Following a classification review, the National Security Agency (NSA) is releasing in redacted form NSA reports to the President's Intelligence Oversight Board (IOB). The release includes quarterly reports submitted from the fourth quarter of 2001 to the second quarter of 2013. The materials also include four annual reports (2007, 2008, 2009, 2010) which are consolidations of the relevant quarterly reports.
Executive Order 12333, as amended, requires Intelligence Community elements to report to the IOB, in a manner consistent with Executive Order 13462, as amended, intelligence activities they have reason to believe may be unlawful or contrary to Executive Order or Presidential Directive. These reports are also provided to the Office of the Director of National Intelligence. In general, each NSA report contains similar categories of information, including an overview of recent oversight activities conducted by NSA's Office of the Inspector General and the Office of the General Counsel; signals intelligence activities affecting certain protected categories; and descriptions of specific incidents which may have been unlawful or contrary to applicable policies. The vast majority of compliance incidents involve unintentional technical or human error. In the very few cases that involve the intentional misuse of a signals intelligence system, a thorough investigation is completed, the results are reported to the IOB and the Department of Justice as required, and appropriate disciplinary or administrative action is taken (a publicly available letter from NSA's Inspector General to Senator Charles E. Grassley on September 11, 2013, discussed twelve instances of intentional misuse that occurred between January 1, 2003 and September 11, 2013).
NSA goes to great lengths to ensure compliance with the Constitution, laws and regulations. As conveyed in the released materials, an array of technical and human-based checks attempt to identify and correct errors, some amount of which occur naturally in any large, complex system. Nevertheless, as the IOB reports make clear, NSA takes even unintentional errors seriously and institutes corrective action, typically involving at a minimum a combination of training and technical measures designed to prevent recurrences. Data incorrectly acquired is almost always deleted, referred to as the "purge" process.
The released reports demonstrate that NSA has multi-layered protections in place for signals intelligence information. These protections apply across the full spectrum of the signals intelligence process. At the targeting stage, NSA collects only those communications that it is authorized by law to collect in response to valid foreign intelligence and counterintelligence requirements. After foreign intelligence or counterintelligence information is acquired, it must be analyzed to remove or mask certain protected categories of information, including U.S. person information, unless specific exceptions apply. This process is referred to as "minimization." Without appropriate minimization, NSA intelligence reporting generally cannot be distributed to other agencies-"disseminated," in intelligence parlance-even if the other agency requires the information. Reports generated as a result of this process are subject to further constraints on access and handling.
NSA accounts for all identified errors and violations, no matter how slight, in its oversight reporting process. Internally, a wide range of NSA offices currently exercise oversight authority, including the Office of the Inspector General, the Office of the General Counsel, the Office of the Director of Compliance, the Office of Civil Liberties and Privacy, and compliance offices embedded within NSA's mission elements. Externally, errors are reported to a variety of departments and offices across all three branches of government, depending on the nature of the authority involved. The quarterly reports released today are provided to the Department of Defense Senior Intelligence Oversight Official (DOD SIOO) (formerly the Assistant to the Secretary of Defense for Intelligence Oversight (ATSD(IO)), which plays an important role in ensuring NSA operates within the law.
Certain errors in NSA's oversight reports refer to terms that carry specific meaning in the highly regulated domain of signals intelligence. For example, improper "querying" of signals intelligence databases may violate NSA's authorities and regulations. Querying refers to the process of searching NSA's signals intelligence systems. The process of constructing and executing queries is tightly regulated and subject to rigorous technical and human audit controls. Analysts must follow a host of detailed rules when searching for foreign intelligence information. Though the precise contours of the rules vary somewhat across different authorities, they share common hallmarks. Queries may be conducted only for a permissible foreign intelligence or counterintelligence purpose by an analyst with appropriate training and need for the information. And queries must be tightly constructed: overly broad queries are prohibited, as showcased in the released reports. For instance, a query for "improvised explosive devices" would likely be prohibited as overly broad and result in a reportable incident-even if the analyst required the information for her job. Results returned from improper queries may be deleted, and the analyst who submitted the query may be subject to additional training or administrative action as appropriate.
These materials show, over a sustained period of time, the depth and rigor of NSA's commitment to compliance. By emphasizing accountability across all levels of the enterprise, and transparently reporting errors and violations to outside oversight authorities, NSA protects privacy and civil liberties while safeguarding the nation and our allies.