The National Security Agency broke the law and ignored privacy protections thousands of times in each of the years since Congressional leaders expanded the agency’s power in 2008, according to a new report citing documents leaked by Edward Snowden.
The majority of the violations are related to unauthorized surveillance on Americans or foreigners inside the United States, conditions deemed illegal by executive order, according to a new report from the Washington Post.
The account is based on top-secret documents and a May 2012 internal NSA audit that found 2,776 infractions – including unauthorized collection, storage, access to or distribution of legally protected communications – in the preceding 12 months alone. The audit, originally only meant to be seen by top NSA leaders, only accounted for violations at NSA headquarters at Fort Meade, Virginia, and other locations in the Washington DC region.
Three government sources told the Post that the 2,776 infractions would in fact be much higher had the audit included all NSA data collection centers. Each of the 2,776 violations could have potentially encompassed thousands of communications.
“One key to the Washington Post story,” tweeted journalist Glenn Greenwald, who first published Snowden’s disclosures in June, “the reports are internal, NSA audits, which means high likelihood of both under-counting and white-washing.”
One of the most flagrant examples is a 2008 incident when a “large number” of telephone calls were inadvertently intercepted because a programmer erroneously typed “202” instead of “20,” Egypt’s national calling code, according to a “quality assurance” memorandum never seen by NSA oversight staff.
Another time, the NSA kept 3,032 files they were ordered to destroy by the Foreign Intelligence Surveillance Act (FISA) court. Each individual file included an undisclosed number of telephone call records, according to the Post.
In separate incident, the NSA failed to notify the FISA court about a new collection method the agency was using for months, at which point the court deemed the method unconstitutional. The agency reportedly “diverted large volumes of international data passing through fiber-optic cables in the United States into a repository where the material could be stored temporarily for processing and selection.”
This finding, and others like it, refutes claims made by NSA chief Keith Alexander and other brass that the government does not store or process the information it collects. As per NSA policy, the number of Americans affected was not disclosed in the top-secret documents.
NSA officials also failed to explain why, with the number of violation lower in 2008 and 2009 than in later years, violations only increased as time went on.
US District Judge Reggie Walton, the chief judge of the FISA court, admitted that the court’s rulings are based only on information provided by the government. Consequently, judges entrusted with determining what the NSA may and may not do are forced to rely on the NSA to prove the government has not and will not overstep its legal bounds.
“The [FISA court] is forced to rely upon the accuracy of the information that is provided to the Court,” Walton wrote to The Washington Post. “The [FISA court] does not have the capacity to investigate issues of noncompliance, and in that respect the [FISA court] is in the same position as any other court when it comes to enforcing [government] compliance with its orders.”
Privacy advocates have previously expressed concern that the court is never informed of many of the violations. Even when the court is informed of the agency’s intentions, however, the judges are sometimes ignored.
A recently declassified Justice Department review from 2009 discovered a “major operational glitch that had led to a series of significant violations of the court’s order and notified the court.” While specifics of the error were not disclosed, problems including the so-called “over-collection” of phone call metadata were reported.
“The problems generally involved the implementation of highly sophisticated technology in a complex and ever-changing communications environment which, in some instances, results in the automated tools operating in a manner that was not completely consistent with the specific terms of the Court’s orders,” a December 2009 memo to the Senate and House intelligence committees stated.
The Washington Post notified the NSA of Thursday’s report before it was published, at which point the agency said it stops mistakes “at the earliest possible moment, implement mitigation measures wherever possible, and drive them down.”
“We’re a human-run agency operating in a complex environment with a number of different regulatory regimes, so at times we find ourselves on the wrong side of the line,” said one senior official who spoke on the condition of anonymity. “You can look at a number in absolute terms that looks big, and you look at it in relative terms, it looks a little different.”
The documents also described a tutorial that NSA collectors and analysts are required to complete. Titled the “Target Analysts Rationale Instructions,” the training instructs employees on how to complete oversight requirements without revealing “extraneous information” to “our FAA overseers,” a reference to the FISA Amendments Act of 2008.
California Senator Dianne Feinstein said she did not receive a copy of the audit until questioned by the Post, despite her position as Senate Intelligence Committee Chairman. She said the committee “can and should do more to independently verify that NSA’s operations are appropriate, and its reports of compliance incidents are accurate.”
The timing of the report comes just after US President Barack Obama defended the NSA’s widespread domestic and foreign surveillance. Obama said the programs were necessary to protect national security and legitimate partly because of comprehensive oversight.
“If you look at the reports – even the disclosures that Mr. Snowden has put forward – all the stories that have been written, what you’re not reading about is the government actually abusing these programs and listening in on people’s phone calls or inappropriately reading people’s emails,” Obama said.
“What you’re hearing about is the prospect that these could be abused. Now, part of the reason they’re not abused is because these checks are in place, and those abuses would be against the law and would be against the orders of the Foreign Intelligence Surveillance Court.”
After the initial report was published Thursday night the Washington Post issued an appendix revealing that after reporters spoke with NSA leadership, the Obama administration refused allow the Post to publish their names or official titles. The explanation from the newspaper is reproduced in full below:
"The Obama administration referred all questions for this article to John DeLong, the NSA’s director of compliance, who answered questions freely in a 90-minute interview. DeLong and members of the NSA communications staff said he could be quoted “by name and title” on some of his answers after an unspecified internal review. The Post said it would not permit the editing of quotes. Two days later, White House and NSA spokesmen said that none of DeLong’s comments could be quoted on the record and sent instead a prepared statement in his name. The Post declines to accept the substitute language as quotations from DeLong. The statement is below.
"We want people to report if they have made a mistake or even if they believe that an NSA activity is not consistent with the rules. NSA, like other regulated organizations, also has a “hotline” for people to report — and no adverse action or reprisal can be taken for the simple act of reporting. We take each report seriously, investigate the matter, address the issue, constantly look for trends, and address them as well — all as a part of NSA’s internal oversight and compliance efforts. What’s more, we keep our overseers informed through both immediate reporting and periodic reporting. Our internal privacy compliance program has more than 300 personnel assigned to it: a fourfold increase since 2009. They manage NSA’s rules, train personnel, develop and implement technical safeguards, and set up systems to continually monitor and guide NSA’s activities. We take this work very seriously."