October 22, 2006

SWIFT breach - SWIFT broke the law, the laws have changed, the ECB ducks responsibility

European data protection authorities empanelled an investigation, alongside their companion privacy commissioners. Their verdict? SWIFT broke the law.

The Belgian-based consortium known as Swift, which handles money transfers among banks, violated European privacy regulations when it turned over confidential transaction information to the Central Intelligence Agency and other American agencies, Belgium's privacy protection commission concluded today. ... Under European Union law, companies may not transfer confidential personal data to an entity in another country unless that country's privacy protections are deemed adequate. The union does not consider American protections adequate because the United States has never enacted comprehensive data protection laws. Under that rule, the commission found, Swift acted without a legal basis when it sent the data to the United States.

Swift has defended the transfers on the ground that, because it has offices in the United States, it was bound by United States law, and had no choice but to turn over the data after the Treasury Department issued broad administrative subpoenas to it.

The commission rejected this argument, saying Swift was still subject to Belgian rules, regardless of Swift's American subsidiary and its legal obligations. "Swift should have realized that exceptional measures based on American rules do not legitimize hidden, systemic violations of fundamental European principles related to data protection over a long period of time," the commission wrote.

Others agreed. This is not helped by SWIFT's ducking and weaving. SWIFT may have provided some evidentiary information in paper form:

Both SWIFT and the U.S. authorities say records were subpoenaed as part of targeted investigations into suspected terrorist activity. In its defense, SWIFT reiterated on Monday that it received "significant protections and assurances" that the data transferred to the U.S. was used confidentially.

But -- rumour has it -- the subpoenas have not been supplied to EU investigators, and we already know that UST passes the information on for other purposes / investigations, as mentioned here before.

Quintessenz points out that their answers were evasive, and I'd agree. They must think the public are muggins, but they did let some things slip out:

No, SWIFT does can not provide this type of data. It is important to understand that SWIFT does not have the means to read the information inside a message. SWIFT can only read the information necessary to route the messages across its network from bank A to bank B. In this respect SWIFT is similar to a postal service.

Yet, the investigation concluded that SWIFT was not simply a messaging service, and was in practice a financial institution. Is SWIFT suggesting that SWIFT can't see the content? In that case, what is the motivation of the US-Treasury interest? We already know that banks send lots of messages between each other, so this would seem to be a comment of quite extraordinary strangeness, and SWIFT's case may depend on the answer to this question.

The investigation also concluded that SWIFT had not advised its overseers to sufficient extent, had acted independently, and had acted more as principal than as agent. In other words, SWIFT is responsible. Consider these three statements, by SWIFT, from diverse sources:

The US Treasury cannot search the data for evidence of nonterrorist related crime. SWIFT has explicitly excluded searches for tax evasion, economic espionage, money laundering or other criminal activity.
In a statement signed by SWIFT's CEO Leonard H. Schrank, the company said the U.S. Treasury does not have unlimited access to data stored by SWIFT, and the information it got was used only "for the exclusive purpose of terrorism investigations."
The laws haven't changed. The environment of terrorism hasn't changed. SWIFT is well aware of the laws and regulations people are concerned about. The Board is monitoring the situation on a regular basis. Beyond that, SWIFT cannot comment.

With the extraordinary powers Congress passed a month ago, SWIFT's agreement is no longer a barrier of any import. The laws have changed. When President Bush signed the act into law that destroys habeus corpus, Military Commissions Act, he also signed in the ability to designate anyone as a terrorist. Without recourse.

SWIFT data may now be requested on discretion without any high degree of proof, simply on the say-so of the requestor.

Who's looking like a muggins now? The European privacy investigation wasn't fooled, and correctly rejected the argument that SWIFT was under US law; if the compliance broke European law, then the New York office of SWIFT should not have had the data in the first place. Again, Quintessenz asks:

As this process has been going for nearly five years why did SWIFT not cease to store all datasets in the New York headquarter?

To ensure the reliability and resilience of its network, SWIFT has redundant systems spanning multiple continents, including operating centres located on different continents. Each operating centre is an active backup to the other and is designed to independently manage SWIFT's entire operations, if required. In other words, messages are mirrored and stored for retrieval purposes during 124 days in both operating centres. This architecture has been in place for decades.

No muggins, that Erich Moechel ... From SWIFT again:

"We informed the overseers. What their position was in most cases was this didn't pose a risk for the financial stability of the financial system and that's what their remit is. So they didn't need to inform others and SWIFT wasn't legally bound to inform anyone else," said the spokesman.

"These discussions were held at the highest level between SWIFT's board and its overseers. None of them raised any objection."

So were are the regulators in this mess? The ECB remains under pressure. As mentioned, the central banks have to be involved in this one because they are the only regulators with credibility in the area. Begging out on some pretext then must be examined with the highest degree of skepticism.

The ECB is part of a group of central banks that oversee SWIFT informally but have no legal power to sanction it.

"The group considered that this matter would not have financial-stability implications and therefore concluded it fell totally outside the remit of the oversight role," [ECB President] Trichet said.

"We did not give SWIFT any blessing in their compliance with these subpoenas. SWIFT remains fully responsible for its decision," he said, adding that it was not up to the ECB, but SWIFT, to decide whether to inform European institutions.

Yet. their mandate is only loosely financial stability; when called upon, they quite happily dive into other areas. Here's how Ben Bernanke, the new Chairman of the Federal Reserve, puts it:

Historically, the goals of banking regulation have included the safety and soundness of bank operations, the stability of the broader financial system, the promotion of competition and efficiency in banking, assistance to law enforcement, consumer protection, and broader social objectives.

In many of these cases, it takes a very open imagination to create the nexus between central bank activities and these areas of interest, so the hand-waving of the European Central Bank at this point is like watching a man drown, and assuming it is the lifeguard's responsibility to save him.

This is justly called a scandal for the underhanded way in which the US Treasury breached the SWIFT databases. It wasn't that the EU wouldn't have done a deal, it was that the UST felt it necessary to keep it secret so as to not ask the Europeans.

Secrecy is a bad policy. Kerckhoffs said it a century ago, and it remains as true today. The need to show that some enemy could benefit from seeing your operations is a flimsy excuse alongside the massive danger you do to your own side when you hide things from your own people, and let them fester.

Which leads into that other "government secrets" case. Judge Taylor, who a month or two back ruled one of the Bush domestic spying programmes illegal, has rejected arguments to stop the programme. Instead, she has gave the government a week to get a reversal from the Appeals court, and effectively underlined the suggestion that the "government secrets" argument is being used to hide bad stuff, not good stuff.

Normally, we try and keep clear of politics, and stick to FC. Hence, the SWIFT breach represents a fascinating case of governance gone wrong in a major system of FC import. But it wouldn't be right to exclude mention of the broader canvas such as the suspension of habeas corpus in the US of A. In the latest of a long series of bills, American lawmakers have shown themselves willing to hand over all power to an exective branch, and SWIFT is happy to comply with that.

As we come into the November USA election madness, some might be asking, "Where the American people?" Most don't know or care. I think a comment on Bruce Schneier's blog had it best:

"We're better than that."

No we're not.

Strike the American people. Strike their Congress. The only thing left is the judiciary and other nations, and I'm not holding my breath over the European's response. Judge Taylor's case and the SWIFT breach in Europe bear watching closely.

Posted by iang at October 22, 2006 11:14 AM | TrackBack

The laws have been changed very recently in the United Kingdom as well:

Following Chancellor of the Exchequer (and probably Prime Minister in waiting) Gordon Brown's re-iteration of his "Bletchley Park" plans to track down terrorist finance in his

"Speech by the Rt Hon Gordon Brown MP, Chancellor of the Exchequer, on "Meeting the terrorist challenge" given to Chatham House, 10 October 2006"

"By putting to work the most modern of forensic accounting techniques and bringing the expertise of the private sector - the accountancy, law and financial sectors - together with the public sector, we can create what some will call a modern 'Bletchley Park' with forensic accounting of such intricacy and sophistication in tracking finance and connections that it can achieve, for our generation, the same results as code breaking at the original Bletchley Park did sixty years ago."

(Are the modern day equivalents of Alan Turing etc. all now working for the Her Majesty's Treasury ?)

The Labour Government has granted itself massive new powers (without bothering to have them debated in Parliament), which do seem to be exactly the sort of thing needed to put pressure on SWIFT or Western Union or VISAnet or PayPal or any other individual British citizen or company registered in the UK.

"Statutory Instrument 2006 No. 2657
The Terrorism (United Nations Measures) Order 2006"
which into force on the 12th October 2006.

This Order in Council (therefore not debated by Parliament) includes:

1) The ability to designate anybody (not just alleged Taliban or AL Qaida members as previous, now revoked, Orders did) as a terrorist, and to freeze their funds or financial assets, without having to show any actual evidence to a Court.

2) Criminal penalties of up to 7 years in prison for trading financially with a "designated" person.

3) Up to 2 years in prison for breaching any Confidentiality orders, or for not handing over any document etc.

4) This probably also includes the power to demand any Encrypted document in plaintext i.e. the equivalent of an as not yet in force Regulation of Investigatory Powers Act 2000 section 49 Disclosure Notice, without the power to actually ask for Decryption Keys themselves.

5) A carte blanche exemption

"7. An action done under this Schedule is not to be treated as a breach of any restriction imposed by statute or otherwise."

i.e. the Data Protection Act, the Financial Services Authority rules on Insider Trading, the Common Law Duty of Confidentiality, and any European Union Directives are all circumvented.

6) The data can be handed over to

"(ii) any person in the service of the United Nations, the Council of the European Union, the European Commission or the Government of any country;"

i.e. a huge number of people could be legally made privy to your supposed financial "secrets".

7) An exemption from criminal liability for actions taken under this Order.

9) The power to delegate these Treasury powers under this Order to anybody.

There is no Statutory Code of Practice to limit the infinite powers granted under this Order.

See: "Chancellor Gordon Brown further extends his financial snooping powers"

Have the other world financial centres where SWIFT operates also now brought in new legislation to cover the backsides of the bureaucrats involved in the SWIFT scandal, with respect to current and future mass financial surveillance operations ?

Posted by: Watching Them, Watching Us at October 22, 2006 08:23 PM

The title of this post as published in a garbled form, and even the correction was wrong...

Posted by: SWIFT's a Beach at October 23, 2006 08:16 AM
Post a comment

Remember personal info?

Hit preview to see your comment as it would be displayed.