Spying on Its Own The NSA's Deep Bag of Tricks
Spy on US citizens? We don't do that, the American government claimed. But new NSA documents published by the Washington Post show that the intelligence service violates the law in thousands of instances. Analysts with the agency are free to pick targets as they choose.
With each new publication of documents provided by whistleblower Edward Snowden, the scope of the United States' spying system becomes ever clearer. And each piece of the puzzle reveals yet more lies and half-truths that those who are supposed to be providing oversight for the NSA have used to defend the practices.
New revelations published on Friday in the Washington Post make clear that the legal controls intended as checks and balances for this surveillance system are, at best, ineffective. And the power that NSA analysts have to monitor Internet and telephone data according to whim is enormous. At the same time, intelligence workers take significant efforts not to overburden supervisory authorities with too much information.
"I, sitting at my desk, certainly had the authority to wiretap anyone, from you or your accountant, to a federal judge or even the president, if I had a personal e-mail," Snowden told the Guardian in an interview published in June. Mike Rogers, the Republican chairman of the House Intelligence Committee, said of Snowden's assertion, "He's lying. It's impossible for him to do what he was saying he could do."
But the new documents show that Snowden wasn't lying, and it was Rogers who had it wrong. Whether Rogers did so knowingly or because the Congressman had been deceived by the intelligence service must still be clarified.
Thousands of 'Incidents'
Some 2,776 "incidents" are listed in the classified quarterly report from 2012 that the Washington Post has published in its entirety, with the exception of a few areas that have been blacked out. The report encompasses incidents from the previous 12 months. The report only covers incidents involving NSA facilities in the Washington DC area; the actual global figure could be considerably higher. The "incidents" referred to data for which the NSA does not have authorization to collect, store or analyze.
The only information collection that is not permitted is that of American citizens, but the report shows that their data often lands in the NSA's digital dragnet as by-catch. Each "incident" means that e-mails have been read, contact networks have been mapped and communications have been intercepted. In some cases such data has even been passed on to other US government agencies, like the Drug Enforcement Administration (DEA).
"The majority of incidents in all authorities were database query incidents due to human error," the report, written by the director of oversight and compliance for the NSA's Signals Intelligence Directorate, states. The systems most often involved in those incidents are powerful spying tools like XKeyscore and the NSA's Pinwale database, which can save large quantities of Internet communications data for years.
Among the most common causes given for the unauthorized surveillance is "lack of due diligence," as well as issues like typographical errors, using the wrong search parameters or overly broad syntax in searches. In some cases, data collection continues even though the related order to intercept it has long since expired.
No Built-In Safeguards
A breakdown of the causes of the errors shows that NSA analysts do in fact decide to use the powerful tools at their disposal to conduct surveillance on the people or entitites they want, just as Snowden described. And if they punch in the wrong name or an incorrect email address, then they will also be snooping on the wrong person. The automated systems used to conduct this spying do not appear to have built-in safeguards or controls to prevent unauthorized spying.
A further document published by the Washington Post shows that reporting is required for certain "incidents" and that in those cases, collection must be stopped "immediately." One example given is that of an analyst deliberately targeting a foreign entity who regularly corresponds with a certain person inside the United States with the sole purpose of gathering information about the American citizen. But in other cases, the breaches are not even required to be reported internally. When, for example, a legitimate foreign entity is monitored and communications "to/from/about a US person" are also captured, it is considered "incidental" and does not require reporting.
No 'Extraneous Information'
A further document states that, "While we do want to provide our FAA overseers with the information they need, we DO NOT want to give them any extraneous information." The FAA is a reference to the FISA Amendments Act of 2008, a US intelligence law designed to control electronic surveillance. It is followed by detailed examples of the kind of information the person doing the reporting should not provide, including, for example, "proof of your analytical judgement" that the monitoring is actually appropriate and necessary.
At times, the new report shows, the NSA doesn't even consider it necessary to inform its own regulatory overseers. The Washington Post reports on how the NSA accidentally intercepted a "large number" of calls placed from Washington in 2008 when a programming error confused the US area code 202 for 20, the international dialling code for Egypt. The NSA deemed it did not have to report the error, according to a secret memo from March 2013 cited by the paper. The memo's author determined there were "no defects to report" because "the issue pertained to metadata only" -- in other words, telephone numbers, times calls took place and their duration.
Reggie Walton, the chief judge of the Foreign Intelligence Surveillance Court (FISC), the secret court charged with critical oversight of the government's vast spying programs, issued a written statement to the Washington Post in which he wrote: "The FISC does not have the capacity to investigate issues of non-compliance, and in that respect the FISC is in the same position as any other court when it comes to enforcing (government) compliance with its orders." In addition to providing oversight of the NSA, FISC must also approve many of its activities.
In June, after the first revelations from Snowden were published, President Obama said federal judges had been put in place for the job "who are not subject to political pressure. They've got lifetime tenure as federal judges, and they're empowered to look over our shoulder at the executive branch to make sure that these programs aren't being abused."
The Washington Post also quotes a senior NSA official stating: "We're a human-run agency operating in a complex environment with a number of different regulatory regimes, so at times we find ourselves on the wrong side of the line." The unnamed official added that if the errors are viewed as a percentage of the NSA's total activity, then the figures are relatively small.
But in absolute terms, a small percentage of the NSA's total activity is still vast. Even larger, though, is the number of NSA targets affected who are not US citizens. And they enjoy no protections at all.