On what planet are you on where you think Obama wasn't referring to what behavior is permissible under regulations? That's like if Obama said "The FBI is not a drug dealing organization" and then you find out that an FBI agent has been dealing in violation of the law. Is Obama somehow a liar for that? Sweet jesus.
In your hypothetical example, if the FBI had been given (or given itself) official sanction to deal drugs, then someone's (who was responsible for such an instruction), head needs to go on the block, figuratively speaking.
Or, if rules against drug dealing were in place yet were disregarded, not enforced or laughably lax rules were in place regarding the security of seized drugs, then someone in authority has to figuratively swing for it.
Or, if someone was given official instructions to deal drugs, but when news of this reaches the public, people in authority deny everything and let the person who got caught red-handed swing for it, that would be wrong.
http://en.wikipedia.org/wiki/Plausible_deniability
Just to confirm that I'm not a complete idiot though, just because someone in the FBI were to deal drugs, it does not result in Obama being a liar or having broken some promise or held some opinion about the FBI.
Re the main topic:
However, in any organisation big enough, there will always be some rules being broken (with intent or not). The question is, does the organisation take reasonable steps to the head of it to reasonably have a clear conscience when they say that their organisation is law-abiding. Considering the NSA's apparent track record of serial dishonesty, I can't say I have much faith in them, or the intelligence community in the UK either when they trot out the usual crap like "the greater good", "if you have nothing to hide, you have nothing to fear", and "we trust the US with all of our stuff".
One other thing I should point out however, the rule for the general public is "ignorance is no excuse in the eyes of the law", and especially in an organisation whose job is security, they should know the rules with regard to security.
The problem with saying "oh, lots of these were minor offences", is that one or a few such "minor offences" combined with a security breach from an external source (or say leaving a laptop on a train), could lead to catastrophic results. Also factor in "familiarity breeds contempt", the fact that a lot of government entities don't know the difference between password protection and encryption, and an organisation that perhaps doesn't take privacy seriously enough combined with insufficient security, it may as well be a trading station for criminals and foreign powers.
Facebook
Twitter