When Internal Oversight Shows Non-Compliance With FISA Rules

A piece in today's Washington Post opens with the claim that the government has been caught up in illegal surveillance: "The federal government has repeatedly violated legal limits governing the surveillance of U.S. citizens . . . ."  The piece goes on to explain that there are "ongoing breaches of legal requirements that limit when Americans are targeted [pursuant to the FISA Amendments Act (FAA)] and [that require the government to] minimize the amount of data collected."  All of which sounds pretty terrible from a privacy-protection viewpoint, yet another installment in a familiar narrative...except that a closer read of the article suggests this is in fact a privacy success story. Only those who read a bit further into the article will learn that the underlying investigation revealing the violations discovered no evidence suggesting that the violations were intentional, that the number of instances of rules being volated is "small," and that in any event the "information collected as a result of these incidents has been or is being purged from data repositories." To be sure, all of that would be cold comfort if the violations had come to light only as a result of a fortunate intervention by, say, a one-off whistleblower, and thus that we could have little reason to expect that such problems would continue to be detected and remedied in due course.  But these violations were not revealed in such a fortuitous way.  Rather, they were detected by ordinary internal audit procedures, and they were duly reported both to the FISC and to Congress pursuant to oversight requirements that Congress included in the FAA for exactly this purpose (as Rep. Steny Hoyer explained at the time, these and related provisions were "critical new oversight and accountability requirements").  In short, this appears to be a story about a well-functioning system of internal controls with mixed internal/external oversight, one that detected failures to comply with relevant rules, reported such failings to multiple external sources, and duly eliminated the inappropriately-obtained information. I do not mean to suggest that the very existence of such errors is unimportant.  On the contrary, all violations of the targeting and minimization rules are significant, even if unintentional. They need to be detected and remedied--as was done here.  The real issue raised by the article is whether the magnitude of the error rate indicates a need for better training, better systems, or some other kind of systemic intervention to push down the error rate further (it goes without saying that there will always be some error rate).  As one of the internal audit reports apparently states, "each [incident] - individually or collectively - may be indicative of patterns, trends, or underlying causes, that might have broader implications," and thus there is a "need for continued focus on measures to address underlying causes."