The NSA violated privacy laws thousands of times in the last five years by spying on US citizens, an internal audit by the super-snoopers has disclosed.
The Washington Post reports that the intelligence agency also overstepped its legal remit since Congress gave it broad powers in 2008.
Most of the violations involved unauthorised surveillance of Americans and foreigners in the US. Problems arose thanks to clumsy operator mistakes, insufficient or inaccurate research, failures to follow the correct procedures and even typos.
Meanwhile, system errors led to further problems, such as failures to recognise foreign phone users who roamed onto US soil but whose data was hoovered up anyway.
An NSA internal audit, leaked to the Washington Post by former NSA contractor turned whistleblower Edward Snowden, logs 2,776 incidents of "unauthorized collection, storage, access to or distribution of legally protected communications" in the year to May 2012.
Most were accidental mishaps where procedures were not followed correctly, but some involved violations of a court order - such as a February 2012 incident involving the unauthorised retention of 3,000 files that a surveillance court had ordered the NSA to destroy.
Violations include unauthorised access to intercepted communications and the use of automated systems without built-in safeguards to prevent unlawful surveillance.
NSA 'marking its own homework'
The audit only covers figures from the NSA's Maryland headquarters and Washington DC offices and not those from its regional collection centres.
In some cases, the NSA decided that it didn't need to report the unintended surveillance of US residents and citizens. One glaring example of unreported dragnet overreach occurred in 2008 when a programming error resulted in the interception of a large number of calls made in the Washington DC area: buggy software confused the US telephone area code 202 with international calls made to Egypt (country code +20).
In another case the Foreign Intelligence Surveillance Court was not told about a data collection programme run by the NSA until months after it was up and running. The court eventually ruled in October 2011 that hoovering up international communications passing through fibre-optic cables in the United States was unconstitutional because Americans' emails and other net traffic were collected. The agency was ordered to drop the collection programme within 30 days unless it figured out a way to filter out US citizens' traffic.
Evading official scrutiny
Another leaked document instructs NSA analysts about how to explain their targeting decisions without giving "extraneous information" to overseers in the Department of Justice, Congress or the special court that scrutinises surveillance. NSA personnel are "instructed to remove details and substitute more generic language in reports to the Justice Department and the Office of the Director of National Intelligence", the Post reports.
This relates to an internal NSA document [PDF] that offers rationales for targeting and provides examples of the kinds of people the NSA may spy on - and that's besides amassing 1.6 per cent of the world's net communications. The document makes for an interesting read.
Other training files explain that analysts do not need to report "incidental" collection of data from US citizens, green-card holders or companies to the NSA Inspector General because (in the opinion of the NSA) it is not deemed a violation of the rules.
Signals intelligence spooks are allowed to use anonymised sets of data routinely, and with supervisory permission they may unmask the identities of US persons in reports to the agency's clients, such as the CIA and US military, among others.
FISA judge: We can't investigate non-compliance
In response to the Post's revelations about its violation of privacy rules, the NSA said it attempts to identify problems "at the earliest possible moment, implement mitigation measures wherever possible, and drive the numbers down".
“We’re a human-run agency operating in a complex environment with a number of different regulatory regimes, so at times we find ourselves on the wrong side of the line,” a senior NSA official told the Post in an interview.
The chief judge of the secret court tasked with overseeing the NSA's dragnet surveillance said his court's powers of scrutiny are limited because it is reliant on government reports of improper spying. There is no independent verification, the Post reports.
"The FISC is forced to rely upon the accuracy of the information that is provided to the Court," its chief, U.S. District Judge Reggie B. Walton, said in a written statement to The Washington Post. "The FISC does not have the capacity to investigate issues of non-compliance, and in that respect the FISC is in the same position as any other court when it comes to enforcing [government] compliance with its orders."
So the FISA court isn't a rubber stamp, they're just totally incapable of overseeing the NSA & has to trust the gov. http://t.co/BpXOhnogGh — Christopher Soghoian (@csoghoian) August 16, 2013
The judge's frank admission pulls the rug out from under repeated assurances from President Obama and his officials that the secret intelligence court provides robust oversight of government surveillance. ®