The NSA Is Also Grabbing Millions Of Credit Card Records

from the so.-much.-hay. dept

In addition to everything else it's collecting, the NSA also has millions of international credit card transactions stashed away in its databases, according to documents viewed by Spiegel.

The information from the American foreign intelligence agency, acquired by former NSA contractor and whistleblower Edward Snowden, show that the spying is conducted by a branch called "Follow the Money" (FTM). The collected information then flows into the NSA's own financial databank, called "Tracfin," which in 2011 contained 180 million records. Some 84 percent of the data is from credit card transactions.
On one hand, what the NSA is doing is exactly what the NSA should be doing: tracing the money flow of terrorist organizations.
Their aim was to gain access to transactions by VISA customers in Europe, the Middle East and Africa, according to one presentation. The goal was to "collect, parse and ingest transactional data for priority credit card associations, focusing on priority geographic regions."
This is part of the Terrorist Finance Tracking Program, which was set up shortly after the 9/11 attacks and gave the US government access to the SWIFT (Society for Worldwide Interbank Financial Telecommunication) database. This, in and of itself, is not news, having been exposed in 2006. Documents uncovered then showed the program had been in place since 2002, with permission extended to the CIA and the Treasury Dept. as part of Bush's "Global War on Terror."

What is new, however, is the fact that the NSA is targeting transactions from major credit card companies, like VISA. This has quite a bit more potential for misuse than SWIFT, which records only banking transactions. VISA responded to this new information with the same quasi-denial we've seen from several other companies whose links to the NSA have been exposed.
"We are not aware of any unauthorized access to our network. Visa takes data security seriously and, in response to any attempted intrusion, we would pursue all available remedies to the fullest extent of the law. Further, its Visa's policy to only provide transaction information in response to a subpoena or other valid legal process."
Of course, this isn't "unauthorized" access, not when gathered with a court order or subpoena. But this isn't as tightly controlled as the spokesperson makes it appear. If pursuing data for "counterterrorism" purposes, the NSA is allowed to skirt the protections of the Right to Financial Privacy Act, thanks to an amendment in the PATRIOT Act. But even with these legal options, it appears the NSA would still rather pursue this in an extralegal fashion in order to circumvent the warrant process.
NSA analysts at an internal conference that year described in detail how they had apparently successfully searched through the US company's complex transaction network for tapping possibilities.
Whatever's happening now appears to be the NSA grabbing more data simply because it can. It's not as if it didn't already have access copious amounts of financial data, thanks to the government's fully legal (and fully public) collection of bulk financial records through SWIFT.
Remember: in addition to stealing the data, Treasury also gets it via a now-public agreement. The former CEO of SWIFT Leonard Schrank and former Homeland Security Czar, Juan Zarate actually boasted in July, in response to the earliest Edward Snowden revelations, about how laudable Treasury’s consensual access to the data was.

"The use of the data was legal, limited, targeted, overseen and audited. The program set a gold standard for how to protect the confidential data provided to the government. Treasury legally gained access to large amounts of Swift’s financial-messaging data (which is the banking equivalent of telephone metadata) and eventually explained it to the public at home and abroad.

It could remain a model for how to limit the government’s use of mass amounts of data in a world where access to information is necessary to ensure our security while also protecting privacy and civil liberties."

Never mind that by the time they wrote this, an EU audit had showed the protections were illusory, in part because the details of actual queries were oral (and therefore the queries weren’t auditable), in part because Treasury was getting bulk data. But there was a legitimate way to get data pertaining to the claimed primary threat at hand, terrorism. And now we know NSA also stole data.
Even when the government has an advantageous agreement to collect bulk data with little oversight, its agencies can't help but exploit this even further. The collection via "oral queries" is another indicator of these agencies' (FBI, NSA, CIA) unwillingness to follow even the most minimal of rules. (See also the administration's 2010 ruling that made the FBI's warrantless wiretapping legal, which occurred after the agency's process had slid from issuing tons of National Security Letters to simply calling up the telcos and requesting records.)

The untargeted collection of financial data has raised concerns from those on the "collection" side.
[E]ven intelligence agency employees are somewhat concerned about spying on the world finance system, according to one document from the UK's intelligence agency GCHQ concerning the legal perspectives on "financial data" and the agency's own cooperations with the NSA in this area. The collection, storage and sharing of politically sensitive data is a deep invasion of privacy, and involved "bulk data" full of "rich personal information," much of which "is not about our targets," the document says.
When even the spies are concerned about about how much data their spy programs are netting, that's a pretty good sign a bulk records collections effort has gone too far. And it has deeper implications than simply a massive amount of privacy violations. As Marcy Wheeler points out, even the then-Fed chairman Alan Greenspan expressed his concerns about the breadth of the SWIFT collections.
If the world’s financiers were to find out how their sensitive internal data was being used, he acknowledged, it could hurt the stability of the global banking systems.
That's a scary thought, considering the "global banking system" isn't all that stable to begin with. A lack of targeting will leave the NSA open to more accusations of economic espionage, something clearly not related to its supposed "national security" agenda.

Reader Comments (rss)

(Flattened / Threaded)

  1. This comment has been flagged by the community. Click here to show it
    out_of_the_blue, Sep 16th, 2013 @ 11:03am

    Quit being surprised by universal surveillance!

    EVERY gadget and computerized system that human ingenuity can devise and implement is tied into ONE surveillance grid, and more to come: "smart-meters" for your house. That's established --even has a name: "the internet of things" to be rolled out, with even your refrigerator spying on you -- though some weenies STILL can't accept that Google and Facebook give NSA "direct" access.

    Now, move on to WHO BENEFITS and HOW TO RESIST.

    The phony deal that evil people (and gullible fools) try to force on us: You can't have the benefits of technology unless give up all privacy.

    reply to this | link to this | view in thread ]

  2. identicon
    Anonymous Coward, Sep 16th, 2013 @ 11:04am

    Quick nitpick

    You can't really steal data. You can unlawfully access it, but unless you destroy all the other copies, you can't really steal it.

    reply to this | link to this | view in thread ]

  3. icon
    Ninja (profile), Sep 16th, 2013 @ 11:04am

    It's hard to imagine why ANY terrorist would use official Visa cards to buy his explosives. Honestly by now the privacy and trust have been eroded by a degree that I find it hard to accept the supposed counter terrorism effects such surveillance should have had outweigh the damage it's causing.

    It's worth following how much of an impact this may have. I personally use plain old money if I don't want to leave tracks. Then there's bitcoin...

    reply to this | link to this | view in thread ]

  4. identicon
    Anonymous Coward, Sep 16th, 2013 @ 11:09am

    The longer this goes on, the worse the repercussions will be. Financial requires one have faith in the system working. Without that faith it all collapses, which is what happened with the housing meltdown. Once no one could identify the bad loans, no one was willing to take a risk on buying.

    We have now another little tidbit from Belgium, you know, home of the European Commission, the European Parliament, NATO Headquarters, and gobs of lobbyists. Every time now a security breach is found it will automatically be suspected that NSA was involved. As such it isn't going to end and there will be results from all this spying done.

    reply to this | link to this | view in thread ]

  5. identicon
    Skeptical, Sep 16th, 2013 @ 11:19am

    Potential for misuse

    "What is new, however, is the fact that the NSA is targeting transactions from major credit card companies, like VISA. This has quite a bit more potential for misuse than SWIFT, which records only banking transactions."

    I'm not sure I see the difference. Why is there more potential for abuse when credit cards are involved?

    reply to this | link to this | view in thread ]

  6. identicon
    Anonymous Coward, Sep 16th, 2013 @ 11:20am

    The question is not if, but when?

    What happens when the NSA storage sites become compromised? Do you really want hackers getting access to so much data? It would be an identity theft nightmare of epic proportions..

    reply to this | link to this | view in thread ]

  7. identicon
    Capt ICE Enforcer, Sep 16th, 2013 @ 11:22am


    I can handle the NSA reading my emails, I can handle them turning my Xbox computer and cell phone into a remote video audio and tracking device. But I draw the line when they know I am late on my visa payment. The NSA has gone too far.

    reply to this | link to this | view in thread ]

  8. identicon
    Anonymous Coward, Sep 16th, 2013 @ 11:34am

    Re: Potential for misuse

    I think credit cards are a bit more detailed than banking transactions.

    Unless I'm mistaken, the banking transactions would be deposits, withdraws, transfers, etc. So they would see who I write checks to, get checks from, when I deposit or withdraw cash, when I transfer money to or from my stock brokerage, or when I pay utility bills, car payments, make credit card payments etc.

    Tracking the credit card transactions themselves on the other hand lets them know exactly how much you spend at what stores on what dates, using which credit card.

    The second has a lot more potential for black mail, stalking, etc.

    reply to this | link to this | view in thread ]

  9. identicon
    Michael, Sep 16th, 2013 @ 11:58am

    This is just a preemptive action in case congress defunds them.

    reply to this | link to this | view in thread ]

  10. icon
    RyanNerd (profile), Sep 16th, 2013 @ 12:19pm

    Suck! Suck! Suck!

    reply to this | link to this | view in thread ]

  11. icon
    Zakida Paul (profile), Sep 16th, 2013 @ 12:27pm

    Re: Quick nitpick

    Hey, if MPAA and RIAA can deliberately misuse the word 'steal', why can't we?

    reply to this | link to this | view in thread ]

  12. icon
    Zakida Paul (profile), Sep 16th, 2013 @ 12:28pm

    Of course

    And if I were to grab millions of credit card records, I would face a lengthy jail term.

    Do as we say, not as we do. Utter hypocrites.

    reply to this | link to this | view in thread ]

  13. identicon
    Crusty the Ex-Clown, Sep 16th, 2013 @ 12:40pm

    I still want to know.... they failed to notice LIBOR rigging. Not to mention money laundering by big international banks......

    Just sayin'...........

    reply to this | link to this | view in thread ]

  14. identicon
    Anonymous Coward, Sep 16th, 2013 @ 1:11pm

    so much for the banks saying all our financial services and transactions are 110% safe, then! when is the USG going to come right out and say it? it wants to know what every single person everywhere both on and off the planet is doing, is saying, is writing, is buying, is selling, is making, is destroying, is thinking and where they are going! then it wants the same information about it's 'enemies'!!

    reply to this | link to this | view in thread ]

  15. icon
    limbodog (profile), Sep 16th, 2013 @ 1:15pm

    The terrorists hate us for our credit ratings.

    reply to this | link to this | view in thread ]

  16. identicon
    Anonymous Coward, Sep 16th, 2013 @ 1:31pm

    Re: Re: Quick nitpick

    Because we're better than that.

    If we sink to their level, then they've won anyway. Because they will have corrupted our thinking.

    reply to this | link to this | view in thread ]

  17. identicon
    Anonymous Coward, Sep 16th, 2013 @ 2:07pm

    This shouldn't be a cherry on top of everything that happened, this should have been one of the front-and-center points of the entire scandal.

    They're watching what you say and what you buy. If that doesn't scare the shit out of anyone, then they aren't worth bothering with to begin with.

    reply to this | link to this | view in thread ]

  18. identicon
    Anonymous, Sep 16th, 2013 @ 2:21pm

    Terrorist financing

    Support Osama Bin Laden. Check.
    Support Saddam Hussein. Check.
    Support Syrian "rebels". Check.
    The US government doesn't miss a trick, does it?

    reply to this | link to this | view in thread ]

  19. identicon
    Anonymous, Sep 16th, 2013 @ 3:43pm


    What about debit cards, like those that employees of some companies are paid on? If you have a bank account, you can get all the money off your card. But what if you don't have a bank account? You can go to a store and buy a small, cheap item (like a pack of gum, for example), swipe your card and get the maximum allowed amount of cash back. Sure, they know you bought a pack of gum, but they don't have a clue what you did with that cash.

    reply to this | link to this | view in thread ]

  20. identicon
    Pixelation, Sep 16th, 2013 @ 9:30pm

    A little shocked

    Why the fuck would anyone trust Visa? In fact, why would anyone trust any of the overly large corporations? Microsoft? No. Google? No. Verizon? No. AT&T? Hell No! Intel? Gosh I wish but, no. Amazon, who cares... wait, no.
    The problem is that when the government comes calling they will bend over and spread their cheeks.

    Too big to fail.

    reply to this | link to this | view in thread ]

  21. identicon
    getauto finance, Nov 11th, 2013 @ 2:42am

    Private finance refers to your fiscal management of which anyone or maybe a family model is required to create to obtain, spending budget, spend less, in addition to invest personal means as time passes, looking at several fiscal pitfalls in addition to foreseeable future living activities.

    reply to this | link to this | view in thread ]

  22. identicon
    anonymous, Aug 20th, 2014 @ 2:37am

    Strict action should be taken against the cyber threats.Government should provide the necessary solutions to protect the laws of credit.

    documentary letters of credit software

    reply to this | link to this | view in thread ]

Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Use markdown for basic formatting. HTML is no longer supported.
  Save me a cookie
Follow Techdirt
Insider Shop - Show Your Support!

Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Report this ad  |  Hide Techdirt ads
Recent Stories
Report this ad  |  Hide Techdirt ads


Email This

This feature is only available to registered users. Register or sign in to use it.