In the system

The saga of Khalid S.S. Al-Draibi offers some cautionary insight into the power of technology in the war against terrorism.

Al-Draibi caught the attention of police as his aging Lincoln Town Car limped through Manassas Park, Va., on a flat tire in the dark last Sept. 11. Suspicion quickly turned to alarm when police discovered multiple driver's licenses and Arabic- language flight manuals in his car.

Thirty miles to the east, the Pentagon was still burning where a hijacked airliner had plowed into it 13 hours earlier. The plane had taken off from Washington Dulles International Airport, just north of Manassas Park.

After being questioned by local police, Al-Draibi was handed over to the FBI.

In the days after his arrest, searches through government and commercial databases yielded a wealth of information on Al-Draibi. Cross-checks of his name, address and Social Security number revealed 10 aliases and at least three Social Security numbers. And although Al-Draibi said he was from Saudi Arabia, some of his driver's license applications said he was from Yemen.

Further searches disclosed unpaid traffic fines and missed court dates, and the fact that he was wanted by the Immigration and Naturalization Service.

At least some of the damning data on Al-Draibi was uncovered by LexisNexis, a company that boasts "the world's largest collection of legal, business, and U.S. and global public records data." After Sept. 11, a LexisNexis risk management team donated its services to the FBI's Internet Fraud Complaint Center in West Virginia, and the complaint center turned its attention from fraud to terrorism.

Using its SmartLinx system, LexisNexis combed databases and discovered Al-Draibi's multiple Social Security numbers and identities, and the fact that he lived in an apartment where six motor vehicles were registered.

LexisNexis highlighted its database detective work in publicity pitches for its SmartLinx services.

But what LexisNexis did not discover — and the FBI subsequently did — was that Al-Draibi was not involved in the Sept. 11 attacks. And so after serving a four-month jail term for immigration violations, Al-Draibi was simply deported.

LexisNexis is just one of many companies touting its information technology as a critical new weapon in the war against terrorism. From the data warehousing giant Acxiom Corp. to search-engine maker Dynamic Information Systems Corp. (DISC), high-technology corporations are eager to enlist in the fight for homeland security.

That trend alarms privacy advocates, who worry that government agencies are already gathering too much personal information from commercial databases. According to the Electronic Privacy Information Center, federal law enforcement agencies have begun using commercial databases to circumvent the 1974 Privacy Act, which restricts government agencies from collecting such data on their own.

Database companies disagree.

Data on Demand

"Information is the most powerful weapon in America's fight against terrorism," said Jerry Jones, a business development executive at Acxiom. But privacy laws, deficient government data systems and the nature of terrorism block the full use of IT as a weapon.

Nevertheless, homeland security has become a hot new market for technology vendors.

Officials at Acxiom, which now uses vast stores of consumer data to peddle credit cards, verify auto insurance applications and market the Democratic Party, say the same information could be used to screen airline passengers for suspected terrorists.

Vality Technology Inc. declares that its Veri-Quest software can alert banks, stockbrokers, universities and others in real time when they are dealing with individuals or companies on the Treasury Department's Office of Foreign Assets Control watch list.

Meanwhile, DISC officials say their firm's Omnidex search could link the databases of the CIA, FBI, INS and National Security Agency, enabling "integrated intelligence sharing."

DISC starts with the assumption that federal agencies have workable databases, said Dan McRae, national sales manager. But not all of them do.

INS, for instance, has no reliable database of foreign students, who enter the United States at a rate of 500,000 a year. Nor does it have a comprehensive database of foreign nationals who enter and exit the country on visas.

"Very antiquated," said INS spokeswoman Eileen Schmidt when describing the 20-year-old system used to track immigration matters such as visa extension requests. "The way the data is now kept, you can't pull up a specific case record," Schmidt said.

Because of poor recordkeeping, INS had no information on six of the 19 hijackers in the Sept. 11 terrorist attacks, according to Rep. Elton Gallegly (R-Calif.). The other 13 entered the country legally with visas, but when three remained in the country after their visas expired, INS had no way of knowing they were still here.

Legislation introduced by Gallegly in the House and by Sen. Dianne Feinstein (D-Calif.) in the Senate would provide INS with $32.3 million to construct a database to store information about visa applicants, including a biometric identifier such as a fingerprint or eye scan. It is expected to take at least two years to build such a database.

Meanwhile, INS is turning to the FBI for database help. INS Commissioner James Ziglar announced in December that the agency would add 314,000 names of foreign nationals who have overstayed their visas to the FBI's National Crime Information Center database. That would make the names available to federal, state and local police.

But the task of rounding up the names and entering them into the database is expected to take a year, according to agency officials.

The database situation is similarly grim at the State Department, according to Mike Hethmon, staff attorney at the Federation for American Immigration Reform.

The department uses a computer system it calls Viper to search for information on criminals and terrorists. But the system "was assembled piecemeal and is not uniformly available in all consulates," said Hethmon, who worked for the State Department in Saudi Arabia.

Thus, the 19 Sept. 11 hijackers passed through State Department screening and were issued visas to enter the United States even though two of them, including ringleader Mohamed Atta, were on intelligence agency watch lists, Hethmon said.

It was "a colossal intelligence failure," admitted Ambassador Mary Ryan, the State Department's assistant secretary of consular affairs. But during a Senate hearing last fall, she blamed the FBI and the CIA for refusing to share information.

That's a long-standing problem, according to Rep. Stephen Horn (R-Calif.). "It is clear that agency concerns over protecting 'turf,' or jurisdiction, have precluded any real progress toward developing a well-coordinated system to share intelligence information," said Horn, who convened a hearing on the issue in December.

The USA Patriot Act, one of the first anti-terrorism bills passed after Sept. 11, includes provisions intended to ensure that the State Department and INS obtain access to FBI criminal databases to better investigate foreign nationals before letting them enter the United States. But even if agencies were willing to share data, often they can't, said Horn, who is chairman of the House Government Reform Committee's Government Efficiency, Financial Management and Intergovernmental Relations Subcommittee.

"One might logically expect that the State Department, the FBI, the INS and the Customs Service would share intelligence," Horn said. "Despite the important role that each plays in deciding who and what enters the United States, their systems cannot communicate with each other.

"Over the years, federal agencies have independently built databases using various computer systems that simply do not speak the same language," he said.

That's not as big a problem as it appears, contends DISC's McRae. He says his com.pany's search engine can retrieve information from diverse databases despite format and language differences.

It can compare names — even similar-sounding ones — mul.ti.ple addresses, descriptions, digitized fingerprints and other information from multiple databases, he said. The search engine is fast enough to scan "billions" of airline passenger records for evidence of suspicious travel patterns even as ticket reservations are being booked, according to the company. It could also be used to detect suspicious financial trans.actions or to comb medical records for possible bioterrorism evidence.

Even if such technology makes it possible to connect disparate government databases, there are legal roadblocks, said Schmidt of INS. "A lot of the data is protected by the Privacy Act" of 1974, she said. "It would take a legislative change to give [other agencies] access to it."

Much of the information in databases is off-limits even to the FBI. "Unless there is a legal basis for doing so, we can't just on a hunch go poking through databases," said Paul Bresson, an FBI spokes.man in Washington, D.C.

Combing databases for evidence of crime "can be tricky," said James Lewis of the Center for Strategic and International Studies. "There is a difference between law enforcement and intelligence gathering."

Domestic intelligence gathering has been largely banned for several decades. "No agency does it now," said Lewis, a former employee of the departments of State and Commerce. Before agencies begin interconnecting databases and mining for information, they must develop clear rules on who can search and what the information they find can be used for, he said.

Care must be taken to avoid violating such fundamental elements of U.S. law as the Fourth Amendment to the Constitution, which guarantees against unreasonable searches by the government.

The private sector is far less encumbered. There, the Privacy Act and other such laws don't apply. Companies compile vast stores of consumer data that they routinely buy, sell and analyze for marketing purposes. Privacy advocates, such as David Sobel of the Electronic Privacy Information Center, worry that government agencies may hire companies to do their database snooping, effectively circumventing privacy laws.

And many in the private sector are eager to oblige. Acxiom, which uses databases to create phone directories and sell Mercedes-Benzes, now plans to use them to screen airline passengers.

Jennifer Barrett, Acxiom's chief privacy officer, said the company would cross-check passenger flight reservation data against public and private databases to compare names, addresses, telephone numbers, passport numbers, employment information, driver's license data and other information to verify identifications. Then names would be checked against databases of expired visas, criminal warrants and government watch lists, she said.

Barrett said the Federal Aviation Administration and the Transportation Department have expressed interest in the system, but the creation of the Transportation Security Administration has delayed sales prospects.

FBI computer specialist Roy Weise is not impressed. Such a system probably would ensure that the passengers boarding an airplane are who they say they are, agreed Weise, a senior adviser for the FBI's Criminal Justice Information Services. But that's no guarantee against terrorism.

A determined terrorist "is going to establish a background that looks good," he said.

The Sept. 11 terrorists, for the most part, "all led fairly ordinary lives while in the United States." For most of them, databases "didn't contain anything that stuck out and raised red flags," he said.

"It may be that a good system is able to come up with information on 90 percent of the passengers," Weise said. But what about the other 10 percent? On a plane with 200 passengers, that leaves 20 whom databases cannot account for.

But narrowing the field of suspicious passengers to 20 is enormously valuable, said James Vaules, chief executive officer of the National Fraud Center, a LexisNexis division that uses databases to detect identity fraud. It tells security personnel where to concentrate their efforts, he said.

The Air Transport Association of America has endorsed a similar proposal. ATA President Carol Hallett said aviation security officials should have access to such government data as arrest records, intelligence information, immigration and customs files and any other government data that might disclose information about airline passengers.

ATA also proposes creating a voluntary "trusted traveler card" that would serve as an identification card. To get one, travelers would have to provide extensive personal information and submit to fingerprinting or some other form of biometric identification. The data and biometric ID would be built into the card, which would be a tamper-resistant smart card.

Those with trusted traveler IDs could avoid long lines at security checkpoints.

Skeptics point out that terrorists who prepare for months or years to carry out an attack, as did those who struck Sept. 11, might also enroll in the trusted traveler system. In that case, the system could make it easier, not harder, for them to board an airplane.

At least one computer-driven passenger screening system is already in use, the FAA's Computer-Assisted Passenger Prescreening System.

All major airlines and 40 smaller ones use it to analyze information from passenger reservation databases to determine which luggage should be X-rayed.

Until Sept. 11, questions about the 5-year-old system focused on whether it too often singles out minorities for more rigorous screening. Since the hijackings, however, questions have turned to whether the system is effective.

For all of its promise, technology does not have all of the answers, concedes Vaules of the National Fraud Center. There is no obvious technology that would stop a terrorist like Oklahoma City bomber Timothy McVeigh, he said.

Nor is there one that can discern the intentions of Khalid S.S. Al-Draibi.