more on Privacy and 9/11

[Dave Farber <dave () farber net>]

Delivered-To: dfarber+ () ux13 sp cs cmu edu
Date: Sat, 03 Jan 2004 15:13:15 -0800
From: Lee Tien <tien () well com>
Subject: Re: [IP] Privacy and 9/11
X-Sender: tien () mail well com
To: Dave Farber <dave () farber net>
Cc: tien () eff org, eff-civlib () eff org

Dave,

IMHO, Stewart Baker's article tells only a part of the story about
privacy and 9/11.

It talks about how in late August 2001 the FBI couldn't find two
known hijackers (al-Hazmi and al-Mihdhar) in the United States
-- "our last chance" to stop the 9/11 attacks -- and it blames
that failure largely on the so-called "wall" between intelligence
and law enforcement intended to protect the "theoretical" privacy
of U.S. persons (e.g., the Foreign Intelligence Surveillance Act
(FISA) before its amendment by the PATRIOT Act).

I think this is a very questionable argument.  In my view, most of
what went wrong involved managerial, organizational and resource
problems.  Not the law or courts or those who care about privacy.

My main criticism of the article is pretty simple:
It focuses on "our last chance" in late August 2001 but ignores all
the chances missed before then.

It doesn't say that in January 2000, the CIA had intelligence from
overseas that al-Hazmi and al-Mihdhar, already believed to be
al-Qaida members, were coming to the United States
--but didn't put their names on a watchlist that might have kept
them out of the country or led to more information.

It doesn't say that in March 2000, CIA HQ learned that one of the
two men had traveled to Los Angeles on Jan. 15, 2000
--but again didn't put them on a watchlist,
--and didn't tell the FBI about them.
(See below for a more detailed chronology)

Once you think about the chances missed before that "last chance,"
the "wall" looks much less important than the CIA's 18-month
failure to follow Intelligence Community watchlisting guidelines.

The declassified Joint Intelligence Committee report makes clear
that "there was no formal process in place . . .  prior to September
11 for watchlisting suspected terrorists, even where, as was the case
with al-Hazmi and al-Mihdhbar, there were indications of travel to
the United States," that some CIA personnel "received no training on
watchlisting," and that "names were added on an ad hoc basis."

More generally, the legal "wall" looks a lot less important than
the Intelligence Community's* failure as to overseas (not domestic)
intelligence:
--to know what it knew
--to share what it knew with the rest of the government.
[*The FBI had and has similar problems, but this isn't the place
to discuss them.]

In short, this is a story largely about agencies not doing what they
were supposed to be doing under their own, pre-9/11 rules during
all of 2000 and early 2001.

That's no justification for weakening rules intended to protect
privacy of U.S. persons against domestic intelligence-gathering
or data-mining.

Below is a very condensed summary of some of the rest of the story.

Lee Tien
Senior Staff Attorney
Electronic Frontier Foundation

* * * *

[Disclaimer:  I'm no intelligence expert and I'll never have Stewart
Baker's credentials, so skeptical readers should look at the redacted,
unclassified Final Report of the U.S. Senate Select Committee on
Intelligence and U.S. House Permanent Select Committee on Intelligence,
Joint Inquiry into Intelligence Community Activities Before and After
the Terrorist Attacks of September 11, 2001, S. Rept. No. 107-351 &
H. Rept. No. 107-792 (Dec. 20, 2002).
http://news.findlaw.com/hdocs/docs/911rpt/
http://www.thememoryhole.org/911/hearings/
http://www.iwar.org.uk/sigint/resources/creport-911/index.htm

Although I don't agree with all of the report (800+ pages), it presents
the most comprehensive analysis of the myriad issues that I've seen.
All quotations below are from that report.]

* * * *

Stewart Baker's article says that it's a "quiet scandal" that

> For two and a half weeks before the attacks, the U.S.
> government knew the names of two hijackers. It knew they were al-Qaida
> killers and that they were already in the United States. In fact, the two
> were living openly under their own names, Khalid al-Mihdhar and Nawaf
> al-Hazmi. They used those names for financial transactions, flight school,
> to earn frequent flier miles, and to procure a California identity card.

Calling the FBI's failure to find two known hijackers in August 2001
"our last chance to foil the attacks," he argues that "if we want to
stop the next attack, we need to know what went wrong in August 2001."

Why start in August 2001?

Why not start in January 2000 (or even earlier)?

By early 2000 the CIA already knew that al-Mihdhar and al-Hazmi they
were probably headed to the United States.  Regrettably, "the CIA missed
repeated opportunities to act based on information in its possession that
these two Bin Laden-associated terrorists were traveling to the United
States, and to add their names to watchlists."

Here's a rough chronology of the chances that our government missed
*before* August 2001 -- all from the declassified Joint Intelligence
Committee report.

1.  In early 1999, the National Security Agency (NSA) analyzed
communications involving a suspected Mideast terrorist facility that
included the full name of Nawaf al-Hazmi.

BUT this information wasn't reported by NSA because it didn't meet the
NSA's reporting thresholds.  Id. at 11.

2.  In summer 1999, the NSA analyzed more communications involving
a suspected Mideast terrorist facility that included the name "Khaled"
and the NSA became aware of the name "Khallad."

BUT this information wasn't reported because it didn't meet the NSA's
reporting thresholds.  Id. at 11.

3.  In late 1999, NSA analyzed more communications involving a suspected
Mideast terrorist facility that included the name "Khaled" and "Nawaf."

BUT the NSA didn't draw a connection between this Nawaf and the Nawaf
al-Hazmi it learned about in 1.  However, it did pass this information to
both the CIA and FBI in late 1999.  Id. at 12

4.  in early January 2000, the CIA knew al-Mihdhar's full name, that
Nawaf's last name was probably al-Hazmi, that the two men had attended
what was believed to be a gathering of al-Qaida associates in Malaysia, that
the two men had been traveling together, and that al-Mihdhar probably had
a U.S. multiple-entry visa that would let him travel to and from the United
States until April 2000.

BUT despite clear indications that al-Mihdhar and al-Hazmi were
traveling to the United States, CIA did not add their names to the State
Dept, INS, and Customs watchlists used to control entry into the United
States.

AND it's not clear whether the CIA told the FBI (in Jan. 2000) about
al-Mihdhar's U.S. visa and the very real possibility that he
would come to the United States (the CIA claims it did; the FBI "had no
record the visa information was received"). Id. at 12-13.

(missed chance #1)

5.  The Intelligence Community learned after Jan. 2000 that someone
named "Khaled" had contacted a suspected Mideast terrorist facility.

BUT it didn't report all of this information because some was deemed not to
be terrorist-related; only after 9/11 did "the Intelligence Community
determine[] that these contacts had been made from future hijacker
Khalid al-Mihdhar while he was living within the domestic United States."
Id. at xii; id. at 16-17.

6.  On March 5, 2000, CIA HQ learned from on overseas station that Nawaf
al-Hazmi had traveled to Los Angeles on Jan. 15, 2000.  The next day, CIA
HQ got a message from another CIA station noting its interest that an
al-Qaida member had traveled to the United States.

BUT CIA didn't act on either message, didn't watchlist either al-Mihdhar or
al-Hazmi, and didn't tell the FBI that they might be in the United States.
Id. at 13.

(missed chance #2)

7.  During summer 2000, al-Mihdhar and al-Hazmi had numerous
contacts with a long-time FBI counterterrorism informant while they
were living in San Diego, and the informant told the FBI handling agent
that the informant had had contacts with two men named "Nawaf" and
"Khalid."

BUT the FBI didn't act because it didn't consider them of interest to the FBI.
Id. at 18.

We don't know what might have happened if the FBI had known what the CIA
knew, but it "is clear . . . that the informant's contacts with the hijackers,
had they been capitalized on," would have given the San Diego FBI field
office perhaps the Intelligence Community's best chance to unravel the
September 11 plot.  Given the CIA's failure to disseminate, in a timely
manner, intelligence information on the significance and location of
al-Mihdhar and al-Hazmi, that chance, unfortunately, never
materialized."  Id. at 19-20.

8.  On Jan. 4, 2001, CIA learned that a planner of the Oct. 2000 USS Cole
bombing had, along with al-Mihdhar and al-Hazmi, attended the al-Qaida
meeting in Malaysia.  At the time, al-Mihdhar was abroad, but al-Hazmi
was still in the United States.

BUT the CIA again didn't watchlist al-Mihdhar and al-Hazmi.

(missed chance #3)

9.  In May 2001, the CIA gave FBI HQ photographs taken in Malaysia,
including one of al-Mihdhar, as part of the USS Cole bombing
investigation.

BUT the CIA still didn't watchlist al-Mihdhar and al-Hazmi, and it still
didn't tell the FBI about their possible travel to the United States.  Indeed,
CIA director George Tenet testified that CIA personnel "did not recognize
the implications of the information about al-Hazmi and al-Mihdhar that
they had in their files."  Id. at 13-14.

(missed chance #4)

10. On June 11, 2001, FBI HQ and CIA personnel met with NY FBI field
office, investigating the USS Cole bombing, but the NY agents weren't told
anything useful about al-Mihdhar.  Two days later, al-Mihdhar got a new
U.S. visa and on July 4, 2001, he re-entered the United States.

AGAIN, "the CIA missed yet another opportunity to advise the FBI about
al-Mihdhar's visa and possible travel to the United States and, again, the
CIA took no action to watchlist these individuals."  Id. at 15.

(missed chance #5)

11. In mid-July 2001, a CIA officer assigned to the FBI triggered a CIA
review of its cables about the Malaysia meeting; then, an FBI analyst
assigned to the Counterterrorist Center (CTC) and working with the INS
determined that al-Mihdhar and al-Hazmi had entered the United States.
As a result, "on Aug. 23, 2001, the CIA finally notified the FBI and
requested of the State Department that the two individuals should be
watchlisted."  Id. at 15.

FINALLY!

But even then, no one told the FAA -- which had, coincidentally, issued a
security directive on Aug. 21, 2001 alerting commercial airlines that
nine named terrorism-related persons (unconnected to the 9/11
hijackers) were planning commercial air travel and should receive
additional security scrutiny if they tried to board an airplane.  The
directive was updated on Aug. 24 and Aug. 28, 2001.  "Had FAA been
advised of the presence of al-Hazmi and al-Mihdhar in the United States, a
similar directive could have been issued, subjecting the two, their luggage
and any carry-on items to detailed, FAA-directed searches."  Id. at 15.

And even then, only the NY FBI field office was asked to look for al-Hazmi
and al-Mihdhar.  It was not until Sept. 11 that the L.A. FBI field office was
also asked to look for them.  The San Diego FBI office was not contacted
until after Sept. 11.

So what's the real "quiet scandal" here?

> <x-flowed>
> Date: Thu, 01 Jan 2004 11:55:15 -0500
> From: "sbaker () steptoe com" <sbaker () steptoe com>
> Subject: Privacy and 9/11
> To: "'dave () farber net'" <dave () farber net>
>
> Dave,
>
> I thought your list might find my recent article in Slate interesting, and a
> challenge.  The article is at http://slate.msn.com/id/2093344/.
>
> It actually is a summary of my recent testimony to the 9/11 commission,
> which contains considerably more discussion of technology issues but is too
> long to reproduce.  It's on the web at
> http://www.steptoe.com/publications/280a.pdf.
>
> Stewart Baker
>
> Wall Nuts
> The wall between intelligence and law enforcement is killing us.
> By Stewart Baker
> Posted Wednesday, Dec. 31, 2003, at 1:01 PM PT
>
>
> Earlier this month, as fears of new al-Qaida attacks mounted, the Justice
> Department announced new FBI guidelines that would allow intelligence and
> law enforcement agents to work together on terrorism investigations. An ACLU
> spokesman was quick to condemn the guidelines as creating the possibility of
> "an end run around Fourth Amendment requirements." I used to worry about
> that possibility myself. Not any more. Because the alternative is to
> maintain a wall of separation between law enforcement and intelligence.
> That's what we used to do. And on Sept. 11, 2001, that wall probably cost us
> 3,000 American lives.
>
> There's a quiet scandal at the heart of Sept. 11; one that for different
> reasons neither the government nor the privacy lobby really wants to talk
> about. It's this: For two and a half weeks before the attacks, the U.S.
> government knew the names of two hijackers. It knew they were al-Qaida
> killers and that they were already in the United States. In fact, the two
> were living openly under their own names, Khalid al-Mihdhar and Nawaf
> al-Hazmi. They used those names for financial transactions, flight school,
> to earn frequent flier miles, and to procure a California identity card.
>
> Despite this paper trail, and despite having two and a half weeks to follow
> the scent, the FBI couldn't locate either man-at least not until Sept. 11,
> when they flew American Airlines Flight 77 into the Pentagon. If we had
> found them, there is a real possibility that most or all of the hijackings
> would have been prevented. The two shared addresses with Mohamed Atta, who
> flew into the North Tower of the World Trade Center, and Marwan Al-Shehhi,
> who flew into the South Tower. They were linked to most of the other
> hijackers as well. So August 2001 offered our last chance to foil the
> attacks. And if we want to stop the next attack, we need to know what went
> wrong in August 2001. Despite all the resources of our intelligence and law
> enforcement agencies, we did not find two known terrorists living openly.
> How could we have failed so badly in such a simple, desperate task?
>
> We couldn't find al-Mihdhar and al-Hazmi in August 2001 because we had
> imposed too many rules designed to protect against privacy abuses that were
> mainly theoretical. We missed our best chance to save the lives of 3,000
> Americans because we spent more effort and imagination guarding against
> these theoretical privacy abuses than against terrorism.
[snip]

-------------------------------------
You are subscribed as interesting-people () lists elistx com
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/