Cambridge University Press

US intelligence agencies face a difficult task. They are supposed to provide meaningful analysis that enables officials to manage serious national security problems such as terrorism, weapons proliferation, network attacks on government infrastructure, and counterintelligence efforts. Today these are diffuse and complex threats. There are newly powerful political actors on the international stage. Organizations that are not governments and have no physical territory can inflict great harm. And individuals and diffuse coalitions are increasingly able to traffic in military technology, digital viruses, and other dangerous, potentially lethal tools. These challenges are real, and overcoming them is a legitimate goal of foreign intelligence surveillance.

But the track record of the collection programs Edward Snowden revealed provides little evidence that massive surveillance will help us identify future terrorist attacks or mitigate these new risks. American spies’ allegiance to massive surveillance is based on faith, not track record. The Boston Marathon bombing in April of 2013 illustrates how broad proactive surveillance is no panacea against attacks. The NSA was conducting its massive spying at the time, and the attacks happened anyway.

In that case, two brothers allegedly built pressure cooker bombs and placed them near the finish line of the Boston Marathon. The bombings killed three people and injured scores of others. The older brother died and the younger brother was injured in the subsequent manhunt. The younger brother, Dzhokhar Tsarnaev, was sentenced to death in early 2015. Relevant information about the bombers did not come from electronic surveillance. Rather, it came from another government. A few years before the bombing, the Russian government had warned the FBI that the older brother, Tamerlan Tsarnaev, was dangerous. The FBI investigated and found nothing to link either person to terrorism, so they closed the investigation in June 2011. But later that same year, the Russians sent the same warning to the CIA.

The CIA asked the U.S. National Counterterrorism Center to add Tamerlan and his mother’s names to a terrorism watch list. That watchlist is called the Terrorist Identities Datamart Environment, or TIDE. You can be placed on the TIDE list based on an informant pointing the finger at you, your social media posts, or the conduct of your relatives. The list is used to generate other watch lists, like the No Fly list and border security lists. Being on the TIDE list can really complicate your life. But it doesn’t necessarily assist the government in identifying true threats among the more than one million people on the list. How could it, when there are so many people on the list for so many different reasons? The Tsarnaev family might have been on the radar, but even with massive NSA collection of phone call and email data, no one identified the plot.


After the bombing, FBI agents looked at nearly 13,000 videos and more than 120,000 photographs taken near the scene of the bombing. They found a video that seemed to show the perpetrators. They were the only people who didn’t look surprised when the first bomb went off. The FBI then released the video, asking for the public’s assistance in locating the men. Farhad Manjoo, a reporter for the Wall Street Journal, the New York Times, and National Public Radio, argues that the Boston Marathon bombing makes a good case for broad surveillance. The FBI’s access to so many video and still images is what helped them identify and eventually catch the bombers.

But we should not conflate massive surveillance with broad data collection used to investigate crimes that have already occurred. The Boston Marathon investigation photos and videos were made by private parties. The government did not collect, aggregate, or analyze them until after they knew that a crime had happened. This wasn’t a fishing expedition. The investigators knew what block of the city to focus on, what time frame, and what they were looking for. While the amount of information collected was large, the targeting was narrow. Officers were investigating a particular crime. They collected only videos and photos that would likely contain evidence of that crime.

About the author: Jennifer Stisa Granick is Director of Civil Liberties at Stanford Law School. She practices, speaks, and writes about computer crime and security, electronic surveillance, consumer privacy, and data protection.

That’s not to say that there are no problems with broad collection, even in the criminal context. For example, in the same Boston Marathon investigation, FBI agents searched for purchase records for the model of pressure cooker used to construct the bombs detonated in the attack. They were looking to narrow the field of potential suspects. It turned out that there were only a few dozen of those pressure cookers sold in the year before the attack. But what happened next is worrisome. A woman reported that law enforcement paid her a visit after she had been shopping for pressure cookers and backpacks online. Ultimately the family learned that the investigation was spurred when the husband’s former employer reported his Internet searches to local police. FBI agents confronted a Saudi student for carrying a pressure cooker to a student dinner. Interrogating people who purchase pressure cookers is not a good way to find future attackers. Millions of people purchase these devices without using them in a bombing attack.

Targeted surveillance of people known to be connected to terrorism is the best way to find terrorists. Indeed, almost every major terrorist attack on Western soil in the past fifteen years was committed by someone already on the government’s radar for one or another reason. In January of 2015, two gunmen shot twelve people dead in the Paris offices of satirical magazine Charlie Hebdo. One of the gunmen had already been sent to prison for recruiting jihadist fighters. The other had reportedly studied in Yemen with Umar Farouk Abdulmutallab, who was arrested by the FBI in 2009 after trying and failing while on an airplane to detonate explosives hidden in his underwear. The leader of the July 7, 2005 London suicide bombings had been observed by British intelligence meeting with a suspected terrorist. The men who planned the Mumbai, India attacks in 2008 were already under electronic surveillance by the United States, the United Kingdom, and India. One of the Mumbai plotters had been a DEA informant. Investigators received multiple tips from the informant’s family members, friends, and acquaintances, but the officials never effectively followed up on the information.

In another case where the government failed to understand the information it had and act accordingly, Maj. Nidal Hasan, a military psychiatrist, killed thirteen people at Fort Hood, Texas, in 2009. Intelligence agencies had intercepted multiple emails between Hasan and Anwar al-Awlaki, a notoriously militant cleric living in Yemen. In the emails, Hasan asked Awlaki whether a Muslim US soldier who committed fratricide would be considered a martyr in the eyes of Islam. Despite this and other information that could justify discharging Hasan from the military, counterterrorism investigators didn’t follow up on these emails. While the Defense Department faulted failures of leadership, the Senate investigated the military’s unwillingness to name, detect, or defend against violent Islamist extremism. Scholar Amy Zegart points the finger at the Army’s organizational incentives for promoting and disciplining subordinates as well.

Historian Peter Bergen has assessed the historical record, including the case of Umar Farouk Abdulmutallab, the man who attempted and failed to detonate a bomb in his underwear on Christmas Day 2009. A few weeks before the botched attack, Abdulmutallab’s father contacted the US Embassy in Nigeria with concerns that his son had become radicalized and might be planning an attack. This information wasn’t further investigated. While the White House concluded that the government did not have sufficient information to determine that Abdulmutallab was likely working for al-Qaeda in Yemen and that the group was looking to expand its attacks beyond Yemen, the man was nevertheless allowed to board a plane bound for the United States without any question despite his father’s warning. Bergen concludes by arguing that, “[a]ll of these serious terrorism cases argue not for the gathering of ever vaster troves of information but simply for a better understanding of the information the government has already collected and that are derived from conventional law enforcement and intelligence methods.”

Massive spying didn’t stop these attacks. Nevertheless, the intelligence community seems confident that more information collection will prevent terrorism. Superficially, it just makes sense that in order to “connect the dots” you first have to “collect the dots.” The public conversation about the effectiveness of massive surveillance seems to assume this is the case. For example, in her June 6, 2013 press conference seeking to justify the section 215 phone dragnet The Guardian had just revealed, Senator Feinstein claimed that the FBI had uncovered approximately 100 terrorist plots since 2009. She couldn’t credit the phone dragnet for success in any of those investigations, but it didn’t matter to her:

I do not know to what extent metadata was used or if it was used, but I do know this: That terrorists will come after us if they can and the only thing we have to deter this is good intelligence. To understand that a plot is being hatched and to get there before they get to us.

Feinstein may have revealed more by this statement than she intended. We don’t know what works to identify terrorist plots. But surveillance is one thing we know how to do well. So we are going to do that to stop the terrorists. It’s a little like looking under the lamppost for your keys, because that’s where the light is.

Following classified and public hearings, Senator Leahy and other members of Congress concluded that there was no evidence that the phone records collection has ever been important in fighting terrorism. A subsequent review by the Privacy and Civil Liberties Oversight Board reached the same conclusion. Hundreds of thousands of Americans have had their phone records collected for years, but it hasn’t made the country any safer. A 2009 inspector general report says that the section 215 dragnet cost taxpayers $146 million in supplemental counterterrorism funds to buy new hardware and contract support and to make payments to the phone companies for their collaboration. As set out in later chapters, the program was misused and abused for years. America is none the safer for it.

Excerpted from American Spies: Modern Surveillance, Why You Should Care, and What to Do About It, by Jennifer Stisa Granick. Used with permission of Cambridge University Press. All rights reserved.