
Campaign notebook: 2006: the US bank data scandal and the Grand-Uncle of PRISM


By Simon Davies

Some readers will recall the 2006 controversy over SWIFT and the secret grab by US agencies for the world’s financial transaction data. These notes detailing one element of that campaign – like those I published yesterday on the 1997 ECHELON action – may be useful to PRISM campaigners.

 


Taking on Goliath

It was a particularly steamy afternoon in the late summer of 2006, and for the past half hour my colleague Gus Hosein and I had been suffering ridicule at the hands of one of the world’s most influential banking executives.

Our antagonist was Leonard Schrank, who since 1992 had been the gatekeeper for the entire global interchange of money – or at least to the extent annually of around two hundred trillion dollars of it. He was making no secret of his hatred of everything we stood for.

Schrank was CEO of the Society for Worldwide Interbank Financial Telecommunications, otherwise known as SWIFT. This vast, secretive corporation comprises just about every finance and banking entity on earth. Whenever funds are transferred across borders and between banks, SWIFT executes the transaction. The equivalent of the entire annual tax revenue of the United States passes through its system every eight hours.

SWIFT is the closest you’ll ever get to a James Bond scenario. Almost every bank account in the world can be linked to it through a global protocol that binds hundreds of millions of unique International Bank Account Number (IBAN) codes. You’ll find your own unique IBAN bank account number somewhere in the corner of your bank statement. SWIFT also knows what it is.

The controller (Registrar) of the IBAN system happens to be SWIFT, and through those codes the organization manages the world’s money flow via two giant computer systems, the location of which until recently has been a closely guarded secret. When a request is made to transfer funds between banks the SWIFT computers match the code with the corresponding bank transaction reference and then generate a message and an authorization that (often instantly) permits the monetary exchange to take place.


We were here in this anonymous London office building because SWIFT had requested the meeting in the hope that we’d call off a campaign that had caused unprecedented reputational damage to the organization. As it turned out, things didn’t go quite the way SWIFT’s advisers had hoped.

The saga began three months earlier when the New York Times revealed that Schrank had cut a secret deal with the White House to silently ship to the US Treasury (and beyond that, to the three-letter agencies) the confidential personal details of customers using SWIFT from throughout the world. The information – possibly on millions of people – was allegedly for counter terrorism purposes. At the time there was no legal basis for the disclosure and no limits placed on which agencies could use the data or for what purposes. The laws of dozens of countries that protect the privacy and confidentiality of bank customers were being breached wholesale, and yet banks, customers and even governments had been kept in the dark about the deal.

In short, a mass of confidential personal information was being covertly and illegally shipped to secretive US organisations without the knowledge or consent of customers or host governments in violation of all international and diplomatic conventions and with the full support and encouragement of the White House. George Bush’s friend Schrank had authored the deal.

Within hours of receiving information about the arrangement we began a global campaign to force an end to the deal. At stake were the integrity of the White House, the legal basis of global counter-terrorism arrangements and the credibility of a big chunk of the world’s financial payments system.


Now two key opposing sides – Privacy International and SWIFT – were meeting for the first time for high stakes, and yet to everyone’s astonishment the session degenerated within minutes into name-calling and cheap power tactics. Even the most powerful organisations lose their balance when forced outside their experience.

This encounter quickly became one of the oddest meetings in our long and colourful career as privacy activists. It ended as pointlessly as it had begun, with Schrank theatrically hurling his contacts book around the flawless teak conference table and us issuing a parting shot to the effect that if he didn’t budge, then his enterprise would bleed like a stuck pig.

Within months the finance giant was found to be in violation of law, Schrank was out of a job and the corporation was forced to relocate its processing operations to Switzerland where it could continue its (now less) covert arrangements under legal cover.

Leveraging the regulators

Three months earlier Eric Lichtblau at the New York Times called to tip us off about the story – a thriller that brought the lightning rods of power, deception, hypocrisy and secrecy into convergence. Bring those four dynamics into a campaign and you’re almost always on a winner.

Lichtblau’s plan was to publish the revelations initially as a kick at the White House, but he needed a follow-up story on the global reaction. That’s where we came into the picture. In short, what was Europe going to do about the situation? After all, America – in effect – had stolen the privacy of countless European citizens.

This wasn’t a case of just getting a quote in a newspaper.  We wanted to bring an end to this deal, but we couldn’t rely on media to carry the weight. It’s rare for a media story to last more than a few days unless somebody creates a follow-up action. We guessed the issue would play in the press for a while, but its shelf life would be limited. This was a complex issue and was likely to be a One Trick Pony of a story – two ponies at most, after which media would move on. After a short media firestorm the company could just retreat to its bunker with additional buttressing by the White House.

All good campaigners live by the maxim “good strategy ensures you’ll always be quoted, but great strategy hands you the headline”. But to have the headline you have to “be” the story, not merely add to it.  We had to not only turn this issue from a story to a campaign, but because of its magnitude it had to be a campaign fought on our turf. We couldn’t rely on European governments to initiate action, and the US Democrats would most likely be reluctant to attack any measure that – unlawful or not – was done in the name of national security.

The Times was running this story in less than 48 hours and we knew if we weren’t in the first wave of the story, we’d be at a campaign disadvantage. By “campaign” I don’t mean just PR. Anyone can get PR. All you need to do is pile a hundred albino kittens in a giant pantomime shoe and the TV will come in droves – but such tactics won’t win a complex campaign.


We agreed the only way we could get sustained press coverage, keep in the forefront of the issue, unite the European authorities to take action, strike at the Bush Administration and kick SWIFT was to launch the equivalent of a multi-rocket strike on the entire landscape. That would give us a few days of exposure and buy enough time to line up some of the parliaments to take action. The players were so powerful and entrenched that nothing short of this would have any impact whatever.

Working around the clock we prepared detailed complaints that we planned to simultaneously lodge with privacy regulators in every European country (such regulators are in charge of enforcing privacy law in a way similar to the function of the US Federal Trade Commission).

Canada’s privacy commissioners were already on red alert over inadequate US data handling policies that compromised the privacy rights of Canadians. Our hope was the SWIFT complaints would tip them over the edge and inspire them to threaten suspension of financial information. A long shot maybe, but they’re sometimes a maverick bunch up there on such issues.

In this case the sheer shock value of this story could – with the right handling – unify the privacy regulators. If we could do that in 30 hours then SWIFT would get its kicking, European parliaments would signal their concern and the US would raise the diplomatic traffic light to amber. If our push for unification among the European regulators was disregarded we could anecdotally use the failure to lobby the European Parliament for reform.

In all, we prepared suits in 38 countries, not counting complaints to international bodies. We batched them out before the paper was published to give regulators time to form a response. To the best of our knowledge it was the most extensive privacy action in history.


What we didn’t realize at the time was that, in an attempt to head off the scandal, parts of the Washington administration were proposing that Bush be wheeled out that day to casually mention the affair and talk of global union on counter terrorism. The plan never saw the light of day and the Times led with the story.

European press caught up with the story after 48 hours – a lag that is not unusual – but we at least succeeded in locking our actions into the first wave of press. The regulators were already waking up to the gravity of the case and began investigating. What we didn’t know until two years later is that our complaint strategy forced all the European regulators for the first time ever to work together in collaboration – a structural reform that continues to this day and that has influenced the new proposed EU data protection framework.

The issue built a head of steam in Europe as regulators found the nerve to criticize the banking giant. Some of SWIFT’s actions were ruled in breach of law and the entire operation was eventually required to move to Switzerland.

Within three months we weren’t even in the story. The SWIFT affair had moved on to a different and more rarified level with different players. That’s a crucial part of the bigger campaigning issue, and it relates especially to actions that are complex and tiered. Know when to let go. In most cases it’s only when you’ve lost control of a major campaign that you have any hope of winning it. On this occasion it could hardly be said that we won – but we created some wins.