The New SWIFT Agreement

Last night I went to bed before I looked at the new SWIFT Agreement giving the US access to all of Europe’s finance data to track for terrorists. Here’s that agreement and here’s a Q&A document about what the agreement does. The agreement is instructive both for what it suggests about the negotiations between the US and EU and for what it suggests about the protections the US is willing to grant citizens of other countries that it is not extending to its own citizens.

This is a temporary extension

This is not a permanent agreement. This is a 9-month extension of the SWIFT agreement, starting February 1 of next year, meaning the new EU government will begin negotiations on a proposed new agreement immediately.

in July of this year the 27 Member States of the European Union unanimously gave the EU Presidency a mandate to negotiate an agreement with the United States to ensure the transfer of the data and thereby the continuation of the TFTP. In July, it was not known when or indeed whether the Lisbon Treaty would come into force. Accordingly, the mandate is based on the legal mechanism of the EU Treaty which will cease to exist on 1 December when the Lisbon Treaty enters into force. To ensure that the European Parliament is able to exercise its new powers under the new Treaty in this regard, the envisaged Agreement is for a maximum duration of 9 months. The Commission will come forward with a new proposed mandate in early 2010 for a subsequent agreement based on the Lisbon Treaty. [my emphasis]

Note that “maximum duration” language. I’m guessing the US is going to try to bulldoze an agreement through ASAP, presumably before the new government (or, more importantly, activists) settles in.

The envisaged Agreement has a short duration in order to ensure that the European Parliament’s new powers under the Lisbon Treaty will apply to any possible longer term agreement which might replace the envisaged Agreement.

It’ll be interesting to see whether this agreement gets better, or worse, in the coming months.

The agreement claims the data is not used for data-mining

Here’s what the agreement claims the US does with this data.

The [Terrorist Finance Tracking Program] does not involve data mining or any other type of algorithmic or automated profiling or computer filtering. The U.S. Treasury shall ensure the protection of personal data by means of the following safeguards, which shall be applied without discrimination, in particular on the basis of nationality or country of residence.

(a) Provided data shall be processed exclusively for the prevention, investigation, detection, or prosecution of terrorism or its financing;

(b) All searches of Provided Data shall be based upon pre-existing information or evidence which demonstrates a reason to believe that the subject of the search has a nexus to terrorism or its financing;

(c) Each individual TFTP search of Provided Data shall be narrowly tailored, shall demonstrate a reason to believe that the subject of the search has a nexus to terrorism or its financing, and shall be logged, including such nexus to terrorism or its financing required to initiate the search;

(d) Provided data shall be maintained in a secure physical environment, stored separately from any other data, with high-level systems and physical intrusion controls to prevent unauthorized access to the data;

(e) Access to Provided Data shall be limited to analysts investigating terrorism or its financing and to persons involved in the technical support, management, and oversight of the TFTP;

(f) No copies of Provided Data shall be made, other than for disaster recovery back-up purposes;

(g) Provided Data shall not be subject to any manipulation, alteration, or addition and shall not be interconnected with any other database;

(h) Information obtained through this Agreement shall only be shared with law enforcement, public security, or counter terrorism authorities in the United States, European Union, or third states to be used for the purpose of the investigation, detection, prevention, or prosecution of terrorism or its financing;

(i) During the term of this Agreement, the U.S. Treasury Department shall undertake a review to identify all non-extracted data that are no longer necessary to combat terrorism or its financing. Where such data are identified and shall be completed as soon as possible thereafter but in any event no later than 8 months after identification, absent extraordinary technological circumstances;

(j) If it transpires that financial payment messaging data were transmitted which were not requested, the U.S. Treasury Department shall promptly and permanently delete such data and shall inform the relevant Designated Provider and central authority of the request Member State;

(k) Subject to subparagraph (i), all non-extracted data received prior to 20 July 2007 shall be deleted not later than five years after the date;

(l) Subject to subparagraph (i), all non-extracted data received on or after 20 July 2007 shall be deleted not later than five years from receipt; and

(m) Information extracted from Provided Data, including information shared under subparagraph (h), shall be subject to the retention period applicable to the particular government authority according to its particular regulations and record retention schedules.

EU citizens can make sure their data are being protected

Here’s one of the most interesting provisions granted to those in the EU but not (presumably) to those whose data is accessed solely in the US:

Any person has the right to obtain, following requests made at reasonable intervals, without constraint and without excessive delay or expense, confirmation from his or her data protection authority whether all necessary verifications have taken place within the European Union to ensure that his or her data protection rights have been respected in compliance with this Agreement, and, in particular, whether any processing of his or her personal data has taken place in breach of this agreement.

The agreement (and the Q&A document) also list a bunch of provisions they claim provide EU persons some kind of redress but really don’t (this is from the Q&A document):

The Agreement states that any person whose personal data are mishandled in breach of the Agreement is entitled to seek effective legal redress. Under U.S. law for example, the Administrative Procedure Act allows a person who has suffered harm as a result of governmental action to seek judicial review of the action. Also under U.S. law the Inspector General Act would allow, for example, the Inspector General of the U.S. Treasury Department to investigate complaints concerning abuses or deficiencies relating to the administration of the TFTP and to report their findings to the Treasury Secretary and to Congress.

The Agreement specifically invokes attacks prevented

The Q&A document invokes three incidents where the SWIFT data sharing has helped prevent terrorist attacks.

  • TFTP information provided substantial assistance to European governments during investigations into the Al-Qa’ida-directed plot to attack transatlantic airline flights travelling between the EU and the United States. TFTP information provided new leads, corroborated identities and revealed relationships among individuals responsible for this terrorist plot. In mid-September 2009 three individuals were convicted in the UK, and each was sentenced to at least 30 years in prison;
  • In early 2009 TFTP was used to identify financial activity of a Europe-based Al-Qa’ida individual who played a role in the planning of an alleged attack on aircraft. The information was passed to the governments of European and Middle Eastern countries;
  • In summer 2007 the TFTP was used to identify financial activities of members of the Islamic Jihad Union (IJU) in Germany. This information contributed to the investigation and eventual arrest of IJU members plotting to attack sites in Germany. The TFTP continued to provide additional useful information to German authorities following the arrests. The persons subsequently confessed.

Of course, what they don’t say is that because the US had control of the data, they were able to trigger the Pakistani liquid airplane plot early, causing the Brits all manner of hassle actually prosecuting it.

44 replies
  1. BoxTurtle says:

    Ya know, I’d probably be okay with the above if they’d GET A FUGGIN’ WARRANT!

    It’s not so tough. It can be done in hours, and there’s an exception that allows them to look at the data if they’re in the process of getting the warrant. A warrant wouldn’t delay things at all.

    Unless, of course, you don’t have enough probable cause to satisfy a judge.

    Boxturtle (Officers have been granted probable cause to search a car due to a dirty look)

  2. fatster says:

    Destruction of the Fourth Amendment. It’s been done so cynically, so cheaply, and it is insidious.

    Who does it benefit?

  3. Ishmael says:

    There is significant opposition in Germany to the new deal – Germany, Austria, Hungary and Greece had to abstain in order for even the temporary extension to pass just under the Lisbon Treaty coming into effect. Merkel’s FDP coalition partners are very much against the agreement. Deutsche Welle suggests another reason besides Lisbon for the need for an extension, even temporary:

    “SWIFT is based in Brussels and has a server in the US, but a plan to move data servers to the Netherlands and Switzerland at the end of the year would have cut off US officials’ ability to access such information. The existence of the US server allowed American authorities to use American anti-terror laws to access European transaction data. EU law would have barred such access had the servers been on European soil.”

    The US has irritated the EU in the past by attempting to bypass EU Directives on the Protection of Personal Data by entering into bilateral MOUs with member states – this was done with the Airline PNR agreement. A similar approach could be forthcoming if there is significant dissent on the new SWIFT when it expires.

    • Mary says:

      This is something we’ve talked about here before some on SWIFT – how the US actions resulted in a decision to wholesale move the operations out of the US, in large part bc while it was violating laws of both Belgium and the EU, the US based persons involved with the SWIFT mirror server here in the US were being threatened under US law if they didn’t violate their own laws. That’s a bit of a tough position. It’s also something that I keep asking about and wondering about with the telecoms and their programs. Congress wants to say to telecoms operating in other countries as well as the US – ignore the laws of the countries where you are operating with respect to the communications of their citizens.

      Congress is wanting to say (basically has said) that – unlike any of the caveats in the compromise above re: terrorism – US telecoms must turn over to the Executive branch, including hundreds and thousands of minions (who all may or may not engage in things like swindling Target in their spare time)- all info and access it wants regarding any “foreign to foreign” communications, without regard to criminal wrongdoing, foreign power agency or terrorism. I find it really interesting that foreign countries where the telecoms operate haven’t had anything to say about the US assertion that telecoms operating in their countries have to provide all their citizens and govt officials info to “some guy” in the US, on whim and with no subpoenas or oversight or penalties for misuse. OTOH, I’m still kind of surprised that Pepsico does such a good business in Canada after hiring as Gen Counsel a man who thinks it’s ok to kidnap Canadians and ship them to torture in the Middle East without any consequence, not even an apology.

      Maybe the world isn’t that much different than the US citizens. We get the govt that we allow, they get the US that they allow.

      • Ishmael says:

        “Maybe the world isn’t that much different than the US citizens. We get the govt that we allow, they get the US that they allow.”

        The European Parliament wanted transfers to be subject to “judicial authorization”, including in the US, and no further transfers to third parties besides the US. It also wanted requests limited to terrorist financing only, and of organizations recognized as terrorist by both the US and the EU. The EU didn’t even ask for reciprocity from the US on banking data to combat terrorism – something they never would have permitted in a million years if this was about cheese exports. Nor is there any recourse for European citizens in US courts, maybe not even in the ECJ. And you are right, while Canada ultimately gave Maher Arar compensation, we have no moral highground to lecture to the Europeans about holding the US to higher standards, far from it.

  4. Mary says:

    Argh -I’m out the door and probably won’t get a chance to read through your links until tomorrow, but thanks for this post. Notice how the examples provided are all from after the NYT outed the program in 2006? Um, where’s all the “oh, noes, now that they knows, the terrorists winz!”

    Oh, and when we were illegally running the program before the NYT piece, um, wasn’t a major player not, “law enforcement” but ex-DNI McConnell’s old firm? Booz Allen? Contractors again.

    There were some older EU docs too, that indicated that the EU entities were told that program wasn’t data mining and were sold on the APA as being some kind of recourse. You have to look at what Britain is dealing with on the Binyam Mohamed info to figure out how forthcoming the US is going to be about misuses of info that result in depravity and criminal acts within its own Executive branch.

    Anyway – what they carefully don’t say is the evidence used to get to the SWIFT info was, itself, a product of data mining. That isn’t prohibited in any way. It was a flat out joke to read before the information being given oh so earnestly by DOJ and Treasury dept paid liars to the EU crew on all the integrity in the programs and the power of the APA etc.

    OTOH, paid liars do just as well under the democrats as they do under the republicans, so I guess that means – what, help me out here Ms Howell – that if you lie for the Republicans and the Democrats both, you must be doing something right?

  5. Arbusto says:

    Prior to 9/11, the CIA was dying for work and entertained the idea of business espionage. Well now the CIA is as happy as a pig in shit with all its black sites and ops and the NSA gets the business espionage business. I’m sure that Goldman Sachs is more than happy to pay for NSA intel. They do have to pay don’t they?

  6. earlofhuntingdon says:

    A “temporary extension”? You mean like temporarily going to war or using the supplemental appropriations process to fund it? Or like Bush’s temporary tax cuts, which politicians will be loath to let expire, lest Grover Norquist descend upon them like a biblical plague?

    The tension and conflicting interests between EU- and state level politicians and their US counterparts are different than those that apply among Congresscritters, so there’s hope that the EU will protect its own better than the US protects anyone outside the Village.

    • emptywheel says:

      Well, more like the PAA or the extension on the PAA during the FISA debate. That statute was improved for forcing a renegotiation once the activists were ready–and once there was good leverage to demand more information.

  7. earlofhuntingdon says:

    The [Terrorist Finance Tracking Program] does not involve data mining or any other type of algorithmic or automated profiling or computer filtering.

    Let’s get that statement under oath before a Congressional committee. Admiral Poindexter “retired” after Congress “shut down” funding for the DoD’s Total Information Awareness, too, yet here we are.

  8. Rayne says:

    Wasn’t one of the early aims of BCCI to cull information about terrorists and organized crime through a central banking organization?

    Is this the modern equivalent of BCCI in this respect?

    And if so, what else is going on which might be parallel to BCCI’s activities?

    • emptywheel says:

      That’s a weird spin on that being the primary purpose of BCCI. More accurately, it was a bank that, by its very nature, served as the ideal laundering vehicle for everyone, intelligence, organized crime, or terrorists (if there’s a distinguishable difference, I mean). Right now, though, Citi serves that purpose very well, so no need to have a special entity for it.

  9. earlofhuntingdon says:

    Given how the US government, generally, and the “intelligence community”, specifically, outsources its critical functions to the private sector, that’s a large group of people.

    That the USG does that is not news to the EU. The US is the contracting party, but it will predictably engage a series of non-governmental, commercial actors in carrying out its activities under this agreement. Consequently, there should be a provision requiring the US to impose the same or more stringent conditions on any third party to which the US gives access to the data it receives in connection with this agreement.

    There would ordinarily be an audit provision, too, as well as a dispute resolution provision. The EU should have the unilateral right promptly and without notice to cease cooperation at such time, if any, that it reasonably believes material provisions of this agreement are not being adequately complied with. How they would make that determination may be problematic, given their probably limited reach into what the US actually does with this information, but they ought to have such rights.

    The problem with “temporary agreements” of this kind is that they set the framework for permanent ones. It is very hard after nine months of “cooperation” to insert more stringent terms, especially where the original cooperation carries the element of coercion that the US inserts into such discussions.

    • emptywheel says:

      There would ordinarily be an audit provision, too, as well as a dispute resolution provision. The EU should have the unilateral right promptly and without notice to cease cooperation at such time, if any, that it reasonably believes material provisions of this agreement are not being adequately complied with. How they would make that determination may be problematic, given their probably limited reach into what the US actually does with this information, but they ought to have such rights.

      I left those details out, but they are in the agreement.

      Either party can back out of the agreement with one month’s notice.

      And after 6 months, there is a review; the US has to give the EU whatever they want about the operation of the program.

      • earlofhuntingdon says:

        Thanks, I see that now.

        I was incorrect in that the Agreement does provide for mutual exchanges of financial data, though it seems to anticipate more requests from the US than from the EU.

        The audit or review of the Agreement, in Art. 10, is to be done after six months, under a yet to be agreed process. It is to include persons representing the EU Council, Commission and data protection agencies of the member states. On the US side, it’s the US Treasury, which seems inevitably to include Goldman Sachs.

        Under Art. 11, redress for EU citizens is through their national data protection or information commissioner and also through national, EU or US courts. For all but the well-heeled, that means recourse through their national commissioner, as court action would be prohibitively expensive.

        On the credibility of the US claim that more thorough protections for US citizens would be too complex, I thought it would put your point in context to compare that claim with one data point – the number of languages in which this one agreement was drawn up:

        English, Bulgarian, Czech, Danish, Dutch, Estonian, Finnish, French, German, Greek, Hungarian, Italian, Latvian, Lithuanian, Maltese, Polish, Portuguese, Romanian, Slovak, Slovenian, Spanish and Swedish languages.

        As you know, that process includes not just translating the text, but rendering it in terms intelligible in those disparate common law, civil law and former Soviet legal traditions. Too complex my quill pen.

        • earlofhuntingdon says:

          I should rephrase that. What the US would exchange under this agreement is its analysis of threats assessed using EU and, presumably, other data, that affect EU member states. I don’t see this agreement as providing EU authorities access to similar financial data on US persons. The EU may have access to raw SWIFT data, including information on non-EU persons, under separate arrangement.

          • emptywheel says:

            SWIFT covers all global transactions, so it covers people from all over the world. In fact, I wonder whether that wasn’t a factor when this started–US was hoovering up data from Saudi Arabia, so it wasn’t like the data was from Europeans. Of course, now that’s clearly not true.

            So it’s all about what the CIA wants, not what their intelligence agencies want. BC if it’s their own intelligence agencies, they have to follow European law.

  10. earlofhuntingdon says:

    The references to allowing data subjects to verify and correct their data parrot language common to the national EU data protection regimes in each member state. As you say, whether that process will work in this context will be an interesting issue.

    I also note that data requests are to be routed through an EU judicial person, that is, a judge equivalent to a UK High Court judge or higher, and not directly to the data holder, such as a bank or SWIFT.

    • earlofhuntingdon says:

      I should add that permitted exceptions to the rules protecting personal data under the EU regime – such as the right of access to verify or correct wrong or improperly processed data, or data held too long or used for purposes to which the data subject has not consented – include “public security” and “not prejudicing a criminal investigation” and that measures taken to protect those rights are to be proportionate to the interest involved.

      That’s a wide gap, especially since the US has no similar protections – ever tried to correct information held by your credit rating agency or get your name, John Smith, off the No Fly list? – or culture of accountability, and has a record of disdain for such consumer rights.

      To add insult to injury, this agreement appears to require aggrieved EU persons to pursue their rights in the US, under US law, rather than via their national Data Protection or Information Commissioner. If so, and as EW says, that amounts to a grievance without a practical way to redress it. It would be a serious failing on the part of the EU to protect its citizens.

      • emptywheel says:

        One of the reasons I’m interested in this language is it seems civil liberties groups here ought to be able to demand the same kind of review process as the Yupeens get. The IC has been able to avoid this kind of review (and, more importantly, data segregation) in the US, saying it’s too difficult technologically. But if they’re doing it for Europeans, why not for us?

        • earlofhuntingdon says:

          Absolutely! I agree with you that US persons should have similar rights and protections under FISA and similar laws.

          We ought also to have statutory rights similar to those in the EU data protection regime, an approach adopted more or less – like health care regimes – in the rest of the developed world. Instead, the US government disdains and strenuously avoids it, again, like health care, so as to enrich corporate profits at the individual’s expense.

          Our laissez-faire rules grossly err on the side of allowing open commercial use. They impose few or no obligations, such as allowing a person ready access to personally identifiable information held by others, the right to verify or correct that data, the right that it be used for disclosed purposes and no other, and that it be held only for a reasonable period of time.

          Gandhi’s quote about Western civilization applies to the US’s free-for-all approach (meaning, free for businesses, not individuals) to protecting personal data: “Western civilization? I think it would be a good idea.”

  11. earlofhuntingdon says:

    Compliance with past exchanges (that is, transmission to the US from the EU of personally identifiable banking information) was via a review by “an eminent European person”. In the event, it was a French counter-terrorism judge, Jean Louis Bruguiere. (Q&A, Part 5.) He concluded the US had complied with its obligations. Haven’t read, yet, the audit process proposed for this agreement.

  12. earlofhuntingdon says:

    As a provisional agreement, EU member states will have to implement this new agreement using their existing laws, rules for judicial review, exchange of information among cooperating governments, etc.

    This is not a paragraph to read while enjoying a cuppa, from the preamble, formally stating the parties’ shared purposes for the agreement:

    Stressing the common values governing privacy and the protection of personal data in the European Union and the United States of America (“United States”), including the importance which both Parties assign to due process and the right to seek effective remedies for improper government action;

    Under Bush and still under Obama, I think the DoJ has a whole division designed to circumvent those rights. The language is Kissingerian. It is useful in appearance, but as there is little commonality in those values, it is not a shared “obligation” with much meaning.

  13. earlofhuntingdon says:

    Presumably, SWIFT’s major new operating center is in non-EU Switzerland for more than the raclette, the spaetzle and the chocolate.

  14. fuckno says:

    All being done in preparation for the inevitable Rabble uprising against the government of an ever more failing and ultimately failed state.

    The global South is throwing off the shackles of a Manifest Destiny drunk, Monroe Doctrine wielding, Washington Consensus armed, USA.

    We’re done, – just don’t know it yet.

  15. montag2 says:

    I’ll bet the word “reciprocity” appears nowhere in the agreement. Wouldn’t it be fun for the EU to demand that all US transactions be available to EU countries? You could hear the screams emanating from Washington, DC, on Mars… especially since some members of the EU have been tres suspicious of the Echelon program spying on European commercial firms.

    Sorry, Europe. Empire is a one-way business.

  16. Mary says:

    sideways to topic – and I’m probably the only one who didn’t already know about this, but I was looking at Wired and found this:
    From Dec 4, talking about a fight between Yahoo and Cryptome, bc Cryptome has put up a copy of Yahoo’s – and others – spying and email preservation criteria and price list for some of the spy services rendered to law enforcement (wonder how that income shows up on the books)

    Here’s the cryptome site
    with Sprint, Verizon, ATT etc. in addition to Yahoo.
    And of course, they’ve got “Cricket Communications” too.

    Call data information is delivered from their facility located in Albuquerque, NM. It is the responsibility of the law enforcement agency to make this connection. As with other carriers, the law enforcement agency must provide a router and modem to be installed in their facility to complete the CDC or establish a VPN. Call content is delivered via a dial-out “Conference Bridge,” dialing to a directory number provided by the law enforcement agency at their listening post.
    Costs: $2200.00 per Order.

      • Mary says:

        That would be the interesting *price list* wouldn’t it? What do we charge for illegal surveillance – oh, well, that’s gonna be a little bit more Mikey . . .

        • fatster says:

          $2500 per pop, er, person of interest? Is that correct? Or is that $2500 per router and modem? And what is the origin of the funds for this activity? DHS?

          EW and Mary, you continue to amaze.

          And an O/T for you, Mary. “Dozens” or “scores” of GITMO prisoners may be headed to IL. Link.

        • fatster says:

          At least Cricket required a court order. (Finally got the time to look at the documents you linked.) Nonetheless, this is certainly disturbing. Whew!

    • earlofhuntingdon says:

      “It isn’t personal, Mikey; it’s strictly business.”

      First banks made billions by forcing customers into paying default rates of interest and penalties as “standard” fees. Now telecoms balance their books by charging the government when they spy on us. No wonder Obama doesn’t want to stop or curtail it. Too much money in play – imagine the number of requests times the cost for each – regardless of the deficit or legality.

  17. klynn says:

    OT but interesting

    Our friends up North might want to comment on this.

    A discussion regarding torture going on in Canada, complete with evidence and denials.

    • skdadl says:

      Yes, klynn, that is our torture scandal with legs (we have other complicity scandals that are worse imho, but so far it has been hard to get people worked up about them).

      What broke this case open was one brave and principled diplomat, Richard Colvin, who defied the government and testified to a Commons committee honestly about what he knew and had told the brass and the government about detainee transfers to almost certain abuse in Afghanistan. The government is in trouble because they lied about what was happening in the first place; then they tried to smear Colvin; and now further evidence supporting Colvin is tumbling out.

      MacKay (now defence minister but formerly foreign minister) has been obviously lying for a while; interesting to see from Koring’s article today that General Natynczyk, now chief of defence staff, has also been caught in a lie. And then there’s good ole boy General Hillier, former CDS — ah, I could go on all day.

      About half the press (the good ones) are really on top of this story — Koring has been great — and the Commons committee isn’t going to quit.

        • skdadl says:

          I can has bad case of writer’s block? If I were doing my duty at our place, I would think about a diary, although my blogboss already has this particular story well in hand. That doesn’t let me off the hook, though …

          One other aspect of the story that has to blow up sooner or later — all the leaking. Oddly enough, we haven’t heard much official huffing and puffing about leaks to journalists yet, but it has become almost comical to watch. There are government apologists getting some leaks and then different good journalists (at the Star, the Globe, the Citizen, etc) all getting their own particular leaks — too funny, imagining some kind of quiet leak competition going on in the civil service.
