
NSA audit finds agency broke surveillance laws thousands of times a year

According to a top secret audit, in the 12-month period preceding March 2012 alone, the agency committed 2,776 violations.

 

Joe Kloc


Posted on Aug 16, 2013   Updated on Jun 1, 2021, 8:58 am CDT

The U.S. National Security Agency unlawfully sweeps up Americans’ data on thousands of occasions each year, the Washington Post reported.

According to a top secret audit report obtained by the Post from former NSA contractor Edward Snowden, in the 12-month period preceding March 2012 alone, the agency committed 2,776 violations.

As documents taken from the agency by Snowden have revealed this summer, the NSA employs massive domestic and international surveillance tools to sweep up intelligence on both foreigners and U.S. citizens. Leveraging partnerships with Silicon Valley, telecom providers, and foreign intelligence agencies, the NSA collects emails, chats, phone call records, photos, videos and messages. 

A document released by the White House last week indicates that every day the agency “touches” about 1.6 percent of all information moving across the Internet. That number may seem small but, according to the Guardian, by rough estimation, “the NSA’s 1.6% of net traffic would be half of the communication on the net.”

Referred to as “incidents” in the reports published by the Post, these infractions reference violations of either the Foreign Intelligence Surveillance Act (FISA) or the Presidential Executive Order 12333, which together define the legal parameters for the collection of information on American citizens.

One notable passage of the executive order reads: “[surveillance] shall not be undertaken [within the United States or against a United States person] unless the Attorney General has determined in each case that there is probable cause to believe that the technique is directed against a foreign power.” That is, if the agency wants to collect information on any specific U.S. person, it must do so with good reason and the explicit approval of the attorney general. The vast majority of NSA incidents were in violation of this order.

The remainder of incidents—between about a third and a quarter each year—are in violation of FISA. The act, first passed in 1978, prohibited the domestic surveillance of communications in which a U.S. person is involved. The protection was greatly weakened by a 2008 amendment which allowed the surveillance of any U.S. person who was communicating abroad, as long as that person was not the “target.”

As a result, the agency sweeps up massive amounts of data on U.S. citizens. Officially, the agency is supposed to purge this data, but a recent Guardian story revealed that some of it—when deemed of national security interest—is stored in a searchable database.

According to the reports published in the Post, most violations of the Foreign Intelligence Surveillance Act in the first quarter of 2012 were either “operational error”–described as “insufficient or inaccurate research information” and “workload issues”–or “computer error.” Other reasons included neglect of standard operating procedures, typographical errors, training issues and “other system errors.”

The Post pointed out one particularly telling example of computer error. In 2008, the NSA captured metadata on a “large number” (unspecified in the report) of calls coming out of Washington because of a programming mistake that conflated the area code 202 with 20, Egypt’s country code.

When asked by the paper for comment, an NSA “senior official” explained the errors this way: “We’re a human-run agency operating in a complex environment with a number of different regulatory regimes, so at times we find ourselves on the wrong side of the line.” 

The reference to a “human” element in the official’s response, in fact, echoes one of the central concerns surrounding the NSA debate since the first of Snowden’s documents were published in early June. The broad surveillance ambitions of the agency, through its partnerships and technologies, have created an incredibly powerful spying institution vulnerable to human error and abuse. 

In June, President Barack Obama said this in defense of the phone metadata collection program: “This program, by the way, is fully overseen not just by Congress but by the FISA Court, a court specially put together to evaluate classified programs to make sure that the executive branch, or government generally, is not abusing them.” 

The Post report refutes the notion that such legal safeguards are adequate.

By August, after a substantial number of subsequent leaks about agency surveillance both domestically and abroad, Obama acknowledged the potential for misuse of these programs. “I’ve taken steps to make sure they have strong oversight by all three branches of government and clear safeguards to prevent abuse and protect the rights of the American people,” he said. “But given the history of abuse by governments, it’s right to ask questions about surveillance.”

The Post revelations came only hours after Foreign Policy published a feature by NSA historian Matthew Aid explaining just how much data the agency touches every day–about 3,000 times the amount contained in the entire Library of Congress. 

An editor’s note on the Foreign Policy article (added after the Post story was published) puts in context the severity of even the smallest error against this massive scope of the agency’s data collection. “With such a huge haul, even the most infrequent of error rates—one in a hundred thousand, say—still produces terabytes and terabytes of improperly-harvested data.”

The senior NSA official who spoke to the Post, however, argued that this massive scale excused the amount of illegal intelligence the agency collects. “You can look at [the errors] as a percentage of our total activity that occurs each day…You look at a number in absolute terms that looks big, and when you look at it in relative terms, it looks a little different.”

CORRECTION: According to a correction from the New York Times, the country code mixup involving Egypt did not lead to the interception of call content. Rather, only call metadata was collected.

Photo by Greg/Flickr

*First Published: Aug 16, 2013, 1:39 pm CDT