Days ago, when the Washington Post reported on an internal NSA audit showing thousands of rules violations every year, civil libertarians got the hard proof of rights violations they've long sought. Yet defenders of the NSA insisted that the audit reflected well on the surveillance agency, arguing that a comparison of database queries to violations shows an extremely low error rate. As I explain at length here, that's an almost useless metric for exonerating the NSA. How easy to manipulate that ratio at an agency capable of carrying out automated queries by the millions!
The latest NSA defenses also elide the fact that the abuses documented in the May 2012 audit are the minimum number of violations committed by the NSA, not a comprehensive accounting. This is partly because, per the Post story, the audit "counts only incidents at the NSA's Fort Meade headquarters and other facilities in the Washington area. Three government officials, speaking on the condition of anonymity to discuss classified matters, said the number would be substantially higher if it included other NSA operating units and regional collection centers."
For those reasons alone, Rep. Peter King is misleading Americans when he goes on Fox News and declares the 2012 audit as evidence that the NSA has achieved "99 percent compliance."
But there is an even larger problem with the audit. There is now a new reason to be skeptical that it captured all of the violations at the limited facilities under examination. Why? Give me three paragraphs.
NBC News revealed Tuesday that "more than two months after documents leaked by former contractor Edward Snowden first began appearing in the news media, the National Security Agency still doesn't know the full extent of what he took, according to intelligence community sources." Two separate sources told the network that the NSA doesn't know how many documents were taken or what they are. "One U.S. intelligence official said government officials 'are overwhelmed' trying to account for what Snowden took," the write-up states. "Another said that the NSA has a poor audit capability, which is frustrating efforts to complete a damage assessment."
This flatly contradicts what General Keith Alexander, the NSA's director, has told the public. NBC News gives an example:
Appearing at the Aspen Security Forum on July 18, NSA Director Alexander responded "Yes" when NBC News correspondent Pete Williams asked, "Do you feel you now know what [Snowden] got?" Asked "Was it a lot?", Alexander again said, "Yes." On Tuesday, NSA spokesperson Vanee Vines said Alexander's Aspen answer was not intended as "a hard, 'We know everything, completely,' answer to Williams' question. He did not say the assessment had been completed in absolute terms," Vines added in an email. "The Director answered a question about his general sense."
That attempt to wriggle out of being caught in a lie is incredibly unpersuasive, but there's actually an even more clearcut example of Alexander misrepresenting the NSA's audit capabilities. "The assumption is our people are just out there wheeling and dealing," he told a hacker conference in July. "Nothing could be further from the truth. We have tremendous oversight over these programs. We can audit the actions of our people 100 percent, and we do that." (my emphasis)
If NBC's latest reporting is accurate -- if either of its two intelligence sources are telling the truth -- then the head of the NSA has already publicly misrepresented the audit capabilities of the NSA. And if it can't audit the actions of its people 100 percent, if a subcontractor like Edward Snowden could abscond with an unknown quantity of the most sensitive secrets kept by the NSA in such a way that, even months later, what exactly he took is unknown, it is that much harder to believe that the NSA's May 2012 audit would even be capable of picking up all analyst violations.
As the ACLU points out, there is an additional problem with NSA audits as well: the gaping loophole that exempts a large subsection of data on Americans from the "audit-trail" requirement. Knowing all that, you can see why it's frustrating to read Benjamin Wittes's NSA-friendly take on the Washington Post audit story, especially his quip about what the NSA decides not to reveal to overseers: "This is not the stuff of Frank Church."
Senator Church conducted an intrusive, adversarial, independent investigation into America's surveillance agencies. The NSA conducted a constrained, internal audit that significantly undercounts violations.
So no, the documented problems don't compare to what Frank Church documented! But a Church Committee-style inquiry into clandestine agencies since September 11 could conceivably rival the Church Committee Report, which is reason enough for Congress to commission it. Increased transparency and oversight served America well back then, and it would today too. And even if nothing alarming was discovered tens of millions of Americans would feel better.