If the leak of the Foreign Intelligence Surveillance Court order requiring Verizon to provide the FBI and NSA with millions of call records was the most important in advancing the debate about privacy and surveillance, Barton Gellman's report in the Washington Post about NSA's internal compliance audits should count as a close second.
For the first time, albeit inadvertently, the NSA has acknowledged the scope and depth of the agency's privacy violations and explains, in some detail, why these errors happened, how they were caught, and what might be done to correct them.
The prism of your gut will tell you what to think about all of this, and my stomach feels a little gurgley. I remain somewhat astonished at how cavalierly the administration continues to speak of rule violations as if the only type that's relevant is an advertent or deliberate attempt to intercept an American's email content or telephone call. By far, that's certainly the WORST type of rule-breaking there is, and thankfully it is extremely rare. But inadvertent collection is not insignificant. It is not, in my opinion, harmful, but it is by no means acceptable, and to treat it simply as the cost of doing (intelligence collection) business is an insufficient public defense of these problems.
Still, NSA critics, if they take the report at face value, have to acknowledge that the agency's efforts to track errors and compile them are not simply for show. As Joshua Foust points out, something called an "automated alert" flagged most of the violations found, which means that the NSA does indeed actively audit a large percentage of analytical queries or taskings. Retrospective auditing caught others, and a large number of violations were self-reported.
This paragraph I agree with in total, so I will replicate it:
It's also bizarre that the NSA does not give Congress detailed information on so-called "EO 12333" violations, which involve inadvertent or incidental collection on U.S. persons using programs which are set up only to collect information on overseas targets from collection platforms located outside the United States. The intelligence committees get basic information about these infractions, but they only get detailed breakdowns of FISA-related errors.
Here's my question: The NSA knows which documents Edward Snowden has. And it knows that collection on U.S. citizens remains the most controversial of all topics it will have to defend. Wouldn't it be in NSA's interest to proactively disclose, declassify, and release the remaining documents having to do with U.S. persons collections?