The CIA is Monitoring European SWIFT Transactions (And the EU Hands It to Them)

Under the Bush Administration’s lengthy “War on Terrorism”, the United States started the Terrorist Finance Tracking Program (TFTP) to mine financial information from the international SWIFT network. The US Treasury Department implemented this program in the early 2000s to track terrorist funding. That was handled in secret before the media got wind of the operation in 2006. These practices were even kept secret from the Senate Intelligence Oversight Committee.

That didn’t sit well with the European Parliament, though. That lodged several protests against the United States’ SWIFT data-mining practices. These complaints included growing concerns over the United States extracting European citizens’ personal data while claiming it’s for terrorist detection and “to create terrorist activity predictions”. Despite the US authorities’ claim that the media undermined the US foreign security interests with this leak, the cat was now well out of the bag.

Here’s what that program’s implications mean for you: The US blatantly disregarded data protection laws to secretly gather people’s financial information from other countries (many of which were likely US citizens as well) without a warrant or subpoena. In a pure Machiavellian move, as far as those involved in this program were concerned, the end justified the means.

Despite this going on for years, recent developments have brought a new level of scrutinization over the US’s SWIFT data-mining practices. Some evidence may indicate that the program undermined the EU-US TFTP agreement and misused EU and US citizens’ data.

What Is SWIFT?

A group of international banks founded SWIFT in 1973 to help standardize financial transactions and communication between banks. SWIFT stands for Society for Worldwide Interbank Financial Telecommunication. Think of it as a bank’s version of a postal service that tracks and facilitates transfers and payment records between banks using the Bank Identification Code (BIC) or SWIFT code (these terms are interchangeable).

Today, the SWIFT network reportedly handles an average of 42.0 million FIN messages per day. That includes both payments and securities transactions. SWIFT has access to 4 billion accounts and 11,000 institutions in more than 200 countries. If you’ve ever sent or received money overseas, your transaction has likely used SWIFT. Most SWIFT traffic is centered in Europe, followed by North and South America.

A Quick History of the TFTP

Uncovering the Full Scope of the CIA SWIFT Scandal (2001 – 2006)

After the story broke in 2006, it came to light that both SWIFT (a Belgian company) and Belgium’s central bank had been aware of the US’s actions since 2002. Yet, they had failed to report it. After SWIFT became aware of the data mining, the US started applying administrative subpoenas. In compliance, SWIFT just handed over millions of data sets. Controversy soon followed, with parties calling for both SWIFT and the authorities to take action.

At the time, Stuart Levey, Under Secretary at the Treasury Department told the NY Times: “ without doubt, [it’s] a legal and proper use of our authorities.” Except, after careful review, Belgian authorities concluded that the US’s actions were in direct breach of both Belgian and EU privacy laws. Despite the uproar, no one was ever charged or fined.

After the scandal came to light, the SWIFT moved its Operating Center from Culpeper, Virginia to Diessenhofen, Switzerland. That meant the US could no longer freely access mass amounts of SWIFT data. That move and the continued outrage from EU authorities forced US officials to come up with a plan B. The US started negotiations to extract SWIFT’s data sets using legal means in 2007.

Reaching an Agreement (2007 – 2015)

According to various online sources, the US “conceded” by granting SWIFT the Safe Harbor Status. Safe Harbor was negotiated between the EU and US in 2000 to let EU companies that trade in the United States continue practicing their trade while complying with EU privacy laws.

In 2008, an Australian consulting company named Galexia claimed the US’s regulator oversight was questionable with regards to Safe Harbor. In 2015, the European Court of Justice (ECJ) declared Safe Harbor invalid. New talks between the EU and US are underway to establish a new “framework for transatlantic data flows”.

In 2010, the EU also agreed to hand over financial messaging data to the United States as part of a SWIFT Agreement that was set up after some persuasion from US authorities. No source can provide information on what this entailed. In 2013, the European Parliament called on the EU Commission to suspend this agreement after Edward Snowden’s NSA revelations came to light. The agreement is still in place without any further (official) changes.

Unfortunately, when it came to light that the United States was monitoring EU citizens’ private transactions, the uproar didn’t last very long. That often happens with public outrage, but in this case it was exacerbated by limited coverage filled with complicated legalese. The EU also quickly bowed to the US’s wishes to hand over SWIFT data, even if it was under “legal terms” this time.

Renewed Scrutiny (2015 – Present)

The TFTP program lived on without public scrutiny or official oversight in the last 5 years. In a letter sent by Sens. Ron Wyden of Oregon and Martin Heinrich of New Mexico in April 2021 (and recently declassified), they expressed concern over the US’s handling of data.

I’ve seen speculation that their letter, which mentions bulk data handled by the CIA, talks (at least in part) about the US’s SWIFT data-mining practices. Their letter also mentions “It [CIA] has done so entirely outside the statutory framework that Congress and the public believe govern this collection”. While this letter only speaks about concerns for the privacy violations of US citizens, it realistically has international implications as well.

Screenshot from a document with some words blacked out

Both senators are part of the Senate Intelligence Oversight Committee, which should have been made aware of how the CIA is collecting and handling this data. The fact that the CIA–and any other involved officials–conducted their work without transparency (again) speaks volumes. It shows a blatant disregard for working within the legal framework to gather and protect private individuals’ data.

Fighting Terrorism (and Crime?)

The United States claims this bulk collection of citizens’ data is necessary to protect its people and interests against terrorist activities. Its main defense is that this financial data can help US authorities track and predict terrorist plans and activities. Here’s a snippet from a 2015 report released by the Foundation of Defense on the CIA’s SWIFT data mining practices:

Screenshot of a passage from a government PDF report

Despite that argument, US authorities have already proven they are more than willing to use this data to prosecute unrelated individuals on non-terrorism crimes. In 2012, the Danish newspaper Berlingske reported that US authorities had seized money being transferred over SWIFT from Denmark to Germany by a Danish citizen. The businessman in question had reportedly bought Cuban cigars for his business from a supplier in Germany for about $20,000.

US authorities said this person had violated the United States embargo against Cuba to justify the action. The US refused to pay back these funds, even after EU officials ridiculed the US for applying their laws on a legal business transaction in another country. That action proved the US is willing to use the data they gather to predict terrorist action abroad to police European citizens with impunity.

According to the Copenhagen Post, something similar happened in 2008 when the US froze the transaction of a Danish woman who tried to buy six dresses from Pakistan.

Ignoring the Rule of Law and Individual Rights

In 2015, Congress passed legis­la­tion that prohibited the NSA and CIA under the Foreign Intel­li­gence Surveil­lance Act of 1978 (FISA) from surveillance on US citizens. It keeps these agencies, theoretically, from collecting bulk data about US citizens both in the US and abroad. The thing is, the US’s SWIFT data mining undoubtedly includes US citizens’ data, which directly violates that law.

On top of that, the US has proven it’s willing to violate the rights of foreign nationals who use international transfers, regardless of whether their transactions were legal. Even though a similar instance hasn’t happened since, nothing is stopping US officials from doing it again. It doesn’t seem the US has any consequences for violating international laws or personal rights either.

If countries aren’t willing to uphold individuals’ rights, it’s up to you to protect yourself from surveillance. Unfortunately, no one can do much about the SWIFT issue besides spreading awareness right now, unless an alternative payment network is introduced. That said, you can use a VPN to protect your online privacy against many forms of government spying.

CyberGhost VPN uses the ultra-secure 256-bit AES encryption standard. It forms a protective tunnel around your connection and keeps governments out. When you connect to one of our secure thousands of servers worldwide, your online browsing becomes secure and more private. Get in touch with our 24/7 Customer Support if you have any more questions.

Leave a comment

Write a comment

Your email address will not be published. Required fields are marked*