ground for redaction. Right away. And if possible, the government and the plaintiffs should delete any references to that exemption in redacted messages that have not yet been released publicly.