August 17, 2013

“WE’RE A human-run agency operating in a complex environment with a number of different regulatory regimes, so at times we find ourselves on the wrong side of the line.”

That’s how one senior National Security Agency (NSA) official defended his outfit to The Post. It’s also what’s been making many people nervous about recent reports on the organization’s vast capabilities to collect information about people’s lives. Even if analysts don’t abuse their tools, mistakes happen. The Obama administration has repeatedly assured the public that procedures are in place to limit the NSA’s use of its extraordinary powers, and it even admitted in recently-declassified documents that occasional errors happen. But, until now, the public simply didn’t have a firm sense of how often the process failed.

On Friday, The Post published an internal intelligence oversight report detailing “incidents” in which the agency failed to comply with the various restrictions on its massive information-gathering operation. Over a year’s span in 2011 and 2012, NSA employees violated the rules at least 2,776 times. About a tenth of the violations involved typographical errors. Many more involved user errors such as “inaccurate or insufficient research,” “failure to follow standard operating procedures,” and “training issues.”

Automated error detection systems caught a lot of these problems. But sometimes technical systems themselves also led to violations. In one case, the NSA collected U.S. and foreign e-mails in a way its judicial overseers called “deficient on statutory and constitutional grounds,” once they heard about it in 2011.

On Friday, NSA Director of Compliance John DeLong offered some context. The NSA, for example, queries its various databases millions of times per month, he reported. And, he insisted, willful abuse of the NSA’s systems is almost non-existent. Still, even a very-low incident rate can cause discomfort when there is so much the agency can sift through.

At the least, the NSA must be more transparent in its error reporting. It doesn’t need to provide properly-classified operational details in order to admit that it messes up. The audit The Post published not only discloses the raw number of violations in the period it covers, but also breaks down those violations by the legal authorities under which the NSA’s reviews were supposed to take place, such as the Foreign Intelligence Surveillance Act. It’s no secret these authorities exist, so why not do the same regularly, and in public? The agency could also release information on the types of violations it’s seeing — user or systems — and how it caught them. There’s nothing dangerous about any of that.

Mr. DeLong, finally, suggested that the very existence of the audit shows that the compliance program is working. Now that the NSA will be getting a lot more scrutiny, one more question to answer is what, if anything, these sorts of audits have missed.