The NSA's Ongoing Efforts to Hide Its Lawbreaking

The spy agency touts its commitment to transparency and following the rules. But there are many good reasons to reject its characterizations.

Every quarter, the National Security Agency generates a report on its own lawbreaking and policy violations. The reports are classified and sent to the President’s Intelligence Oversight Board. It's unclear what happens once they get there.

Those reports are now online dating back to late 2001.

The NSA has posted redacted versions of the documents to its website. "These materials show, over a sustained period of time, the depth and rigor of NSA’s commitment to compliance," the agency's self-congratulatory introduction declares. "By emphasizing accountability across all levels of the enterprise, and transparently reporting errors and violations to outside oversight authorities, NSA protects privacy and civil liberties while safeguarding the nation and our allies."

These NSA characterizations are not credible.

Even the uninformed observer will be suspicious of the spy agency's account upon learning that far from voluntarily releasing redacted versions of these documents, it was forced to do so by Freedom of Information Act requests filed by the ACLU. The NSA fought to continue suppressing these documents from the public, even though the redacted versions in no way harm U.S. national security.

A court ordered the documents released.

The next clue that the NSA does not, in fact, believe these documents reflect favorably upon its performance is the timing of the release. They chose to make the reports public on Christmas Eve, knowing that this would minimize news coverage.

As one might expect of reports that the NSA fought to suppress and attempted to release with minimal attention from the press, the newly released documents are less an illustration of  "the depth and rigor of NSA’s commitment to compliance" than the fact that the NSA has, by its own admission, broken the law in every period covered. And these are just violations they self-reported. The NSA construes its mandate so broadly that it doesn't regard logging every number I dial on my phone to be an instance of spying on a U.S. citizen. It continues to regard most of what Edward Snowden revealed to be perfectly legal and appropriate. Yet even with that expansive understanding of its powers, the NSA has not managed to stay within the laws and rules set for itself.

Its ongoing operations proceed with the expectation that laws will be broken every quarter, and that this is acceptable so long as the violations are logged and reported. It would be as if a journalist assured readers of the depth of his commitment to truth-telling by pointing to a backward-looking log documenting fabricated stories he wrote in every four-month period going back to 2001.

The NSA will demonstrate a commitment to lawfulness when it ceases to break laws.

The NSA's supposed emphasis on "accountability" falls apart rather quickly when one realizes what happens when its employees are caught breaking a law. Take a female analyst mentioned in a 2012 report. It explains that for two or three years, "she had searched her spouse's personal telephone directory without his knowledge to obtain names and telephone numbers for targeting." The report adds that "although the investigation is ongoing, the analyst has been advised to cease her activities." As Kevin Drum writes, "She was caught using NSA surveillance facilities to spy on her husband and was merely told to cease her activities? Wouldn't it be more appropriate to, say, fire her instantly and bar her from possessing any kind of security clearance ever again in her life? What am I missing here?"

Perhaps she knew too much to be fired.

After all, even apart from the lawbreaking and disregard for privacy, you'd think it would be a firing offense to waste time spying on one's lover instead of terrorists or foreign heads of state. Years of doing that wasn't enough for termination?

Surveying similar misdeeds, Kevin Williamson flags a larger problem it illuminates:

These actions do not represent mere violations of NSA policies... but willful violations of the law... If you, citizen, were caught illegally using an NSA database to check up on that girl you met on OkCupid, what do you think would happen?

Do you reckon that you’d get a cease-and-desist letter — or that you’d be scooped up by a team of thick-necked men with very short haircuts and dumped in the darkest oubliette Uncle Sam has available? ...This is an inversion of the right order. In a sane society, people entrusted with state power — from NSA agents down to traffic cops — would be held to a higher standard rather than a lower one, and sanctioned more severely for wrongdoing rather than less.

At The Intercept, Murtaza Hussain notes that "many of the reports appear to deal with instances of human error rather than malicious misuse of agency resources. Nonetheless, many of these errors are potentially serious, including entries suggesting that unminimized U.S. telephone numbers were mistakenly disseminated to unauthorized parties and that military personnel were given unauthorized access to raw traffic databases collected under the Foreign Intelligence Services Act."

And even regular instances of human error should be alarming for at least two reasons. First, they suggest that the NSA maintains procedures and infrastructure wherein routine human error can result in laws being broken and significant privacy breaches. Second, in a system where human error routinely results in such abuses, wouldn't it be relatively easy to mask a willful, targeted abuse as a mere error? To spy on a target despite the flagrant illegality of doing so, just reverse engineer the plausible "errors" that would expose what one wants.

Don't worry about being caught: it'll be explained away as an unintentional mistake in a very complicated system overseen so well that even such errors are flagged.

Then there are the report's heavily-redacted abuses. They alone make it irresponsible for any media outlet to characterize this release as a compendium of minor transgressions.

Here's an example of a heavily redacted entry documenting a violation of law or policy:

Here's another:

Here's a third:

It's easy to fill in those blank spots with grave abuses... or relatively minor abuses. There's no way of knowing the gravity so long as the redactions remain in place. And the examples above are but a few taken from a single quarterly report.

There's plenty more like them.

Do I trust the NSA to redact these documents appropriately, given its dubious invocations of national security when arguing  that it should never have had to release these reports at all and its record of misrepresenting its actions to overseers? Of course I don't. Neither should you. As Scott Shackford puts it at Reason, "The fact that the ACLU had to fight the NSA to get just this extremely vague information is a reminder of how little the NSA actually supports transparency." Unfortunately, the Obama Administration has often been just as bad.