Key Takeaways From the Washington Post Report Detailing Thousands of Privacy Violations by the NSA
The Washington Post has published two important stories, based on perhaps the most signficant documents yet leaked by NSA whistleblower Edward Snowden. Separately, the stories tell of an agency in charge of policing itself, leading to thousands of violations of Americans’ privacy per year, and a secret court with no power to stop them.
These new revelations, and the many before it, lead to one conclusion: we need a full, independent investigation of the NSA’s powers. Here are the most significant new facts we learned yesterday:
The documents, provided earlier this summer to The Washington Post by former NSA contractor Edward Snowden, include a level of detail and analysis that is not routinely shared with Congress or the special court that oversees surveillance.
The NSA, on at least one occasion, decided not to report a violation of Americans’ privacy to the FISA court, in violation of court rules:
In one instance, the NSA decided that it need not report the unintended surveillance of Americans. A notable example in 2008 was the interception of a “large number” of calls placed from Washington when a programming error confused the U.S. area code 202 for 20, the international dialing code for Egypt, according to a “quality assurance” review that was not distributed to the NSA’s oversight staff.
In an important statement to the Post, the chief judge of the FISA court essentially says the court does not have enough power to adequately oversee the NSA:
“The FISC is forced to rely upon the accuracy of the information that is provided to the Court,” its chief, U.S. District Judge Reggie B. Walton, said in a written statement to The Washington Post. “The FISC does not have the capacity to investigate issues of noncompliance, and in that respect the FISC is in the same position as any other court when it comes to enforcing [government] compliance with its orders.”
In just a year’s time, from April 1, 2011 through March 31, 2012, there were 2,776 “incidents” of privacy violations. The number of Americans affected is unknown, but much higher than 2,776.
The NSA audit obtained by The Post, dated May 2012, counted 2,776 incidents in the preceding 12 months of unauthorized collection, storage, access to or distribution of legally protected communications. Most were unintended… The most serious incidents included a violation of a court order and unauthorized use of data about more than 3,000 Americans and green-card holders.
The audit only takes into account violations at NSA headquarters in Ft. Meade in Maryland, and omits other NSA locations.
Three government officials, speaking on the condition of anonymity to discuss classified matters, said the number would be substantially higher if it included other NSA operating units and regional collection centers.
The Senate Intelligence Committee, which is supposed to oversee the NSA, did not have a copy of the privacy audit until asked by the Post:
Senate Intelligence Committee Chairman Dianne Feinstein (D-Calif.), who did not receive a copy of the 2012 audit until The Post asked her staff about it, said in a statement late Thursday that the committee “can and should do more to independently verify that NSA’s operations are appropriate, and its reports of compliance incidents are accurate.”
The NSA continues to use secret definitions of ordinary words (see more here) in order to mislead Congress:
One of the documents sheds new light on a statement by NSA Director Keith B. Alexander last year that “we don’t hold data on U.S. citizens.” Some Obama administration officials, speaking on the condition of anonymity, have defended Alexander with assertions that the agency’s internal definition of “data” does not cover “metadata” such as the trillions of American call records that the NSA is now known to have collected and stored since 2006.
...And sometimes even deceive the public about their actual secret definitions:
The NSA’s authoritative definition of data includes those call records. “Signals Intelligence Management Directive 421,” which is quoted in secret oversight and auditing guidelines, states that “raw SIGINT data . . . includes, but is not limited to, unevaluated and/or unminimized transcripts, gists, facsimiles, telex, voice, and some forms of computer-generated data, such as call event records and other Digital Network Intelligence (DNI) metadata as well as DNI message text.”
We also learned that violations of Americans' privacy have increased in recent years:
Despite the quadrupling of the NSA’s oversight staff after a series of significant violations in 2009, the rate of infractions increased throughout 2011 and early 2012. An NSA spokesman declined to disclose whether the trend has continued since last year.
Despite claims to the contrary by the administration, the documents provide further confirmation Americans’ data are stored in the NSA’s database on a massive scale:
The large number of database query incidents, which involve previously collected communications, confirms long-standing suspicions that the NSA’s vast data banks — with code names such as MARINA, PINWALE and XKEYSCORE — house a considerable volume of information about Americans. Ordinarily the identities of people in the United States are masked, but intelligence “customers” may request unmasking, either one case at a time or in standing orders.
Go here to demand Congress authorize a full, independent investigation into the NSA's domestic surveillance powers.