Thursday, February 12, 2015

In Holiday Document Dump, NSA Declassifies Compliance Errors

The National Security Agency (NSA) on Christmas Eve released a grip of compliance reports that detail its own admitted failures to always operate inside the orbit of the law.
The reports spanned a 12-year period, from 2001 to 2013. According to the agency, Executive Order 12333 — a controversial Reagan-era law — “requires” the NSA to detail and report “intelligence activities they have reason to believe may be unlawful or contrary to Executive Order or Presidential Directive.”
The reports, released in response to a Freedom of Information Act suit from the American Civil Liberties Union, are heavily redacted. That said, they still contain a wealth of information about what sort of errors the NSA makes, both on purpose and not. The language is, naturally, quite dry, but there is still much to glean from the reports, including what sort of compliance issues the NSA encounters, how often, and the mix between accidental and willful issues.
You can find the whole trove here. For quick reference, I’ve selected a few highlights from just the 2012 reports, which I think are illustrative of the overall tone of the other documents. Of course, nothing can beat a full reading on your own, which TechCrunch fully recommends.
First up, The Analyst Who NSA’d Himself:
This is not a rare occurrence, however, and appears to be something of a running prank among analysts:
It seems to happen a lot!
A lot, a lot!
Oh, and the military had access to raw traffic databases under Section 702 of the Foreign Intelligence Surveillance Act. That’s probably not good:
The NSA accidentally emailed out unminimized “US telephone numbers.” Oops:
NSA analysts also executed searches that “produced imprecise results” and “potentially” “returned information about USPs,” or United States Persons (this is repeated in other reports as well):
Next up, an NSA analyst executed a [redacted] number of queries on a “U.S. organization in a raw traffic database without formal authorization.” The analyst received counseling:
Another noted case occurred when an analyst “searched her spouse’s personal telephone directory without his knowledge to obtain names and telephone numbers for targeting.” The NSA continues that the analyst in question was “advised to cease her activities.” Keep in mind that the above is merely a smattering of errors from 2012.
Most of the reports contain entries like the following:
And:
In short, most of the reported errors are more programmatic in nature, dealing with people finding selectors that should have been deleted and the like. Keep in mind that the NSA employs a huge number of employees who have powerful tools, who operate under complex law, all while dealing with fluid situations. That they make the occasional accidental error is neither surprising nor particularly worrisome.
However, the cases of NSA analysts looking themselves up seem to indicate that they have broad capabilities to run queries on phone numbers inside the Section 215 system at their own whim, something that appears to invite abuse. This is amplified by the fact that even trainees are given what appears to be broad berth to query the accumulated data, as the quoted example indicates.
Although opponents of surveillance reform in Congress say no illegal activities have occurred, the NSA reports appear to push back against that claim. Also, a report from 2013 detailed that the NSA managed to break privacy rules thousands of times per year. The above NSA-reported incidents underscore that previous report.
What we can ask next is what percentage of the compliance issues that occur at the NSA are caught. That’s to say, of the reported mistakes and illegal activities, how many are not caught? It would seem optimistic to presume that all are caught.