The Lack of NSA Supervision

As I noted in my last post, President Obama and the NSA are saying, “Trust us, we’re not doing anything wrong and we’re not spying on Americans.” Even if that were the case, I argued, the wholesale collection of data on Americans’ communications “just in case” is contrary to the principles enshrined in the 4th Amendment and the concept of innocent until proven guilty.

The latest hand grenade tossed by Edward Snowden and reported by the Washington Post is the results of an internal NSA audit disclosing that:

The National Security Agency has broken privacy rules or overstepped its legal authority thousands of times each year since Congress granted the agency broad new powers in 2008. Most of the infractions involve unauthorized surveillance of Americans or foreign intelligence targets in the United States, both of which are restricted by law and executive order. They range from significant violations of law to typographical errors that resulted in unintended interception of U.S. emails and telephone calls…

The audit … dated May 2012, counted 2,776 incidents in the preceding 12 months of unauthorized collection, storage, access to or distribution of legally protected communications. Most were unintended. Many involved failures of due diligence or violations of standard operating procedure. The most serious incidents included a violation of a court order and unauthorized use of data about more than 3,000 Americans and green-card holders.

According to the audit in one case the NSA implemented a new collection methodology and operated it for several months before disclosing it to the FISA court, which held the new methodology unconstitutional.

But the most interesting item (to me) is the 2008 interception of a “large number” of calls placed from Washington due to a supposed “programming error” that confused the Washington, DC area code 202 for 20, the international dialing code for Egypt. While it’s possible that was a programming error, the people who work at Ft. Meade live and work within local calling distance of Washington, DC. If I wanted data on calls being made (perhaps by a spouse, ex-, whomever) and didn’t want to get fired for it, I’d commit a plausible “programming error” that just happened to capture the data I wanted along with a large amount of other noise.

Consistent with the principle of innocent until proven guilty, Jennifer Rubin at the Post makes some excellent points about how we should investigate more before we hyperventilate too much about the audit. Among other things, she says:

In percentage or absolute terms, what is the error rate compared to the total number of bits of data being collected? The Post notes that there were 2,776 incidents of error since 2008. Was this a 5 percent error rate or a 0.0000005 percent error rate? An information sheet put out by the NSA on Aug. 9 indicates that “According to figures published by a major tech provider, the Internet carries 1,826 Petabytes of information per day. In its foreign intelligence mission, NSA touches about 1.6% of that. However, of the 1.6% of the data, only 0.025% is actually selected for review.” That is still tons and tons of data. If there were only 2,776 errors in five years, it may be of the best-run programs anywhere in government.

An important piece of information is that one error can cause a significant amount of unauthorized data to be collected. The 202 vs. 20 error could have collected thousands if not millions of calls. Similarly, as one commentator joked “This is why somehow the NSA wound up with every e-mail sent to or from the state of Georgia, after that same programming error mistook it for the former Soviet republic.”

Rubin continues:

What happened when an error occurred? Was a U.S. citizen’s e-mail read? Was a phone call listened to? When the error was identified what action was taken to make sure the bit of data was not used in an improper way?

When were the most significant problems identified and did the serious error rate drop significantly after the fix?

Both of these are excellent questions, and we should get answers to them from the Administration. However, neither of them justify the level of intrusion that has been committed.

Finally, she asks, “What sorts of problems were reported to Congress and what were not? Were items that were not reported trivial?” She notes that the NSA decided the 202 vs. 20 “error” was sufficiently trivial that it did not need to be reported to Congress. Given that Congress itself sits within the 202 area code, and many members live in the 202 area code and have cell phones with 202 area codes, it seems a little self-serving to decide not to disclose to your supervising authority that you “accidentally” might have captured data about all of their phone calls because that was “trivial.”

Up to this point, the government has claimed that the NSA is well supervised. Leaving aside the “fox guarding the hen house” nature of the NSA deciding which issues it should report to Congress and which ones are trivial, it also turns out that Congress’ ability to supervise the NSA involves looking at heavily redacted reports while sitting in a locked room without being allowed to take notes. And only 10% of members of Congress have staffers with the security clearance necessary to even enter the room. As Glenn Greenwald recently documented, “Members of Congress have been repeatedly thwarted when attempting to learn basic information about the National Security Agency (NSA) and the secret FISA court…”

But, as reported by the Post, according to the Chief Judge of the FISA court – the court that is supposed to supervise the NSA’s monitoring – “the court lacks the tools to independently verify how often the government’s surveillance breaks the court’s rules that aim to protect Americans’ privacy. Without taking drastic steps, it also cannot check the veracity of the government’s assertions that the violations its staff members report are unintentional mistakes.”

Before the Post story about the NSA audit, President Obama said, “In other words, it’s not enough for me as president to have confidence in these programs. The American people need to have confidence in them, as well.”

The people at the NSA are human. They make mistakes and they are trying to do a difficult job. However, for us to have confidence that our Constitutional and human rights are not being violated, there is supposed to be significant monitoring of these programs. If the recent disclosures are correct, that monitoring is poorly designed (at best) and is being actively thwarted (at worst).

– The NSA itself decides which violations are “trivial” and which should be reported.
– The FISA court relies on the NSA to disclose the things the FISA court should review and lacks the staff and the technical ability to actually supervise what the NSA is doing.
– Congress relies on the NSA to disclose things, only a few members of Congress have staffers who can review the NSA reports on itself, and those who don’t appear to be refused access to information they need.

As I noted before, the basic premise of the monitoring currently performed by the NSA is contrary to some of our country’s founding principles and should be stopped. Even if it isn’t stopped, it appears that the oversight structure associated with these programs needs to be significantly restructured so that the NSA is asking specific permission to do things rather than asking forgiveness after the fact.

As President Reagan once said, “Trust, but verify.”


About John Nicholson

I'm a transactional attorney who focuses on structuring and negotiating large outsourcing transactions (both on and offshore). As part of my work, I've specialized in: - Structuring and negotiating large outsourcing transactions (both on and offshore) including IT outsourcing and various BPOs (including HRO, Facilities Management, Procurement, Finance and Accounting), large systems development and implementations; - Assisting with development of RFPs, proposal evaluation, down select, and negotiation; - US and European privacy laws, including US Safe Harbor, and state privacy and data breach notification laws; and - Privacy, security, legal and contractual issues associated with cloud computing. I'm a frequent speaker on outsourcing, privacy and security issues. Before becoming a lawyer, I was the acting IT director for a mid-size company prior to hiring the CIO and project manager for the company's Oracle Financials implementation.
This entry was posted in privacy and tagged , , , , , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s