The public summaries of the violations do not say how long the problem went undetected and unreported to the court, or what information was improperly gathered by the agency’s automated collection systems.
“The problems generally involved the implementation of highly sophisticated technology in a complex and ever-changing communications environment which, in some instances, results in the automated tools operating in a manner that was not completely consistent with the specific terms of the Court’s orders,” according to unredacted portions of a December 2009 memo provided to the Senate and House intelligence committees.
Two people familiar with the 2009 flaw said that the agency was collecting more “fields” of information from the customer records of telephone companies than the court had approved. The NSA declined to answer questions about the event.
One senior intelligence official, who was authorized by the White House to speak on the condition of anonymity, described the 2009 incident as a “major event” that prompted the agency to dramatically increase its compliance staff.
“We uncovered some disconnects between us and our overseers, disconnects between what we had put in documentation, the way we had described things in documentation,” the official said.
Although the violation was unintentional, the official said, “it wasn’t always the easiest of discussions” with the court.
The agency paused, “got ourselves with our overseers back into fair territory,” and has since made “substantial improvement” in compliance, the official said.
Privacy advocates say they fear that some violations are never reported to the court.
In January 2008, the NSA appeared to have mistakenly collected data on numerous phone calls from the Washington area code 202, thinking they were foreign phone calls from Egypt, whose country code is 20. According to a 2013 “quality assurance” review of the incident, a communications switch misread the coding of the calls and presumed they were international. The NSA has broad authority that is not subject to the FISA court to collect and monitor foreign communications under certain circumstances.
The description of the 2008 problem suggests that the inadvertent collection of U.S. phone calls was not reported to the FISA court.
“However, the issue pertained to Metadata ONLY so there were no defects to report,” the review stated.
Under FISA rules, the government is required to immediately notify the court if it believes it has violated any of its orders on surveillance.
The government does not typically provide the court with case-specific detail about individual compliance cases, such as the names of people it later learned it was improperly searching in its massive phone or e-mail databases, according to the two people familiar with the court’s work.
In contrast to the dozens of staff available to Congress’s intelligence and judiciary committees, the FISA court has five lawyers to review compliance violation reports.
A staff lawyer can elevate a concern about a significant compliance issue to a judge on the court, according to a letter Walton recently sent to the Senate describing the court’s role.
The court can always demand and obtain more details about cases, but it is unclear how often that occurs. In the past, while grappling with rules for implementing the surveillance programs, judges on the court have requested a visit to NSA headquarters to inspect the operations, the officials said.
Last week, the president said that he recognizes that some Americans may lack trust in the oversight process — in which the secret court approves the rules for collecting Americans’ communications — and that he will work with Congress on reforms, which could include a privacy advocate to the court.
“In other words, it’s not enough for me as president to have confidence in these programs,” Obama said in his news conference. “The American people need to have confidence in them, as well.”
Barton Gellman, Peter Wallsten and Alice Crites contributed to this report.