The Washington Post's Bart Gellman was one of the reporters who received stolen classified documents from Edward Snowden and who simultaneously, with Glenn Greenwald, broke the news about the National Security Agency's PRISM system back in June. Gellman published another Snowden-based article on Thursday, also based on a top secret Snowden document, with the headline: NSA broke privacy rules thousands of times per year, audit finds.
Gellman's document contained information about 2,776 errors made by both NSA analysts and computers during three-quarters of 2011 and the first quarter of 2012. The infractions included "operator error," "computer error," "typographical errors" and so forth.
More importantly, this was an internal audit, which means... oversight! It turns out, yes, obviously, NSA has multiple layers of oversight and exhaustive internal audits of the agency and its analysts as a means of both weeding out problems and then mitigating them. The elephant in the room is that the purpose of Gellman's document, written by the Signals Intelligence Directorate's (SID) director of oversight and compliance, is to keep detailed tabs on the agency.
We've been led to infer by Greenwald and others, however, that NSA is a rogue, reckless agency without any oversight; operating in total secrecy and with limitless impunity. That's simply not the case, and the existence of this document, as well as Gellman's article, proves it.
Here are some additional positive areas of oversight as reported by Gellman:
--There was a "quadrupling of NSA’s oversight staff" in 2009 after the Obama administration came into office.
--There are "semi-annual reports to Congress" about NSA "errors and infractions."
--The public can read abbreviated versions of these audits. "The limited portions of the reports that can be read by the public acknowledge 'a small number of compliance incidents.'" Obviously, a full public disclosure of agency errors would reveal the nature of NSA's top secret SIGINT operations. But this is evidence that the public can attain a limited peek at NSA's audits anyway.
--There are "regular audits from the Justice Department and the Office of the Director of National Intelligence and periodic reports to Congress and the surveillance court."
--Regarding the surveillance court, Gellman's article reveals a summary of a now infamous 86-page October 2011 decision by the FISA court, which determined that a then-brand new NSA operation was unconstitutional and must be discontinued.
The very existence of this FISC decision utterly neuters the "FISA is a rubber stamp court" narrative peddled by Greenwald and his groupies. In total, the article decimates the notion that NSA operates without oversight or self-correcting measures that yield to constitutional mandates.
While we're here, what are some other layers of oversight? There are, of course, the various congressional committees tasked with NSA oversight. There's the Privacy & Civil Liberties Oversight Board (PCLOB). There are ODNI and Justice Department audits like this one. Via reporter Joshua Foust, the audit indicates that hundreds of errors were nabbed by an "automated alert" system. The document cited by Gellman wouldn't even exist were it not for oversight within NSA. Come to think of it, NSA's Office of the Inspector General website contains another layer of oversight: a whistleblower hotline.
The NSA Office of the Inspector General (OIG) maintains a hotline to facilitate the reporting of allegations of fraud, waste, abuse, and mismanagement in NSA programs and operations and violations of law, rules, and regulations by NSA employees and contractors, and assigned military. If you wish to report such allegations, you may call, send a letter, or e-mail the OIG Hotline as identified at the left.
Whistleblowers can remain completely anonymous, but, if not, their identities are protected by Section 7(b) of the Inspector General Act of 1978. And Edward Snowden, a contractor, would've been able to report his grievances via this channel, among others. Of course there wouldn't have been all of the ensuing melodrama, aggrandizement and, yes, Snowden t-shirts. But the fact remains: even NSA employees can conduct their own micro-oversight and report abuses to the OIG, while being legally protected by numerous legislative statutes.
I agree that mistakes involving sensitive information like the communications of American citizens should be taken seriously and corrected. Clearly, based on the existence of this internal audit, NSA is doing precisely that: taking its errors seriously and repairing them. For the first time in the history of this story, we have the only evidence of actual wrongdoing within NSA (other than Snowden's document theft), although the article doesn't call out any deliberate or malicious violations of the rules. The infractions only appear to be unintentional, incidental glitches in the system, which could easily be discovered in any internal audit -- be it within a large governmental agency that employs thousands of people, or a private corporation of the same size. We also have no frame of reference to determine whether 2,776 errors in a year is atypical for a large government agency. How many errors per year are generally discovered by internal audits at FBI, ATF, FAA or IRS? Gellman doesn't say. Considering the size of each bureaucracy, I refuse to believe any government audit document is a slender volume.
But whatever. The "national discussion" continues based almost entirely upon deliberate ignorance and unnecessary histrionics. Gellman's article has surely added more fuel to this conga-line of misplaced outrage.
Adding... Greenwald via Twitter:
Totally clueless. Why would NSA whitewash a top secret internal audit? To presumably lie to itself?
UPDATE: Joshua Foust provided some enlightening numbers:
Some math helps to contextualize the violations as well. 2,776 violations in one calendar year averages out to around 7 violations per day (or, perhaps more realistically, 10 violations per business day). The NSA probably employs between 30,000 and 40,000 people, mostly concentrated in the DC area at Ft. Meade in Maryland. Let’s say 1/3 of them are involved in analysis, so anywhere between 10,000 and 13,000. 7 violations per day among 13,000 analysts is actually a very small number in a relative sense. Especially considering the volume of information the NSA tries to sort each day (upwards of billions of pieces of data), 7 violations per day doesn’t sound very significant. That doesn’t make it okay, but it does suggest violations happen rarely, and are far outside the norm.
CORRECTION: I originally wrote that the audit was conducted by the Office of the Inspector General. The body of Gellman's article didn't say one way or another. In fact, the audit was conducted by the Director of Oversight & Compliance. The text above was corrected to reflect that. Additionally, Gellman clarified his "per year" and "each year" reporting via Twitter by noting this link, containing statements from NSA to The Washington Post, indicating "thousands" of incidents "per year." That said, I stand by the assertion that given the volume of queries (around 20 million per month, according to NSA) and the number of analysts at Ft. Meade, 2,776 incidents is statistically insignificant.