Breaking the Rules Thousands of Times a Day at The NSA
What does the National Security Agency consider a small or a big number? The Washington Post’s Barton Gellman has a report based on documents the paper got from Edward Snowden about an N.S.A. audit that found two thousand seven hundred and seventy-six “incidents” in 2012 in which it broke its own rules about spying on Americans, either accidentally or on purpose. That is seven times a day, which sounds less like a slip than a ritual. But to call those violations frequent, according to the agency, would be to misunderstand the scale of its operations: “You can look at it as a percentage of our total activity that occurs each day,” a senior N.S.A. official told the paper. “You look at a number in absolute terms that looks big, and when you look at it in relative terms, it looks a little different.” We spy so much that the math gets hard; even thousands of privacy and legal violations can’t really be held against us.
But how many thousands? As it turns out, there are numbers packed into the numbers. An “incident” can have affected multiple people—even multitudes. In a single one of the two thousand seven hundred and seventy-six cases, someone at the N.S.A. made a mistake in entering a number into a search request. As a result, instead of pulling information on phone calls from Egypt (country code 20) the agency got data on “a large number” of calls from Washington, D.C. (area code 202). How many, and what did they learn? There are more Egyptians than there are Washingtonians, but the N.S.A.’s mandate forbids it from spying on Americans, and singling out an area as politicized as Washington seems particularly unfortunate. Mistyping the country code for Iran could have left analysts looking at calls in North Carolina and Louisiana. Another incident involved “the unlawful retention of 3,032 files that the surveillance court had ordered the NSA to destroy…. Each file contained an undisclosed number of telephone call records.” The Post said that it was not able to tell how many Americans were affected in all. Those two examples suggest that the number could be very, very big—even by the N.S.A.’s standards.
There are other ways the number multiplies. One incident involved someone the N.S.A. continued to target well after it confirmed that he had a green card, and was therefore off limits. There were four “selectors” associated with this person—these might be things like e-mail addresses or phone numbers—which led to requests for “881 cuts in NUCLEON,” a program that collects the contents of phone calls; thirty-two reports; and “serialized dissemination” of information to other parts of the government. There are many ways to get on a list; what seems hard is getting off of one.
The information spreads, and it contracts or is flattened: in a training document the Post published (in redacted form), analysts were told not to give their “overseers” any “extraneous information.” The rationale for a surveillance request should be “no longer than one short sentence”—and in particular that “your rationale MUST NOT contain any additional information including: probable cause-like information.” One fictional example in the training document involves a target named “Mohammad Badguy” whose name was found on the buddy list of his brother-in-law, who had some connection to Al Qaeda in Somalia. In the request, the part about being brothers-in-law is omitted: there is just selector, buddy list, Al Qaeda.
Suspicion becomes an indexing label. Everyone is a Badguy.
The audit shows that the N.S.A. considered most of the incidents to be errors—“operator error” or “computer error.” There were a lot of typos; that’s darkly funny, if you’re in the right mood. But “error” is a bit of a dodge. It includes categories like “did not follow standard operating procedures”—by mistake?—“training issues” and “workload issues.” Also, too-broad search terms, like “any communications that mentioned both the Swedish manufacturer Ericsson and ‘radio’ or ‘radar.’” What that seems to mean is that a great deal of private American communications are swept into databases because the N.S.A. has people who work for it who don’t follow the rules, don’t know the rules, or are assigned tasks in a way that just leads to rules being broken. That is a structural scandal, not a mistake.
The White House and the N.S.A. have tried to give a different, false impression, talking about occasional mistakes quickly dealt with. The Post notes that the unclassified version of the Administration’s regular report on the agency mentioned “a small number of compliance incidents.” And the audit doesn’t cover all of the N.S.A.’s facilities. Three government officials told the Post that there would be many more violations to count if it did. After the Post story was published, Senators Ron Wyden and Mark Udall issued a statement, saying, “Americans should know that this confirmation is just the tip of a larger iceberg.”
The agency does train its people not to talk too much about broken rules. (The 20-202 error was not reported to the FISA court or Congress, whose members likely had phones with that area code.) The documents make it clear that the agency was telling the court or Congress even less than the little we thought it did. On Friday, Nancy Pelosi, the House Minority leader, called the new report “extremely disturbing”; in another piece, the Post’s Carol Leonnig spoke to the chief judge of the FISA court, Reggie Walton, who said that there wasn’t much he and the other judges could do other than rely on what the N.S.A. told them: the court “does not have the capacity to investigate issues of noncompliance.” According to the audit, the majority of these violations were caught thanks to automated alerts, and not because someone at the N.S.A. raised his or her hand. (The one who did, ultimately and emphatically, was Edward Snowden.) Is that because the alerts were so strict, or the humans so lax? Which number is wrong?
© 2013 The New Yorker