US Cheating on European SWIFT Agreement Reveals Safeguards Were Oversold

As I noted last night, the US has been violating the spirit of its agreement with the EU on access to the SWIFT database–the database tracking international financial transfers. Rather than giving Europol specific, written requests for data, it has been giving it generic requests backed by oral requests the Europol staffers are not supposed to record. That arrangement makes it impossible to audit the requests the US is making, as required by the agreement between the US and EU.

But not only does our cheating make us an arrogant data octopus, it may suggest we’re violating our own internal safeguards on the program.

Back when Lichtblau and Risen first exposed the SWIFT program, they described how it initially operated under emergency powers. On such terms, SWIFT turned over its entire database.

Indeed, the cooperative’s executives voiced early concerns about legal and corporate liability, officials said, and the Treasury Department’s Office of Foreign Asset Control began issuing broad subpoenas for the cooperative’s records related to terrorism. One official said the subpoenas were intended to give Swift some legal protection.

Underlying the government’s legal analysis was the International Emergency Economic Powers Act, which Mr. Bush invoked after the 9/11 attacks. The law gives the president what legal experts say is broad authority to “investigate, regulate or prohibit” foreign transactions in responding to “an unusual and extraordinary threat.”


Within weeks of 9/11, Swift began turning over records that allowed American analysts to look for evidence of terrorist financing. Initially, there appear to have been few formal limits on the searches.

“At first, they got everything — the entire Swift database,” one person close to the operation said.

But then they put in more safeguards. One of those safeguards was to have an outside auditing firm review the requests to make sure they were based on actual leads about actual suspected terrorists.

Officials realized the potential for abuse, and narrowed the program’s targets and put in more safeguards. Among them were the auditing firm, an electronic record of every search and a requirement that analysts involved in the operation document the intelligence that justified each data search. Mr. Levey said the program was used only to examine records of individuals or entities, not for broader data searches.


Swift executives have been uneasy at times about their secret role, the government and industry officials said. By 2003, the executives told American officials they were considering pulling out of the arrangement, which began as an emergency response to the Sept. 11 attacks, the officials said. Worried about potential legal liability, the Swift executives agreed to continue providing the data only after top officials, including Alan Greenspan, then chairman of the Federal Reserve, intervened. At that time, new controls were introduced.

Among the safeguards, government officials said, is an outside auditing firm that verifies that the data searches are based on intelligence leads about suspected terrorists. “We are not on a fishing expedition,” Mr. Levey said. “We’re not just turning on a vacuum cleaner and sucking in all the information that we can.”

In addition, SWIFT could veto any search.

Swift representatives would be stationed alongside intelligence officials and could block any searches considered inappropriate, several officials said.

So in 2006, when the NYT broke this story, the program supposedly had the following safeguards:

  • Documentation by analysts of the intelligence that justified the search
  • An electronic record of every search
  • An audit by an outside firm that verifies that intelligence justified the search
  • Veto power by SWIFT over any particular search

Also, at that time, Stuart Levey claimed the program was targeted exclusively at “individuals or entities,” they were not, “just turning on a vacuum cleaner and sucking in all the information that we can.”

But here’s what we learned yesterday, almost five years after the program was exposed: the program is not making specific requests. Rather, according to EU members who have read the report, it involves the transfer of bulk data. And whether or not there are records internally that an outside auditing firm can audit, those records are not being shared with the Europeans who are, by law, empowered to do a similar audit. In fact, the US is deliberately avoiding creating the kind of records that can be audited by relying on oral requests.

  1. PeasantParty says:

    The US Treasury and Fed are being more and more scrutinized. They don’t want the rest of the world to see what they are doing. In fact, the G-20 group was tepid for them considering they allowed the world’s economies to break down on their economic hit to America.

  2. earlofhuntingdon says:

    The Europeans are now on notice that the US and its outsourced corporations have no intention of complying with the terms of its legal commitment to them. (Another example of legal scholar Mr. Obama’s disdain for the law.) By law, the export, storage and processing of personally identifiable information about EU nationals is subject to EU data protection rules. There are special exemptions for police and judicial affairs uses of such information, but those require substantiation that the intended use fits those exceptions.

    Programs that vacuum all available data to populate a data base for subsequent analysis, screening for clues, associations and the like, by definition, would fail to meet those exceptions or the EU rules that apply as to how such data can be stored, processed and retransmitted and for how long. (Among the plethora of ways personal data, like access to health care, is treated differently in the EU, Canada, Japan, Australia is that there are time limits on specific uses of data.) The same would be true of any exchange that failed to identify the information exchanged and document its purpose.

    The EU and its national governments now have an obligation to revise their data sharing agreement with the US – and their own practices in administering any such sharing – or they will be violating the equivalent of constitutional protections guaranteed to their citizens. It’s time to tell the American king that he wears no clothes.

  3. bittersweet says:

    Are there really national borders anymore? It seems as though a handful of U.S. elite control the U. S. Military (which in turns dictates its whims worldwide), all of the banks, and now all computerized data bases and information exchanges. Everyday, more power is hovered up by these people.
    The other governments in the world must be getting frustrated over their own impotence. Just as U. S. citizens are. How long before Europe begins to see the U.S. as the enemy? How long before the world unites against the New Rome?
    I sincerely wonder what the world will look like in fifty years. (I better say 30 years if I hope to live to see it).

  4. Mary says:

    Wasn’t that auditing firm McConnell’s firm? And if it found a problem it couldn’t have told swift officials anyway since it would have been classified. Unless the auditors wanted to end up like manning,being experimented on in the isolation unit of a brig somewhere

  5. Mary says:

    Re the “subpoena” The eu guys knew (and iirc this was an eu privacy ct holding after the program was revealed) that they were violating eu laws if the handed over information without a subpoena. A real subpoena, issued by a judge. That’s the standard. Treasury did something very different by internally issuing “administrative” subpoenas which are a vastly different thing. I don’t believe anyone has ever conducted any review of how treas handled its tropic into foreign politcians and financiers records

  6. earlofhuntingdon says:

    Per der Spiegel, a second data protection control mechanism has failed:

    According to Article 15 of the SWIFT agreement, every EU citizen has the right to know if American authorities had access to personal banking data and if so, which authorities received that information.

    For the past six months, Alexander Alvaro, a member of European Parliament from Germany’s Free Democrats, has been doing a test in an attempt to obtain the information entitled to him from German authorities.

    The result: “The German authorities have not yet been able to find out whether data has been accessed at all. As such, the rights of EU citizens on correction, deletion or blockage of the data are being violated.”

    The EU, like most other industrialized states with the exception of the United States, has an extensive statutory and regulatory regime designed to limit commercial and governmental use of personally identifiable information.

    There are various exceptions for police and judicial authorities and “national security”, but these are more narrowly construed. Member states vary in how well they implement it. Germany and Holland do far better than the UK, for example, but the rules are reasonably uniform. Restrictions include time limits on the use of data, requirements that it be stored and processed in a physically and virtually secure way, that persons are informed of uses of their data and have the option of whether to agree to them, and have the right of access to that data and the right to demand that a “data holder” correct inaccuracies in their data.

    It’s important to note that the data protection regime is not limited to protecting against and punishing outright abuse. It governs routine commercialization – an epidemic here – that occurs without the knowledge of or permission from the individual whose data is being used.

    All of the above is anathema to private corporations in our “market” driven economy, where everything not nailed down – and half of that – is fair game if the owner’s not looking or is simply unable to defend him or herself. The USG has a similar if not more fervent attitude. It often uses private concerns to gather or analyze data when legal restrictions prohibit it from doing it directly.

    The US here is attempting to use its standard method of dealing with personal information – whatever TF it wants, it gets. Here’s hoping the Europeans will stick to their rights and not let them wash down the American kitchen sink.

    BTW, presumably, the US has similar arrangements with Australia, Canada, Japan and other countries that have privacy regimes modeled on the EU’s. I wonder how their citizens’ information is being respected by the US.

    Click through to the der Spiegel article’s account of the extensive runaround a member of the EU parliament was given when he tried to find out whether and, if so, what personal information of his was sent to the US. It makes Dana Milbank’s mortgage refinancing nightmare read like a fairy story.