You are using an outdated browser.
Please upgrade your browser
and improve your visit to our site.

There's a Perfectly Good NSA Defense that the Obama Administration Isn't Making

I cannot decide if I am more annoyed at the Washington Post or more annoyed at the Obama administration for the way this latest cache of Snowden-leaked NSA documents is playing. I have now gone through the documents with some care, and I find both the Post‘s formulation of the story and the administration’s response to the leak mind-boggling.

The Post, for its part, has managed, in my opinion at least, to completely mislead its readers as to the significance of these documents. The problem is not the paper’s facts. It is with the edifice it has built with those facts.

On the administration’s side of the ledger, if there were a way to botch more completely a public response to these disclosures, I’m not sure I know what it would look like. 

“The National Security Agency has broken privacy rules or overstepped its legal authority thousands of times each year since Congress granted the agency broad new powers to 2008, according to an internal audit and other top-secret documents,” screams the Post‘s lead sentence. In the second paragraph, we learn that “agency personnel are instructed to remove details and substitute more generic language in reports to the Justice Department and Office of the Director of National Intelligence.” Two paragraphs down, the story reports that the FISA Court “did not learn about a new collection method until it had been in operation for months” and then “ruled it unconstitutional.” In a separate story, the paper ominously informs us—again in the lead paragraph—that the FISA Court’s presiding judge, Reggie Walton, has warned that the court’s ability “to provide critical oversight of the government’s vast spying programs . . . is limited and that it must trust the government to report when it improperly spies on Americans.”

What with unconstitutional surveillance, hidden for months from the court, agency officials instructed to withhold information, thousands of privacy violations, and a court enfeebled in its oversight responsibility, you’d think we were dealing with COINTELPRO here.And certainly, the administration’s weedy and defensive response would do nothing to convince you otherwise. “We’re a human-run agency operating in a complex environment with a number of different regulatory regimes, so at times we find ourselves on the wrong side of the line,” a senior NSA official told the Post.Way to go, guys.The administration also issued a collection of statements that are cumulatively about as compelling as its protestations that it does not have to cut off aid to Egypt because it doesn’t have to decide whether or not a coup has taken place.Here’s what an administration here’s what an administration confident in itself, its compliance procedures, and its counterterrorism policies more generally and with the imagination to try to change the narrative would have said:

Shameful as it is that these documents were leaked, they actually should give the public great confidence both in NSA’s internal oversight mechanisms and in the executive and judicial oversight mechanisms outside the agency. They show no evidence of any intentional spying on Americans or abuse of civil liberties. They show a low rate of the sort of errors any complex system of technical collection will inevitably yield. They show robust compliance procedures on the part of the NSA. And they show an earnest, ongoing dialog with the FISA Court over the parameters of the agency’s legal authority and a commitment both to keeping the court informed of activities and to complying with its judgments on their legality. While it took a criminal act to make this record public, we are deeply proud of this record and make no apologies for it.

The underlying documents support every component of this statement the administration for some deer-in-the-headlights reason is not capable of making.

Let’s start with the audit report that supposedly shows thousands of violations of privacy rules and legal breaches. To be clear, not one of these 2,776 “incidents” (over a year at the NSA’s headquarters) involves a decision by any NSA employee to engage in illegal surveillance against an American. They are nearly all inadvertent mistakes of a technical nature—the majority of a few discrete types (See pp. 5-6). The bulk are “roamers,” which take place when a valid foreign intelligence target happens to cross into the United States. The IG report notes that “Roamer incidents are largely unpreventable, even with good target awareness and traffic review, since target travel activities are often unannounced and not easily predicted” (emphasis added).

There are also a fair number of database query errors—that is, typos, confusions of boolean terms like “and” and “or,” syntax errors, and the like. You know . . . mistakes. These mistakes are caught through a combination of automated checking, auditing, and self-reporting. In other words, the fewer than 3,000 incidents reported over the year in question involve the NSA’s own systems—and people—catching and correcting technical errors.

Even the section entitled “Significant Incidents of Non-compliance” (pp. 11-13) does not detail anything like any intentional violation of the privacy rights of Americans. One incident involved the retention of FISA business records material longer than the permitted five years. Another involved an incident in which collection continued against an individual after indications had arisen suggesting he had a green card; this stopped when a senior linguist figured out that those indications had been received and not noticed.

In other words, what this document shows is that among the billions and billions of communications the NSA interacts with every year, it has certain low rate of technical errors, many of them unavoidable, which it dutifully records and counts.

As we used to say in grade school, big whoop. Or rather, it is a big whoop—just for the opposite reason than the Post‘s story suggests.

Then there’s the matter of the supposed withholding of information from the Justice Department and the ODNI—a reference to this document, which contains guidance on what to report in memorializing why an analyst is requesting a targeting. The gravamen of the complaint seems to be that the NSA is telling its people not to provide DOJ and ODNI with more than the question on the electronic form asks. “While we do want to provide our FAA overseers with the information they need, we DO NOT want to give them any extraneous information,” the document says. So if the question asks for the reason you want surveillance, the memo says, give the reason, not the information that underlies reason. The guidance here may reflect, to some degree, what was by some accounts a difficult adjustment for the NSA to having programmatic oversight from the Justice Department and the ODNI at a very granular level.

But come on. It’s hardly a news flash that a secret, clandestine intelligence agency might resist giving out information about its operations when not not legally required to do so.

This is not the stuff of Frank Church.

The Post similarly considers it newsworthy that the NSA isn’t even reporting certain incidental collection against U.S. persons that it handles using minimization procedures—as reflected in this Powerpoint slide. But to think that fact interesting, you really have to not understand the law. Sometimes, the intelligence community does legal collection against a legitimate foreign intelligence target and that target interacts with U.S. persons, against whom our people thus end up collecting information as a collateral matter. There is nothing illegal about that; that is why we have minimization procedures. And the procedures in question are quite clear on this point. The Section 702 minimization procedures require the government to “destroy inadvertently acquired communications of or concerning a United States person at the earliest practical point in the processing cycle at which such communication can be identified” if it “does not contain foreign intelligence information” or “evidence of a crime.” 

Then there’s the matter of the FISA Court’s declaring an unspecified NSA activity illegal under both FISA and the Fourth Amendment. This issue is certainly more substantial than a mere technical error. It provoked an 80-page opinion, after all, and it did involve a finding of illegality by a judicial tribunal on the part of the agency.

But here’s the thing: the FISA Court knew about this incident because the NSA kept it informed of its activities, and as the document (an internal newsletter) the Post cites makes clear in summarizing the incident, the agency was committed to complying with the court’s order and bringing the program (whatever it was precisely) into compliance.

The common mythology is that the FISA Court is a rubber stamp. But in this incident, as the document recounts, “the judge ordered certain ‘upstream’ or ‘passive’ FAA DNI collection to cease after 30 days, unless NSA implements solutions to correct all deficiencies identified in the opinion document.” The agency noted that its components were “coordinating a response, which includes planning to implement a conservative solution in which the higher-risk collection will be sequestered.” This solution is “designed to comply with the judge’s order; however, the judge will have to determine if it does.” It sounds suspiciously like a court here was holding the government to its vision of the law—and the government, even while contemplating an appeal of this decision by the rubber-stamp that wasn’t, was snapping to attention.

This brings us to the Post‘s final point, to which it devotes an entire separate story: that the FISA Court lacks the power to investigate government conduct and is entirely dependent on the government itself to report problems. Again, the paper’s facts are right, but it draws entirely the wrong inferences from them. The story reads:

The FISC is forced to rely upon the accuracy of the information that is provided to the Court,” its chief, U.S. District Judge Reggie B. Walton, said in a written statement to The Washington Post. “The FISC does not have the capacity to investigate issues of noncompliance, and in that respect the FISC is in the same position as any other court when it comes to enforcing [government] compliance with its orders.

I’ve italicized the key line in Judge Walton’s statement, which says very directly something the entire Post story (headline: “Court: Ability to Police U.S. Spying Program Limited”) seems to miss: Courts are not investigative agencies. They nearly always rely on the parties before them to bring to their attention violations of their orders. The oddity of the FISA Court is that its proceedings take place ex parte, so the government is the only party—and thus bears a particular responsibility for candor and openness with the institution. But this is hardly any kind of surprise. Yes, as the Post says breathlessly in its opening, the FISC “must trust the government to report when it improperly spies on Americans.” What we’ve learned from this incident, however, is that the government does so—even when doing so may be costly to its operations.

In the fevered environment in which we are now operating, the NSA can’t catch a break. And perhaps it shouldn’t be able to catch a break. It’s a clandestine spy agency, after all.

But if the administration can’t be troubled to defend it in a full-throated and serious way, why should anyone pause to ask whether we’re pervasively confusing minor technical mistakes with real civil liberties infringements and whether we’re confusing a remarkable big picture portrait of self-policing and intelligence collection under the law with a portrait of rampant spying on Americans?

This story was cross-posted at Lawfare. Benjamin Wittes is editor in chief of Lawfare and a Senior Fellow in Governance Studies at the Brookings Institution.