The Central Intelligence Agency is building a vast database of international money transfers that includes millions of Americans’ financial and personal data, officials familiar with the program say.
The CIA, as a foreign-intelligence agency, is barred from targeting Americans in its intelligence collection. But it can conduct domestic operations for foreign intelligence purposes. The CIA program is meant to fill what U.S. officials see as an important gap in their ability to track terrorist financing world-wide, current and former U.S. officials said.
The program serves as the latest example of blurred lines between foreign and domestic intelligence as technology globalizes many activities carried out by citizens and terrorists alike. The CIA program also demonstrates how other U.S. spy agencies, aside from the NSA, are using the same legal authority to collect data such as details of financial transactions.
The Central Intelligence Agency is building a vast database of international money transfers that includes millions of Americans’ financial and personal data, such as Social Security numbers, Devlin Barrett reports. Photo: Getty Images.
In this case, the secret surveillance court has authorized the Federal Bureau of Investigation to work with the CIA to collect large amounts of data on international transactions, including those of Americans, as part of the agency’s terrorism investigations.
The data collected by the CIA doesn’t include any transactions that are solely domestic, and the majority of records collected are solely foreign, but they include those to and from the U.S., as well. In some cases, it does include data beyond basic financial records, such as U.S. Social Security numbers, which can be used to tie the financial activity to a specific person. That has raised concerns among some lawmakers who learned about the program this summer, according to officials briefed on the matter.
Former U.S. government officials familiar with the program said it has been useful in discovering terrorist relationships and financial patterns. If a CIA analyst searches the data and discovers possible suspicious terrorist activity in the U.S., the analyst provides that information to the FBI, a former official said.
The CIA declined to comment on specific programs but said its operations comply with the law and face oversight from Congress, the FISA Court and internal watchdogs. “The CIA protects the nation and upholds the privacy rights of Americans by ensuring that its intelligence-collection activities are focused on acquiring foreign intelligence and counterintelligence in accordance with U.S. laws,” said agency spokesman Dean Boyd.
The FBI declined to comment.
A U.S. intelligence official said that any spy-agency operation under FISA Court orders require “strict compliance with the law and with those court orders.” Orders would include procedures to safeguard the privacy of people in the U.S.; require training of those with access to information; prohibit searches not specifically authorized; and limit how long data may be retained, the official said.
In a typical money transfer, a person goes to a company such as Western Union and uses cash or a credit card to send funds to someone else. The recipient can pick up funds at a local money-transfer office. This process differs from, say, a bank transfer, in which funds might be moved from one account to another.
Details about money transfers are kept by the companies providing the service; that information is turned over to the CIA under court orders. Former officials named wire-transfer giant Western Union as a participant.
The full roster of participants couldn’t be learned. Other large, global money-transfer companies include MoneyGram; there are numerous smaller firms.
“We collect consumer information to comply with the Bank Secrecy Act and other laws,” said Western Union spokeswoman Luella D’Angelo, naming a law that requires banks to report suspicious transactions. “In doing so, we also protect our consumers’ privacy and work to prevent consumer fraud.”
A MoneyGram spokeswoman said, “We have reporting obligations related to suspicious transactions, money laundering and other financial crimes around the world. The laws to which we are subject generally prohibit us from discussing details.” She also said, “We value our customers’ privacy and work hard to protect it.”
The data is obtained from companies in bulk, then placed in a dedicated database. Then, court-ordered rules are applied to “minimize,” or mask, the information about people in the U.S. unless that information is deemed to be of foreign-intelligence interest, a former U.S. official said.
A limited number of analysts are allowed to search the database with queries that meet court-approved standards. This is similar to the way NSA handles its phone-data program.
Money-transfer companies are “highly, highly aware of their obligations under the Patriot Act,” said Robert Pargac, a director in global investigations and compliance at Navigant Consulting Inc. who has worked at several such companies. Western Union said last month it would be spending about 4% of its revenue in 2014 on compliance with rules under the Patriot Act, the Treasury Department’s Office of Foreign Assets Control and other anti-money-laundering and terrorist-financing requirements.
The likely existence of bulk collection programs other than phone-records data has been mentioned in a recently declassified opinion from a judge on the Foreign Intelligence Surveillance Court, which approves such programs.
This past September, the Director of National Intelligence declassified FISA Court opinions that sharply criticized NSA for operating the phone program in violation of court-ordered privacy standards. The court also criticized NSA for repeatedly misrepresenting surveillance programs to it. Former officials said that CIA has run into some compliance issues, but they weren’t on par with the problems NSA encountered.
Some officials who have overseen surveillance programs, like Timothy Edgar, a former top privacy lawyer at the Office of the Director of National Intelligence and the National Security Council in the Bush and Obama administrations, say it is time for the government to make known what categories of data are being obtained under broad Patriot Act authorities.
“The public has a right to know about the broad outlines of how the government is collecting information on them,” he said, noting that the FISA Court has noted the existence of other collection programs. “As a matter of basic good governance, the government should be more transparent about these kinds of collection programs.”
The CIA and the Treasury Department have a different program that collects transactions between financial institutions from the Belgian cooperative known as the Society for Worldwide Interbank Communication, or Swift. That program doesn’t collect data from person-to-person transfers.
The money-transfer program appears to have been inspired by details of the Sept. 11, 2001, terrorist plot, in which the al Qaeda hijackers were able to move about $300,000 to U.S.-based bank accounts without arousing suspicion. In part, it was because the transactions were comparably small and fit the pattern of the remittances used by immigrants or foreign visitors to send money home.
Some of the transfers were between bank accounts, but some moved through person-to-person transfers. In 2000, Sept. 11 plot facilitator Ramzi Binalshibh made a series of transfers, totaling more than $10,000, from Germany to the U.S., where they were collected by hijacker Marwan al-Shehhi. Two transfers were through MoneyGram and two through Western Union.
After the 2001 attacks, the CIA worked with Western Union, which voluntarily helped set up a program to collect data on money transfers between the U.S. and overseas, as well as purely foreign ones with voluntary compliance from companies, as has been previously reported.
That program was institutionalized by 2006 and continues under a controversial authority tucked into a part of the Patriot Act known as Section 215. That law permits the government to obtain “tangible things,” including records, as long as the government shows it is reasonable to believe they are “relevant” to a terrorism investigation.
Under that provision, the U.S. government secretly interpreted the term “relevant” to permit collection of records on millions of people not necessarily under suspicion. That secret interpretation, used to justify the legality of the phone-records program, was brought to light in the wake of the revelations by former NSA contractor Edward Snowden.
The interpretation also was used by CIA as the legal underpinning of its bulk financial-records effort under the money-transfer program, officials said.
Money transfer forms differ depending on location and type. But they ask for the names, addresses and telephone numbers of senders and receivers. Depending on the transfer, senders and receivers also may be asked to provide the date and place of their birth. In most locations in the U.S., people sending $1,000 or more must provide an ID such as a driver’s license. People sending $3,000 or more must provide additional ID, such as a Social Security number or passport.
Lawmakers have asked repeatedly whether intelligence agencies are using the Patriot Act to collect financial or other information in bulk outside the phone-records program. In public forums, officials have either mentioned that the information is classified or focused on whether the NSA collects such data, with no mention of the CIA or other agencies. Several lawmakers from both parties are seeking to curb the ability to use the Patriot Act for bulk collection of records.