INTELLIGENCE ANALYSIS OF DOMESTIC TERRORISM
"We have to be right a thousand times a day; the terrorist only has to be right once" (Tom Ridge)

    Intelligence is the first level of protection against domestic terrorism.  The "human factor" is especially important here since protection within a nation's borders cannot or should not rely solely upon technology.  It might be appropriate to put the whole of another (enemy) nation under electronic surveillance, but it's not appropriate to do that with your own citizens.  This means that domestic counterterrorism and counterintelligence must by necessity be labor-intensive, employing a lot of people -- and the right people -- high-level professionals with good, quality training.  Because more complexities surround the "sources" which are involved with domestic intelligence gathering, the work of an analyst in this area can be quite laborious and unexciting.  Of course, material can still be collected overtly or covertly, and the twin purposes of collecting intelligence data remain intact -- for tactical or strategic reasons, but special care should be taken with the strategic purpose, which refers to the long-term collection of intelligence over time for producing sound judgments with respect to long-range law enforcement objectives and goals.  By comparison, tactical intelligence simply involves collecting enough information to effect arrest and prosecution.  The following are some typical "sources" of domestic intelligence data:

    Interviewing and interrogation (along with records checks) are the most commonly used techniques, followed closely (if not surpassed) by the use of informants.  Although one may encounter a proud and talkative suspect (e.g., "I'm a domestic terrorist and proud of it"), one is more likely to encounter a "street sophisticated" suspect who knows their rights and police procedures inside and out.  Chances are that the best which can be lawfully and successfully obtained from such a suspect are "res gestae" or spontaneous utterances obtained through ingenuity.  Also, in grand jury or regular court proceedings, the typical domestic terrorist will not recognize the legitimacy or authority of the court's jurisdiction.  These are delaying tactics, for the most part, and criminal justice officials should give careful consideration to matters of immunity and whether civil and/or criminal contempt proceedings are pursued.  Immunity, like contempt, comes in two forms.  There is "blanket" (transactional) immunity and "use" (anything said cannot be used against them, but independently derived evidence can) immunity.  Civil contempt proceedings are quite informal, with repeated remand procedures in order to compel or cajole testimony, while the purpose of criminal contempt proceedings is punitive, to be used when there is no hope of ever getting testimony and an example must be made in the name of deterrence.  Immunity bargains, like plea bargains (which are quite common in this area), should be regarded as unfair and unsatisfactory devices to be used sparingly and where absolutely required.  Thought should be given to using "voluntary" informants who have credibility with nothing to hide.

    The "informer's privilege" as it is called (McCormack 2005) is invoked by the government whenever a probable cause challenge on the part of the defendant attempts to discover information that might shed light on the background of the investigation.  This privilege does not allow the government to use anonymous testimony at trial.  It does NOT trump the Sixth Amendment right to confrontation. It means that if the informant's information is to be used and kept secret, prosecution and subsequent conviction MUST be based on other admissible information developed from the informant's information.  Using informants as well as undercover operations are procedures which leave behind the realm of "least intrusive" techniques and enter the realm of "moderately intrusive" techniques, according to the typology of least - moderately - highly intrusive (Thornburgh 1989).  DOJ as well as JTTF guidelines call for the use of risk assessment before any "moderately" or "highly" intrusive procedures are used.  Risk assessment, in general, operates on the following basic principle -- level of threat x chances of threat being carried out = level of risk.  There is more to it, of course, and a critical point for the "highly" intrusive category involves consideration of whether the information sought can be effectively obtained by any other means (i.e., the so-called "exhaustion" requirement that law enforcement exhaust other means).  In addition, the timeliness of information and its relevance to ongoing operations or national security interests are further considerations.  
This latter point is worth elaborating upon since in the typical defense of a domestic terrorism trial (any terrorism trial for that matter), the defense counsel usually not only files for suppression of evidence on constitutional grounds, but sees it as an opportunity to file FOIA (Freedom of Information Act) requests which presumably expand privacy rights and dismantle or draw attention to the national security apparatus (amicus curiae briefs are also usually filed along these lines).  Certain law enforcement exemptions exist in FOIA law, but some courts have not been all that supportive of the exemption, especially when outrageous government conduct is involved.  Cases are also frequently lost when it is discovered in court that the government has thousands of hours of surveillance tapes or footage.  In such cases, juries become sympathetic to the defendant(s), more so than they may be already given the common practice of change of venue which not uncommonly places the trial in a more sympathetic location.

Outrageous Government Conduct and Entrapment

     Outrageous government conduct is a variation of the entrapment defense. With the former, the focus is on the government rather than the mind of the defendant. The principle is that when government behavior is so offensive and so outrageous, it cannot be the basis for collecting evidence to prosecute or convict a suspect. Examples might include coerced police infiltration and/or instances of undercover policing involving romantic liaisons. Some states recognize the defense while others don't.  Entrapment is a perfect defense (the defendant "walks").  Technically, it's a way to shift the burden of persuasion back to the prosecution, as in insanity law.  The entrapment defense is not a constitutional right. It's a 20th Century invention that has its origins in sympathy for the accused. The principle, if there is one, is that of balancing limited sympathy for the accused with the needs of law-abiding citizens. It also depends on the crime, and specifically the factual predicate offense or nexus to crime-related activity (leading up to terrorism).  The predicate offense can NOT be based on a legitimate exercise of First Amendment freedoms. The law also looks negatively at police entrapment in cases of consensual, victimless crimes. In order for an entrapment defense to work, police must have initiated the encouragement of crime, specifically by any of the following:
  • pretending to be victims

  • enticing suspects to commit crimes

  • communicating the enticement to suspects

  • influencing the decision to commit crimes

  • making repeated requests to commit a crime

  • forming personal relationships with suspects and appealing to the personal

  • promising benefits from committing the crime

  • supplying essential materials and/or contraband to complete the crime

    As a matter of policy, investigation should begin with the least-intrusive method, and having exhausted those, turn to other methods to gather more useful and relevant information.  So-called "fishing expeditions" are not allowed, and a "good faith" assumption prevails that law enforcement will pursue specific rather than general information.  Also, at this point (if not earlier), attention should be paid to the labeling or classifying of reports generated (i.e., FILING SYSTEMS).  Open source material, in this regard, presents a special problem.  These materials are best indexed and stored in a case subfile, separate from any closed-source law enforcement sensitive information.  The same procedure should be followed for informant files (subfiles) because discovery rules of evidence may exempt certain subfiles but not main files, or vice-versa, depending upon how the judge sees things.  In general, the following rules govern non-disclosure:

THE ROLE OF THE FBI

    The FBI (Federal Bureau of Investigation) is the lead agency for the investigation of domestic terrorism.  If explosive devices are suspected to be involved, the FBI will collaborate with the ATF, and there may be other instances of information sharing at state and local levels.  The FBI, however, is specifically tasked and funded for specialized units to deal with domestic terrorist threats.  This means that should another law enforcement agency identify an individual or group engaged in suspected domestic terrorism, they are to notify the FBI immediately.  JTTFs (Joint Terrorism Task Forces) are set up throughout the U.S. in strategic, geographical areas, and several support units also exist at Quantico and elsewhere (e.g., CIRG - Critical Incident Response Group, NCAVC - National Center for Analysis of Violent Crime, ABIS - Arson Bombing Investigative Services, and CIA - Criminal Investigative Analysis program).  In addition, the FBI has long maintained an on-line computer database known as the Terrorist Information System (TIS) which contained information on suspected terrorist groups and individuals (currently, the best domestic terrorism database is the Terrorism Knowledge Base (START Database)).  Other "war room" capabilities exist within the FBI, such as the Terrorist Threat Integration Center - TTIC, and the multi-crisis Strategic Operation Information Center - SOIC.  For many years, the FBI was somewhat hamstrung in its capabilities to carry out domestic counterterrorism, in part due to backlash from the Hoover administration legacy (of which FOIA is a part), but also in part due to the guidelines issued by Gerald Ford's Attorney General Edward Levi in 1976.  These guidelines were modified in 1983 by Ronald Reagan's Attorney General, William French Smith.
The Levi guidelines were restrictive and cumbersome, while the Smith guidelines essentially allow the FBI to be pre-emptive and carry out "terrorism PREVENTION" (i.e., "the FBI does not have to wait for blood in the streets before it can investigate" or "in its efforts to anticipate or prevent crimes, the FBI must at times initiate investigations in advance of criminal conduct.")  In addition, new powers granted to law enforcement under the Patriot Act may afford the opportunity to obtain FISA-like warrants for eavesdropping purposes, or at least Title III warrants if a predicate crime (like threats against a public official, civil rights conspiracies, conveying false information, piracy and privateering, racketeering, material support to terrorism, and treason, sedition, or subversive activities) can be identified (Cole & Dempsey 1999).  The FBI, often in conjunction with their state counterpart agencies, will also usually have the last word on whether it is too dangerous or not to attempt infiltration.

    The FBI can easily open a domestic terrorism investigation.  Nothing in law prohibits the FBI from opening investigations based on open source material or reports from private civil rights groups like the Southern Poverty Law Center as well as other "watchdog" groups. The FBI can open an investigation based on any credible source, including news reports.  Terrorism prevention is an emerging discipline, but basically and in principle, it is the opposite of post-incident investigation.  It is also an important part of homeland security initiatives, encapsulated in such documents as PDD-39 (U.S. Policy on Counter-terrorism), parts of which are classified. According to Vohryzek-Bolden et al. (2001), the FBI conducts domestic terrorism investigations under three (3) classifications:

    (1) Terrorist incidences -- these are violent acts or predicate crimes in furtherance of political or social objectives that are dangerous to human life.
    (2) Suspected terrorist incidents -- these are potential acts of terrorism, which because of their circumstances, indicate that a known individual or group is involved in a pattern of force, violence, intimidation, or preparation towards a target resulting in furtherance of their political or social objectives.
    (3) Terrorist incidents -- these are the things to be prevented, and consist of documented instances in which a violent act is in preparation or about to be carried out by a known or suspected terrorist group or individual with the means and proven propensity to carry out the act.

    Profiling is an important part of terrorism prevention.  Ronczkowski (2004) provides a good guide to this complex area where, with domestic terrorism especially, typologies are difficult because offenders typically do not show all the common traits necessary for a perfect fit in each category.  Lifestyle factors and other "red flag" indicators (as commonly used in white collar investigation) represent an emerging, new, non-trait approach to terrorist profiling.  Current research has also looked at "pre-incident" indicators.  However, the standard personality (or trait) approach is unlikely to go away, since it has some proven utility, as it has had for serial crime investigation.  Some common trait factors with domestic terrorists are rugged individualism, anti-intellectualism, a dislike of government bureaucracy, an attraction to conspiracy theories, and of course, racism.  Social class membership may be across the board, but certain "drift" background elements are usually present in social histories.

    Controversies over profiling are abundant.  There is really no "right" or "wrong" way to do domestic terrorist profiling correctly, but a few comments are in order about this.  Like with much of law enforcement's self-made expertise in cybercrime, there's a lot that can go wrong with amateur dabbling.  Too often in domestic terrorism, the most readily available profiling criterion is race or religion, and even though those might be the most salient factors, there is a strong appearance of impropriety given false impressions which would reverberate throughout society that persons of certain religions or race were more criminal somehow; i.e., so-called "ethnic profiling."  It is also difficult to distinguish extremism from its "fringe" elements, although the likelihood of particular weapon usage may be a fine indicator.  However, less experienced experts usually only look at the degree of conspiratorial delusion and irrationality, but by definition, you can't  (or shouldn't) predict or profile anything that's too delusional or irrational.  There's an abundance of literature in the field of conspiracy theory by those who've tried nonetheless (e.g., Robins & Post 1997; Knight 2001).  Laqueur (1999) does a good job of using destructiveness as a profiling criterion, for example.  Leadership and organizational structure are better criteria.  Most domestic terrorist leaders exercise some restraint from violence, and it's the "lone wolf" who represents the most threat, but the problem becomes establishing a "leaderless leadership" link.  Body counts also seem to be important to domestic terrorists, and there may exist a preferred range in the number of victims which can be analyzed in terms of weaponry, say, in terms of chemical agents that kill thousands, or radiological "dirty bombs" which are hard to clean up.  
Cyberterrorism is also a "natural" habitat for domestic terrorism since viruses and logic bombs can be set to detonate at certain times, perhaps on a significant anniversary date for the group.  Specialized weaponry with advanced Swiss or technological timers are likely to indicate a military connection, hence DOD involvement in the investigation is not only a good idea, but a necessity. 

THE INTERNET AS A SOURCE OF INFORMATION

    The Internet can be a valuable source of information about domestic terrorism.  However, it can also be an unreliable source.  Take news media releases, for example.  Domestic terrorist groups are well-known to be involved in hoaxes and deliberate disinformation.  Counterintelligence is therefore called for, representing a significant overlap area with criminal intelligence.  Chances are that the more reliable transmissions are to be found in relatively spontaneous comments on discussion boards and/or in emails, the latter of which can be decrypted (if necessary) and traced.  However, an investigator of domestic terrorism who uses the Internet is likely to have a target-rich environment.  There is much content, but the hard work is in assessing the reliability of the source.  The analyst should be aware of Denial and Deception operations.  These can be divided into two subsets: "Denial" – measures taken to protect secrets through concealment, camouflage, and other activities that degrade collection systems; and "Disinformation" – operations that feed analysts false or partly false information through the use of intriguing content, double agents, and/or manipulation of the communications channel.  Here are some warning signs that a denial and deception operation might be active:

    Uniform procedures when analyzing Internet content are worthwhile.  The objective is to collect A-1 (Reliable and Confirmed) information that can be used to protect the public and suppress criminal operations (Struve 1994).  Further, there are various analytical schemes which can be used to determine reliability.  One of these (see Davis 1992; 1997) was devised by Sherman Kent, a Yale professor.  His method of balancing mathematics with verbal probability is sometimes referred to as the "Kent" or "Yale" method:

100% -- certainly
93% give or take 6% -- almost certainly
75% give or take about 12% -- probably
50% give or take about 10% -- chances about even
30% give or take about 10% -- probably not
7% give or take about 5% -- almost certainly not
0% -- impossible

Also from Davis (1997), the following terms have some standardized definitions in intelligence work:

    Luca (1998) illustrates the standard law enforcement methods of source reliability, content validity, and classification of information, as follows:

 

Source Reliability

1. Reliable -- the reliability of the source is unquestioned or has been well tested in the past
2. Usually reliable -- the reliability of the source can usually be relied upon as factual, and the majority of the source information provided in the past has proven to be reliable
3. Unreliable -- the reliability of the source has been sporadic in the past
4. Unknown -- the reliability of the source cannot be judged, and neither experience nor investigation can help determine its authenticity or trustworthiness

Content Validity

1. Confirmed -- an investigator or another independent, reliable source has corroborated the information
2. Probable -- the information is consistent with past accounts
3. Doubtful -- the information is inconsistent with past accounts
4. Cannot be judged -- the information cannot be judged because neither experience nor investigation has yet determined its authenticity

Classification System

1. Sensitive -- the highest classification level used in civilian law enforcement, and intended to be disseminated to law enforcement only, but on occasion, one might see "For Commander's Eyes Only" or "Destroy After Reading" (federal equivalent is roughly Top Secret)
2. Confidential -- information for law enforcement use only but not otherwise designated as sensitive (federal equivalent is roughly Secret)
3. Restricted -- when information is intended for sharing between law enforcement agencies, and is nonconfidential (federal equivalent is roughly Confidential)
4. Unclassified -- when information comes from a public source that the public has, or had, access to (federal equivalent is roughly Official Use Only)
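
The Kent bands and the source reliability and content validity ratings listed above can be applied mechanically, which shows where the scales still leave a decision to the analyst. The following Python code is an added example, not part of the original notes or of any agency's system; the A-D letter mapping, the report records, and all function names are assumptions made for illustration.

```python
# Added example: Kent's estimative bands plus Luca's source/content ratings.
# Band centres and tolerances are the ones listed on this page.
KENT_BANDS = [
    (100, 0, "certainly"),
    (93, 6, "almost certainly"),
    (75, 12, "probably"),
    (50, 10, "chances about even"),
    (30, 10, "probably not"),
    (7, 5, "almost certainly not"),
    (0, 0, "impossible"),
]
SOURCE_RELIABILITY = ["Reliable", "Usually reliable", "Unreliable", "Unknown"]
CONTENT_VALIDITY = ["Confirmed", "Probable", "Doubtful", "Cannot be judged"]


def kent_terms(percent):
    """Return every Kent term whose band contains `percent` (0-100).

    No term means the value falls in a gap between bands; two terms mean it
    sits on an edge shared by neighbouring bands.
    """
    if not 0 <= percent <= 100:
        raise ValueError("probability must be between 0 and 100 percent")
    return [term for centre, tol, term in KENT_BANDS
            if centre - tol <= percent <= centre + tol]


def kent_gaps():
    """Return the (low, high) intervals, endpoints excluded, no band covers."""
    spans = sorted((c - t, c + t) for c, t, _ in KENT_BANDS)
    gaps, covered_to = [], spans[0][1]
    for low, high in spans[1:]:
        if low > covered_to:
            gaps.append((covered_to, low))
        covered_to = max(covered_to, high)
    return gaps


def evaluation_code(source, content):
    """Combine the two ratings into a code such as 'A-1'.

    Assumption: letters A-D follow the order of the source list and digits
    1-4 the order of the content list, consistent with the page's
    'A-1 (Reliable and Confirmed)'. An unlisted rating raises ValueError.
    """
    letter = "ABCD"[SOURCE_RELIABILITY.index(source)]
    digit = CONTENT_VALIDITY.index(content) + 1
    return f"{letter}-{digit}"


def assess(report):
    """Grade one report and flag what still needs an analyst's decision."""
    code = evaluation_code(report["source"], report["content"])
    terms = kent_terms(report["percent"])
    return {
        "id": report["id"],
        "code": code,
        "terms": terms,
        "meets_a1": code == "A-1",             # the stated collection objective
        "wording_unsettled": len(terms) != 1,  # gap or shared band edge
    }


# Constructed sample reports (not real data).
SAMPLE_REPORTS = [
    {"id": "R-001", "source": "Reliable", "content": "Confirmed", "percent": 93},
    {"id": "R-002", "source": "Usually reliable", "content": "Probable", "percent": 87},
    {"id": "R-003", "source": "Unknown", "content": "Cannot be judged", "percent": 15},
]

if __name__ == "__main__":
    print("uncovered intervals:", kent_gaps())
    for rep in SAMPLE_REPORTS:
        print(assess(rep))
```

Estimates such as 87% or 40% sit on an edge shared by two bands, and estimates such as 15% or 61% fall between bands, so the verbal term in those cases is a judgment the scale itself does not make.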

     

SECRECY AND SECURITY

 

    Leaks are common in domestic terrorism investigations.  Therefore, how much intelligence sharing should go on between law enforcement agencies, and even judges, is an issue.  Secrecy and security are important. Certain federal employees and certain employees in the private sector are required to have security clearances because their job requires them to have access to classified documents. Various other jobs take place in secured facilities. The occupant of any such job is said to hold a "sensitive" position, defined as "any position, by virtue of its nature, could bring about a material adverse effect on national security."  At any given time, there are about 3 million people with security clearances. In addition, there are about 2 million security clearances in the hands of private contractors and consulting firms. Contractors participate in what is called the industrial security program administered by the Defense Industrial Security Clearance Office (DISCO) which is part of the Joint Information Systems Technology (JIST), a military agency. 

    One out of every thirty Americans has some sort of security clearance. It has been estimated that one out of every thousand can be expected to compromise the secrets they are entrusted with. Some need money, some can be blackmailed, some are disgruntled and want revenge, and some are just sloppy. America, in many ways, is a prime target for espionage aimed at unveiling secrets.  A security clearance is technically a license issued by a department head of a department, division, or agency of the government, and the type of security clearance one can be approved for depends upon the department, division, or agency involved.  Wikipedia has a really good article on Classified Information Systems, but typical levels of security clearances are as follows:

    The confidential security clearance is the easiest to obtain whereas other classifications will almost always involve a background check which may be conducted by the agency itself or outsourced.  Certain clearances, like with the FBI, the Energy Dept., and the State Dept.  Secret (sometimes called "ordinary secret") and top secret classifications almost always have some amount of military involvement in the clearance process.  One of the differences between secret and top secret is how "expansive" the background check is, i.e., how far and deep the investigation goes into your dependents, friends, and relatives.  SCI classifications are only cleared for a few people, and the background investigation process as well as the continual monitoring is extremely intensive.  The amount of time it takes to receive a security clearance is usually 6 months to a year, if all goes well. Rarely if ever are temporary clearances granted while waiting for the review process to conclude.

    There are things in a domestic terrorism trial which the government doesn't want made public.  These include things like the identities of informants, the exact nature of the surveillance technology used, and in addition, the exact nature of any explosive devices (like recipes for C4) or military equipment which may be in the hands of the defendant(s).  None of these things should be described in any detail, and the Classified Information Procedures Act (CIPA), 18 U.S.C. App. IV, adopted in 1980, spells out the provisions for in camera proceedings in this regard.  It leaves a lot of discretion up to the judge.  If the judge agrees that the secret information would not be helpful to the defense, that is the end of the matter.  If it would be helpful, but a substantial equivalent can be provided by redaction (or blanking out) of certain sections, the judge can so order.  If a judge deems the information is necessary for a "best defense," then the government has the choice to reveal the secrets, or dismiss the prosecution.  Most of the time with the latter, such prosecutions are dismissed.

INTERNET RESOURCES
ADL Domestic Terrorism Page
ANSIR (Awareness of National Security Issues and Response)
CloseUp Foundation Domestic Terrorism Data Site
Domestic Extremism Watchdog Groups

Emergency.com's Counterterrorism N. America Chronology
Hate Crimes Research Network
Project Megiddo (Millennial Threats)
Rise of Domestic Terrorism and Its Relation to US Armed Forces
Secret Service FOIA Page

Southern Poverty Law Center

PRINTED RESOURCES
Cole, D. & Dempsey, J. (1999). Terrorism & the Constitution: Sacrificing Civil Liberties in the Name of National Security. Tallahassee: First Amendment Foundation.
Crank, J. & Gregor, P. (2005). Counterterrorism After 9/11: Justice, Security, and Ethics Reconsidered. Cincinnati: LexisNexis Anderson.
Davis, Jack (1992). "The Kent-Kendall Debate of 1949."  Studies in Intelligence Vol. 36 No. 5 (1992), 91-103.
Davis, Jack. (1997). A Compendium of Analytic Tradecraft Notes. Directorate of Intelligence: CIA Center for the Study of Intelligence.
Deflem, M. (Ed.) (2004). Terrorism and Counter-Terrorism: Criminological Perspectives. San Diego: Elsevier.
Dyson, W. (2001). Terrorism: An Investigator's Handbook. Cincinnati: Anderson.
Ignatieff, M. (2004). The Lesser Evil: Political Ethics in an Age of Terror. Toronto: Penguin Canada.
Johnson, Edgar. (1974). Effects of Data Source Reliability on Inference. Technical Paper #251 US Army Research Institute for the Behavioral and Social Sciences.
Knight, P. (2001). Conspiracy Culture: From Kennedy to the X-Files. NY: Routledge.
Kushner, Harvey. (2003). Encyclopedia of Terrorism. Thousand Oaks, CA: Sage.
Laqueur, W. (1999). The New Terrorism. NY: Oxford Univ. Press.
Levitas, D. (2002). The Terrorist Next Door. NY: Thomas Dunne Books.
Luca, R. (Ed.) (1998). Criminal Intelligence Programs for the Smaller Agency. Sacramento: California Peace Officers Association.
McCormack, W. (2005). Legal Responses to Terrorism. Dayton, OH: LexisNexis Matthew Bender.
Perlmutter, D. (2004). Investigating Religious Terrorism and Ritualistic Crimes. Boca Raton, FL: CRC Press.
Peterson, M. (1994). Applications in Criminal Analysis. Westport, CT: Praeger.
Robins, R. & Post, J. (1997). Political Paranoia: The Psychopolitics of Hatred. New Haven: Yale Univ. Press.
Ronczkowski, M. (2004). Terrorism and Organized Hate Crime: Intelligence Gathering, Analysis, and Investigations. Boca Raton, FL: CRC Press.
Simon, J. (1994). The Terrorist Trap. Bloomington, IN: Ind. Univ. Press.
Snow, R. (1999). The Militia Threat: Terrorists Among Us. New York: Plenum.
Struve, D. (1994). Criminal Intelligence Guidelines. Sacramento: Attorney General's Office.
Thornburgh, D. (1989). The Attorney General's Guidelines on General Crimes, Racketeering, Enterprise and Domestic Security and Terrorism. Washington DC: Office of the Attorney General. [available online]
Vohryzek-Bolden, M., Olson-Raymer, G. & Whamond, J. (2001). Domestic Terrorism and Incident Management. Springfield, IL: Charles C. Thomas.

Last updated: Aug 26, 2010
Not an official webpage of APSU, copyright restrictions apply, see Megalinks in Criminal Justice
O'Connor, T.  (Date of Last Update at bottom of page). In Part of web cited (Windows name for file at top of browser), MegaLinks in Criminal Justice. Retrieved from http://www.drtomoconnor.com/rest of URL accessed on today's date.