NSA’s Dragnet Failed to “Correlate” David Headley’s Identity, One of Its Core Functions

In a piece on the GCHQ and NSA failure to identify David Headley’s role in the Mumbai terrorist attack, ProPublica quotes former CIA officer Charles Faddis on the value of bulk surveillance.

“I’m not saying that the capacity to intercept the communications is not valuable,” said Charles (Sam) Faddis, a former C.I.A. counterterror chief. “Clearly that’s valuable.” Nonetheless, he added, it is a mistake to rely heavily on bulk surveillance programs in isolation.

“You’re going to waste a lot of money, you’re going to waste a lot of time,” Faddis said. “At the end, you’re going have very little to show for it.”

The article as a whole demonstrates that in a manner I’m fairly shocked about. The NSA failed to recognize what it had in intelligence collected on Headley’s role in the attack even after the attack because they hadn’t correlated his known birth name with the name he adopted in the US.

Headley represents another potential stream of intelligence that could have made a difference before Mumbai. He is serving 35 years in prison for his role. He was a Pakistani-American son of privilege who became a heroin addict, drug smuggler and DEA informant, then an Islamic terrorist and Pakistani spy, and finally, a prize witness for U.S. prosecutors.

In recounting that odyssey, we previously explored half a dozen missed opportunities by U.S. law enforcement to pursue tips from Headley’s associates about his terrorist activity. New reporting and analysis traces Headley’s trail of suspicious electronic communications as he did reconnaissance missions under the direction of Lashkar and Pakistan’s Inter-Services Intelligence Directorate (ISI).

Headley discussed targets, expressed extremist sentiments and raised other red flags in often brazen emails, texts and phone calls to his handlers, one of whom worked closely on the plot with Shah, the Lashkar communications chief targeted by the British.

U.S. intelligence officials disclosed to me for the first time that, after the attacks, intensified N.S.A. monitoring of Pakistan did scoop up some of Headley’s suspicious emails. But analysts did not realize he was a U.S.-based terrorist involved in the Mumbai attacks who was at work on a new plot against Denmark, officials admitted.

The sheer volume of data and his use of multiple email addresses and his original name, Daood Gilani, posed obstacles, U.S. intelligence officials said. To perfect his cover as an American businessman, Headley had legally changed his name in 2006.

“They detected a guy named ‘Gilani’ writing to bad guys in Pakistan, communicating with terror and ISI nodes,” a senior U.S. intelligence official said. “He wrote also in fluent Urdu, which drew interest. Linking ‘Gilani’ to ‘Headley’ took a long time. The N.S.A. was looking at those emails post-Mumbai. It was not clear to them who he was.”

As I’ve explained, one of the things NSA does with all its data is to “correlate” selectors, so that it maps a picture of all the Internet and telecom (and brick and mortar, where they have HUMINT) activities of a person using the multiple identities that have become common in this day and age. This is a core function of the NSA’s dragnets, and it works automatically on EO 12333 data (and worked automatically on domestically-collected phone and — probably — Internet metadata until 2009).

When you think about it, there are some easy ways of matching online identities (going to a provider, mapping some IP addresses). And even the matching of “burner” IDs can be done with 94% accuracy, at least within AT&T’s system, according to AT&T’s own claims.

The NSA says they didn’t do so here because Headley had changed his name.

Headley, recall, was a DEA informant. Which means, unless these intelligence agencies are far more incompetent than I believe they are, this information was sitting in a government file somewhere: “Daood Gilani, the name of a known Urdu-fluent informant DEA sent off to Pakistan to hang out with baddies  = David Headley.” Unless Headley adopted the new name precisely because he knew it would serve to throw the IC off his trail.

And yet … NSA claims it could not, and did not, correlate those two identities and as a result didn’t even realize Headley was involved in the Mumbai bombing even after the attack.

Notably, they claim they did not do so because of the “sheer volume of data.”

In short, according to the NSA’s now operative story (you should click through to read the flaccid apologies the IC offered up for lying about the value of Sections 215 and 702 in catching Headley), the NSA’s dragnet failed at one of its core functions because it is drowning in data.


11 replies
  1. Saul Tannenbaum says:

    As anyone who works for an organization that has an “identity management” function could tell you, even in a populations that’s limited to the thousands, using controlled and cleaned data sources, identity correlation is hard. This may seem paradoxical in a world where privacy is dead and de-anonymization is thought to be easy, but figuring out who is who and de-ambiguating indentity just seems to be intrinsically hard.

    If there ever is a Truth Commission about this stuff, I really want it to find the person who said “Oh, yeah, hoover up the internet, we’ll build this great map of identities and connections” and give them an award for recklessly bad advice in pursuit of a surveillance state.

    • wallace says:

      quote”If there ever is a Truth Commission about this stuff, I really want it to find the person who said “Oh, yeah, hoover up the internet, we’ll build this great map of identities and connections” and give them an award for recklessly bad advice in pursuit of a surveillance state.”unquote

      Speaking of truth, I bet Jack Rebney would have an earful for them..


      Look up Winnebago Man on netflix too. fuck.

    • emptywheel says:

      True. But if you’re able to get the providers to provide its own correlated data — to have Google explain that emptywheel at gmail is the same person who uses a certain phone number — then you’ve got a really good baseline.

      • bloopie2 says:

        When you sign up for email, do you (have to) give a phone number? When you sign up for a phone number, do you (have to) give an email address? I’ve tried over the years to hold back as much as possible on that stuff, but it’s just so darn difficult any more. How does Jack Reacher, for example, get away with no home phone number and no home address?

        • P J Evans says:

          As far as I know, you don’t have to give Google your phone number – I certainly haven’t – although they certainly push it as part of their ‘security’ system.

          • RUKidding says:

            Yeah, google is forever pushing me to give them my phone number “for my own good/security” blah blah blah… I always click No Thanks and move on. Not that I think it provides me with much in the way of “privacy.” I am just churlish that way… like I refuse to use the fingerprint ID thingy at my gym (the system – forget name – is alleged to be tied into the “matrix” of law enforcement, so again: churlish) and force all the Gen Y employees to log me in the old fashioned way into the company database. Of course, now we’re learning that fingerprint ID’ing isn’t all that accurate anyway. hoo boy.

        • RUKidding says:

          Props for Jack Reacher Q. I only read the first novel in that series. Not my cuppa, but I know Childs’ books are very popular. The first novel took place some time ago, but if my memory serves me, I thought Reacher was pretty much off the grid in terms of not having much of anything, including money. I don’t remember him having a credit card, for ex. Don’t know what’s happening now. Series has, no doubt, changed. Hard to live off the grid, although some try to do it. Could use Farraday bags for phones, etc.

  2. Kenneth Roylance says:

    The NSA has to spend most of its resources going after enemies of the government, such as whistleblowers that try to expose government corruption and illegal activity. It makes sense that the government’s first priority is to protect itself. Protecting its citizens comes second or maybe it’s even further down the list. I just did some minor whistleblowing and now they’re spending three million a year going after me. I bet they have people listening to me snoring at night. http://chemspray.weebly.com

  3. bloopie2 says:

    Sometimes dragnets are not, in fact, needed.
    “A suspected Islamic terrorist’s plans to mount attacks on French churches were thwarted when he accidentally shot himself and called an ambulance, leading to the discovery of loaded guns, bulletproof vests and chilling notes about his intended targets, authorities said Wednesday.”
    I mean, really?

    • Jo says:

      Well, you have to realize that even baddies are human and regardless of their training and commitment, they make mistakes—like shooting yourself, leaving evidence behind, or being seen by surveillance cameras. We can only hope that they continue to make these small mistakes and get discovered early before any massacres happen.

  4. v v anand says:

    David Headley had the same social security number even after he changed his name. No need therefore for connecting any dots . His name-change was official through a court in the US. And 5 years before that, an FBI official was present in court when he was enlarged from status of supervised release. CIA continued to have him as an agent and the mumbai plot was possibly a false flag event staged by CIA and Mossad to worsen Indo-pak relations and block the prospect of the Iran-Pak-India oil pipeline.

Comments are closed.