Last night I went to bed before I looked at the new SWIFT Agreement giving the US access to all of Europe’s finance data to track for terrorists. Here’s that agreement and here’s a Q&A document about what the agreement does. The agreement is instructive both for what it suggests about the negotiations between the US and EU and for what it suggests about the protections the US is willing to grant citizens of other countries that it is not extending to its own citizens.

This is a temporary extension

This is not a permanent agreement. It is a 9-month extension of the SWIFT agreement, starting February 1 of next year, meaning the new EU government will begin negotiations on a proposed new agreement immediately.

in July of this year the 27 Member States of the European Union unanimously gave the EU Presidency a mandate to negotiate an agreement with the United States to ensure the transfer of the data and thereby the continuation of the TFTP. In July, it was not known when or indeed whether the Lisbon Treaty would come into force. Accordingly, the mandate is based on the legal mechanism of the EU Treaty which will cease to exist on 1 December when the Lisbon Treaty enters into force. To ensure that the European Parliament is able to exercise its new powers under the new Treaty in this regard, the envisaged Agreement is for a maximum duration of 9 months. The Commission will come forward with a new proposed mandate in early 2010 for a subsequent agreement based on the Lisbon Treaty. [my emphasis]

Note that “maximum duration” language. I’m guessing the US is going to try to bulldoze an agreement through ASAP, presumably before the new government (or, more importantly, activists) settles in.

The envisaged Agreement has a short duration in order to ensure that the European Parliament’s new powers under the Lisbon Treaty will apply to any possible longer term agreement which might replace the envisaged Agreement.

It’ll be interesting to see whether this agreement gets better, or worse, in the coming months.

The agreement claims the data is not used for data-mining

Here’s what the agreement claims the US does with this data.

The [Terrorist Finance Tracking Program] does not involve data mining or any other type of algorithmic or automated profiling or computer filtering. The U.S. Treasury shall ensure the protection of personal data by means of the following safeguards, which shall be applied without discrimination, in particular on the basis of nationality or country of residence.

(a) Provided data shall be processed exclusively for the prevention, investigation, detection, or prosecution of terrorism or its financing;

(b) All searches of Provided Data shall be based upon pre-existing information or evidence which demonstrates a reason to believe that the subject of the search has a nexus to terrorism or its financing;

(c) Each individual TFTP search of Provided Data shall be narrowly tailored, shall demonstrate a reason to believe that the subject of the search has a nexus to terrorism or its financing, and shall be logged, including such nexus to terrorism or its financing required to initiate the search;

(d) Provided data shall be maintained in a secure physical environment, stored separately from any other data, with high-level systems and physical intrusion controls to prevent unauthorized access to the data;

(e) Access to Provided Data shall be limited to analysts investigating terrorism or its financing and to persons involved in the technical support, management, and oversight of the TFTP;

(f) No copies of Provided Data shall be made, other than for disaster recovery back-up purposes;

(g) Provided Data shall not be subject to any manipulation, alteration, or addition and shall not be interconnected with any other database;

(h) Information obtained through this Agreement shall only be shared with law enforcement, public security, or counter terrorism authorities in the United States, European Union, or third states to be used for the purpose of the investigation, detection, prevention, or prosecution of terrorism or its financing;

(i) During the term of this Agreement, the U.S. Treasury Department shall undertake a review to identify all non-extracted data that are no longer necessary to combat terrorism or its financing. Where such data are identified and shall be completed as soon as possible thereafter but in any event no later than 8 months after identification, absent extraordinary technological circumstances;

(j) If it transpires that financial payment messaging data were transmitted which were not requested, the U.S. Treasury Department shall promptly and permanently delete such data and shall inform the relevant Designated Provider and central authority of the request Member State;

(k) Subject to subparagraph (i), all non-extracted data received prior to 20 July 2007 shall be deleted not later than five years after the date;

(l) Subject to subparagraph (i), all non-extracted data received on or after 20 July 2007 shall be deleted not later than five years from receipt; and

(m) Information extracted from Provided Data, including information shared under subparagraph (h), shall be subject to the retention period applicable to the particular government authority according to its particular regulations and record retention schedules.

EU citizens can make sure their data are being protected

Here’s one of the most interesting provisions granted to those in the EU but not (presumably) to those whose data is accessed solely in the US:

Any person has the right to obtain, following requests made at reasonable intervals, without constraint and without excessive delay or expense, confirmation from his or her data protection authority whether all necessary verifications have taken place within the European Union to ensure that his or her data protection rights have been respected in compliance with this Agreement, and, in particular, whether any processing of his or her personal data has taken place in breach of this agreement.

The agreement (and the Q&A document) also list a bunch of provisions they claim provide EU persons some kind of redress but really don’t (this is from the Q&A document):

The Agreement states that any person whose personal data are mishandled in breach of the Agreement is entitled to seek effective legal redress. Under U.S. law for example, the Administrative Procedure Act allows a person who has suffered harm as a result of governmental action to seek judicial review of the action. Also under U.S. law the Inspector General Act would allow, for example, the Inspector General of the U.S. Treasury Department to investigate complaints concerning abuses or deficiencies relating to the administration of the TFTP and to report their findings to the Treasury Secretary and to Congress.

The Agreement specifically invokes attacks prevented

The Q&A document invokes three instances where the SWIFT data sharing has helped prevent terrorist attacks.

  • TFTP information provided substantial assistance to European governments during investigations into the Al-Qa’ida-directed plot to attack transatlantic airline flights travelling between the EU and the United States. TFTP information provided new leads, corroborated identities and revealed relationships among individuals responsible for this terrorist plot. In mid-September 2009 three individuals were convicted in the UK, and each was sentenced to at least 30 years in prison;
  • In early 2009 TFTP was used to identify financial activity of a Europe-based Al-Qa’ida individual who played a role in the planning of an alleged attack on aircraft. The information was passed to the governments of European and Middle Eastern countries;
  • In summer 2007 the TFTP was used to identify financial activities of members of the Islamic Jihad Union (IJU) in Germany. This information contributed to the investigation and eventual arrest of IJU members plotting to attack sites in Germany. The TFTP continued to provide additional useful information to German authorities following the arrests. The persons subsequently confessed.

Of course, what they don’t say is that because the US had control of the data, they were able to trigger the Pakistani liquid airplane plot early, causing the Brits all manner of hassle actually prosecuting it.



Marcy Wheeler aka Emptywheel is an American journalist whose reporting specializes in security and civil liberties.