A recently leaked FBI watchlist seems to imply that the surveillance hawks in the federal government think that nearly two million people who either are in the United States or may want to travel here are terrorists. The leaked watchlist is compiled and maintained by the Terrorist Screening Center (TSC), which was set up by the FBI in the wake of 9/11. The TSC database also includes the “no-fly list” of those who have been tagged to keep them from boarding flights either to or within the U.S.
With 1.9 million names on the list, it appears that the FBI thinks there are enough terrorists to fill any one of several of America’s large cities. For instance, literally every man, woman, and child living in Dallas could be on that list and there would still be room on the list for another 600,000 terrorists. That is the population of Oklahoma City.
TSC shares information on suspected terrorists with the Department of State, Department of Defense, Transportation Security Agency (TSA), Customs and Border Protection (CBP), and a few international partners. The list is also used to determine who can and cannot fly to or within the United States. Before 2015, the list was completely secret. It is still classified, but since 2015, U.S. policy allows U.S. citizens in the United States to be privately informed that they are on the list. Those outside the United States — even some U.S. citizens — may be on the list without any knowledge of that fact until they attempt to board a flight to the United States.
As a point of clarification, this is not a list of people found guilty of (or even charged with) any crime, much less terrorism; it is a list of those suspected of being terrorists.
The leaked list was discovered and first reported by Volodymyr “Bob” Diachenko, head of security research at Comparitech. In an August 16 post on LinkedIn, Diachenko wrote that he discovered the leaked watchlist on July 19. The list had already been indexed by search engines Censys and ZoomEye — both of which are search engines tailored to the needs of Internet security specialists. Diachenko wrote:
On July 19, 2021 I discovered a terrorist watchlist containing 1.9 million records online without a password or any other authentication required to access it.
The watchlist came from the Terrorist Screening Center, a multi-agency group administered by the FBI. The TSC maintains the country’s no-fly list, which is a subset of the larger watchlist. A typical record in the list contains a full name, citizenship, gender, date of birth, passport number, no-fly indicator, and more.
I immediately reported it to Department of Homeland Security officials, who acknowledged the incident and thanked me for my work. The DHS did not provide any further official comment, though.
And though the list was searchable on those Internet security search engines — which are accessible by anyone, without the need of a password — and though Diachenko made DHS aware of this, the data remained available for another three weeks. Diachenko wrote:
On July 19, 2021, The exposed server was indexed by search engines Censys and ZoomEye. I discovered the exposed data on the same day and reported it to the DHS.
The exposed server was taken down about three weeks later, on August 9, 2021. It’s not clear why it took so long, and I don’t know for sure whether any unauthorized parties accessed it.
As to what was included in the exposed data, Diachenko wrote:
The exposed Elasticsearch cluster contained 1.9 million records. I do not know how much of the full TSC Watchlist it stored, but it seems plausible that the entire list was exposed.
Each record in the watchlist contained some or all of the following info:
Full name
TSC watchlist ID
Citizenship
Gender
Date of birth
Passport number
Country of issuance
No-fly indicator
Diachenko also noted that the list contained categorical fields that appear to be specific to the list, and therefore, not something he could identify. Those fields included “tag,” nomination type,” and “selectee indicator.”
The list, which has been a closely-guarded secret since its creation almost 20 years ago, was leaked, and DHS appears to have been completely unaware of the breach until Diachenko brought it to their attention. Then, it took another three weeks for DHS to bring down the server where the list was being made available.
As Diachenko states, it is notable that the database was not found on a U.S. ip address. The server is in the Middle-Eastern island nation of Bahrain.
So, the United States — which moves Heaven and Earth to spy on its own citizens via powerful and highly technological surveillance programs — appears not to have put the proper effort into protecting the secret data is spends so much time, effort and money to collect. Furthermore, as Diachenko points out:
The terrorist watchlist is made up of people who are suspected of terrorism but who have not necessarily been charged with any crime. In the wrong hands, this list could be used to oppress, harrass, or persecute people on the list and their families. It could cause any number of personal and professional problems for innocent people whose names are included in the list.
There have been several reports of US authorities recruiting informants in exchange for keeping their names off of the no-fly list. Some past or present informants’ identities could have been leaked.
That the leak of a classified “terrorist watchlist” went undetected and then remained online for three additional weeks after DHS was made aware is an indication that DHS cannot be trusted to protect the data of Americans. That this list certainly contains the names of innocent people is a foregone conclusion. That the leak endangers informants by exposing their names is a travesty.
And since the server where the leaked list was stored is in Bahrain, the above concerns are even further compounded. While Bahrain has close relations with the United States, the recent collapse of Afghanistan should serve as a reminder that in a region historically marked by political instability and radical Islamic ideology, allegiances can change quickly and national boundaries do not necessarily coincide with ideological boundaries.
