The National Security Agency was hoping all eyes were on Santa last Wednesday when it took a dump on citizen privacy. Correction (sort of). It dumped a massive set of documents online related to a Presidentially mandated investigation of its mishandling of surveillance data involving U.S. citizens. The reports include quarterlies from 2001 to 2013, covering the post-9/11 era of security hyper-sensitivity. It is an extraordinary document, as it's is a government agency reporting about its own ongoing “activities they have reason to believe may be unlawful of contrary to Executive Order or Presidential Directive,” the preamble outlines.
For your holiday entertainment, the full set of documents are available here. The revelations are the result of a Freedom of Information request by the ACLU.
While the NSA’s malpractice is not directly related to marketing, ad targeting or the general uses of data we usually discuss here, it is a part of a larger skein of privacy, responsible use of consumer data, and citizen perceptions of a digital economy. The reality of NSA shenanigans only adds to people’s awareness of digital insecurity but also the many ways in which people can have their privacy violated by entities that swear up and down that they are following the rules.
To wit, the NSA argues that “the vast majority of compliance incidents involve unintentional technical or human error.” Admittedly, I have not read all of the decade’s worth of reports here. But just doing a little holiday dumpster diving into select years reveals the nature of the serial violations. Among the most common errors found are errors in targeting. In its sweeps of data, the NSA used queries that were too broad and captured so-called “USPs” (U.S. Persons) rather than the foreign nationals the queries intended. In many other cases someone's citizenship was not checked properly, data was retained when it shouldn’t be, and certain jobs were not “de-tasked” properly so that more data were gathered than allowed or intended. But there were also data leaks and sharing of data with people who were not authorized to see it. There has been considerable forwarding of sensitive data via email to the wrong people.
The exact number of violations is hard to determine from this heavily redacted set of reports. In general, numbers of occurrences are blanked. In one case a whole section referring to the use of telephone location techniques was fully redacted.
Buried within the report are those less common but still numerous incidents where data were being deliberately misused by NSA personnel. In one case cited by a New York Daily News report an analyst “reported that during the past two or three years she had searched her spouse’s personal telephone directory without his knowledge to obtain names and phone numbers for targeting.” In other cases an analyst spied on a girlfriend, while others used their access to data to do personal phone look-ups.
The NSA argues that there were only 12 instances since 9/11 of deliberate misuse of data -- or at least 12 that were discovered and investigated.
The data dump shows the real fragility of any system where massive amounts of data are collected indiscriminately for the purposes of later filtering and analysis. The report raises serious questions for any private company (especially data brokers) about how the people in these data-gathering entities themselves access and use personal information honorably.