Authorities knew of at least three of the Paris attackers but did not act – and ignored a warning about a potential attack

Do the arithmetic and it is hard not to feel sympathy for the French intelligence agencies. Every day they face a dilemma created by the gap between available staff and the huge number of suspects.

French intelligence and police have only an estimated 500-600 staff whose task is to physically follow people. But the agencies have about 11,000 people on their books classified as potential threats to national security.

To mount an operation to monitor one person 24-hours-a-day requires about 30 to 40 people. So they have to make hard choices about which people to prioritise.

They often get it right, foiling many plots. But when they get it wrong, as they have twice this year, first in the Charlie Hebdo attack and in last Friday’s massacre, they have come under huge pressure.

French MPs vote to extend state of emergency after Paris attacks Read more

There will inevitably be an inquiry into the failings. But the French government has already proposed new legislation introducing tougher security measures.

Senior members of the US intelligence community, still smarting from the loss of the bulk data collection of phone records in the Freedom Act this summer, are taking advantage of events in Paris to renew arguments over surveillance.

In New York on Wednesday, the director of the FBI, James Comey, complained that too much of the internet had gone dark. Intelligence and law enforcement agencies both needed faster and better access to communications data, he said.

The stripped down argument is that if you have access to everything, it is easier to keep everyone secure. When there are attacks such as those in Paris, the agencies say they quickly need to search back through data to see who suspects had been talking to, helping to identify the networks and prevent potential other attacks.

French intelligence under scrutiny in wake of Paris attacks Read more

The problem with this, as with almost every terrorist incident since 9/11, is that the French intelligence agencies already knew at least three of the attackers.

Abelhamid Abaaoud was known as an accomplice of two jihadis killed in Belgium in January. The police had a file on Omar Ismaïl Mostefai even before he travelled to Syria in 2013, while Sami Amimour had been detained in 2012 on suspected terrorist links.

In other words, the failure of the French intelligence agencies is not that they did not have enough data – but that they did not act on what they had.

The three could have been the subject of traditional targeted surveillance. While physical surveillance is difficult in terms of staffing, keeping tabs on their communications is less labour-intensive.

Tracking such suspects does not require the collection of the communications data – phone records, emails, Facebook postings, chat lines – of every French citizen, only the suspects.

One of the key arguments put forward by Comey and earlier in the week by the director of the CIA, John Brennan, is that terrorists have become better at covert communications. But the discarded mobile phone that led police to the St-Denis hideout contained unencrypted text.

CIA chief criticises recent surveillance rollbacks in wake of Paris attacks Read more

One of the biggest failings was not the French intelligence agencies’ lack of sufficient surveillance powers but the long-running lack of cooperation between European intelligence agencies – and reluctance to share information – due to fears about leaks. When they do cooperate, the process is slow – even over things as simple as translation.

The Iraq government sent warnings to French intelligence about a potential attack that were ignored. Such warnings are regularly received by the agencies struggling to work out which ones reflect a genuine threat.

A more serious omission is the French failure to respond to the Turkish government when it flagged up concern about Mostefai. Added to that is the lack of cooperation between France and Belgium, where some of the attackers were based.

Such failures are where the French and US intelligence agencies should be looking, rather than exploiting the tragedy to make the case for bulk data surveillance.