By Tim Cushing | Techdirt | September 16, 2013
In addition to everything else it’s collecting, the NSA also has millions of international credit card transactions stashed away in its databases, according to documents viewed by Spiegel.
The information from the American foreign intelligence agency, acquired by former NSA contractor and whistleblower Edward Snowden, show that the spying is conducted by a branch called “Follow the Money” (FTM). The collected information then flows into the NSA’s own financial databank, called “Tracfin,” which in 2011 contained 180 million records. Some 84 percent of the data is from credit card transactions.
On one hand, what the NSA is doing is exactly what the NSA should be doing: tracing the money flow of terrorist organizations.
Their aim was to gain access to transactions by VISA customers in Europe, the Middle East and Africa, according to one presentation. The goal was to “collect, parse and ingest transactional data for priority credit card associations, focusing on priority geographic regions.”
This is part of the Terrorist Finance Tracking Program, which was set up shortly after the 9/11 attacks and gave the US government access to the SWIFT (Society for Worldwide Interbank Financial Telecommunication) database. This, in and of itself, is not news, having been exposed in 2006. Documents uncovered then showed the program had been in place since 2002, with permission extended to the CIA and the Treasury Dept. as part of Bush’s “Global War on Terror.”
What is new, however, is the fact that the NSA is targeting transactions from major credit card companies, like VISA. This has quite a bit more potential for misuse than SWIFT, which records only banking transactions. VISA responded to this new information with the same quasi-denial we’ve seen from several other companies whose links to the NSA have been exposed.
“We are not aware of any unauthorized access to our network. Visa takes data security seriously and, in response to any attempted intrusion, we would pursue all available remedies to the fullest extent of the law. Further, its Visa’s policy to only provide transaction information in response to a subpoena or other valid legal process.”
Of course, this isn’t “unauthorized” access, not when gathered with a court order or subpoena. But this isn’t as tightly controlled as the spokesperson makes it appear. If pursuing data for “counterterrorism” purposes, the NSA is allowed to skirt the protections of the Right to Financial Privacy Act, thanks to an amendment in the PATRIOT Act. But even with these legal options, it appears the NSA would still rather pursue this in an extralegal fashion in order to circumvent the warrant process.
NSA analysts at an internal conference that year described in detail how they had apparently successfully searched through the US company’s complex transaction network for tapping possibilities.
Whatever’s happening now appears to be the NSA grabbing more data simply because it can. It’s not as if it didn’t already have access copious amounts of financial data, thanks to the government’s fully legal (and fully public) collection of bulk financial records through SWIFT.
Remember: in addition to stealing the data, Treasury also gets it via a now-public agreement. The former CEO of SWIFT Leonard Schrank and former Homeland Security Czar, Juan Zarate actually boasted in July, in response to the earliest Edward Snowden revelations, about how laudable Treasury’s consensual access to the data was.
“The use of the data was legal, limited, targeted, overseen and audited. The program set a gold standard for how to protect the confidential data provided to the government. Treasury legally gained access to large amounts of Swift’s financial-messaging data (which is the banking equivalent of telephone metadata) and eventually explained it to the public at home and abroad.
It could remain a model for how to limit the government’s use of mass amounts of data in a world where access to information is necessary to ensure our security while also protecting privacy and civil liberties.”
Never mind that by the time they wrote this, an EU audit had showed the protections were illusory, in part because the details of actual queries were oral (and therefore the queries weren’t auditable), in part because Treasury was getting bulk data. But there was a legitimate way to get data pertaining to the claimed primary threat at hand, terrorism. And now we know NSA also stole data.
Even when the government has an advantageous agreement to collect bulk data with little oversight, its agencies can’t help but exploit this even further. The collection via “oral queries” is another indicator of these agencies’ (FBI, NSA, CIA) unwillingness to follow even the most minimal of rules. (See also the administration’s 2010 ruling that made the FBI’s warrantless wiretapping legal, which occurred after the agency’s process had slid from issuing tons of National Security Letters to simply calling up the telcos and requesting records.)
The untargeted collection of financial data has raised concerns from those on the “collection” side.
[E]ven intelligence agency employees are somewhat concerned about spying on the world finance system, according to one document from the UK’s intelligence agency GCHQ concerning the legal perspectives on “financial data” and the agency’s own cooperations with the NSA in this area. The collection, storage and sharing of politically sensitive data is a deep invasion of privacy, and involved “bulk data” full of “rich personal information,” much of which “is not about our targets,” the document says.
When even the spies are concerned about about how much data their spy programs are netting, that’s a pretty good sign a bulk records collections effort has gone too far. And it has deeper implications than simply a massive amount of privacy violations. As Marcy Wheeler points out, even the then-Fed chairman Alan Greenspan expressed his concerns about the breadth of the SWIFT collections.
If the world’s financiers were to find out how their sensitive internal data was being used, he acknowledged, it could hurt the stability of the global banking systems.
That’s a scary thought, considering the “global banking system” isn’t all that stable to begin with. A lack of targeting will leave the NSA open to more accusations of economic espionage, something clearly not related to its supposed “national security” agenda.