Another day brings yet another “revelation” based on documents leaked by Edward Snowden. This time, Der Spiegel revealed the details of an NSA programme known as “follow the money”, through which the agency has been monitoring millions of financial transactions.
The two organisations named by Der Spiegel were Visa and SWIFT, suggesting that, somehow, the NSA was able to capture data from transactions processed by these global financial bodies, who between them serve millions of people.
We are now primed to react with indignity every time the NSA is exposed as prying into a new aspect of our daily lives but perhaps it’s time to start thinking more constructively about our response. Are the concerns being expressed actually the right ones?
Anyone who believes that their financial transactions are not being monitored has never had a credit card cloned. When it happened to me, I was astonished that the technology from my credit card provider was able to spot differences in my spending pattern as soon as they occurred.
Within a couple of days, the company had contacted me about the unusual spending. Some of the flagged transactions were most assuredly not me. Buying industrial sewing machines and making hundreds of calls to China from phone boxes in Waterloo stand out quite plainly against my regular habits. But the company was able to make far more nuanced assumptions based on what appeared to be a deep understanding of my habits.
Buying children’s shoes from a shop in my local town could well have been me but somehow the company knew it wasn’t. Sure enough, it is always my wife who buys the shoes
Every single transaction that was flagged to me as being fraudulent was accurate. Even down to buying petrol, apparently because I buy petrol for very similar amounts each time.
I was rather pleased that some automated system was watching my transactions and was able to spot the errant spending. I wasn’t thinking at the time that this was some great invasion of privacy, although it did force me to conclude that I am a little predictable.
Interestingly, the system had also spotted some false transactions that I could have been predicted to make because they were made in several places simultaneously, which was obviously impossible when they were geographically so far apart. It wasn’t just my predictability but there was some automated intelligence being applied.
My lack of a sense of invasion of privacy was in large part due to the fact that I was one among thousands, hundreds of thousands of customers who were being processed in the search for aberrant behaviour patterns.
And so it is with the large volumes of meta data that intelligence agencies collect about telephone calls. Hence, I was neither surprised nor felt my privacy had been violated when that practice was revealed.
Similarly, let’s for a moment suppose that the NSA, among many others I’m sure, is looking at millions of financial transactions, as is claimed by Der Spiegel. Does that mean that it scrutinises my accounts and takes note each time I fill up at the petrol station? Of course not.
Like credit card companies, the NSA would be looking for patterns of behaviour that might be of interest to it - linkages that show how money is being moved around and used in activities which it has a mission to prevent. The biggest clue is in the name: Follow The Money.
Law enforcement agencies have been doing this for years. When a fraud is committed or money laundered via multiple accounts, the agencies attempt to trace where that money has gone. But of course, someone has to first spot that pattern to determine it is worthy of further investigation.
In many ways they have a much easier time these days, now that everything is done electronically. Several decades ago, when many records were kept in local bank branches, the process would have taken a long time, but there cannot be anywhere on Earth that is not now part of electronic funds transfer systems. How else would you be able to draw out cash in some far flung ATM when on your exotic holiday?
The more our lives become reliant upon electronic systems, and our interconnectedness, the more we can assume others will wish to take an interest in that data as a means of determining if we somehow stand out from the crowd.
One of the biggest safeguards to date in securing our data from regime change has been the inability to store these vast volumes of data for long periods. That is changing. The cost, size and expense of operating huge data stores is falling at an increasing rate. We have moved from megabytes to gigabytes to terabytes in a only a few years and now larger systems can consider storing petabytes and exabytes. These were unimaginable quantities of data only a few years ago.
Your transactions will be amongst the millions of financial transactions allegedly being hoovered up. But unless the systems monitoring that data flow somehow connect you to something or someone of interest, an intelligence organisation, even one as large as the NSA, would simply not have the capacity to take a personal interest in you.
So, instead of shaking our fists when we find agencies monitoring our financial dealings, perhaps we should take a tip from the credit card companies and take a more nuanced approach.
We should be identifying our specific concerns - asking how long our data is being kept, what checks and balances are in place to stop that data being misused, and perhaps what constitutes unusual patterns of behaviour to us and the people looking out for them.
Personally, I believe that countries such as the US and UK are more likely to ensure that proper checks and balances are in place than many other countries who care far less about civil liberties. Still, that doesn’t mean we should just accept monitoring regardless. The idea often advocated that if you have done nothing wrong and have nothing to hide, you shouldn’t worry about monitoring is flawed. Governments change and what makes someone of interest today can change with that change of regime.
There must be checks and balances: processes to make sure that we are not targeted for political, economic or other reasons that do not represent a real danger. Most importantly we don’t want our data retained “just in case” someone might find a use for it in future.