The Washington Post recently published a story about how well the NSA complies with the law. In a leaked, top-secret, internal audit, some alarming details emerged — the agency violated rules and laws about collecting data on people inside the U.S. 2,776 times in a single calendar year — but upon closer examination, an important question comes to mind: What is acceptable conduct by our spy agencies?
The math of the NSA’s violations bears some relevance. The NSA’s compliance director told reporters that it performs “around 20 million” queries per month — or 240,000,000 per year. Assuming they are accurately self-reporting (and if we’re arguing about their internal audit, then we’re implicitly adopting that assumption), that means the audit determined about 0.001156666667 percent of the queries the NSA performs each year are violating laws or regulations.
Digging into the data further, a substantial number of improper collection incidents — around 68 percent — are “roamers,” meaning they were foreigners who were legally surveilled outside the U.S. but happened to travel here, which made continued surveillance illegal. The top-secret report even says this was most likely due to the higher-than-usual number of Chinese visitors to the U.S. for the New Year celebrations.
Another way to look at these numbers is as a percentage of the amount of data the NSA handles. David Gewirtz, a computer scientist and government advisor, crunched some numbers and found something remarkable:
The bottom line is this: the NSA runs about 30 quadrillion bytes through its systems each day. It records about 7 trillion of those bytes. It mistakenly records less than a megabyte a day — less than one MP3 worth of data per day… it looks to me more like a triumph of IT and database engineering.
But that triumph may not be enough. Barton Gellman, the reporter who published this audit, in a follow-up interview with the Washington Post, said (around the 3:20 mark) that many Americans don’t care if the NSA has a 99.99 percent rate of compliance, because the eye-popping number — thousands a year — is still too high. Anti-NSA activists argue the same thing: The actual context of those violations is immaterial; the sheer number of them is too high to ever tolerate. Moreover, these activists allege, the number of violations proves that there is no effective oversight of the NSA’s programs.
Yet that stance also requires some parsing. Around 10 percent of the reported violations involved typos — not malicious intent, but typing something incorrectly into a computer. If 68 percent are foreigners roaming in the U.S., and another 10 percent are simple typos, that means 78 percent of the NSA’s reported rules violations are more accurately characterized as simple errors rather than a “structural scandal,” as some critics have put it.
That leaves 13 percent of the violations attributable to other causes — “system errors,” in the words of the NSA audit, and, most alarmingly, malicious intent (to include intentional disregard of the law). There is no breakdown of how many violations were intentional, which raises an obvious consideration: Rather than assuming intentional law-breaking, as some do, the debate should instead be about what the country’s expectations for compliance and oversight really are.
That’s a much more difficult question to answer. The more vocal NSA critics think a 99.999999999999 percent rate of compliance with the law is not good enough. Whether the country as a whole agrees is left for the public to decide, but if so, then the question is delving into the demand for absolute perfection, along with a fundamental misunderstanding of the technologies and processes involved. It is the mirror image of those who demand perfect security in the face of terrorist acts and just as unrealistic.
Consider the Wall Street Journal’s report about other incidents of NSA surveillance on Americans. The agency is capable of surveilling most of the internet traffic in America, but it also goes out of its way to not do that. Capability and behavior are not the same (though many critics deliberately conflate the two by using the terms interchangeably). Moreover, many of these errors are due to how the internet itself functions, for which there is no obvious technological workaround.
In fact, the audit document even says this plainly:
Roamer incidents are largely unpreventable, even with good target awareness and traffic review, since target travel activities are often unannounced and not easily predicted.
The reality exposed by this document — contra the Post’s headlines and critics’ narrative framing — is that the NSA takes its duty to safeguard Americans’ privacy seriously. One of the programs discussed in the audit was reviewed by the FISA Court and promptly shut down for being illegal. The FISA Court, in other words, performed its oversight function properly and ended a program it determined was illegal.
Looking ahead, it’s unclear what critics would rather the NSA do — “just stop surveillance” is neither a realistic nor a pragmatic response. As Benjamin Wittes of the Brookings Institution put it, “This is not the stuff of Frank Church,” referring to the 1975 Senate committee that scaled back domestic spying.
So knowing that roaming incidents, which constitute the majority of legal violations, cannot feasibly be prevented, what’s left? If a minuscule number of infractions, which are audited and reported, is too much, is there a way to restrain the NSA?
Answering this question isn’t simple. Civil libertarians argue that the entire surveillance program should be de-funded, but that is not yet a mainstream view. Imposing additional judicial scrutiny and ending programs like metadata collection — frequently mentioned by opponents of the NSA — won’t address the problem if people oppose even existing programs (which, as noted above, have a remarkably high compliance rate with the law). There already is judicial review, and metadata collection won’t address the compliance issues that the audit identified.
So what’s left? Few really think intelligence agencies should be disbanded. There is broad recognition of the need for surveillance and analysis. It would be silly to exempt the internet from such scrutiny — far too much of consequence happens there to warrant cutting activities to zero. Moreover, automatically filtering out domestic communications might satisfy a critic’s idea of “collection,” but if traffic is neither stored nor viewed by analysts, it seems unfair to count that as a genuine violation of the law. So how much is enough? When is surveillance of the internet overbroad and not justifiable?
Similarly, it is clear that laws need to be updated. Restricting the collection of metadata is one way to think about this: The world — and the internet! — have changed quite a bit since the 1979 Supreme Court ruling that said metadata is not covered by the Fourth Amendment. Metadata can reveal a great deal about people, especially when analyzed on email. It would make sense to update the laws and regulations to account for that. Many of the laws that govern how computers are regulated and what constitutes crimes in the world of military intelligence are old. The Espionage Act was written in 1917. The Computer Fraud and Abuse Act came in 1986 — a decade before the wide-scale use of the internet for communications and commerce.
But before those laws get much-needed updates, the country needs to have a grander discussion of exactly what tradeoffs it is willing to accept between individual privacy and security. That debate never took place. In 2001, the public mood shifted from indifference to prioritizing security above all else. But it’s been twelve years now since the Twin Towers came down — it is probably time to reevaluate our policies.
That balance is not going to come easily. The current debate is strung between, on the one hand, centrist establishment types who think a strong security apparatus is the only bulwark against mass violence, and on the other, civil libertarians who think government surveillance, by design, is tyranny. A middle ground between the two will eventually be found, but until there is an open and honest debate about what compromises to security and privacy are in the country’s best interest, little will change as the arguments about it only get more emotional and intense.