GUEST EDITORIAL

Understanding NSA’s errors

Even if analysts don’t abuse their tools, mistakes happen

8/19/2013
THE WASHINGTON POST

This is how a senior National Security Agency official defends his outfit: “We’re a human-run agency operating in a complex environment with a number of different regulatory regimes, so at times we find ourselves on the wrong side of the line.” That’s what’s been making many people nervous about recent reports on the organization’s vast capabilities to collect information about people’s lives.

Even if analysts don’t abuse their tools, mistakes happen. The Obama Administration repeatedly has assured the public that procedures are in place to limit the NSA’s use of its extraordinary powers, and it even admitted in recently declassified documents that occasional errors occur. But until now, the public simply didn’t have a firm sense of how often the process failed.

The Washington Post has published an internal intelligence oversight report detailing “incidents” in which the agency failed to comply with the various restrictions on its massive information-gathering operation. Over a year’s span in 2011 and 2012, NSA employees violated the rules at least 2,776 times.

About a tenth of the violations involved typographical errors. Many more involved user errors such as “inaccurate or insufficient research,” “failure to follow standard operating procedures,” and “training issues.”

Automated error detection systems caught a lot of these problems. But sometimes, technical systems themselves also led to violations. In one case, the NSA collected U.S. and foreign emails in a way its judicial overseers called “deficient on statutory and constitutional grounds,” once they heard about it in 2011.

The NSA’s director of compliance, John DeLong, offered some context. The agency queries its various databases millions of times a month, he said. Willful abuse of NSA systems is almost nonexistent, he insisted. Still, even a very low incident rate can cause discomfort when there is so much the agency can sift through.

At the least, the NSA must be more transparent in its error reporting. It doesn’t need to provide properly classified operational details to admit that it messes up. The audit not only discloses the raw number of violations in the period it covers, but also breaks down those violations by the legal authorities under which NSA reviews were supposed to take place, such as the Foreign Intelligence Surveillance Act.

It’s no secret that these authorities exist, so why not do the same regularly, and in public? The agency could also release information on the types of violations it’s seeing — user or systems — and how it caught them. There’s nothing dangerous about any of that.

Mr. DeLong suggested the very existence of the audit shows the compliance program is working. Now that the NSA will be getting a lot more scrutiny, one more question to answer is what, if anything, these sorts of audits have missed.