Privacy Advisor

NSA Audit Reveals Thousands of Privacy Violations

August 16, 2013

By Jedidiah Bracy, CIPP/US, CIPP/E

The Audit

The fallout from leaks provided by former government contractor Edward Snowden continued late Thursday when an internal audit and other top-secret documents (links to all four documents below) were published by The Washington Post. According to the report, the National Security Agency (NSA) broke privacy rules or overstepped its legal authority thousands of times each year, beginning in 2008. Most violations concerned unauthorized surveillance of U.S. citizens or foreign intelligence targets in the U.S. One document reveals that staff were instructed to alter detailed language to more generic language before supplying reports to the Justice Department and the Office of the Director of National Intelligence. In another case, a typographical error caused the collection of all the calls for area code 202—Washington, DC—instead of country code 20, which is for Egypt.

Government Response

The NSA supplied The Post with a statement about the audit disclosure, stating it attempted to identify problems “at the earliest possible moment, implement mitigation measures wherever possible and drive the numbers down.” With White House permission, a senior NSA official told The Post, “We’re a human-run agency operating in a complex environment with a number of different regulatory regimes, so at times we find ourselves on the wrong side of the line.”

Sen. Dianne Feinstein (D-CA), who is chairwoman of the Senate Intelligence Committee and who has defended the NSA’s surveillance programs, said she had not known about the audit and now the committee “can and should do more to independently verify that NSA’s operations are appropriate and its reports of compliance incidents are accurate.”

In a Q&A with Rolling Stone about surveillance and government transparency, Sen. Ron Wyden (D-OR) said, “If we don’t recognize that this is a truly unique moment in America’s constitutional history, our generation’s going to regret it forever.”

President Barack Obama recently called for a new chief privacy officer position within the NSA. The sheer number of violations prompts the question: Would there have been fewer compliance issues if there had been proper staffing?

Mary Ellen Callahan, CIPP/US, former chief privacy officer at the Department of Homeland Security (DHS), told The Privacy Advisor, "Privacy officers need to be involved in the lifecycle of information collection, use and sharing. As I learned at DHS, privacy people need to be involved in every stage, which is why DHS had senior component privacy officers and my office had an oversight/investigatory function. Hands-on accountability is necessary to run a privacy protective program."

FISA Court Judge Speaks; Judicial Oversight Is Limited

In a separate article by The Post, the chief judge of the Foreign Intelligence Surveillance Court (FISC), U.S. District Court Judge Reggie B. Walton, said the ability of the court to oversee the government’s surveillance programs is limited. The court does not have the tools to independently verify the number of times the government violates court rules designed to protect Americans’ privacy, the report states.

Walton said, “The FISC is forced to rely upon the accuracy of the information that is provided to the court…The FISC does not have the capacity to investigate issues of noncompliance, and in that respect, the FISC is in the same position as any other court when it comes to enforcing [government] compliance with its orders.”

Privacy Advocates React

The American Civil Liberties Union issued a press release after the disclosure, calling the compliance violations “jaw-dropping.” Deputy Legal Director Jameel Jaffer said, “Obviously it’s important to know what precisely these compliance incidents involved, and some are more troubling than others. But at least some of these incidents seem to have implicated the privacy of thousands or millions of innocent people.” The Electronic Frontier Foundation said the report confirmed that two pillars of oversight—the executive and judicial branches—“don’t really exist.”

EU Regulators May Investigate for Possible Violations

Jacob Kohnstamm, who heads the Article 29 Working Party, has sent a letter to EU Justice Commissioner Viviane Reding about possibly probing for violations by the U.S. of the EU’s data protection rules, Bloomberg reports. He said the WP29 “considers it is its duty to also assess independently to what extent the protection provided by EU data protection legislation is at risk and possibly breached.”
