The recent Washington Post article, via whistleblower Edward Snowden, "NSA report on privacy violations in the first quarter of 2012", has a few figures, which were never intended to be made public, about the inevitable errors in large scale interception and communication data / "metadata" trawling by the United States' National Security Agency (NSA).
Without any individual detail, there is mention of completely predictable errors such as transposing or mis-typing the digits of a telephone number, or failing to narrow a database query sufficiently, either on the original authorisation documentation or at a later stage by a human analyst.
There are also worrying mentions of what are claimed to be merely massive automated data snooping cockups, which can be interpreted as hints of illegal activity, e.g. snooping on all telephone traffic in Washington D.C. (area code 202) during an election year when automated equipment was supposedly "only" snooping on all international phone calls to / from Egypt (international phone prefix 20). Why was that not noticed after an hour or at most a day?
The NSA spin doctors claim that only a tiny percentage of their vast snooping schemes are affected by such (admitted) mistakes, which may reassure US citizens that they are mostly not being snooped on by the NSA, deliberately or accidentally, but that is of no comfort whatsoever to United Kingdom and other "foreign" citizens.
For Spy Blog and the other few readers of the United Kingdom's Regulation of Investigatory Powers Act 2000 Commissioners' Annual Reports, anodyne, detail-free "audits" of the secret surveillance snoopers are familiar and depressing.
However, if we assume that the public servants in the NSA Signals Intelligence Directorate's (SID) director of oversight and compliance office and the UK's Interception of Communications Commissioner have tried to do an honest job, with their deliberately limited resources, the figures which have not been published but revealed (USA) or which have been published & censored (UK) should be compared:
USA
leaked NSA Privacy Violations 2011 - 2012 (.pdf)
(U//FOUO) Figure 1a: Table of the Number of NSAW SID-reported Incidents by Authority

                2QCY11  3QCY11  4QCY11  1QCY12
E.O. 12333         396     390     601     670
FISA               150     198     176     195
TOTAL              546     588     777     865

i.e. 2776 "privacy violations" = "unauthorized collection, storage, access to or distribution of legally protected communications" in 2012, just for the main NSA HQ at Fort Meade in Maryland, not including its other big centres in the USA (Augusta, Georgia; San Antonio, Texas; Honolulu, Hawaii; Denver, Colorado) or foreign stations like Menwith Hill in the UK.
UK
2012 Annual Report of the Interception of Communications Commissioner (.pdf)
page 15
6.4 Interception Errors
Figure 4 - Total Number of Intercept Errors over the previous 5 years
During the reporting year, 55 errors / breaches were reported to my office by public authorities.
N.B. GCHQ only admits to 8 intercept errors, 3 of which were from the previous reporting period, i.e. only 5 for 2012.
Compare this with the over 2700 "privacy violations" admitted to in secret by the NSA for 2012.
Page 27: About half a million Communications Data requests per year for all UK intelligence agencies, police forces, local authorities etc.
Page 28: Just under 1000 Communications Data errors in the last year for all UK intelligence agencies, police forces, local authorities etc.
This figure is higher than the previous year (895). However, as the number of requests has increased by 15% this year, the overall error percentage has actually reduced from 0.18% in 2011 to 0.17% in 2012. I am satisfied that the overall error rate is still low when compared to the number of requests that were made during the course of the reporting year.
Less than 0.2% error rate for all of the United Kingdom's Intelligence Agencies, Police Forces, Local Authorities etc.
N.B. the Interception of Communications Commissioner only audits a tiny sample of the half a million or so Communications Data requests each year.
The UK's GCHQ has about 6,000 employees worldwide compared with the estimated 37,000 to 40,000 at the USA's NSA, i.e. about 7 times as many in total, probably at least 3 or 4 times as many (more than 20,000) at the Fort Meade HQ and nearby facilities which are the subject of the leaked audit report.
The likelihood of human errors, e.g. transpositions of telephone number digits etc., must be similar in both organisations and the technology appears to be identical in many cases, so why is there an apparent discrepancy between the two sets of figures?
Is the NSA in Maryland really orders of magnitude more error prone than GCHQ, even allowing for its bigger size, or are the UK's publicly published figures seriously mis-reporting or covering up the real number of GCHQ intercept errors?
How does over 2700 "privacy violations" a year compare with only low single figures for GCHQ intercepts and less than a thousand Communications Data errors a year for the whole of the United Kingdom, including GCHQ plus the other two UK intelligence agencies, the 50 or so Police Forces and the several hundred, albeit low level, users of Communications Data (Local Authorities' mobile phone subscriber name & address lookups mostly), i.e. National Security and general crime and regulatory infringements?
N.B. It is scandalous that the UK Communications Data figures are not broken down by agency.
There is no conceivable tactical impact on any ongoing counter espionage or counter terrorism investigations which could be harmed by publishing, openly, the figures and percentages of self-defined, self-reported, vague "privacy violations", even broken down by database access programme codeword / cover name.
Both NSA and GCHQ should publish such data openly, so that their respective bosses, i.e. politicians and the people, can get a vague idea as to whether privacy violations are on the increase or not and can adjust their policies and budgets accordingly.