The just-released report of the Privacy and Civil Liberties Oversight Board is rigorous and well-written, and it’s worth reading in its entirety. One section warranting particular attention assesses the argument that the September 2001 terrorist attacks could have been averted if the phone-records program had been available to the government in the fall of that year. This narrative has been a standby for many defenders of the program—see, for example, Senator Dianne Feinstein’s op-ed here and NSA Director Keith Alexander’s congressional testimony here—and Judge William H. Pauley III’s decision upholding the program in ACLU v. Clapper opened with a particularly dramatic telling of it:
The September 11th terrorist attacks revealed, in the starkest terms, just how dangerous and interconnected the world is. While Americans depended on technology for the conveniences of modernity, al-Qaeda plotted in a seventh-century milieu to use that technology against us. It was a bold jujitsu. And it succeeded because conventional intelligence gathering could not detect diffuse filaments connecting al-Qaeda.
The narrative is powerful. But the privacy board explains, as clearly as anyone else has done to date, that it’s just not true.
In the late 1990s, over a period of several years, the NSA intercepted telephone calls to and from an al-Qaeda safe house in Yemen. Some of the calls were with Khalid al-Midhar, who later became one of the hijackers. According to the government, the technology then used by the NSA didn’t allow the agency to determine al-Midhar’s phone number or location, and consequently the agency did not realize that al-Midhar was in the United States. If the NSA had realized this, the argument goes, it would have shared the information with the FBI, and the FBI would have apprehended al-Midhar, identified the other hijackers, and foiled the plot.
As the privacy board writes, though, the failure to identify al-Midhar’s presence in the United States “stemmed primarily from a lack of information sharing among federal agencies, not a lack of surveillance capabilities.”
As explained by the 9/11 Commission Report, the joint inquiry into the 9/11 attacks by the House and Senate intelligence committees, and a Department of Justice Inspector General report, the government had ample opportunity before 9/11 to pinpoint Mihdhar’s location, track his activities, and prevent his 2001 reentry into the United States. By early 2000, the CIA was aware of Mihdhar and knew that he had a visa enabling him to travel to the United States. Yet despite having information that Mihdhar and fellow hijacker Nawaf al-Hazmi “were traveling to the United States,” the CIA “missed repeated opportunities to act based on the information in its possession.” The agency did not advise the FBI of what it knew or “add their names to watchlists.” Furthermore, at the time that Mihdhar and Hazmi were in San Diego in early 2000, when the calls to Yemen were made, they were living with “a long-time FBI asset.” Mihdhar left the United States in June 2000, and he was able to return in 2001 because he still had not been placed on any watchlists. And “[o]n four occasions in 2001, the CIA, the FBI, or both had apparent opportunities to refocus on the significance of Hazmi and Mihdhar and reinvigorate the search for them.” Yet these opportunities were missed.
The privacy board also rejects the proposition that the availability of a phone-records dragnet would have made up for the intelligence community’s information-sharing failures. Discovering al-Midhar’s location, the board notes, “did not require a bulk telephone records program.”
The NSA knew the telephone number of the Yemen safe house. If the telephone calls with Mihdhar were deemed suspicious at the time, the government could have used existing legal authorities to request from U.S. telephone companies the records of any calls made to or from that Yemen number. Doing so could have identified the San Diego number on the other end of the calls. Thus we do not believe that a program that collects all telephone records from U.S. telephone companies was necessary to identify Mihdhar’s location in early 2000, nor that such a program is necessary to make similar discoveries in the future.
Will the privacy board’s report lead intelligence officials to reconsider their false narrative? On one hand, it’s not as if the members of the privacy board are the first to have exposed the falsity of the intelligence community’s al-Midhar narrative—Mike German did so here, and Professor Ed Felten did so in an affidavit submitted to, but regrettably overlooked by, Judge Pauley. And the false al-Midhar narrative will likely have lasting appeal to some members of the intelligence community because it assigns responsibility for pre-September 2001 intelligence failures to technological and legal constraints rather than to the officials who should have shared information but didn’t.
But I hope it’s not naïve to think that the board’s analysis will change the place of the al-Midhar story in the public debate. At the very least, intelligence officials who cite the story as a justification for the phone-records dragnet should be asked far sharper questions than they’ve been asked in the past. The privacy board worked for six months on its report, heard from experts, met with intelligence officials, received classified briefings, and examined classified documents. If intelligence officials continue to cite the al-Midhar story as a justification for the dragnet, someone should ask them what they know that the privacy board doesn’t.
(Full disclosure: I’m counsel to the plaintiffs in ACLU v. Clapper and I participated in one of the privacy board’s workshops in July.)