X

NSA violated privacy rules thousands of times, audit finds

Transgressions ranged from serious legal violations to typos that led to unintended data collection, according to documents supplied to The Washington Post.

Steven Musil Night Editor / News
Steven Musil is the night news editor at CNET News. He's been hooked on tech since learning BASIC in the late '70s. When not cleaning up after his daughter and son, Steven can be found pedaling around the San Francisco Bay Area. Before joining CNET in 2000, Steven spent 10 years at various Bay Area newspapers.
Expertise I have more than 30 years' experience in journalism in the heart of the Silicon Valley.
Steven Musil
3 min read
The National Security Agency's headquarters in Ft. Meade, Maryland, in an undated file photo.
The National Security Agency's headquarters in Ft. Meade, Md. NSA

The National Security Agency exceeded its legal authority and broke agency rules thousands of times since it was granted broader powers in 2008, according to an internal agency audit obtained by The Washington Post.

Most violations involved unauthorized surveillance of Americans or foreign intelligence targets in the U.S., according to the documents, which were supplied to the newspaper by NSA whistleblower Edward Snowden. The documents show infractions ranging from serious legal violations to typographical errors that resulted in unintended data collection, The Post reported.

The agency was not always forthcoming with the details of its transgressions, the Post found. A quality assurance report not shared with an oversight committee found that a "large number" of calls were placed to Egypt 2008 when the U.S. area code 202 was mistakenly entered as 20. In another case, the Foreign Intelligence Surveillance Court, which reviews NSA warrant requests, was not made aware of a new collection method until it had been in place for several months. The court ultimately ruled it unconstitutional, the Post reported.

The audit, dated May 2012, uncovered 2,776 incidents in the preceding 12 months of unauthorized collection, storage, access to or distribution of legally protected communications, the Post reported. One of those cases involved the unauthorized use of data on 3,000 Americans and green-card holders.

An anonymous representative defended the agency's record in an interview with the Post.

"We're a human-run agency operating in a complex environment with a number of different regulatory regimes, so at times we find ourselves on the wrong side of the line," the senior NSA official said, speaking with White House permission. "You can look at it as a percentage of our total activity that occurs each day. You look at a number in absolute terms that looks big, and when you look at it in relative terms, it looks a little different."

The Obama administration, which has defended the NSA activities, has never publicly addressed the agency's compliance record, the Post noted. However, the NSA Director of Compliance John DeLong defended the agency's procedures, saying it had in recent years quadrupled the number of personnel working in its privacy compliance program:

We want people to report if they have made a mistake or even if they believe that an NSA activity is not consistent with the rules. NSA, like other regulated organizations, also has a "hotline" for people to report -- and no adverse action or reprisal can be taken for the simple act of reporting. We take each report seriously, investigate the matter, address the issue, constantly look for trends, and address them as well -- all as a part of NSA's internal oversight and compliance efforts. What's more, we keep our overseers informed through both immediate reporting and periodic reporting. Our internal privacy compliance program has more than 300 personnel assigned to it: a fourfold increase since 2009. They manage NSA's rules, train personnel, develop and implement technical safeguards, and set up systems to continually monitor and guide NSA's activities. We take this work very seriously.

The NSA later offered this as a substitute statement:

"NSA's foreign intelligence collection activities are continually audited and overseen internally and externally," the NSA said. "When NSA makes a mistake in carrying out its foreign intelligence mission, the agency reports the issue internally and to federal overseers -- and aggressively gets to the bottom of it."

Updated at 8:20 p.m. PT with companion NSA statement.