Revelations that the National Security Agency violated federal law or presidential orders in thousands of surveillance "incidents" are whipping up a late-summer firestorm among civil libertarians and US lawmakers, undermining White House efforts to shore up support for the NSA’s sweeping antiterrorism surveillance programs.
Publication of internal NSA documents, by the Washington Post, comes a week after a press conference in which President Obama sought to reassure Americans that the NSA is doing its job lawfully and with oversight. The documents show that the agency regularly scooped up e-mails and phone-call metadata on Americans and US residents without first obtaining federal warrants or other authorization.
During the year spanning from the second quarter of 2011 to the first quarter of 2012, NSA auditors detected 2,776 “incidents” involving “unauthorized collection, storage, access to or distribution of legally protected communications,” the Post reported late Thursday.
The Post obtained the top-secret documents from fugitive Edward Snowden, a former NSA contractor now sheltered in Russia on a one-year visa, the newspaper said. Causes of the incidents ranged from “operator/human error” to technical glitches that inadvertently scooped up both foreign and domestic communications, according to the May 2012 audit report.
Produced by the chief of the NSA’s Signals Intelligence Division Oversight and Compliance staff, that core document appeared on the Post website late Thursday. The Monitor has reviewed it and other available documents.
An incident is defined as any violation, whether deliberate or accidental, of court-ordered procedures that govern how surveillance is to be handled involving “U.S. persons” worldwide – whether they are abroad or in the country. The largest number of incidents listed in the audit fell under the “query incident” category, which occurs when an NSA analyst discovers that a US person’s data appear in a database among previously collected intelligence data, or when an analyst keys in a search term that inadvertently returns data on US persons.
“The majority of incidents in all authorities were database query incidents due to human error,” the audit report said. The reported incidents were for NSA headquarters in Fort Meade, Md., and other locations near Washington, raising the prospect that an audit of the agency’s entire operation would have produced a larger number of violations.
Perhaps among the most serious violations, the NSA intercepted international data surging through fiber-optic cables in the US and shunted the whole lot into a database for later processing and analysis, the Post reported, citing a top-secret internal NSA newsletter. The collection included a mix of US and foreign e-mails that could not be separated, the NSA argued.
But in October 2011, several months after the program began, the Foreign Intelligence Surveillance Court, which authorizes certain NSA surveillance activities, ruled the collection program unconstitutional.
Another “incident,” in February 2012, involved the unlawful retention of 3,032 files that the FISA court had ordered the NSA to destroy after five years, according to the May 2012 audit document. Each file contained an undisclosed number of telephone-call metadata records, the document showed.
The large number of database query incidents – which by definition involve communications that were previously collected – indicate that the NSA is collecting and storing scads of information for later analysis, including data on Americans, some analysts say. The audit documents list a dozen data-collection systems with code names – among them PINWALE, MARINA, DISHFIRE, FASTSCOPE, OCTAVE, and XKEYSCORE – in which there were 119 incidents in early 2011.
For its part, the NSA said Friday in a statement to the Post that the audit shows that the agency is trying hard to ride herd on its surveillance programs and to ensure that it adheres to the law – and that it is unabashedly documenting its own failures.
“We want people [inside the agency] to report if they have made a mistake or even if they believe that an NSA activity is not consistent with the rules,” according to the NSA statement. “NSA, like other regulated organizations, also has a 'hotline' for people to report and no adverse action or reprisal can be taken for the simple act of reporting. We take each report seriously, investigate the matter, address the issue, constantly look for trends, and address them as well – all as a part of NSA’s internal oversight and compliance efforts.”
The agency reported, too, that more than 300 people are assigned to its internal privacy-compliance program, a fourfold increase since 2009. That group manages NSA’s rules, trains its personnel, develops and implements technical safeguards, and sets up systems to monitor and guide NSA activities.
“We take this work very seriously,” the statement said.
Mr. Obama noted at a news conference in June that federal judges keep a close eye on NSA activities. “We also have federal judges that we’ve put in place who are not subject to political pressure,” Obama said. “They’ve got lifetime tenure as federal judges, and they’re empowered to look over our shoulder at the executive branch to make sure that these programs aren’t being abused.”
But the chief judge of the FISA court, responding in writing to a Post query about the NSA audit, said his judicial crew could not be expected to provide close oversight of the agency.
The FISA court "is forced to rely upon the accuracy of the information that is provided to the Court,” US District Judge Reggie Walton said in a written statement to the Post. That court "does not have the capacity to investigate issues of noncompliance, and in that respect the FISC is in the same position as any other court when it comes to enforcing [government] compliance with its orders.”
That raises the question of how vigilant a watchdog the NSA can be when it's watching itself. One episode, at least, casts doubts on that capability.
In 2008, the agency accidentally intercepted a “large number” of phone-call metadata from the Washington area because a programming error confused the district's area code, 202, for the international dialing code for Egypt, 20, the Post reported. Yet a “quality assurance” review on that incident was not distributed to the NSA’s oversight staff because “the issue pertained to Metadata ONLY so there were no defects to report,” the review stated, according to the Post report.
None of this is happy news for civil libertarians or US lawmakers, who say the leaked audit shows that much more oversight of the NSA is needed.
“The number of ‘compliance incidents’ is jaw-dropping. The rules around government surveillance are so permissive that it is difficult to comprehend how the intelligence community could possibly have managed to violate them so often,” said Jameel Jaffer, ACLU deputy legal director, in a statement. “Obviously it’s important to know what precisely these compliance incidents involved, and some are more troubling than others. But at least some of these incidents seem to have implicated the privacy of thousands or millions of innocent people.”
Senate Intelligence Committee Chairman Dianne Feinstein (D) of California did not have a copy of the 2012 audit until the Post's reporter asked her staff about it. The committee “can and should do more to independently verify that NSA’s operations are appropriate, and [that] its reports of compliance incidents are accurate,” she said in a statement Thursday.
Momentum appears to be building for increased NSA oversight. NSA surveillance activity has prompted civil liberties groups to file at least five lawsuits against the government, and even a fractious Congress seems to be uniting behind the idea of greater accountability. Between the two parties, at least 19 bills to boost oversight are in the offing.
“I plan to hold another hearing on these matters in the Judiciary Committee and will continue to demand honest and forthright answers from the intelligence community,” said Senate Judiciary Committee Chairman Patrick Leahy (D) of Vermont, the author of one oversight bill, in a statement Friday. “Using advanced surveillance technologies in secret demands close oversight and appropriate checks and balances, and the American people deserve no less than that.”