Or: How Histrionics and Hysteria Continue to Drive A Misleading Narrative
As has been discussed in numerous diaries over the last two days, a Washington Post article reported on Thursday that the NSA "broke privacy rules thousands of times" per year, according to a May, 2012, audit covering several intelligence analysis facilities over the course a year, covering the last 3 quarters of 2011 and the first quarter of 2012.
This report has been seized by many purportedly as evidence of a lack of oversight over a supposedly out-of-control NSA which is allegedly abusing its programs to spy illegally on Americans at will.
But looking past all the usual histrionics, hyperbole, and gross exaggerations, what do the report and the audit upon it which it was based actually show? As usual, once the initial hysteria dies down, when one gets past all the usual outrage porn, one discovers that the reality of the "violations" is actually far less sinister, and in fact much more mundane, than suggested in the article and the diaries it spawned here. Indeed, a careful reading of the actual details of the report beyond the hysterical headlines not only confirms that the "violations" were actually just mistakes and errors, most having little or no impact on Americans' communications at all, and representing only an infinitesimally tiny portion of the communications data processed by the faciliities at issue; but also confirms, contrary to the existing narrative, that there are numerous working safeguards in place. An actual close reading of the article and the audit document further demonstrates that there is zero evidence that any of the "violations" were willful or intentional, and confirms, once again, that there is still no evidence of any actual abuse of the programs, much less any policy of abuse.
A healthy dose of reality, in a super-sized cup, below the fold.
Part I: In Which the "Privacy Violations" are Grossly Exaggerated and Over-Hyped
The WaPo report goes to great length to note that the audit reflects 2,776 separate incidents amounting to "violations" of one privacy rule or another. But we have now learned, based on a more detailed analysis of the "violations" by the New York Times, that more than 2/3 of those "violations" consisted entirely of the programs monitoring the foreign communications of foreign targets as they are authorized to do, but failing to recognize when those foreign targets had actually come to the U.S. and brought their foreign cellphones with them. So, in over 1,900 cases, the "violations" had zero to do with Americans' communications at all, but rather resulted solely from a geographic anomaly not picked up by the computer programs, which impacted otherwise perfectly legal, authorized surveillance of foreign calls:
The largest number of episodes — 1,904 — appeared to be “roamers,” in which a foreigner whose cellphone was being wiretapped without a warrant came to the United States, where individual warrants are required.http://www.nytimes.com/...
Which actually, therefore, leaves less than 900 total incidents of errors and mistakes causing inadvertent over-reach across numerous facilities over an entire year -- less than 3 per day among thousands and thousands of analysts and billions and billions of pieces of data! Hardly the doomsday scenario pushed in the WaPo article, by Greenwald, and in various diaries here.
But wait, there's more (or less, in fact). It turns out, again per the more thorough and less histrionic anlysis by the NYT, that the "202"/"20" area code/nation code mix-up is likewise much less alarming than initially suggested by the WaPo article and in diaries and comments here. Indeed, it turns out that when the 202 area code was used instead of the 20 nation code, only metadata and not the calls themselves were collected:
In one case in 2008 . . . the system collected metadata logs about a “large number” of calls dialed from Washington – something it was already doing through a different program – because of a programming error mixing up the district’s area code, 202, with the international dialing code of Egypt, 20.So once again, we see that this supposedly "serious" and "scary" incident turns out to be essentially no incident at all. In this case, there really is no there there, as the error merely resulted in the programs doing what the NSA was already separately authorized by the FISC to do -- collect telephone metadata. But that apparently didn't stop the WaPo and numerous diaries and comments here from hyping this non-incident into a mountain of spying-on-Americans outrage porn:
Some language in the Washington Post story requires a bit of parsing as well. On page one, there is mention of a computer mix-up where Egypt’s calling code (20) is accidentally input as DC’s area code (202), resulting in a “large number” of calls being “intercepted.” However, on page four, the incident is clarified to have only involved collecting the metadata about those calls, and not their content — a key distinction.http://joshuafoust.com/...
This last bit is key. Charlie Savage, a fantastic reporter at the New York Times who’s done wonders in reporting on intelligence issues, had to correct his story when he thought the mention of “intercept” on page one meant “listen to.” Slippery language in reporting — a sadly common trend in a lot of the coverage of the NSA leaks — leads to assumptions that tend to be false. Metadata is not content, and is treated differently under the law and Supreme Court precedent, and that’s an important thing to keep in mind.
And here we see the typical pattern from all of these NSA stories: Lead with the outrageous headline, then hype the scary story, but bury the contradictory clarifications, caveats, and actual facts pages later. And in this case, the factual clarification really matters: The scary-sounding area-code mix-up did not, as widely claimed, result in any eavesdropping on Americans' communications; instead, it merely resulted in the gathering of phone metadata, which the NSA was already doing anyway pursuant to FISC authorization.
Oh, but wait, there's still more (again, actually less)! Just as the WaPo article and its progeny over-hyped the number of of actual incidents having any impact at all on domestic communications, the claim that similar "thousands of violations" occur "each year" is completely unsupported by anything in the audit or any other document cited in the WaPo report. As noted above, and as appears on the face of the audit, it covers a period of one year. So, for that one yearlong period, from the 2Q 2011 through 1Q 2012, there were 2,776 total incidents at the various facilities covered by the audit. But that figure includes the 1900+ foreign roaming non-incidents. So, where does the report get the claim that there are "thousands" of incidents each and every other year, too? Nowhere -- the report doesn't cite any information for any other year, so that claim is apparently based purely and entirely on assumption and speculation. Now, it may turn out that other years have similar error rates as 2Q 2011 - 1Q 2012, but we don't know that, and the WaPo article provides no information to suggest that they know it, either. The article provides no support for the claim at all -- it apparently just makes an assumption and then engages in speculation, yet states its unsubstantiated claim as a fact anyway.
For further reality-based perspective, rather than over-wrought hype, whether there are 900 or 2,700 or more incidents doesn't actually tell us much at all without (a) telling us what the error rate for these NSA programs is; and (b) how that rate compares to other government agencies and/or to other intelligence entities. Notably, the article doesn't say, though such a critical omission apparently didn't stop the outrage and hysterical narrative. To wade through the histrionics, some perspective is in order [and this includes all 2,700 + incidents, not just the less than 900 remaining after accounting for the foreign cellphone "roaming" issue]:
Some math helps to contextualize the violations as well. 2,776 violations in one calendar year averages out to around 7 violations per day (or, perhaps more realistically, 10 violations per business day). The NSA probably employs between 30,000 and 40,000 people, mostly concentrated in the DC area at Ft. Meade in Maryland. Let’s say 1/3 of them are involved in analysis, so anywhere between 10,000 and 13,000. 7 violations per day among 13,000 analysts is actually a very small number in a relative sense. Especially considering the volume of information the NSA tries to sort each day (upwards of billions of pieces of data), 7 violations per day doesn’t sound very significant. That doesn’t make it okay, but it does suggest violations happen rarely, and are far outside the norm.http://joshuafoust.com/...
So, once again, whether we're talking about 900, or 2,700, or an even larger number of incidents, the number of errors and mistakes is incredibly small when compared to the amount of communications data being handled.
Further, putting aside all the exaggeration and hysteria, the WaPo article tells us nothing about how the error rate for these NSA programs compares to other government programs and agencies generally, or to other intelligence programs specifically. As one commentator notes:
We also have no frame of reference to determine whether 2,776 errors in a year is atypical for a large government agency. How many errors per year are generally discovered by internal audits at FBI, ATF, FAA or IRS? Gellman doesn’t say.http://thedailybanter.com/...
Funny thing about the WaPo article -- I always thought the purpose of journalism is to provide as complete and accurate a picture as possible. It turns out, in the era and the area of Glenn Greenwald, hyping a narrrative trumps completeness and accuracy, and that hyped narrative is spreading across other papers now.
And speaking of a false narrative, this brings us to:
Part II: In Which The Narrative Ignores The Oversight and Safeguards Which Caught and Identified These "Violations"
At the outset, one would think it would be unnecessary to point out that the WaPo report on errors and mistakes which led to over-reach by the NSA is only possible because the NSA conducted a regular, thorough compliance audit of its programs. Yet that critical, material fact has been lost amid the usual histrionics and hysteria. To repeat: There were errors and mistakes -- 2,700 + of them -- but they were caught and flagged by the NSA itself. So, the safeguards, including the audit safeguard -- as in, oversight -- worked.
Further, once one has waded through all the hype, one reads -- buried much deeper in the article, of course -- that the vast majority of the incidents listed in the audit were actually caught and flagged by an automated alert safeguard system built into the programs themselves. Funny that these safeguards have been all but entirely ignored in the rush to judgment, huh? Because multiple levels of functioning, vigorous, and effective safeguards do not fit The Narrative:
Moreover, buried deep in the linked report is a graph showing the vast majority of violations were caught by “automated alert.” It’s not entirely clear what that means, but it is suggestive that the NSA has systems in place to catch unauthorized or improper database queries. Also, from a logical perspective, the fact that the NSA audits itself and records these violations — even if they did not present this audit to their oversight committees or the FISC — again suggests they take privacy seriously. The audit also reported violations had gone down 8% in the calendar year under review compared to the previous year. Even if they don’t protect it as much as we’d like them to, it would be tendentious to say they disregard privacy as a matter of course.http://joshuafoust.com/...
Wait -- what??? The report and underlying documents themselves show that there are automatic safeguards built into the system, which catch unauthorized use and inquiries? AND these incidents are actually down 8% from the prior reporting period? What? Where is this critical, material information among the all the hysteria and hype about "violations" and claims of "abuses"? In other words, once one again wades through the bullshit, the reality is that there are multiple safeguards, just as previously disclosed by Dana Priest of the same Washington Post, and those safeguards work.
So, what can we conclude from this? That, contrary to The Narrative, there is -- gasp -- oversight!
It turns out, yes, obviously, NSA has multiple layers of oversight and exhaustive internal audits of the agency and its analysts as a means of both weeding out problems and then mitigating them. The elephant in the room is that the purpose of Gellman’s document, presumably from NSA’s Office of the Inspector General (OIG), is to keep detailed tabs on the agency. But Gellman never explicitly mentioned the OIG, just that the document is an “audit.” But it’s a fair to reach such a conclusion since internal audits are performed by various OIGs within all government agencies and departments.
We’ve been led to infer by Greenwald and others, however, that NSA is a rogue, reckless agency without any oversight; operating in total secrecy and with limitless impunity. That’s simply not the case, and the existence of this document, as well as Gellman’s article, proves it.
So, what other examples oversight and safeguards have been lost amid all the hysteria?
Well, as usual, if one digs past the hysterical headlines and wildly exaggerated conclusions in the WaPo story, one actually finds that there is, in fact, a lot of oversight -- buried in the report and the underlying documents themselves:
There was a “quadrupling of NSA’s oversight staff” in 2009 after the Obama administration came into office.
There are “semi-annual reports to Congress” about NSA “errors and infractions.”
The public can read abbreviated versions of these audits. . . [T]he public can attain a limited peek at NSA’s audits anyway.
There are “regular audits from the Justice Department and the Office of the Director of National Intelligence and periodic reports to Congress and the surveillance court.”In addition, there is the FISC, which the WaPo article notes struck down a new program in 2011. So, as I have pointed out repeatedly for weeks, the FISC is not, in fact, a rubber stamp, but serves as an important, vigorous safeguard against over-reaching:
The very existence of this FISC decision utterly neuters the “FISA is a rubber stamp court” narrative peddled by Greenwald and his groupies.Oh, but wait -- there's even MORE layers of oversight, all conveniently ignored by The Narrative, of course:
There are, of course, the various congressional committees tasked with NSA oversight.
There’s the Privacy & Civil Liberties Oversight Board (PCLOB)
There are ODNI and Justice Department audits like this one.But even more, the NSA expressly provides for further oversight through -- wait for it -- whistleblower protections:
[T]he NSA OIG’s website contains another layer of oversight: a whistleblower hotline . . . to facilitate the reporting of allegations of fraud, waste, abuse, and mismanagement in NSA programs and operations and violations of law, rules, and regulations by NSA employees and contractors, and assigned military.Wow, that's a whole lot of oversight and safeguards! Does anyone remember any of the media reports or DK diaries discussing those revelations from the WaPo article? Yeah, me neither. The Narrative must be served, after all. Why paint a complete picture when you can spin misleading hyperbole instead?
Whistleblowers can remain completely anonymous, but, if not, their identities are protected by Section 7(b) of the Inspector General Act of 1978. . . [E]ven NSA employees can conduct their own micro-oversight and report abuses to the OIG, while being legally protected by numerous legislative statues.
Part III: In Which Glenn Greenwald Goes Off The Rails
So, given all the foregoing fundamental flaws and misleading claims in the latest NSA "story" and The Narrative, how does the poster-boy for fundamentally flawed and misleading NSA reporting, Glenn Greenwald, respond to the fact that it was the NSA's system and audit safeguards and oversight which caught and identified the incidents of over-reach? If you guessed, "Come up with a way to blame the government and push a conspiracy theory instead of acknowledging that it was NSA system and audit safeguards that caught and documented the errors and mistakes," then you're correct!
Faced with the knowledge that it was, in fact, the NSA itself which caught all of these incidents and thoroughly documented them through an audit, and it was, in fact, the carrying out and documenting of that audit that even allowed knowledge of the incidents to come to light, how does Greenwald spin the existence of the audit? As a government conspiracy, naturally:
One key to the WashPost story: the reports
are internal, NSA audits, which means high
likelihood of both under-counting & white-
Good grief. Really, Glenn? If these were supposed to be secret "internal" audits, then why would they be white-washed? Why would they "white-wash" something that no one was supposedly ever supposed to see? And if it's a cover-up, then why would the audit look so bad, at least on its face? If the NSA was secretly trying to abuse the programs and cover up any such abuse, then why would they identifyy and document more than 2,700 separate incidents? If they were were really trying to abuse the programs and get away with it, why document any actual incidents of over-reach at all, much less 2,700 of them? And why, as the article notes, would the DOJ self-report incidents of over-reach to the FISC? As usual, Greenwald's anti-government hysteria makes no sense. But as we know, with Greenwald, if something doesn't fit The Narrative, it must be ignored or explained away, and for Glenn, government conspiracy is always an easy fall-back position. Like I said, good grief.
Part IV: In Which the Reader is Invited to Draw Conclusions About the Continuing, Consistently Dishonest Narrative
So, where does all of this leave us? Well, to begin, contrary to the bullshit spun by Greenwald and his acolytes, we now have confirmation of previous reports that the NSA programs do, in fact, have numerous levels of vigorous oversight and safeguards, both at the system and audit levels:
In total, the article decimates the notion that NSA operates without oversight or self-correcting measures that yield to constitutional mandates.http://thedailybanter.com/...
Further, we know that once again, as always, there are important issues here which need review and reform, but that wading through all of the gross exaggerations, misleading characterizations, and outright bullshit can make that task difficult:
[T]he predictable suspects are screaming “police state” as if police states audit their own misconduct and undertake measures to reduce them over time. Which is a real loss here — there remain serious issues of program design, legal constraints, and oversight issues with the NSA. But, much like drones last year, exaggerations, hyperbole, and florid, borderline unintelligence polemic is replacing any sort of rational discussion about what proper roles are and how effective oversight might be strengthened. And to repeat: that is a real loss.http://joshuafoust.com/...
In other words, there's still no abuse, much less any policy of abuse, and the sky is not falling. It's not even very cloudy.