The NSA's technical fouls

August 16, 2013, at 1:20 PM

If the leak of the Foreign Intelligence Surveillance Court order requiring Verizon to provide the FBI and NSA with millions of call records was the most important in advancing the debate about privacy and surveillance, Barton Gellman's report in the Washington Post about NSA's internal compliance audits should count as a close second.

For the first time, albeit inadvertently, the NSA has acknowledged the scope and depth of the agency's privacy violations and explained, in some detail, why these errors happened, how they were caught, and what might be done to correct them.

The prism of your gut will tell you what to think about all of this, and my stomach feels a little gurgly. I remain somewhat astonished at how cavalierly the administration continues to speak of rule violations as if the only type that's relevant is an advertent or deliberate attempt to intercept an American's email content or telephone call. By far, that's certainly the WORST type of rule-breaking there is, and thankfully it is extremely rare. But inadvertent collection is not insignificant. It is not, in my opinion, harmful, but it is by no means acceptable, and to treat it simply as the cost of doing (intelligence collection) business is an insufficient public defense of these problems.

Still, NSA critics, if they take the report at face value, have to acknowledge that the agency's efforts to track errors and compile them are not simply for show. As Joshua Foust points out, something called an "automated alert" flagged most of the violations found, which means that the NSA does indeed actively audit a large percentage of analytical queries or taskings. Retrospective auditing caught others, and a large number of violations were self-reported.

This paragraph I agree with in total, so I will replicate it:

The NSA itself also handled this leak, and the reporting on it, very poorly. There is no real reason this audit could not have been redacted and released more or less immediately after it became clear that Snowden was leaking a huge cache of documents. In fact, they should do that for future audits. Like it or not, they've lost the public's trust, and it's clear reporters are not going to defer to them anymore. They've also made far too many misstatements and poorly thought out responses. "Trust us" will not hack it anymore. I see a lot in this audit that should inspire at least public confidence, if only because it shows they're tracking rules violations and trying to correct for them. By flubbing their response to this kind of disclosure, they are only making things worse and guaranteeing they'll lose input into any future reforms.


It's also bizarre that the NSA does not give Congress detailed information on so-called "EO 12333" violations, which involve inadvertent or incidental collection on U.S. persons using programs which are set up only to collect information on overseas targets from collection platforms located outside the United States. The intelligence committees get basic information about these infractions, but they only get detailed breakdowns of FISA-related errors.

Here's my question: The NSA knows which documents Edward Snowden has. And it knows that collection on U.S. citizens remains the most controversial of all topics it will have to defend. Wouldn't it be in NSA's interest to proactively disclose, declassify, and release the remaining documents having to do with U.S. persons collections?






