The Washington Post released a detailed report last night, stating that the NSA broke privacy rules thousands of times per year.  The report is based on documents shared earlier with the outlet by NSA leaker Edward Snowden, and it presents a clearer picture of precisely how US citizens can become inadvertently ensnared in the NSA’s dragnet.

Many of the examples are detailed in an internal report on breaches of NSA privacy rules and legal restrictions that was conducted by the director of oversight and compliance for the NSA’s Signals Intelligence Directorate.  It covers instances of privacy violations that occurred only out of Ft. Meade headquarters and nearby facilities, rather than all of the NSA facilities.  When asked to provide statistics on the NSA operations as a whole, a senior intelligence official would tell the Post only that the number of violations would “not double.”

The violations outlined in the documents range from the purely accidental, if not outright careless, to the failure to report a new collection method.

From the Washington Post article:

In one instance, the NSA decided that it need not report the unintended surveillance of Americans. A notable example in 2008 was the interception of a “large number” of calls placed from Washington when a programming error confused the U.S. area code 202 for 20, the international dialing code for Egypt, according to a “quality assurance” review that was not distributed to the NSA’s oversight staff.

In another case, the Foreign Intelligence Surveillance Court, which has authority over some NSA operations, did not learn about a new collection method until it had been in operation for many months. The court ruled it unconstitutional.

[...]

The NSA audit obtained by The Post, dated May 2012, counted 2,776 incidents in the preceding 12 months of unauthorized collection, storage, access to or distribution of legally protected communications. Most were unintended. Many involved failures of due diligence or violations of standard operating procedure. The most serious incidents included a violation of a court order and unauthorized use of data about more than 3,000 Americans and green-card holders.

Additional documents referenced in the Post’s report all provide insight into the training of NSA personnel on identifying and handling such violations.

As various NSA and Justice Department officials have testified before members of Congress, NSA personnel are required to fill out a form that provides the rationale for further targeting someone for surveillance.  One such document in the Post report provides a visual example of this process.

Analysts are specifically warned that they “MUST NOT” provide the evidence on which they base their “reasonable articulable suspicion” that a target will produce valid foreign intelligence. They are also forbidden to disclose the “selectors,” or search terms, they plan to use. In examples that draw on actual searches, the document shows how to strip out details and substitute generic descriptions.

A senior intelligence official said in an interview that this form provides only the “headline” and that the document should not be misread to suggest that the NSA is hiding anything from its outside auditors. Particulars are available on request, the official said, by supervisors at the Justice Department and the office of the Director of National Intelligence, and those offices often delve deeply into the details. The official acknowledged that the details are not included in reports to Congress or the Foreign Intelligence Surveillance Court.

Another training document outlines what personnel should do if they’ve incidentally encountered information pertaining to US persons, indicating that minimization procedures are to be applied.  The document also specifies that intentional targeting and inadvertent collection of data pertaining to US persons warrant that all collection cease immediately.

Collectively, all of the information contained in the Post’s report appears to provide the most clarification to date on what NSA personnel may encounter while searching on foreign intelligence targets and how they are trained to respond when their activities inadvertently yield data that encompasses US citizens.

In response to its report, The Washington Post had initially obtained quotes from an NSA official on the matter.  But in its typical transparent fashion, it appears the Obama administration wouldn’t have that.

From WaPo’s post titled NSA statements to The Post:

The Obama administration referred all questions for this article to John DeLong, the NSA’s director of compliance, who answered questions freely in a 90-minute interview. DeLong and members of the NSA communications staff said he could be quoted “by name and title” on some of his answers after an unspecified internal review. The Post said it would not permit the editing of quotes. Two days later, White House and NSA spokesmen said that none of DeLong’s comments could be quoted on the record and sent instead a prepared statement in his name. The Post declines to accept the substitute language as quotations from DeLong. The statement is below.

We want people to report if they have made a mistake or even if they believe that an NSA activity is not consistent with the rules. NSA, like other regulated organizations, also has a “hotline” for people to report — and no adverse action or reprisal can be taken for the simple act of reporting. We take each report seriously, investigate the matter, address the issue, constantly look for trends, and address them as well — all as a part of NSA’s internal oversight and compliance efforts. What’s more, we keep our overseers informed through both immediate reporting and periodic reporting. Our internal privacy compliance program has more than 300 personnel assigned to it: a fourfold increase since 2009. They manage NSA’s rules, train personnel, develop and implement technical safeguards, and set up systems to continually monitor and guide NSA’s activities. We take this work very seriously.

You can access all of the documents from the Washington Post’s related posts below.

 

 