What is really going on at the NSA?


James Comey, left, with outgoing FBI Director Robert Mueller at a ceremony announcing Comey’s nomination. (Win McNamee/Getty Images)

The Post reported, “The National Security Agency has broken privacy rules or overstepped its legal authority thousands of times each year since Congress granted the agency broad new powers in 2008, according to an internal audit and other top-secret documents.”

I know it is popular to hyperventilate about the National Security Agency (NSA) findings, but the hysteria is disproportionate to what we know. That is the NSA’s fault because it has tried to get by with generalities and platitudes. However, an internal audit is a sign that there were efforts to reduce or eliminate the error rate.

Here are questions I’d like answered before deciding if this is evidence of huge malfeasance, minor incompetence or generally good performance.

In percentage or absolute terms, what is the error rate compared to the total number of bits of data being collected?

The Post notes that there were 2,776 incidents of error since 2008. Was this a 5 percent error rate or a 0.0000005 percent error rate? An information sheet put out by the NSA on Aug. 9 indicates that “According to figures published by a major tech provider, the Internet carries 1,826 Petabytes of information per day. In its foreign intelligence mission, NSA touches about 1.6% of that. However, of the 1.6% of the data, only 0.025% is actually selected for review.” That is still tons and tons of data. If there were only 2,776 errors in five years, it may be one of the best-run programs anywhere in government.

What sorts of problems were reported to Congress and what were not? Were items that were not reported trivial?

The Post reports, “In one instance, the NSA decided that it need not report the unintended surveillance of Americans. A notable example in 2008 was the interception of a ‘large number’ of calls placed from Washington when a programming error confused the U.S. area code 202 for 20, the international dialing code for Egypt, according to a ‘quality assurance’ review that was not distributed to the NSA’s oversight staff.”

The NSA’s Aug. 9 statement asserts that it has “an internal oversight and compliance framework” for catching errors, but we don’t know if the example above was a violation of the framework. Members of Congress who were briefed should be candid about what they already knew.

What happened when an error occurred? Was a U.S. citizen’s e-mail read? Was a phone call listened to? When the error was identified what action was taken to make sure the bit of data was not used in an improper way?

The Post details why errors occurred (“One in 10 incidents is attributed to a typographical error in which an analyst enters an incorrect query and retrieves data about U.S. phone calls or e-mails.”) The Post further tells us that “more serious lapses include unauthorized access to intercepted communications, the distribution of protected content and the use of automated systems without built-in safeguards to prevent unlawful surveillance.” We don’t know what that means in concrete terms about discrete pieces of data. Until we understand the actual damage done by these mistakes and the remedial measures taken, it is hard to reach the conclusion that there were gross and widespread abuses of privacy.

When were the most significant problems identified and did the serious error rate drop significantly after the fix?

From The Post we know that “the rate of infractions increased throughout 2011 and early 2012.” What we don’t know is whether these were minor, inconsequential errors or whether serious lapses escalated. The NSA says it set up a “Director of Compliance position, affirmed by Congress in the FY2010 Intelligence Authorization Bill, which monitors verifiable consistency with laws and policies designed to protect U.S. person information.” What we don’t know is if serious errors dropped off after this was put in place. Has the problem been fixed?

It is also noteworthy that when there was a mix-up, the oversight from the Foreign Intelligence Surveillance Act worked when domestic and foreign e-mails got commingled. (“In October 2011, months after the program got underway, the Foreign Intelligence Surveillance Court ruled that the collection effort was unconstitutional. The court said that the methods used were ‘deficient on statutory and constitutional grounds,’ according to a top-secret summary of the opinion, and it ordered the NSA to comply with standard privacy protections or stop the program.”) The oversight worked on some level, but it remains a mystery as to whether there were gaping holes in the system.

Now, why don’t we know more about all of this so we can evaluate whether we should be assured or up in arms about the defects? It is largely because the administration has done a horrendous job explaining itself. Is its passivity intended to allow critics to shred the programs or is this just reflexive unwillingness to be forthcoming? We don’t know.

Former federal prosecutor Andy McCarthy has defended the program, but he is plainly frustrated. He e-mailed me earlier today: “They have to come up with something that makes people understand why you need everyone’s records in order to detect the suspicious activities of .0000001% of the people in the data-set. If they don’t, we’re cooked. These may be stupid, common bureaucratic errors, but they are much easier for people to grasp, and get pissed about, than it is for them to understand why the records of innocent people are needed in order to catch the guilty people.” If not, he warns, it will be impossible to defend an essential anti-terror operation: “If they can’t do that, we’re going down in flames. And then, once the program is gone, I’m afraid we’ll really be feeling the flames.”

The proper response to the latest revelations is not panic but deep frustration and a demand for data that does more than get the NSA through a news cycle. It must be more forthcoming, or it will lose its mandate. And if the president wants to kill the program, he should say so; otherwise, he should get off the golf links and explain what is going on here.