Read an Excerpt

Chapter 1

The Bad Guys Database

Acxiom, Arkansas and Washington, D.C., 2001

It was a crisp New England morning when Acxiom consumer No. 254-04907-10006 cleared the security checkpoint at Boston’s Logan Airport. Consumer No. 254-04907-10006 was a twenty-two-year-old Saudi national named Waleed al-Shehri. He was of slight stature and pale complexion and had been in the United States for only about five months on a tourist visa. But he had generated enough of a paper trail to be captured and indexed by Acxiom, which at the time was the world’s largest consumer data repository, holding billions of records on consumers drawn from corporate America as well as public records like court filings, voter registrations, and property deeds.

In his twenty weeks in America, al-Shehri had been busy. He had obtained two copies of the same Florida driver’s license (A426-893-78-460-0) with slightly mismatching addresses, giving him a duplicate that he could pass to an associate. He opened a bank account at SunTrust Bank in Florida (account number 0385008119775 linked to Visa debit card 4011 8060 7079 6163) and bought, insured, and then sold a 1993 Dodge Colt. He had bounced around motels and apartment complexes for weeks, generating even more records. The Bimini Motel and Apartments in Hollywood, Florida. Lago Mar Motel in Lake Worth. The Homing Inn in Boynton Beach. Lisa Motel and Apartment in Lake Worth. The DoubleTree in Lake Buena Vista. He’d availed himself of a number of services: a membership to the Body Perfect Fitness Center in Lake Worth and later the World Gym in Lantana. A Mail Boxes Etc. rental. He traveled extensively: to Freeport in the Bahamas, to Boston, to San Francisco, to Las Vegas. He made reservations at the Bahamas Princess Resort. Finally, he flew to the Boston area, where he checked into the 144-room Park Inn in Newton, Massachusetts, a leafy upscale suburb just outside the city. Six days later, he and the two men he’d been sharing a room with—his older brother Wail al-Shehri and a Saudi law school dropout named Satam al-Suqami—checked out of the motel. The trio headed for Boston Logan International Airport.

Corporate data banks were not the only computer systems to take note of al-Shehri. Somewhere in a database called the Computer-Assisted Passenger Prescreening System, or CAPPS, al-Shehri was flagged for additional screening as he made his way to his gate because something about his travel pattern had set off the system. However, under the security procedures in place at the time, additional screening applied only to checked luggage—not carry-on. Because al-Shehri had no checked bags, he cleared the security checkpoint without issue. The metal detectors at the time were calibrated to detect the metal content of a .22-caliber handgun, not blades like what the men were carrying. (Knives and other blades under four inches were permitted under the theory that they could not pose any serious danger if wielded as a weapon.)

Tucked away in yet another federal computer system run by the U.S. Immigration and Naturalization Service were other unusual records: U.S. government travel and visa files that showed al-Shehri shouldn’t even be in the country. He and al-Suqami had tried to visit the Bahamas a few weeks after al-Shehri arrived in America. They flew out of Miami, handing in their U.S.-government-issued travel authorizations. But once in Freeport, Bahamian authorities turned them away over their lack of visas, and they were forced to board the next flight back to the United States. Under U.S. law, they had never left America because they had never legally entered the Bahamas. But their reentry into the United States was never logged by the immigration computer systems. Their aborted trip to the Bahamas was shown as an exit. As far as the U.S. government was aware, neither of the two men strolling through Logan’s Terminal B were in the country at all.

At Logan Airport, the al-Shehri brothers and al-Suqami took their seats in business class of American Airlines Flight 11, offering nonstop service from Boston to Los Angeles. They were joined on that flight by two other associates: Mohamed Atta and Abdul Aziz al-Omari, both of whom had flown in from Portland, Maine, earlier that morning. About fifteen minutes into the flight, the five men sprang into action—stabbing two flight attendants, slashing the throat of a passenger in first class, and spraying a chemical irritant at the front of the plane to force the passengers and crew to the rear. As the plane passed near Albany, New York, the five hijackers had firmly established control. With Atta at the controls, they turned the Boeing 767 south toward New York City. Perhaps unfamiliar with the in-flight address system and intending to address the passengers and crew of Flight 11, Atta barked from the cockpit, “We have some planes. Just stay quiet, and you’ll be okay. We are returning to the airport. . . . ​Nobody move. Everything will be okay. If you try to make any moves, you’ll endanger yourself and the airplane. Just stay quiet.” But he transmitted it not over the intercom in the cabin but out over the plane’s external radio to other pilots and air traffic controllers—a chilling warning to the rest of the world that something was not right in the skies that September morning.

Why had none of the systems in place stopped them? It was a failure to connect the dots. The government had plenty of information, but it had failed to adequately capitalize on the disparate intelligence leads and anomalies in the data that already existed. The FBI knew, in the summer of 2001, that two of the hijackers, Khalid al-Mihdhar and Nawaf al-Hazmi, were al-Qaeda operatives who had entered the United States in January 2000. The bureau was actively hunting for al-Mihdhar in the days before al-Shehri and his associates destroyed the North Tower of the World Trade Center and left a gaping hole in the side of the Pentagon—scouring the country to see if al-Mihdhar was still there and to determine what his intentions were.

In fact, all summer long U.S. intelligence had been picking up vague and unspecific terrorist “chatter” warning of an unspecified threat to the homeland. President Bush’s August 6, 2001, daily intelligence briefing contained an item titled “Bin Ladin Determined to Strike in US.” That was the thirty-sixth time bin Laden or his al-Qaeda terrorist group had been mentioned in a presidential briefing in 2001. There was a memo from the Phoenix FBI field office, where an agent named Kenneth Williams warned in July that he believed the terrorist leader Osama bin Laden was trying to dispatch students to flight training in the United States. There was an FAA warning that same month of “reports of possible near-term terrorist operations” and ongoing threats against civil aviation, including the threat of hijacking. As the CIA director, George Tenet, later told the 9/11 Commission assembled to investigate the attacks about the increasingly dire intelligence warnings piled up on the desks of national security officials in the summer of 2001, “The system was blinking red.”

September 11 taught us something else, too: namely that data valuable in understanding the attacks wasn’t just hidden in government databases. In corporate America’s vast and growing collection of consumer data, there were patterns of bizarre behavior, unusual rentals, confounding address histories, and duplicate licenses. These were all potential signals to law enforcement or the intelligence community that something was potentially amiss—if only law enforcement had bothered to look. In the wake of the attack, the FBI put together a detailed chronology with 3,441 total entries chronicling the steps the hijackers had taken in their planning—bank transactions, travel records, hotel stays, gym check-ins, visa applications, and credit and debit card transactions that told the story of the attacks, from the date of the eldest hijacker Mohamed Atta’s birth in September 1968 to a handwritten letter the FBI found in a mailbox rented by some of the Florida-based hijackers, dated September 10, 2001, with a message to one of the hijackers: “Hammza, whatever you do, do not tell anyone what you are about to do tomorrow. Okay?” It was a chillingly detailed look at the years of planning that went into carrying out the attacks, much of it drawn from records maintained by corporate America.

And as the government soon found out, corporate America was eager to help.

At the heart of this story is a kind of company that few Americans give much thought to: data brokers. Beginning in the 1960s, these data warehousers sprang up to help America’s largest corporations advertise more efficiently. At first, these brokers were collecting fairly basic information: address history and some simple demographics. But as computers grew more powerful and digital storage grew cheaper, so did the capacity to collect and collate huge volumes of information and derive increasingly personalized insights from that data. Data brokers emerged to cater to advertisers’ demands for more and more detailed information on all of us.