Barton Gellman has another important story in the Washington Post, this time publishing an internal NSA audit that found 2,776 violations of various rules against collecting information on Americans.
A large number of the violations (60%) come from human error and “lack of due diligence.” More important, after the FISC was informed of a program, they ruled it unconstitutional and it was shut down — which suggests the court is not as much of a rubber stamp as people accuse it of being.
Some math helps to contextualize the violations as well. 2,776 violations in one calendar year averages out to around 7 violations per day (or, perhaps more realistically, 10 violations per business day). The NSA probably employs between 30,000 and 40,000 people, mostly concentrated in the DC area at Ft. Meade in Maryland. Let’s say 1/3 of them are involved in analysis, so anywhere between 10,000 and 13,000. 7 violations per day among 13,000 analysts is actually a very small number in a relative sense. Especially considering the volume of information the NSA tries to sort each day (upwards of billions of pieces of data), 7 violations per day doesn’t sound very significant. That doesn’t make it okay, but it does suggest violations happen rarely, and are far outside the norm.
Moreover, buried deep in the linked report is a graph showing the vast majority of violations were caught by “automated alert.” It’s not entirely clear what that means, but it is suggestive that the NSA has systems in place to catch unauthorized or improper database queries. Also, from a logical perspective, the fact that the NSA audits itself and records these violations — even if they did not present this audit to their oversight committees or the FISC — again suggests they take privacy seriously. The audit also reported violations had gone down 8% in the calendar year under review compared to the previous year. Even if they don’t protect it as much as we’d like them to, it would be tendentious to say they disregard privacy as a matter of course.
Some language in the Washington Post story requires a bit of parsing as well. On page one, there is mention of a computer mix-up where Egypt’s calling code (20) is accidentally input as DC’s area code (202), resulting in a “large number” of calls being “intercepted.” However, on page four, the incident is clarified to have only involved collecting the metadata about those calls, and not their content — a key distinction. The first leak in this scandal required U.S. telecoms to hand over their phone call metadata for analysis. Accidentally vacuuming up metadata improperly is still not okay, but it is a fundamentally different rule violation that directly intercepting and listening to phone calls.
This last bit is key. Charlie Savage, a fantastic reporter at the New York Times who’s done wonders in reporting on intelligence issues, had to correct his story when he thought the mention of “intercept” on page one meant “listen to.” Slippery language in reporting — a sadly common trend in a lot of the coverage of the NSA leaks — leads to assumptions that tend to be false. Metadata is not content, and is treated differently under the law and Supreme Court precedent, and that’s an important thing to keep in mind.
The NSA itself also handled this leak, and the reporting on it, very poorly. There is no real reason this audit could not have been redacted and release more or less immediately after it became clear that Snowden was leaking a huge cache of documents. In fact, they should do that for future audits. Like it or not, they’ve lost the public’s trust, and it’s clear reporters are not going to defer to them anymore. They’ve also made far too many misstatements and poorly thought out responses. “Trust us” will not hack it anymore. I see a lot in this audit that should inspire at least public confidence, if only because it shows they’re tracking rules violations and trying to correct for them. By flubbing their response to this kind of disclosure, they are only making things worse and guaranteeing they’ll lose input into any future reforms.
Nevertheless, the predictable suspects are screaming “police state” as if police states audit their own misconduct and undertake measures to reduce them over time. Which is a real loss here — there remain serious issues of program design, legal constraints, and oversight issues with the NSA. But, much like drones last year, exaggerations, hyperbole, and florid, borderline unintelligence polemic is replacing any sort of rational discussion about what proper roles are and how effective oversight might be strengthened. And to repeat: that is a real loss.