Earlier this month, as fears of new al-Qaida attacks mounted, the Justice Department announced new FBI guidelines that would allow intelligence and law enforcement agents to work together on terrorism investigations. An ACLU spokesman was quick to condemn the guidelines as creating the possibility of "an end run around Fourth Amendment requirements." I used to worry about that possibility myself. Not any more. Because the alternative is to maintain a wall of separation between law enforcement and intelligence. That's what we used to do. And on Sept. 11, 2001, that wall probably cost us 3,000 American lives.
There's a quiet scandal at the heart of Sept. 11; one that for different reasons neither the government nor the privacy lobby really wants to talk about. It's this: For two and a half weeks before the attacks, the U.S. government knew the names of two hijackers. It knew they were al-Qaida killers and that they were already in the United States. In fact, the two were living openly under their own names, Khalid al-Mihdhar and Nawaf al-Hazmi. They used those names for financial transactions, flight school, to earn frequent flier miles, and to procure a California identity card.
Despite this paper trail, and despite having two and a half weeks to follow the scent, the FBI couldn't locate either man—at least not until Sept. 11, when they flew American Airlines Flight 77 into the Pentagon. If we had found them, there is a real possibility that most or all of the hijackings would have been prevented. The two shared addresses with Mohamed Atta, who flew into the North Tower of the World Trade Center, and Marwan Al-Shehhi, who flew into the South Tower. They were linked to most of the other hijackers as well. So August 2001 offered our last chance to foil the attacks. And if we want to stop the next attack, we need to know what went wrong in August 2001. Despite all the resources of our intelligence and law enforcement agencies, we did not find two known terrorists living openly. How could we have failed so badly in such a simple, desperate task?
We couldn't find al-Mihdhar and al-Hazmi in August 2001 because we had imposed too many rules designed to protect against privacy abuses that were mainly theoretical. We missed our best chance to save the lives of 3,000 Americans because we spent more effort and imagination guarding against these theoretical privacy abuses than against terrorism.
I feel some responsibility for sending the government down that road.
In August 2001, the New York FBI intelligence agent looking for al-Mihdhar and al-Hazmi didn't have the computer access needed to do the job alone. He requested help from the bureau's criminal investigators and was turned down. Acting on legal advice, FBI headquarters had refused to involve its criminal agents. In an e-mail to the New York agent, headquarters staff said: "If al-Midhar is located, the interview must be conducted by an intel[ligence] agent. A criminal agent CAN NOT be present at the interview. This case, in its entirety, is based on intel[ligence]. If at such time as information is developed indicating the existence of a substantial federal crime, that information will be passed over the wall according to the proper procedures and turned over for follow-up criminal investigation."
In a reply message, the New York agent protested the ban on using law enforcement resources for intelligence investigations in eerily prescient terms: "[S]ome day someone will die—and wall or not—the public will not understand why we were not more effective and throwing every resource we had at certain 'problems.' Let's hope the [lawyers who gave the advice] will stand behind their decisions then, especially since the biggest threat to us now, UBL [Usama Bin Laden], is getting the most 'protection.' "
It breaks my heart to read this exchange. That "wall"—between intelligence and law enforcement—was put in place to protect against a hypothetical risk to civil liberties that might arise if domestic law enforcement and foreign intelligence missions were allowed to mix. It was a post-Watergate fix meant to protect Americans, not kill them. In fact, in 1994, after I left my job as general counsel to the National Security Agency, I argued that the wall should be left in place because I accepted the broad assumption that foreign intelligence-gathering tolerates a degree of intrusiveness, harshness, and deceit that Americans do not want applied against themselves. I recognized at the time that these privacy risks were just abstract worries, but I accepted the conventional wisdom: "However theoretical the risks to civil liberties may be, they cannot be ignored." I foresaw many practical problems as well if the wall came down, and I argued for an approach that "preserves, perhaps even raises, the wall between the two communities."
I was wrong, but not alone, in assigning a high importance to theoretical privacy risks. In hindsight, that choice seems little short of feckless, for it made the failures of August and September 2001 nearly inevitable. In 2000 and 2001, the FBI office that handled al-Qaida wiretaps in the United States was thrown into turmoil because of the heights to which the wall had been raised. The Foreign Intelligence Surveillance Act Court, the body that oversees national security wiretaps, had ordered strict procedures to ensure that such wiretaps were not contaminated by law enforcement purposes. And when those procedures were not followed strictly, the court barred an FBI agent from the court because his affidavits did not fully list all contacts with law enforcement. This mushroomed into a privacy scandal that set the stage for 9/11.
In the spring and summer of 2001, with al-Qaida's preparations growing even more intense, the turmoil grew so bad that national security wiretaps were allowed to lapse—something that had never happened before. It isn't clear what intelligence we missed, but the loss of those wiretaps was treated as less troubling than the privacy scandal that now hung over the antiterrorism effort. The lesson was not lost on the rest of the bureau. According to a declassified Joint Intelligence Committee report on Sept. 11, "FBI personnel involved in FISA matters feared the fate of the agent who had been barred and began to avoid even the most pedestrian contact with personnel in criminal components of the Bureau or DOJ because it could result in intensive scrutiny by the Justice Department office that reviewed national security wiretaps and the FISA Court."
Against this background, it's easy to understand why FBI headquarters and its lawyers refused to use law enforcement resources in the effort to find al-Mihdhar and al-Hazmi. To do so would be to risk a further privacy scandal and put their careers in jeopardy. Viewed in this light, the New York agent's fight to get law enforcement involved in his search for the terrorists looks like an act of courage that borders on foolishness. We can all be thankful for his zeal. But in the end, one agent's zeal was not enough to overcome the complex web of privacy rules and the machinery of scandal that we built to enforce those rules.
What lessons can we learn from this tragic unfolding?
First, that the source of this tragedy was not wicked or uncaring officials. The wall was built by professionals who thought they were acting in the country's and their agency's best interest. They were focused on the hypothetical risk to privacy if foreign intelligence and domestic law enforcement were allowed to mix, and they worried that courts and Congress would punish them for putting aside these theoretical concerns to combat a threat that was both foreign and domestic. They feared that years of successful collaboration would end in disaster if the results of a single collaboration could be painted as a privacy scandal, so they created an ever-higher wall to govern operations at the border between domestic law enforcement and foreign intelligence. As drafted, the rules technically allowed antiterrorism investigators to do their jobs—if the investigators were sufficiently determined and creative. For a while they were, but the FISA court scandal sapped their determination and finally choked off any practical hope of getting the job done.
The second lesson is that we cannot write rules that will both protect us from every theoretical risk to privacy and still allow the government to protect us from terrorists. We cannot fine-tune the system to perfection, because systems that ought to work can fail. That is why I am profoundly skeptical of efforts to write new privacy rules and why I would rely instead on auditing for actual abuses. We should not again put American lives at risk for the sake of some speculative risk to our civil liberties.
And the final lesson? Perhaps it isn't fair to blame all the people who helped to create the wall for the failures that occurred in August of 2001. No one knew then what the cost of building such a separation would be. But we should know now. We should know that we can't prevent every imaginable privacy abuse without hampering the fight against terror; that an appetite for privacy scandals hampers the fight against terror; and that the consequence of these actions will be more attacks and more dead, perhaps in numbers we can hardly fathom.
The country and its leaders have had more than two years to consider the failures of August 2001 and what should be done. In that time, libertarian Republicans have joined with civil- liberties Democrats to teach the law enforcement and intelligence communities the lesson that FBI headquarters taught its hamstrung New York agent: You won't lose your job for failing to protect Americans, but you will if you run afoul of the privacy lobby. So the effort to build information technology tools to find terrorists has stalled. Worse, the wall is back; doubts about legal authority are denying CIA analysts access to law enforcement information in our new Terrorist Threat Integration Center. Bit by bit we are recreating the political and legal climate of August 2001.
And sooner or later, I fear, that August will lead to another September.