SWIFT and the Asymmetric Control of Data

I’ve been thinking a lot about SWIFT lately. Partly that’s because of the renewed discussion on how some big banks relied on cash from drug cartels to survive as the housing bubble began to pop. Partly that’s because of advance publicity for Nicholas Shaxson’s Treasure Islands and coverage of corporate tax dodging. And partly it’s because of this piece, declaring privacy dead without realizing that privacy is only dead for the little people.

You see, I’m increasingly convinced SWIFT will one day be the ultimate battleground over whether the US government can just suck up and analyze all the data it wants.

As a reminder, SWIFT (or Society for Worldwide Interbank Financial Telecommunicatiom) is the online messaging system the world’s finance industry uses to transfer funds internationally. It records the flows of trillions of dollars each day.

It first got big news coverage when Eric Lichtblau and James Risen reported on how our government uses it to track terrorist financing. But of course, the database tracks all sorts of financial flows, not just terrorist financing. Thus, it could be used to track drug finance, tax cheats (both corporate and individual), and the looting of various nations’ riches by their elites.

Swift, a former government official said, was “the mother lode, the Rosetta stone” for financial data.

Indeed, according to Lichtblau’s Bush’s Law, the database appears to track even more information than tax havens would ever collect.

[T]he routing instructions that the company used to move money around the globe often included much more detailed data than any other system: passport information, phone numbers and local addresses, critical identifying information about the senders and the recipients, the purpose of the transaction, and more. (243)

In a world where–as described in Shaxson’s book–our financial system largely runs on the strategic shifting of money behind the cloak of corporate anonymity or secret back accounts, SWIFT appears to be the one place where there is full transparency.

The US and UK in particular, according to Shaxson, have used the secrecy that corporate laws and associated tax havens can offer to sustain their hegemonic position in the world. As we saw, giving a bunch of drug cartels means to launder their money allowed Wachovia to survive for years after the time when it should have collapsed; the US and UK are just larger versions of the same gimmick.

Which is why, I’ve become convinced, the response to NYT’s reporting on SWIFT was (and remains) so much more intense than even their exposure of the illegal wiretap program. The shell game of international finance only works so long as we sustain the myth that money moves in secret; but of course there has to be one place, like SWIFT, where those secrets are revealed. And so, in revealing that the US was using SWIFT to track terror financing, the NYT was also making it clear that there is such a window of transparency on a purportedly secret system.

And the CIA has, alone among the world’s intelligence services, access to it.

Read more

US Cheating on European SWIFT Agreement Reveals Safeguards Were Oversold

As I noted last night, the US has been violating the spirit of its agreement with the EU on access to the SWIFT database–the database tracking international financial transfers. Rather than giving Europol specific, written requests for data, it has been giving it generic requests backed by oral requests the Europol staffers are not supposed to record. That arrangement makes it impossible to audit the requests the US is making, as required by the agreement between the US and EU.

But not only does our cheating make us an arrogant data octopus, it may suggest we’re violating our own internal safeguards on the program.

Back when Lichtblau and Risen first exposed the SWIFT program, they described how it initially operated under emergency powers. On such terms, SWIFT turned over its entire database.

Indeed, the cooperative’s executives voiced early concerns about legal and corporate liability, officials said, and the Treasury Department’s Office of Foreign Asset Control began issuing broad subpoenas for the cooperative’s records related to terrorism. One official said the subpoenas were intended to give Swift some legal protection.

Underlying the government’s legal analysis was the International Emergency Economic Powers Act, which Mr. Bush invoked after the 9/11 attacks. The law gives the president what legal experts say is broad authority to “investigate, regulate or prohibit” foreign transactions in responding to “an unusual and extraordinary threat.”


Within weeks of 9/11, Swift began turning over records that allowed American analysts to look for evidence of terrorist financing. Initially, there appear to have been few formal limits on the searches.

“At first, they got everything — the entire Swift database,” one person close to the operation said.

But then they put in more safeguards. One of those safeguards was to have an outside auditing firm review the requests to make sure they were based on actual leads about actual suspected terrorists.

Officials realized the potential for abuse, and narrowed the program’s targets and put in more safeguards. Among them were the auditing firm, an electronic record of every search and a requirement that analysts involved in the operation document the intelligence that justified each data search. Mr. Levey said the program was used only to examine records of individuals or entities, not for broader data searches.


Swift executives have been uneasy at times about their secret role, the government and industry officials said. By 2003, the executives told American officials they were considering pulling out of the arrangement, which began as an emergency response to the Sept. 11 attacks, the officials said. Worried about potential legal liability, the Swift executives agreed to continue providing the data only after top officials, including Alan Greenspan, then chairman of the Federal Reserve, intervened. At that time, new controls were introduced.

Among the safeguards, government officials said, is an outside auditing firm that verifies that the data searches are based on intelligence leads about suspected terrorists. “We are not on a fishing expedition,” Mr. Levey said. “We’re not just turning on a vacuum cleaner and sucking in all the information that we can.”

Read more

US Cheats on SWIFT Agreement with Oral Requests

I have tracked the American negotiations with the post-Lisbon EU to get continued access to the SWIFT database, the database that tracks international money payments.

Basically, after the Lisbon Treaty went into effect last year, the EU Parliament balked at giving Americans free run of the SWIFT database. The EU and US put an interim agreement in place. Which the EU Parliament then overturned in February. The US then granted EU citizens privacy protections Americans don’t have.

As part of the Terrorist Finance Tracking Program agreement negotiated between the US and EU, the Europol Joint Supervisory Body was tasked with auditing whether the US was complying with the data protection requirements of the agreement.

Back in November, JSB did their first audit; they just released their report.

The report revealed that the Americans have been submitting largely identical requests–but then supplementing them with oral requests.

The oral requests, of course, make it impossible to audit the requests.

At the time of the inspection, Europol had received our requests for SWIFT data. Those four requests are almost identical in nature and request–in abstract terms–broad types of data, also involving EU Member States’ data. Due to their abstract nature, proper verification of whether the requests are in line with the conditions of the Article 4(2) of the TFTP Agreement–on the basis of the available documentation–is impossible. The JSB considers it likely that the information in the requests could be more specific.

Information provided orally–to certain Europol staff by the US Treasury Department, with the stipulation that no written notes are made–has had an impact upon each of Europol’s decisions; however, the JSB does not know the content of that information. Therefore, where the requests lack the necessary written information to allow proper verification of compliance with Article 4(2) of the TFTP Agreement, it is impossible to check whether this deficiency is rectified by the orally provided information.

And boy are the Europeans P-I-S-S-E-D mad at the Americans for betraying the spirit of the agreement.

“As Members of Parliament we feel betrayed reading this report”, said Alexander Alvaro (ALDE, DE), Parliament’s rapporteur on the TFTP agreement. “We voted in favour [of this agreement last year] in the trust that both parties would apply the adopted agreement”, which “concerns the transfer of sensitive data belonging to our citizens”, he stressed, adding that “the credibility of Parliament and of this committee are being jeopardised. This is about trust and confidence of the public in what the EU did and is capable of doing here”.

“We have given our trust to the other EU institutions, but our trust has been betrayed”, said Sophia in’t Veld (ALDE, NL), rapporteur on the EU-US Passenger Name Record (PNR) agreements. “This should be kept in mind when they want our approval for other agreements”, she declared.

“Somehow I am not surprised”, said Simon Busuttil (EPP, MT), recalling that “at the time of the negotiations last year we were not satisfied with having Europol controlling it – we wanted additional safeguards”. He added that “the agreement is not satisfactory”, since it involves the transfer of bulk data, and insisted that “we need an EU TFTP”.

Read more

What State Wanted Withheld from WikiLeaks Publication

There are now four versions of the cooperation between WikiLeaks and its journalistic “partners:” Vanity Fair, NYT, Guardian, and Spiegel. A comparison of them is more instructive than reading any in isolation.

For example, compare how the NYT and Spiegel describe the three things the State Department asked journalistic partners not to publish during the lead-up to publication of the diplomatic cables. The NYT says State asked them not to publish individual sources, “sensitive American programs,” and candid comments about foreign leaders.

The administration’s concerns generally fell into three categories. First was the importance of protecting individuals who had spoken candidly to American diplomats in oppressive countries. We almost always agreed on those and were grateful to the government for pointing out some we overlooked.

“We were all aware of dire stakes for some of the people named in the cables if we failed to obscure their identities,” Shane wrote to me later, recalling the nature of the meetings. Like many of us, Shane has worked in countries where dissent can mean prison or worse. “That sometimes meant not just removing the name but also references to institutions that might give a clue to an identity and sometimes even the dates of conversations, which might be compared with surveillance tapes of an American Embassy to reveal who was visiting the diplomats that day.”

The second category included sensitive American programs, usually related to intelligence. We agreed to withhold some of this information, like a cable describing an intelligence-sharing program that took years to arrange and might be lost if exposed. In other cases, we went away convinced that publication would cause some embarrassment but no real harm.

The third category consisted of cables that disclosed candid comments by and about foreign officials, including heads of state. The State Department feared publication would strain relations with those countries. We were mostly unconvinced.

Spiegel describes those three things slightly differently. It says State asked them to withhold government sources, cables with security implications, and “cables relating to counterterrorism.”

At first, less than a week before the upcoming publication of the leaked documents, Clinton’s diplomats wanted three things from the participating media organizations. First, they wanted the names of US government sources to be protected if leaks posed a danger to life and limb. This was a policy that all five media organizations involved already pursued. Second, they asked the journalists to exercise restraint when it came to cables with security implications. Third, they asked them to be aware that cables relating to counterterrorism are extremely sensitive.

Now the discrepancy may mean nothing. Both agree State had three categories of information they wanted withheld. Both agree State asked the newspapers to withhold both the names of sources and details on intelligence programs. But since the NYT notes the journalistic partners didn’t take the third category–candid comments–very seriously, perhaps Spiegel just misremembered what that third category was, or just remembered a particular focus on counterterrorism. Presumably, after all, the counterterrorism programs would be included in category two.

But whatever the cause of the discrepancy, I am intrigued that Spiegel emphasizes counterterrorism programs rather than candid comments about foreign officials, not least because the Spiegel article describes working with US Ambassador to Germany Philip Murphy directly. Consider the two most sensitive revelations pertaining to Germany and counterterrorism. First, there was the news of Philip Murphy personally bad-mouthing the Free Democratic Party’s opposition to US vacuuming up European data, particularly as it relates to the SWIFT database. Then there are negotiations about whether Germany would prosecute Americans involved in the rendition of Khalid El-Masri. As I showed, it appears that Condi was telling German Foreign Minister Frank-Walter Steinmeier one thing about a subpoena for those Americans, followed quickly by the American Deputy Chief of Mission “correcting” the US position on it.

That is, on both major disclosures about US counterterrorism cooperation with the Germans, the US has reason to be embarrassed about its two-faced dealing with German officials.

In other words, there may be no discrepancy. It is possible that the third category of information State wanted suppressed has to do not with the substance of our counterterrorism program (after all, both the details of SWIFT and of our rendition program have been widely publicized), but with the degree to which our private diplomacy belies all the public claims we make about counterterrorism.

Vampire Squid Pissy about Response to Data Octopus Demands

We’ve discussed US negotiations with Europe over the SWIFT database at length here. Basically, after the Lisbon Treaty went into effect last year, the EU Parliament balked at giving Americans free run of the SWIFT database. The EU and US put an interim agreement in place. Which the EU Parliament then overturned in February. The US then granted EU citizens privacy protections Americans don’t have. But then the US started negotiating unilateral agreements with countries, using the Visa Waiver as blackmail to force individual countries into submission (and, some in Europe suggested, drumming up a terrorist threat to add to the pressure).

Alexander Alvaro, the home affairs spokesman of the Germany’s Free Democratic Party (FDP) in the European Parliament, likened the US demands for data sharing to a “data octopus.”

One of the cables from yesterday’s WikiLeaks dump offers a window into the US perspective on the negotiation, in a cable from the US Embassy to Germany to the Secretary of State’s Office. The cable speaks disparagingly of the FDP.

Germany has become a difficult partner with regards to security-related information sharing initiatives following the September 27 national elections, which brought the FDP into the governing coalition. The FDP sees themselves as defenders of citizens’ privacy rights and these views have led the FDP to oppose many of Germany’s post-9/11 counterterrorism legislative proposals (see reftels). At times, the FDP’s fixation on data privacy and protection issues looks to have come at the expense of the party forming responsible views on counterterrorism policy.


The FDP returned to power after a ten-year foray in the opposition and key leaders lack experience in the practical matters of tackling real-world security issues in the Internet age. In our meetings we have made the point that countering terrorism in a globalized world, where terrorists and their supporters use open borders and information technology to quickly move people and financing, requires robust international data sharing. We need to also demonstrate that the U.S. has strong data privacy measures in place so that robust data sharing comes with robust data protections.

So Ambassador Philip Murphy’s office bad mouths a party that had been in opposition for ten years to his colleague–including Hillary Clinton–who had been in opposition for eight, suggesting the Germans were too naive to understand what was good for them.

But there’s one more detail that makes this disdain of those who dislike the data octopus cute.

Before Ambassador Philip Murphy was the DNC’s Finance Chair for its last two years of apparently ignorant opposition, he spent 23 years at the Vampie Squid, Goldman Sachs.

So this amounts to one of the geniuses who crashed the global economy–not least with some pretty tricky international financial flows–badmouthing the Germans for not understanding the crime that can happen using those flows.

The American Data Octopus

Data octopus. That’s how one European Parliament official described the US’ continued grab for unfettered access to more and more European data. (h/t WM)

“The Americans want to blackmail us,” said an agitated Alexander Alvaro, home affairs spokesman of the Germany’s Free Democratic Party (FDP) in the European Parliament. The Americans have become “like a data octopus,” he said, as if their tentacles were reaching out to all the world’s data.

Alvaro’s reference to “blackmail” refers to the US’ link of the Visa Waiver program–which allows citizens from a particular country to enter the US without a visa–with access to criminal investigation databases.

“Participation in the United States’ ‘Visa Waiver’ program,” Austrian Chancellor Werner Faymann wrote in a letter to the Viennese parliament, has been “linked to additional requirements for the exchange of information,” including “an agreement to exchange data relating to the detection of terrorists.” In other words, no data, no visa waiver.

The US is negotiating such deals, one by one, with individual countries. It seems to be an effort to undercut demands for more stringent protection of European data from the EUP, which previously demanded concessions from the US on the SWIFT program (though one of those concessions–for an approved EU bank data overseer who would monitor US access of SWIFT data–seems to be held up at the nominating stage).

I’m rather curious by this use of leverage. After all, to a point, the visa waiver program is a matter of convenience to international travelers, particularly business travelers. But after a point, it would just be a disincentive to do business with the US. We’ve already lost large numbers of the best researchers, as visa restrictions simply convinced them to study elsewhere. Is the US risking the same with business travelers?

Perhaps the most interesting revelation in this Spiegel article on the current tensions is that European investigators have repeatedly forced private companies to turn over their complete databases.

This attitude, [Sophie in ‘t Veld] said, is now beginning to rub off on European investigators. Time and again executives come to in ‘t Veld in her role as chair of the European Parliament’s Civil Liberties, Justice and Home Affairs committee to tell her confidentially that they have been illegally forced to hand over “their complete customer data.”

This would seem to follow the pattern used under Dick Cheney’s illegal wiretap program. But given the higher data protection laws in Europe, would seem to be even more incendiary.

At least one EU expert voiced the same thought I had as I traveled through Europe during what was purportedly a time of heightened security–the security warnings of a terrorist threat to Europe sure seem like they are being treated as scaremongering.

Last weekend, the US issued a travel warning for Europe on the basis of possible imminent terrorist attacks. Germany Interior Minister Thomas de Maizière, however, has warned against scaremongering. There is apparently no concrete evidence of imminent attacks in Germany. But perhaps, speculates one European Union security expert, it was just a little “background music” for the real questions to be discussed in the trans-Atlantic talks: How deeply can American terrorism investigators peer into European computers, how extensively can they monitor European bank accounts, tap into Blackberrys or listen in on Skype calls?

When Brian Ross first reported this, even he admitted that the US had no details of a real attack (I’m still looking for that video). But continued leaks to the ever-useful but unreliable Ross focused on tourists in major European airports. I just flew through Heathrow, undoubtedly one of the targets of any plot targeted at US tourists in major European airports. While American Airlines appeared to have heightened security, Delta had none, not even for those flying, as I was, on the same flight that the underwear bomber attempted to take down in December. Frankly, no one at the airport seemed even aware that there was a heightened alert. And if the fearmongering is designed to make European countries worried about the travel trade, then why not raise concerns about airports?

Ultimately, if the US achieves (or, more likely, continues to sustain) what it is seeking in these negotiations–unilateral control over much of the world’s data–then it can fearmonger like this at will, since only it will be able to claim to have a view of all the data points. Yes, there are undoubtedly real benefits to terror investigators to have access to data (balanced, no doubt, by the problem of having too much data to adequately scan). But this unquenchable thirst for more data sure seems to be as much about power as anything else.

Obama Administration Grants Europeans Rights Americans Don’t Have

You know what happens when your elected representatives fight for your privacy? Counterterrorism investigators actually grant you some!

At issue is SWIFT–the database that tracked most international money transfers which the Bush Administration mined in its counterterrorism fight. When SWIFT’s server moved to the EU, the US tried to demand the same access as it had had previously. But the EU Parliament–strengthened by the Lisbon treaty–rejected the terms the US initially demanded. And as negotiations went on, the EU insisted on safeguards for its citizens.

Well, the EU finally signed an agreement with the US, and here are the protections the EU won for its citizens (h/t LES):

Elimination of bulk data transfers

The key to the deal for Parliament was the eventual elimination of “bulk” data transfers. In exchange for backing the agreement, MEPs won an undertaking that work on setting up an EU equivalent to the US “Terrorism Finance Tracking Program” (TFTP), which would preclude the need for bulk data transfers, will start within 12 months. Once Europe has a system enabling it to analyse data on its own territory, it need only transfer data relating to a specific terrorist track.

A new role for Europol

Another innovation of the new agreement is that it empowers “Europol”, the EU’s criminal intelligence agency based in The Hague, to block data transfers to the USA. Europol will have to check that every data transfer request by the US Treasury is justified by counter-terrorism needs and that the volume of data requested is as small as possible.

An EU representative in the USA to monitor data processing

The new version of the agreement also provides that the use of data by the Americans, which must be exclusively for counter-terrorism purposes, is to be supervised by a group of independent inspectors, including someone appointed by the European Commission and the European Parliament. This person will be entitled to request justification before any data is used and to block any searches he or she considers illegitimate.

The agreement prohibits the US TFTP from engaging in “data mining” or any other type of algorithmic or automated profiling or computer filtering. Any searches of SWIFT data will have to be based on existing information showing that the object of the search relates to terrorism or terrorism finance.

Right of redress for European citizens

In February 2010, MEPs demanded that under any new version of the agreement European citizens should be guaranteed the same judicial redress procedures as those applied to data held on the territory of the European Union. The new proposal says this time that US law must provide a right of redress, regardless of nationality.

Data retention and deletion

Extracted data may be retained only for the duration of the specific procedures and investigations for which they are used. Each year, the US Treasury must take stock of any data that have not been extracted, and hence individualised, which will no longer be of use for counter-terrorism purposes, and delete them.  Such data must be deleted after five years at the latest.

There will be two checks–at the Europol level and via an EU representative working in the US–to make sure the data is being accessed appropriately. Within a year, Europe will assume the role the US is now playing. And the agreement at least grants redress in court and limits on data retention (though like those in Europe who opposed this deal, I’m skeptical of the efficacy of these requirements).

That’s more than we American citizens get under some of the provisions of the PATRIOT Act.

Then again, some of our representatives tried to win greater protections for US persons last year. But short of doing what the EU did–withdrawing US access to the data–Congress was unable to win concessions from the Administration.

EU Won’t Hand Over Their Data

Last year and in February, we watched as the EU balked at US demands for data-sharing under the SWIFT program. The Belgian cooperative in charge of the international money transfer database moved its servers to the EU, but the US still wanted the same access it had had when the servers were in the US. The US had tried to push through a last-minute deal before EU Parliament changed hands last year, but the parliament rejected that deal. So now the EU is trying to decide what kind of data-sharing they’ll have with the US.

EFF links to a report from this week’s EU debate on SWIFT. The result? The Europeans passed a resolution stating that they’re not going to hand over to the US bulk downloads of data, and ultimately any data shared with the US should be extracted on EU soil, and should include reciprocity with the US.

On the issue of bank data transfers, Parliament argues in a resolution adopted by show of hands, that bulk data transfers infringe EU legislation.  It urges the Council and Commission to “address this issue properly in the negotiations”.  In addition, the new agreement should include “strict implementation and supervision safeguards, monitored by an appropriate EU-appointed authority” on the day-to-day extraction of and use by the US authorities of all such data. The maximum storage period must not exceed five years and the data may not be disclosed to third countries.

Any new agreement should be limited in duration and pave the way for arrangements to enable requested data to be extracted on European soil, say MEPs. They believe that “the option offering the highest level of guarantees” would be to allow for the extraction of data to take place on EU soil, in EU or joint EU-US facilities.  In the medium term, an EU judicial authority should oversee the extraction of data in the EU. Meanwhile, select EU personnel should take part in the oversight of the extraction process in the USA.

Reciprocity would require the Americans to allow EU authorities to obtain and use data stored in servers in the US.

Parliament wants access to any documents that demonstrate the need for the scheme.  It also wants to know whether the envisaged agreement will guarantee the same rights to European citizens as to Americans in the event of any abuse of the data: the rights guaranteed under the US Privacy Act can be invoked only by citizens and permanent residents of the United States.

The Europeans might yet put some limits on the US efforts to totally eliminate privacy in the name of counter-terrorism.

EU Parliament Rejects Interim SWIFT Deal

The EU Parliament voted today–by big margins–to end the temporary deal allowing the US access to data from SWIFT.

The European Parliament on Thursday broadly rejected an agreement with the United States on sharing information on bank transfers that was aimed at tracking suspected terrorists through their finances.The vote in Strasbourg, France, underlined differences between the United States and the European Union over how to balance guarantees of personal privacy with concerns about national and international security.

A resolution to reject the deal passed 378-196, with 31 abstentions. The vote means that the agreement, which provisionally went into force at the beginning of February, cannot be used as planned.

The agreement would have freed the United States from having to seek bank data on a country-by-country basis. But Washington still could press for access to the data through such avenues.

Remember, this deal would have given European citizens more protections than Americans currently get from their banks (because it would have allowed them to check whether their data had been accessed).

This rejection also comes just as the Administration, following yesterday’s release of language concerning the treatment of Binyam Mohamed, is making a show of complaining about information sharing.

On Wednesday, the White House said, “We’re deeply disappointed with the court’s judgment today, because we shared this information in confidence and with certain expectations.”

Dennis Blair, U.S. director of national intelligence, condemned the release of the information.

“The protection of confidential information is essential to strong, effective security and intelligence cooperation among allies,” he said. “The decision by a United Kingdom court to release classified information provided by the United States is not helpful, and we deeply regret it.”

Obviously, particularly following the Undie Bomber attempt, the Administration is going to do anything it can to continue sharing information, both on detainees and data analysis. But it’s going to have to start playing well with others to do so.