When a patron at the New York-New York casino plugged his frequent-player card into a slot machine one day this summer, something strange happened: An alert warned the casino's surveillance officials that an associate of a suspected terrorist might be on the grounds.
How did a casino's computer make such a connection? Shortly after Sept. 11, the FBI had entrusted a quickly developed watch list to scores of corporations around the country.
Departing from its usual practice of closely guarding such lists, the FBI circulated the names of hundreds of people it wanted to question. Counterterrorism officials gave the list to car rental companies. Then FBI field agents and other officials circulated it to big banks, travel reservations systems, firms that collect consumer data, as well as casino operators such as MGM Mirage, the owner of New York-New York. Additional recipients included businesses thought vulnerable to terrorist intrusion, including truckers, chemical companies and power plant operators. It was the largest intelligence-sharing experiment the bureau has ever undertaken with the private sector.
A year later, the list has taken on a life of its own, with multiplying _ and error-filled _ versions being passed around like bootleg music. Some companies fed a version of the list into their own databases and now use it to screen job applicants and customers. A water-utilities trade association used the list "in lieu of" standard background checks, said the New Jersey group's executive director.
The list included many people the FBI didn't suspect but just wanted to talk to. Yet a version on SeguRed.com, a South American security-oriented Web site that got a copy from a Venezuelan bank's security officer, is headed: "list of suspected terrorists sent by the FBI to financial institutions." (The site's editor said he may change the heading.) Meanwhile, a supermarket trade group used a version of the list to try to check whether terrorists were raising funds through known shoplifting rings. The trade group won't disclose results.
The FBI credits the effort, dubbed Project Lookout, with helping it rapidly find some people with relevant information in the crisis atmosphere right after the terror attacks. MGM Mirage said it has tipped off the FBI at least six times since beginning to track hotel and casino guests against the list.
The FBI and other investigative agencies _ which were criticized after Sept. 11 for not sharing their information enough _ are exploring new ways to do so, including mining corporate data to find suspects or spot suspicious activity. The Pentagon is developing technology it can use to sweep up personal data from commercial transactions around the world. "Information sharing" has become a buzzword. But one significant step in this direction, Project Lookout, is in many ways a study in how not to share intelligence.
The watch list shared with companies _ one part of the FBI's massive counterterrorism database _ quickly became obsolete as the bureau worked its way through the names. The FBI's counterterrorism division quietly stopped updating the list more than a year ago. But it never informed most of the companies that had received a copy. FBI headquarters doesn't know who is still using the list because officials never kept track of who got it.
"We have now lost control of that list," said Art Cummings, head of the strategic analysis and warning section of the FBI's counterterrorism division. "We shouldn't have had those problems."
The bureau tried to cut off distribution after less than six weeks, partly from worry that suspects could too easily find out they had been tagged. Another concern has been misidentification, especially as multipart Middle Eastern names are degraded by typos when faxed and are fed into new databases.
Then there's the problem of getting off the list. At first the FBI frequently removed names of people it had cleared. But issuing updated lists, which the FBI once did as often as four times a day, didn't fix the older ones already in circulation. Three brothers in Texas named Atta _ long since exonerated, and no relation to the alleged lead hijacker _ are still trying to chase their names off copies of the list posted on Internet sites in at least five countries.
Some officials at the U.S. Customs Service, the Office of Homeland Security and the FBI's own Criminal Justice Information Services Division doubt the wisdom of circulating watch lists widely, and some say they didn't even know about Project Lookout. Civil libertarians worry about enlisting companies to track innocent people for the government. Many companies say they need to be insulated from liability if they're expected to share data on people with the government.
Before Sept. 11, the government rarely revealed the names of terrorism suspects to companies. The exception was when it had a subpoena for specific information the government believed a company had about a person under investigation. But after the attacks, counterterrorism officials were concerned that members of terrorist cells could have slipped undetected into companies or communities. They feared that by the time they figured out where to direct subpoenas, the suspects could get away or even stage another attack.
Holed up in a "strategic information and operations center" in Washington, a small circle of FBI officials decided on Sept. 15, 2001, to put out a broad headsup to state and local police and to trusted companies. "We're not playing games here. This was real life. We wanted as many people as possible to know this is who we wanted to talk to," said Steven Berry, an FBI spokesman.
Agents cast a wide net that, by its nature, included scores of innocent people. They started by using record searches and interviews to identify "anybody who had contact" with the 19 hijackers, Cummings recalls. Kevin Giblin, chief of the terrorist warning unit, decided that car rental companies and local police should be the first outside of the airlines to get the list. One firm that received it, Ford Motor Co.'s Hertz unit, said it checked the list against its records and told the FBI of any matches, but then let the list lie dormant.
Trade groups proved a quick way to spread the word. The FBI gave the list to the Transportation Department. It shared the names with the American Trucking Associations, which promptly e-mailed the list to nearly 3,000 trucking companies. The International Security Management Association, an elite group of executives at 350 companies, put the list on a password-protected part of its Web site, allowing members to scan it in private, members say.
On their own, FBI field agents shared the list with some chemical, drug, security guard, gambling and power plant companies, according to interviews with companies.
Giblin said that by Oct. 23, 2001, he had notified police agencies that the bureau was no longer looking for the people on the watch list. But he made no arrangements to tell businesses. Indeed, Southern Co. didn't receive its list until November 2001, when FBI field agents in Alabama asked the power company to "see if any folks on the list . . . had (customer) accounts," said a company spokeswoman, Laura Varn. The FBI declined to comment on the timing.
Giblin said the bureau stressed to recipients that the people named weren't all suspects. "This wasn't a blacklist," he said.
Mark Deuitch landed on the list. A financier from Boone, N.C., he works on deals for Middle Eastern investors. On Sept. 11, he was scheduled to begin a flight that would take him to Washington _ using a ticket purchased by a Saudi business partner. After interviewing Deuitch, the FBI removed his name.
But even now, Deuitch said, nearly every time he does a Google search of the Internet, he finds another version of the list that still has his name on it. He said he is searched so often at airports that he has curtailed his flying. He said it once took him nearly two hours to get a rental car from Budget in Florida. Budget Group Inc. had no comment about Deuitch's experience except to say it gave the FBI historical reservations data right after Sept. 11 and "we have not been asked in recent months to assist the FBI in this manner." Deuitch said his worst fear is "an unstable person getting hold of the name and wanting to take some sort of revenge."
The initial list also named Asem Atta. Atta, a Pakistani programmer who once worked for Enron Corp., wasn't hiding. The FBI later removed Atta and two brothers from updated versions of the watch list.
The brothers declined to comment, but Rhonda Atta, the U.S.-born wife of one of them, recently called the FBI to complain about several lists that still include the brothers. She cited an Italian Web site and one in Mexico. She said an FBI agent in Texas told her it didn't have control over those sites and she needed to write the sites.
By the time the FBI tried to close out its list, at least 50 versions were floating around, say people who saw numbered ones.
Some companies were asking software firms such as Systems Research & Development how to make better use of the lists. SRD, which is financed in part by a venture-capital arm of the Central Intelligence Agency, has a program called NORA, for Non-Obvious Relationship Awareness. It mines data to detect hard-to-see links between people, such as use of the same residence or phone number.
MGM Mirage _ which was already using NORA to check hotel and casino guests' names against a lot of lists, such as those of people whose assets have been frozen _ began using the software with the FBI watch list. This is how Patricia Fischer, an MGM surveillance executive, got a computer alert this summer about the gambler at the New York-New York casino. She decided the gambler's link to the watch list was too tenuous to pass on to the FBI: The man merely lived in an apartment building across the street from someone whose name once had been on the list but had been removed. NORA software had made the link.
If the government decides to disseminate watch lists in the future, it won't face high legal hurdles, said Daniel Ortiz, a law professor at the University of Virginia. He said someone who appears wrongly on a watch list could ask for a correction but couldn't prevent the list's circulation or sue the government for damages under current privacy laws. The government just has to be careful not to single people out solely on race or ethnicity.