Privacy and Security In the Balance

  Before the dust had settled from the World Trade Center collapse in Septem-ber 2001, First Data Corp. called the FBI to offer its assistance. That is the first assertion on the first page of a new book recounting worldwide terrorist hunts, war and tough issues of liberty versus national security stirred up by the worst terrorist attacks on American soil.
  Ron Suskind, a Pulitzer Prize-winning former Wall Street Journal reporter, begins "The One Percent Doctrine: Deep Inside America's Pursuit of its Enemies Since 9/11" with an exchange between FBI employees: "At noon on September 13, a passing agent ducked his head into the office of [FBI financial crimes section chief] Dennis Lormel. He said someone had called from the Omaha FBI office. A company called First Data Corporation, with a huge processing facility out there, wanted to help in any way it could."
  The FBI soon installed agents in First Data's Omaha, Neb., processing facilities, where they monitored credit card and Western Union transactions, often as they occurred, according to Suskind. "They were deep inside a Fortune 500 company, a place where federal agents had never roamed so freely, prowling through First Data's massive computer banks. ... Billing addresses were matched with charging history, locations matched with dates."
  It is the kind of literary journalism that includes such scene setting as: "A red-eyed Lormel looked up from his desk. 'Oh, that's big,' he said, breaking into a weary smile."
  Such passages have led many to assume Lormel and former CIA Director George Tenet are among 100 unnamed sources Suskind says he interviewed. He also claims 19,000 pages of supporting documents.
  First Data would not talk about the book beyond a written statement: "Neither Mr. Suskind nor his publisher contacted First Data or Western Union before the publication of his book. Because many of Mr. Suskind's statements concern national security, we will not comment on his work."
  Asked in a separate interview about First Data's policies regarding providing data to federal agencies, CEO Henry C. "Ric" Duques tells Cards&Payments, "We get requests for information all the time that are covered by subpoenas. When the government gives you a subpoena, you have no choice. It occurs, and when it occurs with a government subpoena, we abide by the law."
  Of course, First Data is not alone among payments industry participants providing data to government crime fighters. Whether voluntarily or by requirement, banks and nonbanks in the U.S. long have disclosed information about certain customers and transactions to investigators. But the industry and government sometimes differ on how much consumer data is acceptable to share.
  Few in the payments industry like to discuss data-sharing matters, and several key players C&P contacted would not comment about First Data or about their own policies.
  Indeed, Visa USA would only cite a written statement from Vice President Rhonda Bentz: "Our long-standing policy is not to produce any transaction data to the government unless required by a subpoena, summons or court order."
  MasterCard also declined to comment beyond a statement: "MasterCard seeks to balance ... privacy concerns while cooperating with government inquiries. While we are unable to reveal the nature of the information requested and/or submitted in response to government inquiries at this time, we work with government agencies within the boundaries and provisions as set forth by law."
  Occasionally, government agencies will pursue data using the U.S. legal system. A federal court in California, for example, is considering whether eBay's PayPal division must comply with a so-called John Doe summons.
  In that case, the Internal Reve-nue Service wants records related to funds moved through PayPal accounts using MasterCard, Visa and American Express cards issued by banks in traditional tax-haven countries such as Antigua and Switzerland. The summons covers thousands of accounts active from 2000 through 2004.
  A PayPal spokesperson says that while the company finds the current summons overly broad, PayPal complies with narrower requests from law enforcers investigating specific crimes by individual accountholders, and the company volunteers evidence of suspicious activities to authorities.
  "Our customer privacy is very important to us," the spokesperson says. "One of the reasons buyers like to use our service is it protects their information. At the same time, we have very close relationships with law enforcement for specific cases."
  Banks and money-services businesses long have filed suspicious activity reports on any transactional behavior that seems fishy or meets parameters requiring reporting. Since the USA Patriot Act of 2001 made reporting requirements more stringent, banks have at times buried the Treasury's Financial Crimes Enforcement Network with filings of just-in-case reports. And many have closed the accounts of law-abiding money services businesses instead of risk the chance their customers' clients might transmit illegal funds.
  Now the Treasury Department is considering a proposal to set up an automated reporting system for all cross-border transactions within certain parameters, whether or not bankers deem them suspicious.
  "It will waste resources that can be better used and will distract our focus from the genuine risks to our financial system and our nation," Wayne Abernathy, American Bankers Association's executive director of financial institutions policy and regulatory affairs, wrote Treasury Secretary Henry M. Paulson Jr.
  Abernathy tells C&P he believes a better method of data sharing is the one that caused Bush Administration officials to charge the New York Times with treason for revealing it in June. After September 2001, a Belgium-based international banking consortium called the Society for Worldwide International Financial Communication, or SWIFT, began providing Treasury officials with more limited records of messages exchanged between banks conducting cross-border transactions.
  "The attitude among members of the ABA is the SWIFT program is a good example of a targeted data-collection effort," Abernathy says. "People recognize looking at the SWIFT program that it has a due process and privacy protection."
  Abernathy says bankers are concerned about consumer reaction to the prospect of government agencies collecting their transaction histories. "We are worried what that does to consumer confidence in the banking industry," he says.
  According to Suskind, executives at First Data's Western Union division were uncomfortable with the FBI's decision to transfer that part of the company's alleged cooperative arrangement to CIA jurisdiction. "If it seems that Western Union is a front for the CIA, we'll go out of business," Suskind recounts a Western Union executive telling Tenet in an meeting. Tenet responds, "I know we're asking a lot. But this country is in a fight for its survival. What I'm asking is that you and your company be patriots."
  Though on the New York Times Bestseller List, "The One Percent Doctrine" has not drawn as much attention from media as did previous news of NSA telephone monitoring and SWIFT data sharing.
  Whether in the spotlight or out of it, payments industry decision makers will continue to wrestle with issues of constitutional privacy and national security.
  (c) 2006 Cards&Payments and SourceMedia, Inc. All Rights Reserved.
  http://www.cardforum.com http://www.sourcemedia.com