Over at the Washington Post, Barton Gellman has a Snowden-sourced piece revealing that the NSA "has broken privacy rules or overstepped its legal authority thousands of times each year since Congress granted the agency broad new powers in 2008."
According to an internal audit from May 2012, the violations typically come in the form of unauthorized domestic surveillance of Americans or foreign targets. A handful are the result of wayward typographical errors or over-broad search terms. Other infractions seem more serious: one operation, aimed at collecting "multiple communications transactions," was only ruled unconstitutional months after the program's inception.
All in all, the audit found 2,776 "incidents" in the preceding twelve months. Gellman notes that this number may be conservative because the audit only focused on violations occurring at NSA headquarters and other premises in the D.C. area, and did not include other operating units or regional collection centers. In any case, it is impossible to tell how many Americans have been affected by these incidents; "a single 'incident' in February 2012 involved the unlawful retention of 3,032 files that the surveillance court had ordered the NSA to destroy . . . [and e]ach file contained an undisclosed number of telephone call records." To complicate things even further, Gellman documents one required tutorial that explains how NSA employees should cut out "extraneous" details from oversight forms and use generic descriptions instead.
As per Ben's earlier practice, I will not post classified documents on the website. But for those who want to read them, the Washington Post has annotated copies of the May 2012 audit here, some details of an Oct. 3, 2011 FISC ruling holding that the NSA was using unconstitutional methods here, a slide from an NSA presentation about what constitutes a "violation" here, and the aforementioned tutorial here.