NSA Violated Its Own Privacy Rules Over 2,000 Times

    August 16, 2013

Since the NSA’s spy programs were revealed in early June, its proponents have argued that there’s a number of safeguards in place to make sure the agency’s surveillance is under the utmost oversight. A recent report finds that to not be the case.

The Washington Post reports that it has obtained an internal audit of the NSA’s surveillance program from Edward Snowden that shows the agency has violated rules or court orders. The violations aren’t much of a surprise, but the sheer number of violations definitely is. The audit found that there have been 2,776 rule violations over the past few years.

So, what does a violation mean in terms of the NSA? A document, humorously titled, “So you got U.S. Person Information?,” points out what analysts must do when collecting information on a U.S. person through incidental data. The slide says to immediately apply “minimization procedures” and to “focus your report on the foreign end of the communication.” That’s all well and good except that the document also says that incidental data collection doesn’t constitute a violation so it “does not have to be reported.”

What’s more worrisome about this slide is that it says the NSA can keep the incidental data store on its servers. It has to mask the identities of the U.S. person whose data was collected, but it’s still there. The slide also notes that the analyst can obtain permission from a supervisor, not a judge, to unmask the U.S. person if the investigation requires it.

Besides the retention of incidental data, the leaks also show that the NSA is taught to give as little data as possible when requesting surveillance permission from the FISA court. In a perfect world, the government would hand over all the details of its request so the FISA court could make an informed decision on whether or not it should grant the surveillance request. Instead, the NSA is told to not provide the court with any “extraneous information.” According to the slide, extraneous information includes “probable cause-like information (i.e. proof of your analytic jugdment), how you came to your analytic conclusions, any RAGTIME information, classification marking, or selector information.”

As TechDirt points out, these surveillance requests are meant to provide only the bare minimum information necessary to initiate surveillance while the surveillance itself can be used to scoop up all kinds of incidental data. In other words, the NSA is subject to very little oversight by its own design.

In fact, the chief judge for the FISA court, Reggie B. Walton, told The Washington Post that their hands are essentially tied when it comes to granting surveillance orders. He said the FISA court “does not have the capacity to investigate issues of noncompliance, and in that respect the FISC is in the same position as any other court when it comes to enforcing compliance with its orders.”

Walton’s statement is a little worrisome because it pretty much says that the court knows it’s being duped, but they can’t do anything about it. The government has stacked the cards against the FISA court system to make sure that the NSA can get away with anything. It appears that President Obama’s proposal to add a privacy proponent to the court would do very little in a system where the NSA holds the power.