Internal audit shows NSA often breaks privacy rules, made thousands of violations a year

The Washington Post today published several big scoops related to the National Security Agency's surveillance programs. The paper's investigations were triggered by documents leaked to them "earlier this summer" by former NSA contractor Edward Snowden. He has sought political asylum from a number of nations, and is currently in Moscow. The U.S. wants to charge him with espionage for his revelations.

Barton Gellman writes about an internal NSA audit document which shows that since Congress granted the agency broad new powers in 2008, it has broken privacy rules thousands of times per year–and sometimes because of typos.

In one instance, the NSA decided that it need not report the unintended surveillance of Americans. A notable example in 2008 was the interception of a "large number" of calls placed from Washington when a programming error confused U.S. area code 202 for 20, the international dialing code for Egypt, according to a "quality assurance" review that was not distributed to the NSA's oversight staff.

In another case, the Foreign Intelligence Surveillance Court, which has authority over some NSA operations, did not learn about a new collection method until it had been in operation for many months. The court ruled it unconstitutional.

"The documents, provided earlier this summer to The Washington Post by former NSA contractor Edward Snowden, include a level of detail and analysis that is not routinely shared with Congress or the special court that oversees surveillance," writes Gellman.

One curious side note: the timing of the story's publication. Did President Obama know about the story when he made remarks about the NSA last week which amounted to, "nothing to see here, move along"?

Here are NSA's comments to the Post on the article, after its publication.

A companion report by Carol Leonnig, also released late today by the Post, reveals that the head of the secret FISA court tasked with overseeing the government's vast spying programs "said that its ability do so is limited and that it must trust the government to report when it improperly spies on Americans."

The chief judge of the Foreign Intelligence Surveillance Court said the court lacks the tools to independently verify how often the government's surveillance breaks the court's rules that aim to protect Americans' privacy. Without taking drastic steps, it also cannot check the veracity of the government's assertions that the violations its staff members report are unintentional mistakes.

Read: "Court: Ability to police U.S. spying program limited."

Separately, the Washington Post has published the actual Q1 2012 audit document leaked to the paper by Snowden. "Names redacted by The Post."

The report covers the period from January through March 2012 and includes comparative data for the full preceding year. Its author is director of oversight and compliance for the NSA's Signals Intelligence Directorate, but the scope of the report is narrower. Incidents are counted only if they took place within "NSA-Washington," a term encompassing the Ft. Meade headquarters and nearby facilities. The NSA declined to provide comparable figures for its operations as a whole. A senior intelligence official said only that if all offices and directorates were included, the number of violations would "not double."

Read: "NSA report on privacy violations in the first quarter of 2012."

Here's one interesting subsection: "What to say, and not to say, to 'our overseers'."

Two thoughts on their publication of the NSA's audit file: Will the government now go after the Washington Post, as it is against Snowden, on espionage charges? And, if this is any indication of the sort of journalism we can expect from the Post under new owner Jeff Bezos, it's a good sign.

Below, a (lawful, non-secret) collection of responses to the story, via Twitter.