In late June, the New York Times revealed that the Treasury Department and the CIA had been engaged in a secret surveillance program. Through the covert Terrorist Finance Tracking Program ("TFTP"), the Administration has reportedly monitored thousands of international funds transfers. The goal was to trace terrorist finances, in an effort to stop money from reaching terrorist groups.
To many, this program seemed similar to the secret telephone surveillance program, which I discussed in a prior column. (Importantly, since then, USA Today has retracted, in part, the article I had relied on, conceding that Verizon and Bell South were not involved.) After all, both programs concern both secrecy and privacy. And in neither case, were individual warrants or grand jury subpoenas obtained in advance to access the relevant information.
For the banking program, the administration has relied instead on broad-reaching "administrative" subpoenas (also known as national security letters, or NSLs), which do not require court approval. As I will explain, this change doesn't render the program illegal. It does, however, mark a significant departure from typical practice in how the government acquires Americans' financial records.
There is a key difference between the two programs: As I noted earlier, the telephone surveillance program violated a federal statute, the Stored Communications Act. In contrast, it seems that, under current U.S. law at least, the banking records program, though secret, is probably legal. Thus, the federal class action lawsuit filed last Friday by Chicago lawyer Steven E. Schwarz, challenging the program, may well fail.
As I have previously noted, it is vitally important for governments to follow the trail of terrorist financing in an effort to curb the funding of violence. Thus, the banking records program may be much more defensible than the NSA telephone surveillance program.
There's one other issue, one that is beyond this column's scope, however: Might TFTP violate European privacy laws? If the U.S. wants to retain the good will of its partners in the fight to curb terrorist financing, it needs to conform to data protection laws abroad, as well as at home.
The TFTP Program, SWIFT's Participation, and How the Program Works
The TFTP was initiated within weeks after 9/11. Since then, government officials have looked at funds-transfer records from a large international database, reflecting funds transfers potentially involving thousands of American citizens as well as U.S. residents or visitors. The program is run out of the CIA, and overseen by the Treasury Department.
The Society for Worldwide Interbank Financial Telecommunication (SWIFT) has cooperated with the program. Based in Belgium, SWIFT is a cooperative owned by more than 2,200 financial institutions. SWIFT hosts a worldwide network through which messages concerning financial transactions are exchanged among about 7,800 banks and other financial institutions. Accordingly, SWIFT allows money to move around the globe between banks, via transactions made on behalf of various customers. Daily, SWIFT routes about 10 million transactions, worth approximately $6 trillion, between banks, brokerage firms, stock exchanges and other financial players. Through the TFTP program, customers' names, bank account numbers, and other identifying information can be obtained.
SWIFT's 25-member board of directors, made up of representatives from global financial institutions, received prior notice of the TFTP program via Treasury Department subpoenas. After the New York Times made the program public, SWIFT released an official press statement asserting that it did provide records to the United States in compliance with the subpoenas, but claiming that "SWIFT received significant protections and assurances as to the purpose, confidentiality, oversight and control of the limited sets of data produced under the subpoenas". (I'll discuss those protections and limitations below.)
The TFTP already has claimed several successes: Officials say it led to the 2003 capture, in Thailand of "Hambali," a person believed to be the mastermind of the 2002 Bali resort bombing.
In addition, officials said the TFTP had identified a Brooklyn resident, Uzair Paracha, who was convicted on terrorism-related charges last year. Paracha reportedly aided an al Qaeda operative in Pakistan by agreeing to launder funds worth $200,000 through a Pakistani bank.
The Limitations the Government Says It Has Placed on the TFTP
Government officials have said that the TFTP has a number of limitations:
First, it is only used to trace transactions of people suspected of having ties to terrorist groups such as Al Qaeda. Before a search can be run against the data, government analysts must first explain how the target of the search is connected to a terrorism investigation. SWIFT's own auditors are able to review the searches in real time and to block them if they have any concerns about the purported link to terrorism.
Second, SWIFT's data does not allow the government to track routine financial activity, like a withdrawal using an American ATM from an account at an American bank.
Third, SWIFT's data is not provided in real time -- SWIFT generally turns it over several weeks after it is generated.
Fourth, the data can be used only for terrorism investigations - not for investigating other domestic crimes such as tax evasion or drug trafficking. Thus, at least the program is designed to prevent using a fake terrorism link as a pretext for using SWIFT data to further an investigation of garden-variety U.S. crimes.
Fifth, a record is kept of every search that is done. And these records are reviewed by an outside auditing firm, Booz Allen Hamilton, SWIFT's auditors, or both.
One Reason the TFTP Appears Legal: No Fourth Amendment Protection for Bank Records
These limitations, interestingly, are imposed either by the government itself, or by SWIFT; they are not imposed by U.S. law.
In 1976, in United States v. Miller, the Supreme Court ruled that the Fourth Amendment does not cover financial transaction records held by third parties such as banks, since there is no legitimate expectation of privacy in such records.
This result is the polar opposite of the result the Court had reached nine years earlier, in United States v. Katz, regarding the Fourth Amendment and telephone calls. There, it reasoned that even a call from a public telephone booth was cloaked in a legitimate expectation of privacy, for there, there - as in other contexts where he might make a call - the caller "is surely entitled to assume that the words he utters into the mouthpiece will not be broadcast to the world."
Other Reasons the TFTP Appears Legal: An RFPA Exception, and IEEPA Authorization
A 1978 statute, the Right to Financial Privacy Act ("RFPA"), does impose some limits upon how government entities can access customer financial records - but it allows this access to be accomplished via an authorized administrative subpoena, not just via a court-issued warrant. And the USA Patriot Act specifically blesses the use of administrative subpoenas as long as the information is relevant to an ongoing terrorism investigation.
Moreover, although the RFPA requires that the customer whose records are at issue receive prior notice, so he can challenge the records request in court, it makes an exception for "foreign intelligence" matters, where no such notice need be given.
Only one ambiguity thus remains: Rather than asking for records of particular individuals from designated banks, the Treasury Department and CIA have been seeking records using broader administrative subpoenas that are not necessarily linked to individual suspects or particular banks.
Critics fear that, without the need for individualization - and hence, individualized suspicion - government requests may simply be privacy-violating fishing expeditions. No wonder, then, that the ACLU has criticized the program.
It's possible - but unlikely - that this critique is not only a policy argument, but also a valid legal one. Such broad subpoenas - again, a departure from a prior practice - may not have been anticipated by Congress when it passed the RFPA. In this sense, it remains possible that the TFTP may be held to violate the RFPA.
Still, the government has several strong defenses to a claim that it violated the RFPA: First, the International Emergency Economic Powers Act (IEEPA) gives the president what legal experts say is wide authority to "investigate, regulate or prohibit" foreign transactions in responding to "an unusual and extraordinary threat." Terrorism in the wake of 9/11 arguably poses just such a threat. Second, Treasury officials contend that SWIFT - as a "messaging service," not a "financial institution" - doesn't even come within the RFPA in the first place.
Is the TFTP Legal in Other Countries? A Pending, and Important Question
Finally, does the TFTP comply with European and international data protection law?
Privacy International, a London human rights group says no: It has filed complaints in 32 countries -- all 25 European Union nations, Canada, Australia, Iceland, New Zealand, Liechtenstein, Switzerland, and Norway, and Hong Kong, alleging that SWIFT has violated European and Asian privacy laws. The group has thus asked regulators to "intervene to seek the immediate suspension of the disclosure program pending legal review."
Privacy International argues that the program may come under foreign law because it involves "the mass transfer of data from the SWIFT centre in Belgium to the United States, and possibly direct access by US authorities both to data held within Belgium and data residing in SWIFT centers worldwide."
The Belgian Justice Minister has ordered an investigation into the U.S.'s use of the data, as has Canada's Privacy Commissioner.
The Bush Administration should clarify quickly whether the TFTP compiles with data protection laws in other countries. While following the money is important, when it comes to the effectiveness of our counterterrorism measures, it is also vital that the U.S. government comply with all relevant privacy safeguards and laws as it chases the money around the globe.
Anita Ramasastry is an Associate Professor of Law at the University of Washington School of Law in Seattle and a Director of the Shidler Center for Law, Commerce & Technology. She has previously written on business law, cyberlaw, and other legal issues for this site, which contains an archive of her columns.