Here’s a good piece on the NSA internal audit published by the Washington Post and what it really shows us, by Benjamin Wittes: NSA Spying Defense: The Case the Administration Isn’t Making.

Wittes actually makes many of the same points about the document that I have previously:

NSA Uncovered and Corrected More Than 3000 Cases of Unauthorized Access Per Year
Feinstein: No Evidence of Intentional NSA Abuse of Authority

In these two posts I argued that the NSA Oversight & Compliance document actually shows the opposite of the overheated Washington Post portrayal — it contains no evidence whatsoever of deliberate wrongdoing, only errors.

The most common incidents reported were “roaming” cases in which a valid foreign target uses a foreign cell phone while inside the US. The next most common incidents were simple typos by analysts entering database queries with fallible human fingers. The remaining incidents are mostly errors of one kind or another. But there is not a single case in the report of deliberate malicious activity.

Let’s start with the audit report that supposedly shows thousands of violations of privacy rules and legal breaches. To be clear, not one of these 2,776 “incidents” (over a year at the NSA’s headquarters) involves a decision by any NSA employee to engage in illegal surveillance against an American. They are nearly all inadvertent mistakes of a technical nature—the majority of a few discrete types (See pp. 5-6). The bulk are “roamers,” which take place when a valid foreign intelligence target happens to cross into the United States. The IG report notes that “Roamer incidents are largely unpreventable, even with good target awareness and traffic review, since target travel activities are often unannounced and not easily predicted” (emphasis added).

There are also a fair number of database query errors—that is, typos, confusions of boolean terms like “and” and “or,” syntax errors, and the like. You know … mistakes. These mistakes are caught through a combination of automated checking, auditing, and self-reporting. In other words, the fewer than 3,000 incidents reported over the year in question involve the NSA’s own systems—and people—catching and correcting technical errors.

Even the section entitled “Significant Incidents of Non-compliance” (pp. 11-13) does not detail anything like any intentional violation of the privacy rights of Americans. One incident involved the retention of FISA business records material longer than the permitted five years. Another involved an incident in which collection continued against an individual after indications had arisen suggesting he had a green card; this stopped when a senior linguist figured out that those indications had been received and not noticed.

In other words, what this document shows is that among the billions and billions of communications the NSA interacts with every year, it has certain low rate of technical errors, many of them unavoidable, which it dutifully records and counts.

Wittes criticizes the Obama administration for failing to make these same points, and I agree. It’s a wasted opportunity to turn a negatively slanted article into a teaching moment.