U.S. Spy Agency Reports Improper Surveillance of Americans
The NSA, responding to a Freedom of Information Act lawsuit from the American Civil Liberties Union, released a series of required quarterly and annual reports to the President’s Intelligence Oversight Board that cover the period from the fourth quarter of 2001 to the second quarter of 2013.
The heavily-redacted reports include examples of data on Americans being e-mailed to unauthorized recipients, stored in unsecured computers and retained after it was supposed to be destroyed, according to the documents. They were posted on the NSA’s website at around 1:30 p.m. on Christmas Eve.
In a 2012 case, for example, an NSA analyst “searched her spouse’s personal telephone directory without his knowledge to obtain names and telephone numbers for targeting,” according to one report. The analyst “has been advised to cease her activities,” it said.
Other unauthorized cases were a matter of human error, not intentional misconduct.
Last year, an analyst “mistakenly requested” surveillance “of his own personal identifier instead of the selector associated with a foreign intelligence target,” according to another report.
Unauthorized Surveillance
In 2012, an analyst conducted surveillance “on a U.S. organization in a raw traffic database without formal authorization because the analyst incorrectly believed that he was authorized to query due to a potential threat,” according to the fourth-quarter report from 2012. The surveillance yielded nothing.
The NSA’s intensified communications surveillance programs initiated after the Sept. 11, 2001, terrorist attacks on New York and Washington unleashed an international uproar after they were disclosed in classified documents leaked by fugitive former contractor Edward Snowden last year.
No New Legislation
Congress has considered but not passed new legislation to curb the NSA’s collection of bulk telephone calling and other electronic data.
The Privacy and Civil Liberties Oversight Board, created by lawmakers under post-Sept. 11 anti-terrorism laws, issued a 238-page report in January urging the abolition of the bulk collection of Americans’ phone records. The five-member board said the program has provided only “minimal” help in thwarting terrorist attacks.
The ACLU, which filed a lawsuit to access the reports, said the documents shed light on how the surveillance policies of the NSA impact Americans and how information has sometimes been misused.
“The government conducts sweeping surveillance under this authority — surveillance that increasingly puts Americans’ data in the hands of the NSA,” Patrick C. Toomey, staff attorney with the ACLU’s National Security Project, said in an e-mail.
No Oversight
“Despite that fact, this spying is conducted almost entirely in secret and without legislative or judicial oversight,” he said.
The reports show greater oversight by all three branches of government is needed, Toomey added.
The ACLU filed suit to turn a spotlight on an executive order governing intelligence activities that was first issued by President Ronald Reagan in 1981 and has been modified many times since then.
The order allows the NSA to conduct surveillance outside the U.S. While the NSA by law can’t deliberately intercept messages from Americans, it can collect messages that get vacuumed up inadvertently as part of its surveillance of foreigners overseas.
Masking Identities
After foreign intelligence is acquired, “it must be analyzed to remove or mask certain protected categories of information, including U.S. person information, unless specific exceptions apply,” the NSA said in a statement before posting the documents.
The extent of that collection has never been clear.
The agency said today it has multiple layers of checks in place to prevent further errors in intelligence gathering and retention.
“The vast majority of compliance incidents involve unintentional technical or human error,” NSA said in its executive summary. “NSA goes to great lengths to ensure compliance with the Constitution, laws and regulations.”
Report Violations
The intelligence community is required to report potential violations to the oversight board, as well as the Office of the Director of National Intelligence.
In some cases, surveillance of foreign targets continued even when those targets were in the U.S., although such “non-compliant data” were later purged, according to the reports released today.
Some analysts sent intelligence information to other analysts who weren’t authorized to receive it, according to the documents. That information was deleted from recipients’ files when discovered.
Because of the extensive redactions, the publicly available documents don’t make clear how many violations occurred and how many were unlawful. While the reports contain no names or details of specific cases, they show how intelligence analysts sometimes have violated policy to conduct unauthorized surveillance work.
‘Intentional Misuse’
The NSA’s inspector general last year detailed 12 cases of “intentional misuse” of intelligence authorities from 2003 to 2013 in a letter to Senator Charles Grassley, of Iowa, the top Republican on the Senate Judiciary Committee.
Those cases included a member of a U.S. military intelligence unit who violated policy by obtaining the communications of his wife, who was stationed in another country. After a military proceeding, the violator was punished by a reduction in rank, 45 days of extra duty and forfeiture of half of his pay for two months, according to the letter.
In a 2003 case, a civilian employee ordered intelligence collection “of the telephone number of his foreign-national girlfriend without an authorized purpose for approximately one month” to determine whether she was being faithful to him, according to the letter. The employee retired before an investigation could be completed.
Ignoring Restrictions
The NSA acknowledged last year that some of its analysts deliberately ignored restrictions on their authority to spy on Americans multiple times in the past decade.
“Over the past decade, very rare instances of willful violations of NSA’s authorities have been found,” the agency said in a statement to Bloomberg News in August 2013. “NSA takes very seriously allegations of misconduct, and cooperates fully with any investigations — responding as appropriate.”
To contact the reporter on this story: David Lerman in Washington at dlerman1@bloomberg.net
To contact the editors responsible for this story: John Walcott at jwalcott9@bloomberg.net Elizabeth Wasserman
In Holiday Document Dump, NSA Declassifies Compliance Errors

The reports spanned a 12-year period, from 2001 to 2013. According to the agency, Executive Order 12333 — a controversial Reagan-era law — “requires” the NSA to detail and report “intelligence activities they have reason to believe may be unlawful or contrary to Executive Order or Presidential Directive.”
The reports, released in response to a Freedom of Information Act suit from the American Civil Liberties Union, are heavily redacted. That said, they still contain a wealth of information about what sort of errors the NSA makes, both on purpose and not. The language is, naturally, quite dry, but there is still much to glean from the reports, including what sort of compliance issues the NSA encounters, how often, and the mix between accidental and willful issues.
You can find the whole trove here. For quick reference, I’ve selected a few highlights from just the 2012 reports, which I think are illustrative of the overall tone of the other documents. Of course, nothing can beat a full reading on your own, which TechCrunch fully recommends.
First up, The Analyst Who NSA’d Himself:
This is not a rare occurrence, however, and appears to be something of a running prank among analysts:
It seems to happen a lot!
A lot, a lot!
Oh, and the military had access to raw traffic databases under Section 702 of the Foreign Intelligence Surveillance Act. That’s probably not good:
The NSA accidentally emailed out unminimized “US telephone numbers.” Oops:
NSA analysts also executed searches that “produced imprecise results” and “potentially” “returned information about USPs,” or United States Persons (this is repeated in other reports as well):
Next up, an NSA analyst executed a [redacted] number of queries on a “U.S. organization in a raw traffic database without formal authorization.” The analyst received counseling:
Another noted case occurred when an analyst “searched her spouse’s personal telephone directory without his knowledge to obtain names and telephone numbers for targeting.” The NSA continues that the analyst in question was “advised to cease her activities.” Keep in mind that the above is merely a smattering of errors from 2012.
Most of the reports contain entries like the following:
And:
In short, most of the reported errors are more programmatic in nature, dealing with people finding selectors that should have been deleted and the like. Keep in mind that the NSA employs a huge number of employees who have powerful tools, who operate under complex law, all while dealing with fluid situations. That they make the occasional accidental error is neither surprising nor particularly worrisome.
However, the cases of NSA analysts looking themselves up seem to indicate that they have broad capabilities to run queries on phone numbers inside the Section 215 system at their own whim, something that appears to invite abuse. This is amplified by the fact that even trainees are given what appears to be broad berth to query the accumulated data, as the quoted example indicates.
Although opponents of surveillance reform in Congress say no illegal activities have occurred, the NSA reports appear to push back against that claim. Also, a report from 2013 detailed that the NSA managed to break privacy rules thousands of times per year. The above NSA-reported incidents underscore that previous report.
What we can ask next is what percentage of the compliance issues that occur at the NSA are caught. That’s to say, of the reported mistakes, and illegal activities, how many are not caught? It would seem optimistic to presume that all are caught.
http://techcrunch.com/2014/12/25/in-holiday-document-dump-nsa-declassifies-compliance-errors/