Around the world, watch lists are a key but imperfect tool against terrorism.
Experts say simple issues like fickle spelling and incomplete data, as well as deliberate deception and uncooperative countries, all make it possible for a determined terrorist like Umar Farouk Abdulmutallab to slip through the net.
British officials are proud of their border-protecting list, which contains more than 1 million names, including that of Abdulmutallab. That didn't stop the young Nigerian boarding a plane for the United States elsewhere with explosives in his underwear — a stark reminder of the perils of flawed information-sharing and the limits of watch lists.
"It's not difficult to change your identity in the modern world," said Alain Chouet, former chief of the security intelligence service at France's counterintelligence agency, DGSE.
Analysts say intelligence tip-offs, information-sharing and data analysis are also vital to stopping terrorists, and Britain has announced an urgent review of its watch list system in the wake of the Christmas Day attack over Detroit.
The British list holds the names of everyone from suspected terrorists and radical clerics to wanted criminals and rejected visa applicants — like Abdulmutallab, who was added after being denied a student visa in May 2009 for applying to a bogus college.
The program, known as E-borders, will eventually check all passengers traveling to or through Britain against the master list. Information comes from police, intelligence services and other sources and is held by the U.K. Border Agency.
Home Secretary Alan Johnson said this week that the list had led to almost 5,000 arrests since 2005 and prevented 65,000 people entering Britain in 2009.
"In some countries, there are separate watch lists for security, for policing and crime, for people who have lost their passports and for immigration issues, but an integrated watch list serves us well," Johnson told lawmakers in the House of Commons.
Magnus Ranstorp, a terrorism expert at the Swedish National Defense College, said the British system was an effective deterrent.
"What you have in U.K. is data mining of anyone in transit, on every single passenger coming into the U.K." Ranstorp said. "So even if you are in transit, and never meet a border guard, it's a hostile environment if you're flying through the U.K."
'10 percent viable'
The list has its limits, though. Names on it are not automatically shared with other countries, although those on a smaller terrorism-related watch list are.
U.S. authorities have said Abdulmutallab was on a 500,000-strong database of people suspected of terrorist ties, but not on a no-fly watch list. Britain has said it had no indication the Nigerian was planning an attack, and did not flag him to U.S. officials as a particular threat.
On Thursday, President Barack Obama announced about a dozen changes designed to fix the system that let Abdulmutallab slip through, including an overhaul of the nation's terrorist watch lists.
Chouet, the former French intelligence official, estimated that lists he saw when working in intelligence were only about "10 percent viable."
"The identity of people outside the European tradition is vague. People can change their names, and there is the problem of transcription into European alphabets."
He used the example of the name Mohamed, which can have different spellings and different transcriptions into English, French or Polish alphabets.
Difficulties with nations
Even passport numbers are only partially viable since passports can be changed, or people can get passports from other countries.
And some countries are more cooperative than others. European Union nations and close allies like the U.S. routinely share information, but Britain's Johnson noted this week that "it is outside Europe that we have the problem."
The Home Office declined to name any uncooperative nations, but said biometric data such as fingerprints, now included on passports and required from all visa holders, would help tighten up the system.
Experts agree biometrics are key to ensuring names on a watch list can be matched to a real individual.
"It's very difficult to fake, and the governments have begun collecting that information massively," said Ranstorp.
Around the world there are multiple — and often overlapping — watch lists. In addition to national lists, Interpol established a Terrorism Watch List in April 2002 in response to the Sept. 11, 2001, attacks. The list can be viewed by personnel of the international police agency and by authorized police forces in about 180 countries.
It achieves regular success, as in November when authorities in Indonesia were tipped off about Abdul Basir Latip, a suspected al-Qaida-linked militant from the Philippines. Acting on a tip from Interpol, which was sharing information from a U.S. watch list, officials nabbed him Nov. 21 at Soekarno-Hatta international airport with the help of photographs provided by the FBI. He had arrived from Syria using a fake passport.
This kind of effective coordination is more critical to successful security, analysts said, than the watch lists themselves.
Rolf Tophoven, director of the Essen, Germany-based Institute for Terrorism Research and Security Policy, said intelligence failures in the Christmas Day bombing attempt resulted from too much bureaucracy in the U.S. Leaner intelligence services have proven much more effective because there is better communication, and information is less likely to fall through the cracks, he said.
"The different intelligence authorities in the United States are too huge — the apparatus is too large to be effective," he said. "Look at the Israeli intelligence services and their effectiveness countering terrorism and I think you can take one lesson — small but effective."
'An analytical failure'
John Harrison, an aviation security specialist at Singapore's S. Rajaratnam School of International Studies, said Abdulmutallab's behavior should have set off alarm bells, even if his name on a list did not.
Abdulmutallab apparently bought his ticket in cash, was flying the same day, had no check-in luggage and purchased a one-way fare.
Any of those details — and certainly the sum — should have tripped a standard international security procedure, Computer Assisted Passenger Screening or CAPS, Harrison said.
"This case seems more to have been failure, not of lists, but a failure on the human side of intelligence, accurately assessing the threat and tracking the information to see if there were any links," he said. "It was an analytical failure."