FORTUNE — As a reporter I salute my professional colleagues for so thoroughly laying bare the recent U.S. Justice Department inquiry that led to the resignation of C.I.A. Director David Petraeus and a related Defense Department inquiry concerning General John R. Allen, the commander of NATO forces in Afghanistan.
But now that the once white-hot scandal has died down to the “what-was-that-all-about?” stage, some non-journalist readers might be wondering if the probes were handled with appropriate discretion by public officials. As we look back across the wreckage — the invasions of privacy visited upon outstanding public servants and their unquestionably innocent spouses and children in the name of reassuring the public that various theoretically conceivable security breaches and political conspiracies were, in fact, merely theoretical — doesn’t it seem like there ought to be a law curbing this sort of peeping-tomfoolery?
There actually is such a law: the Privacy Act of 1974.
“Virtually all the information that has entered the public domain about these investigations has constituted a violation of law,” says Daniel J. Metcalfe, a professor at American University Washington College of Law who, for 25 years, as a Justice Department official, guided the government-wide administration of both the Privacy Act and the Freedom of Information Act. “There are at least five Privacy Act victims here — one doing double duty as an apparent perpetrator — and the violations have to do with both names and investigatory file content.”
The Petraeus inquiry has startled many Americans by showing how easy it is for the feds to read citizens’ private emails, even those of the C.I.A. Director. While law enforcement officials do have that power under appropriate circumstances, what they are not supposed to do is then go tell The Washington Post what they found in those emails — unless and until the investigation results in formal accusations of wrongdoing.
I asked Metcalfe to take a retrospective stroll with me through the reportage, pointing out along the way all the apparent Privacy Act violations he could detect as they occurred. As a journalist, I often found myself sympathetic to the leaker, whose disclosures provided the public with important explanations for missing pieces of the puzzle.
But the law is intended to prevent collateral damage to innocent — or even marginally guilty — bystanders. “You can think of it as almost a civil liberties issue,” says Metcalfe. By their nature, investigations need latitude to probe the lives of people who will often turn out to have done nothing wrong. Those individuals, in turn, are entitled not to be publicly stigmatized and humiliated. (The Privacy Act makes the United States liable for civil damages caused by violations committed by its officers. Though individual officers do not face personal civil liability, they can face criminal misdemeanor charges.)
Here’s the basic timeline, based on accounts contained in the New York Times, Washington Post, Wall Street Journal, and A.P. stories. The investigation apparently began around May, when Jill Kelley, a Tampa socialite, received harassing emails from a then-unknown source. According to later statements by Kelley’s spokesman, she thought the emails might reflect a potential threat to Petraeus and Allen, whose private comings and goings were referred to in them. Her social acquaintance, F.B.I. special agent Frederick W. Humphries II, agreed with her assessment, and initiated an investigation. At that point, professor Metcalfe says, the identities of Kelley, Petraeus, and Allen, were all supposed to be protected under the Privacy Act. When the inquiry established that the emails were written by Paula Broadwell, Petraeus’s biographer and, for a period, lover, her name too, should have been protected. When questions about Humphries’ own conduct arose, his identity, too, became protected.
The inquiry then appears to have languished, perhaps because it turned up no security breaches or crimes judged worthy of pursuit.
In late September, with the elections drawing near, agent Humphries reportedly became concerned that the inquiry’s findings were being either deep-sixed or postponed for political reasons. Evidently acting as a whistleblower, Humphries shared what he knew with Congressman Dave Reichert, a Republican from Washington State, who then put Humphries in touch with House Majority Leader Eric Cantor, whom Humphries also spoke to. Cantor then brought Humphries’ concerns to the attention of senior FBI officials.
Humphries’ conversations with Reichert and Cantor may have constituted the first Privacy Act breaches, according to Metcalfe. Though the information did not immediately leak out into the press, Metcalfe says, Reichert and Cantor here count as members of the public who aren’t supposed to be given access to the information they got. While an exception to the Privacy Act permits, under various circumstances, informing Congress “as a body” (or one of its houses or committees) about the contents of an inquiry, Metcalfe says, this leak does not come within that exception, he says.
“I’m not concerned with that as a Privacy Act violation,” says Humphries’ counsel, Lawrence Berger, who is the general counsel of the Federal Law Enforcement Officers Association. Berger says the content of any conversations between Humphries and Reichert or Cantor should have remained “protected and confidential” under separate rules governing congressmen’s behavior.
Still, once Reichert and Cantor received the information, they were not bound by the Privacy Act, which gags only Executive Branch employees. This is not statutory oversight, Metcalfe observes, since attempts to prevent congressmen from speaking out might run afoul of the Speech and Debate Clause of the U.S. Constitution. As a consequence, congressmen can sometimes constitute a significant conduit through which otherwise Privacy Act-protected information can lawfully gush out to the public.
Perhaps prodded by Cantor’s inquiries, the F.B.I. finally confronted Petraeus in late October. He admitted the affair, but denied having disclosed any confidential information to Broadwell. On the evening of election night, Tuesday, November 6, the F.B.I. notified Director of National Intelligence James R. Clapper, Jr., of the situation. Clapper recommended to Petraeus that he tender his resignation.
On Thursday, November 8, Petraeus met with President Barack Obama and did just that. The President slept on it, then accepted the resignation the next morning. The C.I.A. announced the resignation that afternoon, Friday, November 9, and Petraeus simultaneously issued a statement acknowledging an affair.
In reporting the resignation, the Washington Post noted that it had been prompted by an FBI investigation and that Petraeus’s lover had been Broadwell. It attributed these details, which were not contained in the official announcements, to “two federal law enforcement officials.” This leak, Metcalfe maintains, appears to have been another Privacy Act violation.
At about the same time, other media organizations, like the Times, were also identifying Broadwell and mentioning the criminal inquiry, though they attributed the information to “Administration and Congressional officials.” (Senior congressional officials and the House and Senate intelligence committees had been lawfully informed about what was happening shortly before the resignation was announced.)
Might it then be possible, I asked Metcalfe, that if Congressional officials were the first to leak Broadwell’s identity, and Administration and law enforcement officials then merely confirmed that information, that there was no “disclosure” and, therefore, no Privacy Act breach?
No, he says. When a reporter is told something about executive branch activity by someone on the Hill, he still doesn’t know how accurate the information is, Metcalfe continues. When he gets confirmation from the law enforcement authorities themselves, he knows he’s on solid ground. So the confirmation can still constitute a prohibited disclosure, he says.
The next morning, on Saturday, November 10, the Post carried an article providing many details of the inquiry. The sources were described as “three senior law enforcement officials.” To the extent those details came from the investigative file, Metcalfe says, the story appears to have constituted yet another Privacy Act violation.
On Sunday, November 11, the New York Times again quoted “law enforcement authorities” who said: “There were hints of possible intelligence and security issues, but they were unproven. You constantly ask yourself, ‘What are the notification requirements? What are the privacy issues?’”
For the officer to have said this to the Times may have constituted yet another violation, according to Metcalfe.
But isn’t it an extenuating circumstance that the F.B.I. was, at this point, taking a great deal of flack due to various unwarranted conspiracy theories. The statements from the “law enforcement officials” were designed to reassure the public that there had been no political cover-up and to explain to Senator Dianne Feinstein, chair of the Senate Intelligence Committee, why she hadn’t been notified much earlier than she was, as she was demanding to know.
“Such a purpose is legally irrelevant,” Metcalfe says.
Late Sunday, the Associated Press identified Kelley for the first time. The scoop came from “a senior U.S. military official . . . who spoke on condition of anonymity because he was not authorized to publicly discuss the investigation.” This leak appears to have constituted still another Privacy Act breach.
Kelley and her husband have retained Abbe Lowell of Chadbourne & Parke to review the disclosure of their identities and other government leaks with an eye to bringing actions under the Privacy Act and other laws. “All the Kelleys did was put law enforcement on notice of strange and illegal behaviors,” says a member of the Kelleys’ legal team. “What law enforcement did in return was to make the Kelleys the focus of media attention — with all the trespassing of their property, abusive phone calls and emails, revelations about their private life, and disruption to their and the children’s lives that caused.”
“This is not how federal law enforcement investigations should work,” says Metcalfe. Would-be tipsters may now ask themselves, he continues, “Do I want to end up like Jill Kelley?”
On Monday morning, November 12, the Journal carried a still more detailed account of the investigation, this time credited to “U.S. officials.” Though the attribution is theoretically broad enough to include Congressmen, its minute-by-minute granularity suggests that it very likely came from law enforcement authorities again.
“The FBI investigation began with five to 10 emails beginning around May and received by Ms. Kelley,” the Journal wrote. “In September, prosecutors and agents began a legal analysis to determine whether there were any charges that could be brought. Among the discussions: whether to interview Ms. Broadwell, who was the focus of the criminal probe, and Mr. Petraeus.”
This leak might have constituted yet another Privacy Act violation, according to Metcalfe.
On Tuesday, November 13, the New York Times reported that General Allen was under investigation for possible “inappropriate communications” with Kelley. This news was attributed to “Defense Secretary Leon Panetta and other officials traveling with him” on a trip to Australia. Panetta referred the matter to the Pentagon’s inspector general, the paper continued, after “a team of military and civilian lawyers reviewed what defense officials say are thousands of pages of documents, including hundreds of emails between General Allen and Ms. Kelley.”
Telling the Times this information may have constituted another Privacy Act violation, according to Metcalfe. (A spokesperson for Panetta declined “to comment on comments attributed to unnamed officials.” He also drew my attention to a transcript of Panetta’s official remarks that day, which does not include any reference to Allen’s being under investigation.)
Finally, on Wednesday, November 14, the Times identified Humphries as the F.B.I. agent who filed Kelley’s original complaint, attributing this news once again to “law enforcement sources.” This leak constituted still another apparent Privacy Act violation — the tenth by my count, and that’s only after sifting through a tiny fraction of the thousands of articles written about the Petraeus probe.
“The content of any information that deals with Mr. Humphries was improperly and illegally leaked to third parties,” says Humphries’ attorney Berger. “End of story.” (He declined comment on whether he plans to sue.)
I sought comment from the Justice Department about the fact that so many reporters had obtained so much seemingly Privacy Act-protected information from “senior federal law enforcement officials,” and about Metcalfe’s opinion that many of these disclosures constituted Privacy Act violations. In response, I received this email from the Department’s public affairs director, Tracy Schmaler:
“Sorry,” it read. “We don’t comment on pending investigations.”