NSA Rule Violations Matter, but Aren’t Severe

Barton Gellman has another important story in the Washington Post, this time publishing an internal NSA audit that found 2,776 violations of various rules against collecting information on Americans.

A large number of the violations (60%) come from human error and “lack of due diligence.” More important, after the FISC was informed of a program, they ruled it unconstitutional and it was shut down — which suggests the court is not as much of a rubber stamp as people accuse it of being.

Some math helps to contextualize the violations as well. 2,776 violations in one calendar year averages out to around 7 violations per day (or, perhaps more realistically, 10 violations per business day). The NSA probably employs between 30,000 and 40,000 people, mostly concentrated in the DC area at Ft. Meade in Maryland. Let’s say 1/3 of them are involved in analysis, so anywhere between 10,000 and 13,000. 7 violations per day among 13,000 analysts is actually a very small number in a relative sense. Especially considering the volume of information the NSA tries to sort each day (upwards of billions of pieces of data), 7 violations per day doesn’t sound very significant. That doesn’t make it okay, but it does suggest violations happen rarely, and are far outside the norm.

Moreover, buried deep in the linked report is a graph showing the vast majority of violations were caught by “automated alert.” It’s not entirely clear what that means, but it is suggestive that the NSA has systems in place to catch unauthorized or improper database queries. Also, from a logical perspective, the fact that the NSA audits itself and records these violations — even if they did not present this audit to their oversight committees or the FISC — again suggests they take privacy seriously. The audit also reported violations had gone down 8% in the calendar year under review compared to the previous year. Even if they don’t protect it as much as we’d like them to, it would be tendentious to say they disregard privacy as a matter of course.

Some language in the Washington Post story requires a bit of parsing as well. On page one, there is mention of a computer mix-up where Egypt’s calling code (20) is accidentally input as DC’s area code (202), resulting in a “large number” of calls being “intercepted.” However, on page four, the incident is clarified to have only involved collecting the metadata about those calls, and not their content — a key distinction. The first leak in this scandal required U.S. telecoms to hand over their phone call metadata for analysis. Accidentally vacuuming up metadata improperly is still not okay, but it is a fundamentally different rule violation than directly intercepting and listening to phone calls.

This last bit is key. Charlie Savage, a fantastic reporter at the New York Times who’s done wonders in reporting on intelligence issues, had to correct his story when he thought the mention of “intercept” on page one meant “listen to.” Slippery language in reporting — a sadly common trend in a lot of the coverage of the NSA leaks — leads to assumptions that tend to be false. Metadata is not content, and is treated differently under the law and Supreme Court precedent, and that’s an important thing to keep in mind.

The NSA itself also handled this leak, and the reporting on it, very poorly. There is no real reason this audit could not have been redacted and released more or less immediately after it became clear that Snowden was leaking a huge cache of documents. In fact, they should do that for future audits. Like it or not, they’ve lost the public’s trust, and it’s clear reporters are not going to defer to them anymore. They’ve also made far too many misstatements and poorly thought-out responses. “Trust us” will not hack it anymore. I see a lot in this audit that should inspire at least public confidence, if only because it shows they’re tracking rules violations and trying to correct for them. By flubbing their response to this kind of disclosure, they are only making things worse and guaranteeing they’ll lose input into any future reforms.

Nevertheless, the predictable suspects are screaming “police state” as if police states audit their own misconduct and undertake measures to reduce them over time. Which is a real loss here — there remain serious issues of program design, legal constraints, and oversight issues with the NSA. But, much like drones last year, exaggerations, hyperbole, and florid, borderline unintelligent polemic are replacing any sort of rational discussion about what proper roles are and how effective oversight might be strengthened. And to repeat: that is a real loss.