Internal audit shows NSA broke privacy rules “thousands of times per year”

posted at 8:01 am on August 16, 2013 by Ed Morrissey

This Washington Post exposé surprises me only in one regard.  If the NSA and the Obama administration knew this internal audit existed, why not pull a Lois Lerner and do a Friday-night apology to defuse it?  Hey, that worked really well in the IRS targeting scandal, right?

We’ll get back to that in a moment:

The National Security Agency has broken privacy rules or overstepped its legal authority thousands of times each year since Congress granted the agency broad new powers in 2008, according to an internal audit and other top-secret documents.

Most of the infractions involve unauthorized surveillance of Americans or foreign intelligence targets in the United States, both of which are restricted by law and executive order. They range from significant violations of law to typographical errors that resulted in unintended interception of U.S. e-mails and telephone calls.

The documents, provided earlier this summer to The Washington Post by former NSA contractor Edward Snowden, include a level of detail and analysis that is not routinely shared with Congress or the special court that oversees surveillance. In one of the documents, agency personnel are instructed to remove details and substitute more generic language in reports to the Justice Department and the Office of the Director of National Intelligence.

Were these just inadvertent and innocent errors? The Post makes one of them sound that way, but …

In one instance, the NSA decided that it need not report the unintended surveillance of Americans. A notable example in 2008 was the interception of a “large number” of calls placed from Washington when a programming error confused U.S. area code 202 for 20, the international dialing code for Egypt, according to a “quality assurance” review that was not distributed to the NSA’s oversight staff.

The NSA made a mistake that just happened to pick the nation’s capital for eavesdropping?  Didn’t the absence of Arabic and a preponderance of Southern-inflected English give the signals experts at NSA a clue that they’d tapped into the wrong pipe before listening to “a large number” of those calls? The report doesn’t indicate how many calls from members of Congress got scooped up in that “mistake,” but I’d bet at least some of those came from Capitol Hill offices or other official federal business.  How will that dispose some of the NSA’s defenders in the House and Senate?

For that matter, the FISA court will have an unpleasant surprise in the story, too:

In another case, the Foreign Intelligence Surveillance Court, which has authority over some NSA operations, did not learn about a new collection method until it had been in operation for many months. The court ruled it unconstitutional.

Let’s get back to the Friday night news dump strategy.  A week ago, Barack Obama held a rare press conference before starting his vacation, in which he proposed a few cosmetic reforms to NSA surveillance while insisting he wanted a “conversation” on NSA surveillance all along.  That claim fooled no one, and as if to tip everyone off to the charade, Obama asked James Clapper to appoint a panel to look into potential NSA abuses, even though Clapper deliberately misled Congress on the nature of NSA surveillance.

As Allahpundit noted last night on Twitter:

In other words, Obama tried to pull a Lois Lerner.  When he gets back from vacation, will anyone in the White House press corps ask him about this little charade?

Speaking of charades, the White House tried to get the Post to change quotes given in an on-the-record interview with John DeLong, the NSA’s compliance director, after the Obama administration figured out what the Post had.  DeLong was not quoted by name in the final article, but instead the Post attributed the quotes to a “senior NSA official … speaking with White House permission.”  The damaging quotes come at the end of Barton Gellman’s article:

The NSA uses the term “incidental” when it sweeps up the records of an American while targeting a foreigner or a U.S. person who is believed to be involved in terrorism. Official guidelines for NSA personnel say that kind of incident, pervasive under current practices, “does not constitute a . . . violation” and “does not have to be reported” to the NSA inspector general for inclusion in quarterly reports to Congress. Once added to its databases, absent other restrictions, the communications of Americans may be searched freely.

In one required tutorial, NSA collectors and analysts are taught to fill out oversight forms without giving “extraneous information” to “our FAA overseers.” FAA is a reference to the FISA Amendments Act of 2008, which granted broad new authorities to the NSA in exchange for regular audits from the Justice Department and the Office of the Director of National Intelligence and periodic reports to Congress and the surveillance court.

Using real-world examples, the “Target Analyst Rationale Instructions” explain how NSA employees should strip out details and substitute generic descriptions of the evidence and analysis behind their targeting choices.

“I realize you can read those words a certain way,” said the high-ranking NSA official who spoke with White House authority, but the instructions were not intended to withhold information from auditors. “Think of a book of individual recipes,” he said. Each target “has a short, concise description,” but that is “not a substitute for the full recipe that follows, which our overseers also have access to.”

And this is what the White House wanted the Post to use instead:

We want people to report if they have made a mistake or even if they believe that an NSA activity is not consistent with the rules. NSA, like other regulated organizations, also has a “hotline” for people to report — and no adverse action or reprisal can be taken for the simple act of reporting. We take each report seriously, investigate the matter, address the issue, constantly look for trends, and address them as well — all as a part of NSA’s internal oversight and compliance efforts. What’s more, we keep our overseers informed through both immediate reporting and periodic reporting. Our internal privacy compliance program has more than 300 personnel assigned to it: a fourfold increase since 2009. They manage NSA’s rules, train personnel, develop and implement technical safeguards, and set up systems to continually monitor and guide NSA’s activities. We take this work very seriously.

Golly, why not change it to, “We’re super-awesome and take the Boy Scout Oath of Honor three times daily”?  Did the White House think that edit would impress Congress after finding out that the NSA was scooping up their calls?

And this is what we discover from an internal NSA audit. Imagine what we’d find in an external audit.  Perhaps Congress might move that from imagination to reality tout-suite.

Update: Stoic Patriot notes in the comments that “intercepts” are not the same as listening in.  However, we are talking about two different things here in another sense. The domestic surveillance conducted by the NSA was (supposedly) on phone records that have nothing to do with real-time intercepts.  The NSA can conduct real-time intercepts, including listening in on calls and the content of digital messaging, on foreign communications; in fact, that is one of the NSA’s main purposes.  If the NSA conducted real-time intercepts of calls in Washington DC as this article states, I doubt that was limited to just the metadata from those calls.


Related Posts:

Breaking on Hot Air