EU-US bank spying deal on verge of collapse

May cancel SWIFT agreement on CIA access to private records

European Union regulators are on the verge of cancelling an agreement that lets U.S. intelligence agencies pull data on bank transactions by Europeans if the data is relevant to anti-terrorism investigations.

The "SWIFT agreement" went into effect in 2009, after a long series of arguments and protests from European members of parliament and privacy advocates who regarded it as a blatant power grab that violated the rights of both individual Europeans and their governments.

The agreement gave U.S. intelligence agencies legal cover for a series of data raids on a U.S.-based facility of the Society for Worldwide Interbank Financial Telecommunication (SWIFT), an international exchange that transfers trillions of dollars per day between the U.S. and members of the EU.

The raids started, under subpoenas that required SWIFT executives to remain quiet about them, shortly after the terrorist attacks on the World Trade Center in 2001.

Using the SWIFT servers, U.S. investigators from the Central Intelligence Agency and Treasury Department could copy out data on almost any international transfer – whether large bank deals or payments from private citizens.

The New York Times and other U.S. newspapers broke the story about the “Terrorist Finance Tracking Program” in 2006, setting off howls of protest from Europe.

Because of the U.S. program's name, the SWIFT deal is also known as the Terrorist Finance Tracking Program (TFTP) Agreement.

"Why does the US Secretary of Defense Donald Rumsfeld need to know when I transfer some money from Rabobank to the Sparkasse bank?" complained Luxembourg's Foreign Minister Jean Asselborn.

European ministers demanded the data flow be cut off to preserve privacy and prevent the possibility of industrial espionage if the U.S. passed financial data to Russia or China as part of an investigation, for example.

SWIFT was forced to move its data center from Belgium to Switzerland after the Belgian government forbade new transfers to the U.S. Other factions demanded the SWIFT facility in the U.S. be eliminated completely to preserve the integrity of the two-thirds of SWIFT transactions that take place in Europe.

After painful negotiations that collapsed several times, the U.S. and EU agreed on a set of criteria under which U.S. intelligence agencies could request access to specific SWIFT data and EU governments could do the same.

At least one classified report claimed that several investigations were helped by the SWIFT data and several attacks were headed off, including the 2007 capture of three German members of a Pakistan-based group affiliated with al-Qaeda.

A report last week from the Europol Joint Supervisory Body (JSB) found that requests for information from European agencies were almost always turned down, while requests from the U.S. went through without a hitch despite failing criteria set up in the agreement to protect it.

Many of the U.S. requests were too vague to satisfy the criteria, and the number of oral requests was so high that verifying their validity was impossible, the report found.

"We have given our trust to the other EU institutions, but our trust has been betrayed," said Sophia in 't Veld, a Dutch member of the European Parliament who is involved in discussions over scrapping it. "This should be kept in mind when they want our approval for other agreements."

The European Commission is due to release its evaluation of the agreement today.

Kevin Fogarty writes about enterprise IT for ITworld. Follow him on Twitter @KevinFogarty.
