Privacy and 9/11

[Dave Farber <dave () farber net>]

Delivered-To: dfarber+ () ux13 sp cs cmu edu
Date: Thu, 01 Jan 2004 11:55:15 -0500
From: "sbaker () steptoe com" <sbaker () steptoe com>
Subject: Privacy and 9/11
To: "'dave () farber net'" <dave () farber net>


Dave,

I thought your list might find my recent article in Slate interesting, and a
challenge.  The article is at http://slate.msn.com/id/2093344/.

It actually is a summary of my recent testimony to the 9/11 commission,
which contains considerably more discussion of technology issues but is too
long to reproduce.  It's on the web at
http://www.steptoe.com/publications/280a.pdf.

Stewart Baker

Wall Nuts
The wall between intelligence and law enforcement is killing us.
By Stewart Baker
Posted Wednesday, Dec. 31, 2003, at 1:01 PM PT


Earlier this month, as fears of new al-Qaida attacks mounted, the Justice
Department announced new FBI guidelines that would allow intelligence and
law enforcement agents to work together on terrorism investigations. An ACLU
spokesman was quick to condemn the guidelines as creating the possibility of
"an end run around Fourth Amendment requirements." I used to worry about
that possibility myself. Not any more. Because the alternative is to
maintain a wall of separation between law enforcement and intelligence.
That's what we used to do. And on Sept. 11, 2001, that wall probably cost us
3,000 American lives.

There's a quiet scandal at the heart of Sept. 11; one that for different
reasons neither the government nor the privacy lobby really wants to talk
about. It's this: For two and a half weeks before the attacks, the U.S.
government knew the names of two hijackers. It knew they were al-Qaida
killers and that they were already in the United States. In fact, the two
were living openly under their own names, Khalid al-Mihdhar and Nawaf
al-Hazmi. They used those names for financial transactions, flight school,
to earn frequent flier miles, and to procure a California identity card.

Despite this paper trail, and despite having two and a half weeks to follow
the scent, the FBI couldn't locate either man-at least not until Sept. 11,
when they flew American Airlines Flight 77 into the Pentagon. If we had
found them, there is a real possibility that most or all of the hijackings
would have been prevented. The two shared addresses with Mohamed Atta, who
flew into the North Tower of the World Trade Center, and Marwan Al-Shehhi,
who flew into the South Tower. They were linked to most of the other
hijackers as well. So August 2001 offered our last chance to foil the
attacks. And if we want to stop the next attack, we need to know what went
wrong in August 2001. Despite all the resources of our intelligence and law
enforcement agencies, we did not find two known terrorists living openly.
How could we have failed so badly in such a simple, desperate task?

We couldn't find al-Mihdhar and al-Hazmi in August 2001 because we had
imposed too many rules designed to protect against privacy abuses that were
mainly theoretical. We missed our best chance to save the lives of 3,000
Americans because we spent more effort and imagination guarding against
these theoretical privacy abuses than against terrorism.

I feel some responsibility for sending the government down that road.

In August 2001, the New York FBI intelligence agent looking for al-Mihdhar
and al-Hazmi didn't have the computer access needed to do the job alone. He
requested help from the bureau's criminal investigators and was turned down.
Acting on legal advice, FBI headquarters had refused to involve its criminal
agents. In an e-mail to the New York agent, headquarters staff said: "If
al-Midhar is located, the interview must be conducted by an intel[ligence]
agent. A criminal agent CAN NOT be present at the interview. This case, in
its entirety, is based on intel[ligence]. If at such time as information is
developed indicating the existence of a substantial federal crime, that
information will be passed over the wall according to the proper procedures
and turned over for follow-up criminal investigation."

In a reply message, the New York agent protested the ban on using law
enforcement resources for intelligence investigations in eerily prescient
terms: "[S]ome day someone will die-and wall or not-the public will not
understand why we were not more effective and throwing every resource we had
at certain 'problems.' Let's hope the [lawyers who gave the advice] will
stand behind their decisions then, especially since the biggest threat to us
now, UBL [Usama Bin Laden], is getting the most 'protection.' "

It breaks my heart to read this exchange. That "wall"-between intelligence
and law enforcement-was put in place to protect against a hypothetical risk
to civil liberties that might arise if domestic law enforcement and foreign
intelligence missions were allowed to mix. It was a post-Watergate fix meant
to protect Americans, not kill them. In fact, in 1994, after I left my job
as general counsel to the National Security Agency, I argued that the wall
should be left in place because I accepted the broad assumption that foreign
intelligence-gathering tolerates a degree of intrusiveness, harshness, and
deceit that Americans do not want applied against themselves. I recognized
at the time that these privacy risks were just abstract worries, but I
accepted the conventional wisdom: "However theoretical the risks to civil
liberties may be, they cannot be ignored." I foresaw many practical problems
as well if the wall came down, and I argued for an approach that "preserves,
perhaps even raises, the wall between the two communities."

I was wrong, but not alone, in assigning a high importance to theoretical
privacy risks. In hindsight, that choice seems little short of feckless, for
it made the failures of August and September 2001 nearly inevitable. In 2000
and 2001, the FBI office that handled al-Qaida wiretaps in the United States
was thrown into turmoil because of the heights to which the wall had been
raised. The Foreign Intelligence Surveillance Act Court, the body that
oversees national security wiretaps, had ordered strict procedures to ensure
that such wiretaps were not contaminated by law enforcement purposes. And
when those procedures were not followed strictly, the court barred an FBI
agent from the court because his affidavits did not fully list all contacts
with law enforcement. This mushroomed into a privacy scandal that set the
stage for 9/11.

In the spring and summer of 2001, with al-Qaida's preparations growing even
more intense, the turmoil grew so bad that national security wiretaps were
allowed to lapse-something that had never happened before. It isn't clear
what intelligence we missed, but the loss of those wiretaps was treated as
less troubling than the privacy scandal that now hung over the antiterrorism
effort. The lesson was not lost on the rest of the bureau. According to a
declassified Joint Intelligence Committee report on Sept. 11, "FBI personnel
involved in FISA matters feared the fate of the agent who had been barred
and began to avoid even the most pedestrian contact with personnel in
criminal components of the Bureau or DOJ because it could result in
intensive scrutiny by the Justice Department office that reviewed national
security wiretaps and the FISA Court."

Against this background, it's easy to understand why FBI headquarters and
its lawyers refused to use law enforcement resources in the effort to find
al-Mihdhar and al-Hazmi. To do so would be to risk a further privacy scandal
and put their careers in jeopardy. Viewed in this light, the New York
agent's fight to get law enforcement involved in his search for the
terrorists looks like an act of courage that borders on foolishness. We can
all be thankful for his zeal. But in the end, one agent's zeal was not
enough to overcome the complex web of privacy rules and the machinery of
scandal that we built to enforce those rules.

What lessons can we learn from this tragic unfolding?

First, that the source of this tragedy was not wicked or uncaring officials.
The wall was built by professionals who thought they were acting in the
country's and their agency's best interest. They were focused on the
hypothetical risk to privacy if foreign intelligence and domestic law
enforcement were allowed to mix, and they worried that courts and Congress
would punish them for putting aside these theoretical concerns to combat a
threat that was both foreign and domestic. They feared that years of
successful collaboration would end in disaster if the results of a single
collaboration could be painted as a privacy scandal, so they created an
ever-higher wall to govern operations at the border between domestic law
enforcement and foreign intelligence. As drafted, the rules technically
allowed antiterrorism investigators to do their jobs-if the investigators
were sufficiently determined and creative. For a while they were, but the
FISA court scandal sapped their determination and finally choked off any
practical hope of getting the job done.

The second lesson is that we cannot write rules that will both protect us
from every theoretical risk to privacy and still allow the government to
protect us from terrorists. We cannot fine-tune the system to perfection,
because systems that ought to work can fail. That is why I am profoundly
skeptical of efforts to write new privacy rules and why I would rely instead
on auditing for actual abuses. We should not again put American lives at
risk for the sake of some speculative risk to our civil liberties.

And the final lesson? Perhaps it isn't fair to blame all the people who
helped to create the wall for the failures that occurred in August of 2001.
No one knew then what the cost of building such a separation would be. But
we should know now. We should know that we can't prevent every imaginable
privacy abuse without hampering the fight against terror; that an appetite
for privacy scandals hampers the fight against terror; and that the
consequence of these actions will be more attacks and more dead, perhaps in
numbers we can hardly fathom.

The country and its leaders have had more than two years to consider the
failures of August 2001 and what should be done. In that time, libertarian
Republicans have joined with civil- liberties Democrats to teach the law
enforcement and intelligence communities the lesson that FBI headquarters
taught its hamstrung New York agent: You won't lose your job for failing to
protect Americans, but you will if you run afoul of the privacy lobby. So
the effort to build information technology tools to find terrorists has
stalled. Worse, the wall is back; doubts about legal authority are denying
CIA analysts access to law enforcement information in our new Terrorist
Threat Integration Center. Bit by bit we are recreating the political and
legal climate of August 2001.

And sooner or later, I fear, that August will lead to another September.

---

Stewart Baker heads the technology law practice at Steptoe & Johnson in
Washington, D.C. From 1992 to 1994, he was general counsel of the National
Security Agency. 

-------------------------------------
You are subscribed as interesting-people () lists elistx com
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/