The NSA Is Also Grabbing Millions Of Credit Card Records

Privacy

from the so.-much.-hay. dept

Mon, Sep 16th 2013 10:38am — Tim Cushing

In addition to everything else it's collecting, the NSA also has millions of international credit card transactions stashed away in its databases, according to documents viewed by Spiegel.

The information from the American foreign intelligence agency, acquired by former NSA contractor and whistleblower Edward Snowden, show that the spying is conducted by a branch called "Follow the Money" (FTM). The collected information then flows into the NSA's own financial databank, called "Tracfin," which in 2011 contained 180 million records. Some 84 percent of the data is from credit card transactions.

On one hand, what the NSA is doing is exactly what the NSA should be doing: tracing the money flow of terrorist organizations.

Their aim was to gain access to transactions by VISA customers in Europe, the Middle East and Africa, according to one presentation. The goal was to "collect, parse and ingest transactional data for priority credit card associations, focusing on priority geographic regions."

This is part of the Terrorist Finance Tracking Program, which was set up shortly after the 9/11 attacks and gave the US government access to the SWIFT (Society for Worldwide Interbank Financial Telecommunication) database. This, in and of itself, is not news, having been exposed in 2006. Documents uncovered then showed the program had been in place since 2002, with permission extended to the CIA and the Treasury Dept. as part of Bush's "Global War on Terror."

What is new, however, is the fact that the NSA is targeting transactions from major credit card companies, like VISA. This has quite a bit more potential for misuse than SWIFT, which records only banking transactions. VISA responded to this new information with the same quasi-denial we've seen from several other companies whose links to the NSA have been exposed.

"We are not aware of any unauthorized access to our network. Visa takes data security seriously and, in response to any attempted intrusion, we would pursue all available remedies to the fullest extent of the law. Further, its Visa's policy to only provide transaction information in response to a subpoena or other valid legal process."

Of course, this isn't "unauthorized" access, not when gathered with a court order or subpoena. But this isn't as tightly controlled as the spokesperson makes it appear. If pursuing data for "counterterrorism" purposes, the NSA is allowed to skirt the protections of the Right to Financial Privacy Act, thanks to an amendment in the PATRIOT Act. But even with these legal options, it appears the NSA would still rather pursue this in an extralegal fashion in order to circumvent the warrant process.

NSA analysts at an internal conference that year described in detail how they had apparently successfully searched through the US company's complex transaction network for tapping possibilities.

Whatever's happening now appears to be the NSA grabbing more data simply because it can. It's not as if it didn't already have access copious amounts of financial data, thanks to the government's fully legal (and fully public) collection of bulk financial records through SWIFT.

Remember: in addition to stealing the data, Treasury also gets it via a now-public agreement. The former CEO of SWIFT Leonard Schrank and former Homeland Security Czar, Juan Zarate actually boasted in July, in response to the earliest Edward Snowden revelations, about how laudable Treasury’s consensual access to the data was.

"The use of the data was legal, limited, targeted, overseen and audited. The program set a gold standard for how to protect the confidential data provided to the government. Treasury legally gained access to large amounts of Swift’s financial-messaging data (which is the banking equivalent of telephone metadata) and eventually explained it to the public at home and abroad.

It could remain a model for how to limit the government’s use of mass amounts of data in a world where access to information is necessary to ensure our security while also protecting privacy and civil liberties."

Never mind that by the time they wrote this, an EU audit had showed the protections were illusory, in part because the details of actual queries were oral (and therefore the queries weren’t auditable), in part because Treasury was getting bulk data. But there was a legitimate way to get data pertaining to the claimed primary threat at hand, terrorism. And now we know NSA also stole data.

Even when the government has an advantageous agreement to collect bulk data with little oversight, its agencies can't help but exploit this even further. The collection via "oral queries" is another indicator of these agencies' (FBI, NSA, CIA) unwillingness to follow even the most minimal of rules. (See also the administration's 2010 ruling that made the FBI's warrantless wiretapping legal, which occurred after the agency's process had slid from issuing tons of National Security Letters to simply calling up the telcos and requesting records.)

The untargeted collection of financial data has raised concerns from those on the "collection" side.

[E]ven intelligence agency employees are somewhat concerned about spying on the world finance system, according to one document from the UK's intelligence agency GCHQ concerning the legal perspectives on "financial data" and the agency's own cooperations with the NSA in this area. The collection, storage and sharing of politically sensitive data is a deep invasion of privacy, and involved "bulk data" full of "rich personal information," much of which "is not about our targets," the document says.

When even the spies are concerned about about how much data their spy programs are netting, that's a pretty good sign a bulk records collections effort has gone too far. And it has deeper implications than simply a massive amount of privacy violations. As Marcy Wheeler points out, even the then-Fed chairman Alan Greenspan expressed his concerns about the breadth of the SWIFT collections.

If the world’s financiers were to find out how their sensitive internal data was being used, he acknowledged, it could hurt the stability of the global banking systems.

That's a scary thought, considering the "global banking system" isn't all that stable to begin with. A lack of targeting will leave the NSA open to more accusations of economic espionage, something clearly not related to its supposed "national security" agenda.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: credit cards, financial transactions, nsa, nsa surveillance, surveillance, swift
Companies: swift, visa

22 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

This comment has been flagged by the community. Click here to show it

out_of_the_blue, 16 Sep 2013 @ 11:03am

Quit being surprised by universal surveillance!
EVERY gadget and computerized system that human ingenuity can devise and implement is tied into ONE surveillance grid, and more to come: "smart-meters" for your house. That's established --even has a name: "the internet of things" to be rolled out, with even your refrigerator spying on you -- though some weenies STILL can't accept that Google and Facebook give NSA "direct" access.

Now, move on to WHO BENEFITS and HOW TO RESIST.

The phony deal that evil people (and gullible fools) try to force on us: You can't have the benefits of technology unless give up all privacy.
[ link to this | view in thread ]
Anonymous Coward, 16 Sep 2013 @ 11:04am

Quick nitpick
You can't really steal data. You can unlawfully access it, but unless you destroy all the other copies, you can't really steal it.
[ link to this | view in thread ]
Ninja (profile), 16 Sep 2013 @ 11:04am

It's hard to imagine why ANY terrorist would use official Visa cards to buy his explosives. Honestly by now the privacy and trust have been eroded by a degree that I find it hard to accept the supposed counter terrorism effects such surveillance should have had outweigh the damage it's causing.

It's worth following how much of an impact this may have. I personally use plain old money if I don't want to leave tracks. Then there's bitcoin...
[ link to this | view in thread ]
Anonymous Coward, 16 Sep 2013 @ 11:09am

The longer this goes on, the worse the repercussions will be. Financial requires one have faith in the system working. Without that faith it all collapses, which is what happened with the housing meltdown. Once no one could identify the bad loans, no one was willing to take a risk on buying.

We have now another little tidbit from Belgium, you know, home of the European Commission, the European Parliament, NATO Headquarters, and gobs of lobbyists. Every time now a security breach is found it will automatically be suspected that NSA was involved. As such it isn't going to end and there will be results from all this spying done.

http://www.engineeringnet.eu/details.asp?Id=10978
[ link to this | view in thread ]
Skeptical, 16 Sep 2013 @ 11:19am

Potential for misuse
"What is new, however, is the fact that the NSA is targeting transactions from major credit card companies, like VISA. This has quite a bit more potential for misuse than SWIFT, which records only banking transactions."

I'm not sure I see the difference. Why is there more potential for abuse when credit cards are involved?
[ link to this | view in thread ]
Anonymous Coward, 16 Sep 2013 @ 11:20am

The question is not if, but when?
What happens when the NSA storage sites become compromised? Do you really want hackers getting access to so much data? It would be an identity theft nightmare of epic proportions..
[ link to this | view in thread ]
Capt ICE Enforcer, 16 Sep 2013 @ 11:22am

OMG
I can handle the NSA reading my emails, I can handle them turning my Xbox computer and cell phone into a remote video audio and tracking device. But I draw the line when they know I am late on my visa payment. The NSA has gone too far.
[ link to this | view in thread ]
Anonymous Coward, 16 Sep 2013 @ 11:34am

Re: Potential for misuse
I think credit cards are a bit more detailed than banking transactions.

Unless I'm mistaken, the banking transactions would be deposits, withdraws, transfers, etc. So they would see who I write checks to, get checks from, when I deposit or withdraw cash, when I transfer money to or from my stock brokerage, or when I pay utility bills, car payments, make credit card payments etc.

Tracking the credit card transactions themselves on the other hand lets them know exactly how much you spend at what stores on what dates, using which credit card.

The second has a lot more potential for black mail, stalking, etc.
[ link to this | view in thread ]
Michael, 16 Sep 2013 @ 11:58am

This is just a preemptive action in case congress defunds them.
[ link to this | view in thread ]
RyanNerd (profile), 16 Sep 2013 @ 12:19pm

Suck! Suck! Suck!
NSA
[ link to this | view in thread ]
Zakida Paul (profile), 16 Sep 2013 @ 12:27pm

Re: Quick nitpick
Hey, if MPAA and RIAA can deliberately misuse the word 'steal', why can't we?
[ link to this | view in thread ]
Zakida Paul (profile), 16 Sep 2013 @ 12:28pm

Of course
And if I were to grab millions of credit card records, I would face a lengthy jail term.

Do as we say, not as we do. Utter hypocrites.
[ link to this | view in thread ]
Crusty the Ex-Clown, 16 Sep 2013 @ 12:40pm

I still want to know....
.....how they failed to notice LIBOR rigging. Not to mention money laundering by big international banks......

Just sayin'...........
[ link to this | view in thread ]
Anonymous Coward, 16 Sep 2013 @ 1:11pm

so much for the banks saying all our financial services and transactions are 110% safe, then! when is the USG going to come right out and say it? it wants to know what every single person everywhere both on and off the planet is doing, is saying, is writing, is buying, is selling, is making, is destroying, is thinking and where they are going! then it wants the same information about it's 'enemies'!!
[ link to this | view in thread ]
limbodog (profile), 16 Sep 2013 @ 1:15pm

The terrorists hate us for our credit ratings.
[ link to this | view in thread ]
Anonymous Coward, 16 Sep 2013 @ 1:31pm

Re: Re: Quick nitpick
Because we're better than that.

If we sink to their level, then they've won anyway. Because they will have corrupted our thinking.
[ link to this | view in thread ]
Anonymous Coward, 16 Sep 2013 @ 2:07pm

This shouldn't be a cherry on top of everything that happened, this should have been one of the front-and-center points of the entire scandal.

They're watching what you say and what you buy. If that doesn't scare the shit out of anyone, then they aren't worth bothering with to begin with.
[ link to this | view in thread ]
Anonymous, 16 Sep 2013 @ 2:21pm

Terrorist financing
Support Osama Bin Laden. Check.
Support Saddam Hussein. Check.
Support Syrian "rebels". Check.
The US government doesn't miss a trick, does it?
[ link to this | view in thread ]
Anonymous, 16 Sep 2013 @ 3:43pm

Re:
What about debit cards, like those that employees of some companies are paid on? If you have a bank account, you can get all the money off your card. But what if you don't have a bank account? You can go to a store and buy a small, cheap item (like a pack of gum, for example), swipe your card and get the maximum allowed amount of cash back. Sure, they know you bought a pack of gum, but they don't have a clue what you did with that cash.
[ link to this | view in thread ]
Pixelation, 16 Sep 2013 @ 9:30pm

A little shocked
Why the fuck would anyone trust Visa? In fact, why would anyone trust any of the overly large corporations? Microsoft? No. Google? No. Verizon? No. AT&T? Hell No! Intel? Gosh I wish but, no. Amazon, who cares... wait, no.
The problem is that when the government comes calling they will bend over and spread their cheeks.

Too big to fail.
[ link to this | view in thread ]
getauto finance, 11 Nov 2013 @ 2:42am

Private finance refers to your fiscal management of which anyone or maybe a family model is required to create to obtain, spending budget, spend less, in addition to invest personal means as time passes, looking at several fiscal pitfalls in addition to foreseeable future living activities.
[ link to this | view in thread ]
anonymous, 20 Aug 2014 @ 2:37am

Strict action should be taken against the cyber threats.Government should provide the necessary solutions to protect the laws of credit.

documentary letters of credit software
[ link to this | view in thread ]