The Post’s View

Understanding the NSA’s errors

“WE’RE A human-run agency operating in a complex environment with a number of different regulatory regimes, so at times we find ourselves on the wrong side of the line.”

That’s how one senior National Security Agency (NSA) official defended his outfit to The Post. It’s also what’s been making many people nervous about recent reports on the organization’s vast capabilities to collect information about people’s lives. Even if analysts don’t abuse their tools, mistakes happen. The Obama administration has repeatedly assured the public that procedures are in place to limit the NSA’s use of its extraordinary powers, and it even admitted in recently-declassified documents that occasional errors happen. But, until now, the public simply didn’t have a firm sense of how often the process failed.

Washington Post Editorials

Editorials represent the views of The Washington Post as an institution, as determined through debate among members of the editorial board. News reporters and editors never contribute to editorial board discussions, and editorial board members don’t have any role in news coverage.

Read more

Latest Editorials

Obamacare’s winning numbers

Obamacare’s winning numbers

More people signed up, and costs are not as high as predicted.

Culture of indifference

Culture of indifference

After a lack of transparency in the death of Medric Cecil Mills, a central figure escapes judgment.

An accord on Ukraine

An accord on Ukraine

But Russia has to commit to more than just words to avoid further sanctions.

On Friday, The Post published an internal intelligence oversight report detailing “incidents” in which the agency failed to comply with the various restrictions on its massive information-gathering operation. Over a year’s span in 2011 and 2012, NSA employees violated the rules at least 2,776 times. About a tenth of the violations involved typographical errors. Many more involved user errors such as “inaccurate or insufficient research,” “failure to follow standard operating procedures,” and “training issues.”

Automated error detection systems caught a lot of these problems. But sometimes technical systems themselves also led to violations. In one case, the NSA collected U.S. and foreign e-mails in a way its judicial overseers called “deficient on statutory and constitutional grounds,” once they heard about it in 2011.

On Friday, NSA Director of Compliance John DeLong offered some context. The NSA, for example, queries its various databases millions of times per month, he reported. And, he insisted, willful abuse of the NSA’s systems is almost non-existent. Still, even a very-low incident rate can cause discomfort when there is so much the agency can sift through.

At the least, the NSA must be more transparent in its error reporting. It doesn’t need to provide properly-classified operational details in order to admit that it messes up. The audit The Post published not only discloses the raw number of violations in the period it covers, but also breaks down those violations by the legal authorities under which the NSA’s reviews were supposed to take place, such as the Foreign Intelligence Surveillance Act. It’s no secret these authorities exist, so why not do the same regularly, and in public? The agency could also release information on the types of violations it’s seeing — user or systems — and how it caught them. There’s nothing dangerous about any of that.

Mr. DeLong, finally, suggested that the very existence of the audit shows that the compliance program is working. Now that the NSA will be getting a lot more scrutiny, one more question to answer is what, if anything, these sorts of audits have missed.

 
Read what others are saying