Privacy SOS

Pitfalls of the surveillance state: lessons from Boston

"Data-sharing troubles raise questions in Marathon case" – this Boston Globe headline should surprise no one.

The 2009 Christmas Day bombing attempt had demonstrated that throwing more than $600 billion at 'Homeland Security,' much of it spent on the creation and operation of a new architecture of multi-agency data-driven intelligence, was no guarantee that 'dots' would be connected to enable plots to be detected.

In its review of how 23-year-old Nigerian national Umar Farouk Abdulmutallab managed to evade the post-9/11 US intelligence network and board a plane carrying an explosive device, the White House cited a failure of 'intelligence analysis' for which the CIA and the National Counterterrorism Center (NCTC) – home to the giant Terrorist Identities Datamart Environment (TIDE) system – were chiefly responsible.

Abdulmutallab's name and biographical data had been deposited in TIDE after his father warned the US Embassy in Abuja and CIA officials about his son’s possible ties to al Qaeda in the Arabian Peninsula. There that information remained, along with a rising tide of information about some 550,000 identities. Today it contains an estimated 200,000 more.

Despite the fact that Abdulmutallab had been listed on a UK watch list in May 2009, and despite intelligence about a plot involving a 'Nigerian' trained in Yemen, his name was never transferred from the TIDE system to the master watch list in the Terrorist Screening Center, maintained by the NCTC partner organization, the FBI.

At the time, the FBI’s Terrorist Screening Database contained over a million names, including aliases. It is the source of names for the "No Fly" list of people barred from air travel and the "Selectee" list of people to be given additional screening.

Like Abdulmutallab, Tamerlan Tsarnaev reportedly was entered into the TIDE database after Russia asked the CIA to do so. Unlike Abdulmutallab, it appears he was moved onto the Terrorist Screening Center master watch list. He never made the "No Fly" or "Selectee" list, but the FBI did forward his name to the Treasury Enforcement Communications System – another database that is supposed to flag Customs and Border Protection when certain people travel.

DHS Secretary Janet Napolitano has stated about Tsarnaev that “the system pinged when he was leaving the US” for Russia and Customs was informed. Did that "ping" register with either the NCTC or FBI? Here there are conflicting accounts.

According to The New York Times, "Mr. Tsarnaev’s departure apparently did not set off a similar alert on the TIDE watch list because the spelling variants of his name and the birth dates entered into the system – exactly how the Russian government had provided the data months earlier – were different enough from the correct information to prevent an alert, a United States official said."

Ponder the implications of that. Enter the data wrong and it is as good as useless.

The question here is not whether the government made the right choice in closing the investigation on Tsarnaev so he was able to come back to the US without being noticed after his trip to Russia, as Secretary Napolitano said – although the swift removal of all digital traces of his name seems somewhat unusual since 'echoes' of a former listing often linger in one or another database and create problems at borders.

The question we need to ask is a more far-reaching one: Is the system we have created either workable or desirable?

Back in March 2007, The Washington Post’s Karen DeYoung had this to say about the TIDE database:

Ballooning from fewer than 100,000 files in 2003 to about 435,000, the growing database threatens to overwhelm the people who manage it. "The single biggest worry that I have is long-term quality control," said Russ Travers, in charge of TIDE at the National Counterterrorism Center in McLean. "Where am I going to be, where is my successor going to be, five years down the road?"

Well, it is now six years down the road, and there is little indication that those among the five million Americans with security clearance who have charge of the nation’s metastasizing databases are not being overwhelmed, or that they are being subjected to quality control.

And judging from what is emerging from Boston, the intelligence agencies are not doing a great job at sharing information – despite the vast expenditure allocated for precisely this purpose.

According to The Boston Globe, "Antiterrorism intelligence units in Massachusetts were never notified that FBI agents had examined the activities of Tamerlan Tsarnaev in 2011, further evidence of gaps in the network of post-9/11 measures that may have contributed to insufficient scrutiny of the suspected Marathon bomber." Neither the Boston Regional Intelligence Center nor the Commonwealth Fusion Center was informed about what the FBI was doing, even though the FBI has a berth at both Centers.

It’s hard not to be overwhelmed by the intelligence-gathering, storing and sharing system our tax dollars have created when you read the Government Accountability Office’s April 2013 report for Congress entitled "Information Sharing: Agencies could better coordinate to reduce overlap in field-based activities."

There you will learn that there are five different "field-based entities" in the US – the FBI’s JTTF, the FBI’s Field Intelligence Group, the Regional Information Sharing System Center, the system of 72 Fusion Centers, and the High Intensity Drug Trafficking Area Investigative Support Center – which overlap in their activities and have serious coordination problems.

So serious are these problems that there is a big effort underway to establish "deconfliction systems – that is systems that aim to ensure law enforcement officers are not conducting enforcement actions at the same time in the same place or investigating the same target – which could pose risks to officer safety and lead to inefficiencies."

Areas where "deconfliction" is essential include when multiple federal, state or local law enforcement agencies are conducting raids, undercover operations or surveillance in proximity to one another at the same time, or when they are all embarking on the same "link analysis" (to discover relationships among varied subjects) or "telephone toll analysis" (analyzing incoming and outgoing telephone calls).

Maybe we have reached the point where more is not better?

But no doubt 'more' is high on the agenda.

The GAO recently designated "the sharing of terrorism-related information" as "high risk" because "the government faces formidable challenges in analyzing and disseminating this information in a timely, accurate, and useful manner. Federal agencies have created new organizations, systems, partnerships, tools, and standards, among other things, to better share this information with each other and with state, local, tribal, and private security partners, but still have work to do to close gaps in sharing."

Will its budget-busting recommendations be taken on board in these times of sequestration?

"Federal agencies can reduce risk on terrorism-related information sharing," the GAO says, "by focusing on several areas" – areas which you would have expected would long ago have been built into the $600-plus billion appropriation:

Defining, developing, and implementing the remaining capabilities and technologies needed for sharing—such as developing automated means to determine who is authorized to access data—and leveraging successful initiatives that individual agencies implement for the benefit of all homeland security partners.

Developing cost estimates for needed programs and initiatives, which would allow decision makers to plan for and prioritize future investments.

Building information-sharing initiatives into agencies’ enterprise architectures to help align technology investments as a means to promote sharing.

Establishing a system of accountability to track progress and measure the information-sharing and homeland security benefits achieved to inform future investments, including ways to measure the benefits the government is deriving from multimillion-dollar federal investments in state and local fusion centers—state and local entities, supported in part with federal funding and personnel, that coordinate and collaborate with respect to sharing information related to criminal and terrorist activity and that fill information sharing gaps the federal government could not address.

Assessing the impacts of the government’s use of the terrorist watchlist to screen individuals for threats on agencies, their resources, and the traveling public to ensure that use of the list is working effectively and as intended, and that any needed adjustments are implemented.

Yes, a "system of accountability" is long overdue.

But rather than just measuring "the homeland security benefits" the government is deriving from fusion centers and watchlists, shouldn’t we also be taking stock of the deficits, and asking fundamental questions about whether the building of a total surveillance society is really the way to keep safe and free? 

© 2021 ACLU of Massachusetts.