The lead in the Washington Post’s latest revelations on the NSA says: “The National Security Agency has broken privacy rules or overstepped its legal authority thousands of times each year since Congress granted the agency broad new powers in 2008, according to an internal audit and other top-secret documents.”
If that’s the heart of the story, they left out one crucial detail: the audit only covers the NSA’s activities in the Washington DC area! A few thousand “incidents” of the NSA spying on Americans in the nation’s capital may mean hundreds of thousands of such “incidents” across the country.
In June, NSA director Keith Alexander said that the agency had determined which files Snowden took. It follows, therefore, that administration officials would not subsequently make statements which could later be falsified by information yet to be leaked — unless, of course, Alexander’s claim turned out to be bogus.
Government officials spend half their lives coming up with variations on these two assertions: we know what’s going on, and we’ve got everything under control. Most of the time, neither of those claims is true.
In a series of posts, TechDirt digs into the Post’s report and accompanying documents.
Mike Masnick: Throughout the whole ordeal with the NSA leaks, the one line that we kept hearing from defenders of the program was that not only were these programs legal, no one had shown any abuse by the NSA. That is, even if this program was collecting data on everyone, the NSA had those important tools in place to block it from being abused. At last week’s press conference, this was a key point made by President Obama. NSA boss Keith Alexander insisted that there was no abuse, while Rep. Mike Rogers, the NSA’s prime defender and head of the House Intelligence Committee, similarly insisted that there was no abuse by the NSA. As we noted, that seemed hard to believe, given past revelations of clear abuse.
And… the latest report from the Washington Post based on leaked documents shows that an audit of the NSA’s activities shows it broke privacy rules, mostly to spy on Americans, thousands of times per year:
The National Security Agency has broken privacy rules or overstepped its legal authority thousands of times each year since Congress granted the agency broad new powers in 2008, according to an internal audit and other top-secret documents.
Most of the infractions involve unauthorized surveillance of Americans or foreign intelligence targets in the United States, both of which are restricted by law and executive order. They range from significant violations of law to typographical errors that resulted in unintended interception of U.S. e-mails and telephone calls.
The audit info comes from Ed Snowden’s leaks, so it seems rather incredible that President Obama, Keith Alexander and Mike Rogers didn’t seem to realize that this audit would eventually come to light, showing that they were flat out 100% lying to the American public.
The NSA audit obtained by The Post, dated May 2012, counted 2,776 incidents in the preceding 12 months of unauthorized collection, storage, access to or distribution of legally protected communications. Most were unintended. Many involved failures of due diligence or violations of standard operating procedure. The most serious incidents included a violation of a court order and unauthorized use of data about more than 3,000 Americans and green-card holders.
The NSA’s response to all of this is almost comical:
“We’re a human-run agency operating in a complex environment with a number of different regulatory regimes, so at times we find ourselves on the wrong side of the line,” a senior NSA official said in an interview, speaking with White House permission on the condition of anonymity.
Well, of course! That’s the point that we’ve made over and over and over again here in response to these claims of “no abuse.” The NSA is made up of humans. And when you give humans the power to spy on just about anyone there will always be some abuse. This is why it’s important to limit the collection of information, not promise to stop the abuses. You need to make such abuses much more difficult in the first place. [Continue reading…]
Mike Masnick: It’s already been shown that the Congressional oversight is a joke, because of obstruction by the Intelligence Committee. And now we know that the “oversight” from the courts was similarly a joke. The chief judge of FISC, Reggie Walton, who has reacted angrily in the past to the claims of FISC being a “rubber stamp”, has now admitted that the FISC really can’t check on what the NSA is doing and relies on what they tell him to make sure that they’re not breaking the law.
“The FISC is forced to rely upon the accuracy of the information that is provided to the Court,” its chief, U.S. District Judge Reggie Walton, said in a written statement to The Washington Post. “The FISC does not have the capacity to investigate issues of noncompliance, and in that respect the FISC is in the same position as any other court when it comes to enforcing [government] compliance with its orders.”
That’s not quite true. You see, with “any other court” when it comes to “enforcing compliance” things aren’t all hidden away from everyone, so there is scrutiny to make sure that there’s compliance. Not here. [Continue reading…]
Lesson 4: So you got a U.S. Person Information?
And then explains what to do about it. They’re pretty clear that if you’re directly targeting a US person that’s a problem (and it is, because that’s illegal). If it’s considered “inadvertent” then you also have to stop, write up an incident report and notify people. That sounds reasonable. But… then there’s the “incidental” section. Here, incidental is described as:
You targeted a legitimate foreign entity and acquired information/communications to/from/about a U.S. Person in your results.
That doesn’t seem particularly “incidental” to me. But, here’s the kicker. While with all the other forms of collection the NSA is told to stop, when it’s “incidental” they’re told:
This does not constitute a USSID SP008 violation, so it does not have to be reported in the IG quarterly.
Note that the IG report is the one that was revealed, listing all of the abuses. Yet, here they seem to be indicating that these “incidental” collections of information (and note that it’s not just “metadata” here, but full “communications” as well) aren’t a real problem. [Continue reading…]
Mike Masnick: One of the documents released with the report, via Ed Snowden, shows that NSA agents were directly told to give their overseers as little information as possible. The document explains to agents the process for justifying why they were requesting targeting (i.e., a more detailed look concerning an individual or group — not just at that person’s communications, but potentially anyone even remotely connected to them), and makes it clear that they are to give the bare minimum necessary to fulfill their reporting requirements, but not even the slightest bit beyond that. In fact, they’re told to give a single short sentence, and to make sure it includes no “extraneous information.”
The basic premise of this process is to memorialize why you the analyst have requested targeting. This rationale will be provided to our external FISA Amendment Act (FAA) overseers, the Department of Justice and Office of the Director of National Intelligence, for all FAA targeting.
While we do want to provide our FAA overseers with the information they need, we DO NOT want to give them any extraneous information…. This rationale can be no longer than one short sentence.
[….] Your rationale MUST NOT contain any additional information including: probable cause-like information (i.e., proof of your analytic judgment), how you came to your analytic conclusions, any RAGTIME information, classification marking or selector information.
The document goes on to list a variety of “example” rationale sentences, all pretty short and sweet, which basically demonstrate to NSA agents how to remove any pertinent information for oversight, while still giving a “reason” for targeting someone. It’s a lesson in stripping out information and, as the Washington Post notes, replacing it with “generic” info that will pass muster with the folks supposedly in charge of oversight. As an aside, while parts of them are redacted, there are a few “fake” names given, including “Mohammad Badguy” and “Muhammad Fake Name.” No profiling there. [Continue reading…]