NSA broke privacy rules thousands of times, audit says
The Washington Post
WASHINGTON — The National Security Agency (NSA) has broken privacy rules or overstepped its legal authority thousands of times each year since Congress granted the agency broad new powers in 2008, according to an internal audit and other top-secret documents.
Most infractions involve unauthorized surveillance of Americans or foreign intelligence targets in the United States, both of which are restricted by law and executive order.
They range from significant violations of law to typographical errors that resulted in unintended interception of U.S. emails and telephone calls.
The documents, provided this summer to The Washington Post by former NSA contractor Edward Snowden, include a level of detail and analysis that is not routinely shared with Congress or the special court that oversees surveillance.
In one document, agency personnel are instructed to remove details and substitute more generic language in reports to the Justice Department and the Office of the Director of National Intelligence.
In one instance, the NSA decided it need not report the unintended surveillance of Americans.
A notable example in 2008 was the interception of a “large number” of calls placed from Washington, D.C., when a programming error confused U.S. area code 202 for 20, the international dialing code for Egypt, according to a “quality assurance” review that was not distributed to the NSA’s oversight staff.
In another case, the Foreign Intelligence Surveillance Court (FISC), which has authority over some NSA operations, did not learn about a new collection method until it had been in operation for months. The court ruled it unconstitutional.
The Obama administration has provided almost no public information about the NSA’s compliance record.
In June, after promising to explain the NSA’s record in “as transparent a way as we possibly can,” Deputy Attorney General James Cole described extensive safeguards and oversight that keep the agency in check.
“Every now and then, there may be a mistake,” Cole said in congressional testimony.
The NSA audit obtained by The Post, dated May 2012, counted 2,776 incidents in the preceding 12 months of unauthorized collection, storage, access to or distribution of legally protected communications.
Most were unintended. Many involved failures of due diligence or violations of standard operating procedure. The most serious incidents included a violation of a court order and unauthorized use of data about more than 3,000 Americans and green-card holders.
In response to questions for this article, the NSA said it attempts to identify problems “at the earliest possible moment, implement mitigation measures wherever possible, and drive the numbers down.”
The government was made aware of The Post’s intention to publish the documents.
“We’re a human-run agency operating in a complex environment with a number of different regulatory regimes, so at times we find ourselves on the wrong side of the line,” a senior NSA official said in an interview, speaking with White House permission on the condition of anonymity.
There is no reliable way to calculate from the number of recorded compliance issues how many Americans have had their communications improperly collected, stored or distributed by the NSA.
The causes and severity of NSA infractions vary widely. One in 10 incidents is attributed to a typographical error in which an analyst enters an incorrect query and retrieves data about U.S. phone calls or emails.
But the more serious lapses include unauthorized access to intercepted communications, the distribution of protected content and the use of automated systems without built-in safeguards to prevent unlawful surveillance.
The May 2012 audit, intended for the agency’s top leaders, counts only incidents at NSA’s Fort Meade, Md., headquarters and other facilities in the Washington area.
Three government officials, speaking on condition of anonymity, said the number would be substantially higher if it included other NSA operating units and regional collection centers.
Senate Intelligence Committee Chairman Dianne Feinstein, D-Calif., who did not receive a copy of the 2012 audit until The Post asked her staff about it, said late Thursday that the committee “can and should do more to independently verify that NSA’s operations are appropriate, and its reports of compliance incidents are accurate.”
Despite the quadrupling of NSA’s oversight staff after a series of significant violations in 2009, the rate of infractions increased throughout 2011 and early 2012. An NSA spokesman declined to disclose whether the trend has continued.
One major problem is largely unpreventable, the audit says, because current operations rely on technology that cannot quickly determine whether a foreign mobile phone has entered the United States.
In what appears to be one of the most serious violations, the NSA diverted large volumes of international data passing through fiber-optic cables in the United States into a repository where the material could be stored temporarily for processing and selection.
The operation to obtain what the agency called “multiple communications transactions” collected and commingled U.S. and foreign emails, according to an article in SSO News, a top-secret internal newsletter of the NSA’s Special Source Operations unit.
In October 2011, months after the program began, the Foreign Intelligence Surveillance Court ruled the collection was unconstitutional. The court ordered the NSA to comply with standard privacy protections or stop the program.
James Clapper Jr., director of national intelligence, has acknowledged that the court found the NSA in breach of the Fourth Amendment, which prohibits unreasonable searches and seizures, but the Obama administration has fought a Freedom of Information Act lawsuit that seeks the opinion.
Little is disclosed
Generally, the NSA reveals nothing in public about its errors and infractions.
Members of Congress may read the unredacted documents, but only in a special secure room and they are not allowed to take notes. Less than 10 percent of lawmakers employ a staff member who has the security clearance to read the reports and provide advice about their meaning and significance.
Under NSA auditing guidelines, the incident count does not usually disclose the number of Americans affected.
“What you really want to know, I would think, is how many innocent U.S. person communications are, one, collected at all, and two, subject to scrutiny,” said Julian Sanchez, a research scholar and student of the NSA at the Cato Institute.
The documents provided by Snowden offer only glimpses of those questions. Some reports make clear that an unauthorized search produced no records.
But a single “incident” in February 2012 involved the unlawful retention of 3,032 files that the surveillance court had ordered the NSA to destroy, according to the May 2012 audit. Each file contained an undisclosed number of telephone-call records.
In one required tutorial, NSA collectors and analysts are taught to fill out oversight forms without giving “extraneous information” to “our FAA overseers.”
FAA is a reference to the FISA Amendments Act of 2008, which granted broad new authorities to the NSA in exchange for regular audits from the Justice Department and the Office of the Director of National Intelligence and periodic reports to Congress and the surveillance court.