Because of the release of top-secret documents in recent days, we actually know more about the government’s multi-layered oversight system than about how private companies safeguard data.
A limited number of NSA analysts can query the accumulated metadata bases, and their computers log in when they seek clearance to do that. The data they seek must be related to a specific foreign terrorist organization. Less than 300 such queries were recorded last year for the telephonic metadata base — the one that provides the number that placed the call, the number called and the time of the call.
In the next step, when more than a number is involved, picking up a communication of an American citizen who is not a target — or data related to a person inside the United States — is considered a non-compliant action. Such a pickup must be reported and the data minimized either through total destruction or removal of the individual’s identification.
At least once every 60 days, the Justice Department and the ODNI conduct oversight of agencies’ activities under the FISA law. These reviews include on-site inspections by a joint Justice/ODNI team that generally includes people with operational experience.
Every six months, the attorney general and the director of national intelligence conduct an assessment and send their report to the FISA court and the House and Senate intelligence and judiciary committees. Those reports include compliance incident reports.
The Justice Department each year publicly reports the number of applications to the FISA court for electronic surveillance (1,789 last year), physical surveillances (78 last year) and searches for business records (212 last year, among which are some for metadata).
In its June 7, 2012, report on the FISA Sunsets Extension Act, the Senate Select Committee on Intelligence said that “relatively few incidents of non-compliance” occurred and that “where such incidents have arisen, they have been the inadvertent result of human error or technical defect and have been promptly reported and remedied.”
Most important, the committee said, “through four years of oversight, the committee has not identified a single case in which a government official engaged in a willful effort to circumvent or violate the law.”
If there is a whistleblower out there who can identify a case in which these records have been misused, he or she apparently has not come forward.
Does that mean it hasn’t happened or will never happen? No. But that’s what oversight is all about — supplemented, of course, by an active and responsible free press.