0:00:00.000,0:00:15.090
34c3 preroll
0:00:15.090,0:00:19.290
Herald: Welcome everybody to our next[br]talk: Financial surveillance, Exposing the
0:00:19.290,0:00:24.290
global banking watch lists. I think[br]everybody in this room would agree that
0:00:24.290,0:00:29.040
mass surveillance is a very bad idea, and[br]that of course also goes for financial
0:00:29.040,0:00:34.280
surveillance. And our next two speakers,[br]Jasmin Klofta and Tom Wills, are two
0:00:34.280,0:00:39.180
investigative journalists, who have[br]uncovered, how the system of financial
0:00:39.180,0:00:43.500
surveillance works. And I'm pretty sure[br]that you are just as excited as me to find
0:00:43.500,0:00:47.939
out what they have found out. So, please[br]give them a warm round of applause!
0:00:47.939,0:00:58.739
applause
0:00:58.739,0:01:04.761
Jasmin Klofta: So hello, nice to see you[br]all. Microphone's not on I think? Be cool.
0:01:04.761,0:01:14.189
I think the headset doesn't work.[br]Herald: Audio? Well you know there's
0:01:14.189,0:01:18.740
always a little thing that doesn't work,[br]whatever this is. For the talk we just had before,
0:01:18.740,0:01:23.270
there was a live demo, it was very well[br]planned - still something went wrong. I think
0:01:23.270,0:01:26.650
everybody in the audience had a lot of[br]empathy, because nobody wants to be in
0:01:26.650,0:01:30.769
that position. But I think we just fixed[br]the problem. Is it fixed? Is it about to
0:01:30.769,0:01:33.509
be fixed?[br]Jasmin: I will try a little bit, yes!
0:01:33.509,0:01:35.941
Herald: There we go! Round of applause,[br]now we go!
0:01:35.941,0:01:40.511
Jasmin: We can start![br]applause
0:01:40.511,0:01:45.899
Jasmin: So, it's nice to see you all, so[br]happy that so many people came. I want to
0:01:45.899,0:01:50.680
introduce to you: this is Tom - he's the[br]data journalist working on investigations
0:01:50.680,0:01:56.519
at the Times of London and he specializes[br]in a set of techniques such as data
0:01:56.519,0:02:02.030
mining, which can reveal wrongdoing and[br]lead to stories that benefit the public.
0:02:02.030,0:02:05.369
Tom Wills: And this is Jasmin, she's an[br]investigative journalist working in
0:02:05.369,0:02:11.001
Hamburg for Panorama at the broadcaster[br]NDR, which is part of the ARD network, and
0:02:11.001,0:02:15.370
she focuses on politics, the digital[br]economy, and surveillance. And we're going
0:02:15.370,0:02:20.270
to tell you tonight about findings of an[br]investigation we conducted this year as
0:02:20.270,0:02:26.550
part of an international collaboration,[br]and our colleagues were Eveline, Stefania,
0:02:26.550,0:02:34.310
Lars, and Cora. And Jasmin.[br]Jasmin: Yeah, and together we investigated
0:02:34.310,0:02:39.500
the leaked database and published in June[br]this year our stories in the UK, in
0:02:39.500,0:02:45.490
Germany, in the US, Netherlands, Belgium,[br]and Italy. So what was our story? We
0:02:45.490,0:02:50.250
investigated, that innocent people around[br]the world have been wrongly added to a
0:02:50.250,0:02:56.640
watch list of terrorists and criminals.[br]This watch list of high risk people and
0:02:56.640,0:03:01.200
organization is compiled by Thomson[br]Reuters, a British firm, and sold to
0:03:01.200,0:03:06.040
almost all the world's major banks, as[br]well as police forces, intelligence
0:03:06.040,0:03:13.150
agencies, and non-government organization.[br]It's called World-Check and the leak gave
0:03:13.150,0:03:19.860
us the opportunity to review the entire[br]database for the first time.
0:03:19.860,0:03:25.020
Tom: So, what exactly is World-Check? Well,[br]if you want to open a bank account, we
0:03:25.020,0:03:29.310
know that the bank might check your credit[br]rating to see if you are a reliable
0:03:29.310,0:03:34.000
borrower. But how does the bank know, if[br]you're a criminal, or a terrorist, or a
0:03:34.000,0:03:38.380
potential money launderer? One of the[br]checks that most banks will do, is run your
0:03:38.380,0:03:43.260
name against the World-Check watchlist,[br]and they might look in here. If your bank
0:03:43.260,0:03:47.570
finds your name on the list, they might[br]refuse your application, or they might
0:03:47.570,0:03:52.100
subject your financial transactions to[br]extra scrutiny, or if you're an existing
0:03:52.100,0:03:56.920
customer, they might even[br]close your account.
0:03:56.920,0:04:02.760
Jasmin: So, Thomson Reuters says about[br]their list that it is to find hidden risk.
0:04:02.760,0:04:08.730
The list is of heightened risk people and[br]organizations, such as terrorists,
0:04:08.730,0:04:13.100
fraudsters, or senior public officials,[br]who might try to use the account to handle
0:04:13.100,0:04:21.860
corrupt funds. So they want to be kind of[br]an early warning system for hidden risk.
0:04:21.860,0:04:27.600
And banks are even forced to use these kinds[br]of lists by regulation, they have to take
0:04:27.600,0:04:32.700
steps to comply with sanctions and[br]international and domestic law against
0:04:32.700,0:04:38.230
money laundering and terror financing. And[br]of course we all want less terrorism, and of
0:04:38.230,0:04:42.900
course we want less money laundering,[br]that's clear. And to put it in a World-Check
0:04:42.900,0:04:48.310
words, it's to help identify[br]relationships or risk by providing highly
0:04:48.310,0:04:52.990
structured intelligence profiles and[br]heightening risk individuals and entities
0:04:52.990,0:05:00.700
globally. But since 9/11, governments have[br]to put more and more pressure on banks to
0:05:00.700,0:05:06.990
identify terrorists and money launderers[br]among their customers. So, Thomson Reuters
0:05:06.990,0:05:12.860
advertises even World-Check with warnings[br]about recent fines and settlements against
0:05:12.860,0:05:19.790
banks for violating sanctions. Maybe you[br]know the.. this one story: HSBC had a
0:05:19.790,0:05:26.530
historic 1.9 billion dollar payment to US[br]authorities to settle money-laundering
0:05:26.530,0:05:31.800
allegation in 2012, and that's one of the[br]most famous example that the banks, of
0:05:31.800,0:05:38.800
course, fear very much. So if you look for[br]information how the information is
0:05:38.800,0:05:44.120
collected, Thomson Reuters says it[br]compiles a list using hundreds of
0:05:44.120,0:05:51.050
thousands of reputable sources in the[br]public domain. You got to remember that
0:05:51.050,0:05:55.990
slide, and especially the word "reputable[br]sources", because we will come back to
0:05:55.990,0:06:00.770
that a little bit later.[br]Tom: So how do they collect this
0:06:00.770,0:06:05.730
information? Well, Thomson Reuters[br]researchers look into public sources,
0:06:05.730,0:06:11.389
ranging from EU sanction lists, to local[br]newspapers in order to find names to add
0:06:11.389,0:06:17.260
to the database. In total, Thomson Reuters[br]says that World-Check contains profiles on
0:06:17.260,0:06:22.370
over two million entities, and that it's[br]adding 20.000 profiles a month, and
0:06:22.370,0:06:29.580
updating 40.000. So the list is growing all[br]the time. Now, this is a job advert for a
0:06:29.580,0:06:35.389
position as a World-Check researcher in[br]Washington DC and it states, that among the
0:06:35.389,0:06:41.090
many responsibilities you need to write[br]more than 220 highly structured and
0:06:41.090,0:06:45.510
sourced biographical intelligence profiles[br]every month. I think it's really nice of
0:06:45.510,0:06:50.740
them to be so upfront about the workload.[br]And that's about 1 hour per profile,
0:06:50.740,0:06:55.310
if you're working full time. So it must be[br]quite a challenge if you are the assistant
0:06:55.310,0:07:02.500
research associate to maintain accuracy[br]and quality under that kind of workload.
0:07:02.500,0:07:07.280
Jasmin: So not many people had heard of[br]this list until recently but it's one of
0:07:07.280,0:07:12.520
the biggest of its kind. According to a[br]World-Check datasheet the service is used
0:07:12.520,0:07:19.000
by over 300 intelligence and government[br]agencies, 9 out of the world's top 10 law
0:07:19.000,0:07:26.440
firms and 49 of the world's 50 largest[br]banks. Overall more than 6000 customers
0:07:26.440,0:07:34.590
from 170 countries are reportedly on their[br]customer list. The content of the list is
0:07:34.590,0:07:39.470
secret because Thomson Reuters doesn't[br]tell people when it adds them to the list
0:07:39.470,0:07:45.940
and banks are forbidden from passing on[br]the information. Access is only granted
0:07:45.940,0:07:51.229
after a vetting process, so the user has[br]to sign a nondisclosure agreement and also
0:07:51.229,0:07:56.979
using the database is quite expensive. A[br]year's access can cost up to 1 million
0:07:56.979,0:08:02.389
euro.[br]Tom: In recent years there have been some
0:08:02.389,0:08:06.110
excellent investigations by other[br]journalists, who've highlighted some
0:08:06.110,0:08:12.680
possible issues with World-Check. The BBC[br]has been investigating why HSBC closed the
0:08:12.680,0:08:18.610
account of Finsbury Park Mosque in London[br]without any explanation. The BBC
0:08:18.610,0:08:22.580
researchers found that the mosque had been[br]listed in World-Check in the terrorism
0:08:22.580,0:08:28.270
category. So that may have been part of[br]the bank's decision. VICE news was also
0:08:28.270,0:08:32.759
able to view some of the entries in World-[br]Check through a client of Thomson Reuters
0:08:32.759,0:08:37.540
and they discovered more examples of[br]questionable entries. So we knew that
0:08:37.540,0:08:42.279
there was something potentially going on[br]with this database, but it mostly remained
0:08:42.279,0:08:46.689
confidential and nobody had been able to[br]view the entire database in order to find
0:08:46.689,0:08:51.440
out, whether there were wider[br]issues with the system.
0:08:51.440,0:08:59.189
Jasmin: But then there was a leak: In[br]summer 2016 this security researcher Chris
0:08:59.189,0:09:03.290
Vickery was doing what he very much likes[br]to do. He was scanning the internet for
0:09:03.290,0:09:10.140
CouchDB instances exposed to the world[br]without any username or password. Well,
0:09:10.140,0:09:18.749
you can imagine what comes next.[br]applause
0:09:18.749,0:09:23.231
Jasmin: He would contact the owners to[br]encourage them to secure the data but he
0:09:23.231,0:09:27.180
found something really interesting, and[br]that was the copy of the World-Check
0:09:27.180,0:09:35.010
database from 2014. With him finding it[br]the question came up in his head: He
0:09:35.010,0:09:41.490
asked: "I have a terrorism blacklist. I[br]have a copy, should it be shared?" Chris
0:09:41.490,0:09:47.139
posted on Reddit to say that he was facing[br]a dilemma about, whether to release the
0:09:47.139,0:09:52.260
entire database or not. Because on the one[br]hand the database was apparently compiled
0:09:52.260,0:09:59.829
from public sources, so: what's the[br]problem with publishing public sources?
0:09:59.829,0:10:04.030
The World-Check is a system that is used[br]to make decisions about people's lives and
0:10:04.030,0:10:09.420
secrets, so maybe transparency would be in[br]their interest. But on the other hand it
0:10:09.420,0:10:14.689
contained personal data relating to[br]millions of people, who might suffer harm
0:10:14.689,0:10:20.850
if the information was disclosed. Since it[br]is not so easy to ask the 2 million
0:10:20.850,0:10:28.760
people, if he's allowed to publish it, he[br]was asking himself so what now to do.
0:10:28.760,0:10:33.360
Thanks to the previous work of the BBC[br]and VICE we as journalists had reason to
0:10:33.360,0:10:39.160
believe, it would be in the public[br]interest to review this data. So we made
0:10:39.160,0:10:44.540
contact with Chris and before viewing the[br]leaked data we considered of course the
0:10:44.540,0:10:51.889
ethical, legal and security implications.[br]Tom: We had a chance to fully reveal how
0:10:51.889,0:10:55.889
the system works for the first time. And[br]this is what the file looked like:
0:10:55.889,0:11:01.729
laughter[br]Jasmin: Isn't it beautiful?
0:11:01.729,0:11:05.829
Tom: We agreed with Chris that we would[br]use the data to do responsible journalism,
0:11:05.829,0:11:09.519
but not to publish the data itself, so we[br]can't show you the full database in this
0:11:09.519,0:11:16.519
presentation. When we received the data it[br]was a 4 GB JSON line delimited file with
0:11:16.519,0:11:23.299
no documentation. The first thing I had to[br]do was write a parser in Python. I started
0:11:23.299,0:11:30.269
to flatten this JSON file into a CSV file.[br]Then we had a 4 GB CSV file and I loaded
0:11:30.269,0:11:35.069
that into Postgres in order that we could[br]do some analysis of the contents of this
0:11:35.069,0:11:42.029
database. So this is an abridged version[br]of the field list showing you the really
0:11:42.029,0:11:46.360
key pieces of data on each of these[br]profiles. We've got an ID, we've got an
0:11:46.360,0:11:52.610
entity type, that is, if this is a person[br]or an organization, for people there were
0:11:52.610,0:11:57.740
first names, surnames, aliases. Position[br]would be: if you're a politician, this
0:11:57.740,0:12:02.270
would say what your position is in the[br]government. The categories were really
0:12:02.270,0:12:07.610
interesting, because these might be that[br]you're a politician as mentioned or might
0:12:07.610,0:12:12.019
be that you're in the terrorism category[br]or the financial crime category. We've got
0:12:12.019,0:12:15.509
dates of birth and countries and[br]nationalities, obviously those are really
0:12:15.509,0:12:23.449
important so that banks can identify the[br]customers correctly. Information text was
0:12:23.449,0:12:27.439
possibly the most interesting part of the[br]data. And then we had various links to
0:12:27.439,0:12:32.920
other profiles, the source URLs which[br]turned out to be really crucial and the
0:12:32.920,0:12:39.749
dates on which the records have been[br]created and updated. You know, some of
0:12:39.749,0:12:45.660
these fields were self-explanatory, but we[br]really needed to see what this database
0:12:45.660,0:12:51.149
looked like to the end-user to understand[br]how this information would be interpreted.
0:12:51.149,0:12:56.260
Like any good investigative journalists ..[br]we of course turned to Google. After a
0:12:56.260,0:13:00.850
bit of experimentation we discovered the[br]magic words: searching for "you are
0:13:00.850,0:13:06.989
strictly prohibited from disclosing or[br]copying the content of this service".
0:13:06.989,0:13:11.509
applause
0:13:11.509,0:13:17.221
Tom: And sure enough we find some examples[br]of profiles from World-Check, which people
0:13:17.221,0:13:21.231
may or may not realize are on the internet[br]and accessible through Google. Some of
0:13:21.231,0:13:24.250
these are from the Panama papers, so[br]obviously the person who put that one
0:13:24.250,0:13:28.569
there knew what they were doing. The first[br]example in this result is interesting
0:13:28.569,0:13:32.800
though because we have the word "intranet"[br]in the URL and we should perhaps tell this
0:13:32.800,0:13:36.220
company that their intranet is not an[br]intranet.
0:13:36.220,0:13:38.670
laughter
0:13:38.670,0:13:40.299
Jasmin: Maybe they found out by[br]themselves.
0:13:40.299,0:13:48.209
Tom: They know now, hopefully. This[br]example is actually from a magazine in
0:13:48.209,0:13:52.799
Brazil which published World-Check[br]profiles that they obtained as part of an
0:13:52.799,0:13:57.079
investigation. This was really useful[br]because we could see exactly what the data
0:13:57.079,0:14:03.259
looks like to the end-user. This profile[br]belongs to Eduardo da Cunha, who was the
0:14:03.259,0:14:07.809
former leader of the Brazilian Chamber of[br]Deputies and as I said it was published by
0:14:07.809,0:14:12.879
the magazine. We can see here the[br]categories that he's been assigned: in
0:14:12.879,0:14:17.829
this case he's a political individual and[br]he's a PEP. PEP stands for politically
0:14:17.829,0:14:23.610
exposed person. This is a term in anti-[br]money-laundering legislation that means
0:14:23.610,0:14:28.949
this person is in senior public office and[br]they are potentially in a position to take
0:14:28.949,0:14:32.600
bribes and launder corrupt funds. It[br]doesn't mean necessarily that they've done
0:14:32.600,0:14:36.999
anything wrong, but the money laundering[br]rules say that banks have to scrutinize
0:14:36.999,0:14:41.869
these people very carefully. So if you are[br]a politician you might be called up by
0:14:41.869,0:14:46.569
your bank and they would say we need to[br]interview you about your sources of income
0:14:46.569,0:14:50.929
in order to establish what the legitimate[br]level of income is and if you exceed that
0:14:50.929,0:14:55.800
level you'll be reported to the[br]authorities. The definition of PEP also
0:14:55.800,0:15:00.899
includes the immediate family of the[br]public officials and we'll see that on the
0:15:00.899,0:15:07.619
next slide. When we scroll down after the[br]age and date of birth we've got these
0:15:07.619,0:15:13.549
links to other profiles: These are the[br]Brazilian politician's immediate family
0:15:13.549,0:15:21.119
members, who have their own profiles. Then[br]further down we've got the reports, so in
0:15:21.119,0:15:25.239
this case this politician was actually[br]accused of doing something wrong, it
0:15:25.239,0:15:29.240
wasn't just that they're a politically[br]exposed person. There's a report of an
0:15:29.240,0:15:34.779
allegation of corruption there and since[br]this profile was published it turned out
0:15:34.779,0:15:38.939
that he was convicted of corruption. So[br]this is an example of a profile of
0:15:38.939,0:15:45.540
somebody who turned out to be guilty. Now[br]that we understood what a profile looked
0:15:45.540,0:15:52.199
like we started to analyze the scope of[br]the database.
0:15:52.199,0:15:56.879
This table shows for each country how many[br]people were profiled in World-Check as it
0:15:56.879,0:16:03.239
stood in 2014, which was the date of the[br]copy of the database that Chris Vickery
0:16:03.239,0:16:09.089
found online. We're showing here for each[br]country with at least 5000 entries the
0:16:09.089,0:16:13.200
number of non-PEPs, so that could be[br]people in the terrorism or the crime
0:16:13.200,0:16:17.981
category or it could be various other[br]things. The number of PEPs: we would
0:16:17.981,0:16:22.369
expect them to be senior public officials[br]but it's interesting that there are a lot
0:16:22.369,0:16:27.689
of countries where there are tens of[br]thousands of PEPs and so that suggests
0:16:27.689,0:16:32.459
that perhaps they've cast the net quite[br]wide there. We're also giving numbers of
0:16:32.459,0:16:39.239
relatives of PEPs. We spent a lot of time[br]browsing the data for our countries and
0:16:39.239,0:16:43.129
querying the database to understand the[br]types of the different types of people
0:16:43.129,0:16:48.600
who've been included. And then everyone in[br]our collaboration started finding people
0:16:48.600,0:16:52.600
who really didn't belong on the list. And[br]we started to ask: How did these innocent
0:16:52.600,0:16:58.579
people end up on this watchlist?[br]Jasmin: We were for example really
0:16:58.579,0:17:03.509
surprised to find Greenpeace, 16[br]Greenpeace activists, on the list, who
0:17:03.509,0:17:08.049
were arrested for peacefully protesting[br]this "Star Wars" missile defense program
0:17:08.049,0:17:18.529
in 2001. They were listed under the[br]general category "crime". That was a bit
0:17:18.529,0:17:24.230
weird, because they did plead guilty to[br]criminal trespass, but never served time
0:17:24.230,0:17:32.860
for this minor charge. But 12 years later,[br]they would still be on that list.
0:17:32.860,0:17:37.539
Tom: This is another example, this time[br]from the UK, from a town called Chelmsford
0:17:37.539,0:17:43.210
in the South of England. This woman is[br]Jackie Arnott and she was listed in the
0:17:43.210,0:17:49.210
politically exposed persons category along[br]with a record of all her civic activities.
0:17:49.210,0:17:53.820
So here she is at work, volunteering for[br]an organization called "Harvest for the
0:17:53.820,0:17:58.330
Homeless". This is a local campaign in[br]Chelmsford that was collecting food for
0:17:58.330,0:18:05.659
people in need. Jackie Arnott is not a[br]senior public official as you might expect
0:18:05.659,0:18:10.809
a politically exposed person to be. In[br]fact her only connection to power seemed
0:18:10.809,0:18:16.150
to be that her husband Allen had been the[br]mayor of Chelmsford, which is a ceremonial
0:18:16.150,0:18:24.690
position. Now to a different town in the[br]South of England: this is leafy Kingston
0:18:24.690,0:18:33.220
upon Thames. This is a view of the town[br]hall: it's all very genteel and this is
0:18:33.220,0:18:38.659
one of Kingston's local politicians: Yogan[br]Yoganathan. You can see the letters MBE,
0:18:38.659,0:18:42.630
member of the British Empire, after his[br]name. He was given an honour by the Queen
0:18:42.630,0:18:47.270
for his services to local government and[br]community relations in Kingston upon
0:18:47.270,0:18:52.970
Thames. Among his activities he was a[br]peace campaigner. He campaigned for peace
0:18:52.970,0:19:01.480
in Sri Lanka and that led to him being[br]listed in World-Check and being linked to
0:19:01.480,0:19:05.769
allegedly the Tamil Tiger terrorist[br]organization, which is an extremely
0:19:05.769,0:19:10.740
serious and very upsetting claim to have[br]made about you, not least if you're a
0:19:10.740,0:19:17.159
peace campaigner. The World-Check database[br]gave the source for this allegation as a
0:19:17.159,0:19:23.490
Sri Lankan government website which in[br]2007, at the height of the civil war in
0:19:23.490,0:19:28.960
Sri Lanka, has said: These guys in London[br]organising peace protests about Sri Lanka,
0:19:28.960,0:19:34.019
they're all Tamil Tiger terrorists. And[br]that allegation had made its way into the
0:19:34.019,0:19:39.450
World-Check database and Mr. Yoganathan[br]said he was very hurt by this allegation
0:19:39.450,0:19:44.980
and this was completely untrue and[br]completely without any other basis in
0:19:44.980,0:19:50.070
fact.[br]Jasmin: So remember when we said, you
0:19:50.070,0:19:56.240
should remember this slide because of the[br]beautiful words "reputable sources". If
0:19:56.240,0:20:00.440
you read a little bit further Thomson[br]Reuters says: "researchers are bound to
0:20:00.440,0:20:07.670
comply with strict research criteria and[br]must remain objective at all time". Well
0:20:07.670,0:20:13.560
it seems that the research team was a[br]little bit flexible on these rules. The
0:20:13.560,0:20:18.100
reasons why innocent people showed up on[br]the list were very often the problem of
0:20:18.100,0:20:25.019
these "reputable" sources and handling[br]them. Now we would like to show you some
0:20:25.019,0:20:29.669
of the sources and we put together a[br]little ranking for you.
0:20:29.669,0:20:35.950
laughter[br]Jasmin: You might all know that one. Yeah,
0:20:35.950,0:20:42.549
Wikipedia. We thought we give number 5 to[br]Wikipedia. In thousands of profiles World-
0:20:42.549,0:20:49.649
Check used Wikipedia as a source. Well[br]here you still might think: okay it's only
0:20:49.649,0:20:55.020
for general information, so maybe it's[br]fine. What about the next one?
0:20:55.020,0:21:00.669
Tom: Well at number 4 we have conspiracy[br]sites: this one is called cyberclass.net
0:21:00.669,0:21:05.259
and it has all the educational resources[br]you might need on alternative accounts of
0:21:05.259,0:21:11.130
the 9/11 attacks. World-Check research has[br]also cited it in a profile of a British
0:21:11.130,0:21:15.940
businessman, which of course was[br]used by the banks.
0:21:15.940,0:21:21.320
Jasmin: Number 3, also really interesting:[br]We found state-run sites or state-run
0:21:21.320,0:21:27.230
propaganda you must say, also used as[br]sources, for example China Daily. It's the
0:21:27.230,0:21:32.720
biggest newspaper in China and state-owned[br]and even though it's not an official organ
0:21:32.720,0:21:40.980
of the Chinese Communist Party, it's[br]considered to be a quasi-party newspaper.
0:21:40.980,0:21:46.509
Because of this commentary that you see on[br]the right side, it's saying that there's a
0:21:46.509,0:21:51.519
terrorist group, the Tibetan Youth[br]Congress, the prominent diaspora
0:21:51.519,0:21:58.950
organization, is listed as a terrorist[br]group on World-Check. What we found
0:21:58.950,0:22:04.450
pretty, I don't know how to say it.. the[br]research team used this article as the
0:22:04.450,0:22:12.290
only source for this profile recording the[br]Chinese government's accusations.
0:22:12.290,0:22:17.360
Tom: At number 2 we have a website that[br]unfortunately you might have heard of:
0:22:17.360,0:22:23.539
Hundreds of listings referenced reports on[br]Breitbart. At the time, Breitbart was
0:22:23.539,0:22:27.730
selectively reporting on what it called[br]"black crime" and there was a whole tag
0:22:27.730,0:22:32.549
page for what they called "black crime".[br]There were hundreds of listings that
0:22:32.549,0:22:38.320
referred to reports that have been carried[br]on Breitbart. But number 1 ...
0:22:38.320,0:22:42.950
Jasmin: Our number 1 ...[br]Tom: We have Stormfront which, if you
0:22:42.950,0:22:48.740
haven't heard of it, it's a forum for[br]white supremacists. It was founded in 1995
0:22:48.740,0:22:54.530
by a former Ku Klux Klan member and there[br]were several listings that referred to
0:22:54.530,0:23:00.840
Stormfront. Among them listings for two[br]black British people containing links to a
0:23:00.840,0:23:06.570
discussion thread on the forum.[br]Jasmin: So the problem really is that
0:23:06.570,0:23:11.929
World-Check uses all the sources that they[br]can find, which is fine, but it seems that
0:23:11.929,0:23:17.409
they don't differ between a news site, a[br]propaganda site, extremist sites, whatever
0:23:17.409,0:23:24.070
site. And all the sources and information[br]they collect, but they don't weight it or
0:23:24.070,0:23:28.660
rate it or assess the information. So for[br]example, if a state attorney accuses a
0:23:28.660,0:23:33.799
person or if a competitor blackened[br]somebody in a media report, the
0:23:33.799,0:23:38.570
information gets into the World-Check[br]database without any filtering and there
0:23:38.570,0:23:45.010
is no final verification of this or any[br]accusation.
0:23:45.010,0:23:49.940
Tom: World-Check found an interesting way[br]to deal with this problem of unreliable
0:23:49.940,0:23:55.730
sources or potentially unreliable sources:[br]In the profiles they've added this general
0:23:55.730,0:24:02.659
legal notice. Here they mention that[br]everyone who views this database should
0:24:02.659,0:24:08.299
carry out independent checks to verify the[br]information. They later added a further
0:24:08.299,0:24:13.259
disclaimer saying: If this profile[br]contains negative allegations it should be
0:24:13.259,0:24:20.740
assumed that such allegations are denied.[br]This is an interesting legal concept, that
0:24:20.740,0:24:25.049
you can carry these extremely damaging[br]accusations that people are linked to
0:24:25.049,0:24:29.870
terrorist groups, but of course you can[br]tell your customers to assume that the
0:24:29.870,0:24:35.489
allegations are denied and to check the[br]information out themselves. We found many
0:24:35.489,0:24:41.019
people on the list that had encountered[br]difficulties with their banks and that
0:24:41.019,0:24:46.370
raises the question of whether some banks[br]and users of the list were able to heed
0:24:46.370,0:24:51.149
this warning and launch their own[br]investigations after seeing adverse claims
0:24:51.149,0:24:56.491
in World-Check. In fact, somebody I spoke[br]to as part of my research who works for a
0:24:56.491,0:25:01.880
bank said that they were under such[br]pressure that if they found an adverse
0:25:01.880,0:25:07.769
listing in World-Check, it would be[br]extremely difficult for them to disprove
0:25:07.769,0:25:16.649
it, you know, given the time that was[br]available. This is one issue. But besides
0:25:16.649,0:25:21.840
the problems with the sources and the lack[br]of verification of the information there
0:25:21.840,0:25:26.721
is another reason why innocent people have[br]ended up in this watchlist: Our research
0:25:26.721,0:25:31.289
showed that the database carries entries[br]for people who are merely accused or
0:25:31.289,0:25:36.740
investigated over possible crimes without[br]being charged or convicted. Reports of
0:25:36.740,0:25:40.899
minor convictions are kept on file for[br]years after the event as we saw with
0:25:40.899,0:25:46.029
Greenpeace, and sometimes people had been[br]cleared of their charges but their entries
0:25:46.029,0:25:50.029
hadn't been updated to reflect that[br]information. So innocent people just kept
0:25:50.029,0:25:56.330
being guilty in the world of the database.[br]Jasmin: For example like him, so please
0:25:56.330,0:26:01.950
meet the terrorist Andrej Holm, or at[br]least that's what World-Check suggested
0:26:01.950,0:26:07.360
for a couple of years. Holm, maybe some of[br]you know him, is a very well-known
0:26:07.360,0:26:13.950
sociologist and later he was a short time,[br]in German "Baustaatssekretär". Maybe in
0:26:13.950,0:26:18.740
English at something like housing[br]secretary in the Berlin State Government.
0:26:18.740,0:26:22.760
He was targeted by the Federal[br]prosecutor's office ten years ago. The
0:26:22.760,0:26:29.090
suspicion was: Membership in a terrorist[br]group. He was arrested at the end of July
0:26:29.090,0:26:35.649
2007 and detained for 3 weeks. Holm had[br]obviously been investigated because he had
0:26:35.649,0:26:40.769
been critical of the displacement of[br]poorer people and cities and he wrote it
0:26:40.769,0:26:48.480
in a very similar way or similar words to[br]a left-wing extremist group active at that
0:26:48.480,0:26:54.559
time. But in the end the suspicion that he[br]could be a member himself proved totally
0:26:54.559,0:27:04.250
unfounded and in 2010 all procedures[br]against Holm were discontinued. He was
0:27:04.250,0:27:10.929
even compensated for his imprisonment. In[br]the end for the state and justice Holm was
0:27:10.929,0:27:18.099
innocent. But when Holm wanted to become a[br]customer at Norisbank two years later in
0:27:18.099,0:27:24.500
2012, the institute refused to open his[br]bank account and that even without any
0:27:24.500,0:27:32.739
explanation. That was when Holm still did[br]not know that he was on the watchlist of
0:27:32.739,0:27:39.559
World-Check. When we told him and we[br]talked to him he said: I have a bad
0:27:39.559,0:27:44.320
feeling when my life is recorded there[br]without me being aware of it or having any
0:27:44.320,0:27:50.309
influence on it. Even years later such an[br]entry can permanently make life
0:27:50.309,0:27:56.299
significantly more difficult. But[br]apparently there are institutions that
0:27:56.299,0:28:02.350
rely on World-Check or similar databases.[br]When we talked to the Norisbank they said
0:28:02.350,0:28:07.789
that the Name List screening, that's what[br]it's called, was an essential part of
0:28:07.789,0:28:14.009
fulfilling the legal requirements for[br]combating financial criminality. It's
0:28:14.009,0:28:18.830
about preventing money laundering, they[br]said. And the due diligence check would
0:28:18.830,0:28:25.929
use many different databases as data[br]sources. I found a little bit funny that
0:28:25.929,0:28:31.840
they wouldn't talk about at all about the[br]case from Mr. Holm and they said: They
0:28:31.840,0:28:39.740
cannot give any information because[br]of data protection reasons.
0:28:39.740,0:28:44.490
Tom: We saw in the marketing brochure that[br]Thomson Reuters say that 49 of 50 of the
0:28:44.490,0:28:50.580
world's biggest banks use World-Check. We[br]had a pretty strong idea that most of the
0:28:50.580,0:28:55.720
big-name banks would be using it. But for[br]my UK audience I wanted to confirm that
0:28:55.720,0:28:59.889
the high street names that my readers[br]would be familiar with had used this
0:28:59.889,0:29:05.289
database. I had information that the Co-[br]operative Bank among several other big
0:29:05.289,0:29:10.950
names had used World Check and I asked[br]them to confirm that that was the case.
0:29:10.950,0:29:16.559
And this is what they said: "I can confirm[br]that the Co-operative Bank doesn't use and
0:29:16.559,0:29:22.160
has not used World-Check." Well, this was[br]an interesting response. I went back to
0:29:22.160,0:29:29.649
Google and I did a site-search on LinkedIn[br]for World-Check and the Co-operative Bank
0:29:29.649,0:29:36.059
and this is what I found: This is Michael,[br]he says he is a high-risk case-analyst at
0:29:36.059,0:29:43.959
the Co-operative Bank and his previous[br]position in 2015: he was an anti-money-
0:29:43.959,0:29:48.989
laundering analyst and this gives the[br]description of his responsibilities. At
0:29:48.989,0:29:53.980
the bottom there you can see that that[br]included exiting customers where necessary
0:29:53.980,0:29:59.279
if they were found outside the bank's risk[br]appetite, which is a euphemism for: he can
0:29:59.279,0:30:04.429
close your account if you're too risky. So[br]this was quite obviously a considerable
0:30:04.429,0:30:09.610
responsibility and then further down in[br]the job description he says that he used
0:30:09.610,0:30:17.080
systems including World-Check to make[br]these decisions.
0:30:17.080,0:30:22.490
So I went back to the Co-operative Bank[br]press spokesperson and sent them an
0:30:22.490,0:30:28.909
attachment to see what they had to say[br]about this. And the reply came: "I can
0:30:28.909,0:30:33.950
confirm that we do not use World-Check and[br]any access to that database the bank had
0:30:33.950,0:30:39.940
was in excess of 5 years ago." So they[br]admitted that they had used the database,
0:30:39.940,0:30:45.929
but they're now saying that they don't use[br]it anymore. I think this is an indication
0:30:45.929,0:30:51.639
of exactly how much secrecy there is on[br]the part of the banks and resistance to
0:30:51.639,0:30:55.549
any kind of accountability. You know,[br]they're questioned by a journalist from a
0:30:55.549,0:31:00.200
national newspaper, they give completely[br]inaccurate information about whether they
0:31:00.200,0:31:05.099
had used this system and only admitted it[br]when they were confronted with evidence to
0:31:05.099,0:31:09.799
the contrary. You know, if you're a Co-[br]operative Bank customer, you really ought
0:31:09.799,0:31:15.119
to have a right to know what is being done[br]with your data and how decisions about you
0:31:15.119,0:31:20.029
are being made. This is all enshrined in[br]data-protection law and this seems to be
0:31:20.029,0:31:27.470
at odds with all of those principles.[br]So we put all of the findings from the
0:31:27.470,0:31:33.309
different countries to Thomson Reuters and[br]they didn't really come back to us on any
0:31:33.309,0:31:37.820
of their specific cases, but they gave us[br]a statement. One of the things they said
0:31:37.820,0:31:42.480
was that "Individuals can contact us, if[br]they believe any of the information held
0:31:42.480,0:31:49.929
is inaccurate and we would urge them to do[br]so." This is quite tricky, if your bank is
0:31:49.929,0:31:55.260
not allowed to tell you, why your account[br]has been closed. The bank is certainly not
0:31:55.260,0:32:00.980
allowed to show you your listing on World-[br]Check. We have to admit that you can
0:32:00.980,0:32:05.019
submit a subject access request to Thomson[br]Reuters, if you have a hunch that you
0:32:05.019,0:32:09.340
might be on the list, and then you can[br]find out and obviously you could challenge
0:32:09.340,0:32:15.010
your information. But whether that would[br]be acted upon is another question. Thomson
0:32:15.010,0:32:20.639
Reuters said they provide identifying[br]information such as dates of birth and
0:32:20.639,0:32:26.360
this will be verified with reputable and[br]official sources. On some of the
0:32:26.360,0:32:31.460
unreliable sources they said: "If blog[br]content appears it is only as a supporting
0:32:31.460,0:32:37.039
source for that secondary information and[br]is clearly identified as such". We don't
0:32:37.039,0:32:41.710
know if they've made improvements to the[br]database since 2014, so it may be that
0:32:41.710,0:32:46.429
things are different from the snapshot we[br]saw, but that's what they said.
0:32:46.429,0:32:51.119
And then they said: "In conclusion, it's[br]important to point out that the inclusion
0:32:51.119,0:32:55.950
in World-Check does not imply guilt of any[br]crime and every record states, if this
0:32:55.950,0:33:00.269
profile contains negative allegations it[br]should be assumed that such allegations
0:33:00.269,0:33:04.679
are denied. The accuracy of the[br]information found in the underlying media
0:33:04.679,0:33:08.510
sources should be verified with the[br]profile subject before any action is
0:33:08.510,0:33:13.740
taken." One final point they made is that[br]there are competing databases to World-
0:33:13.740,0:33:19.289
Check. So LexisNexis and Dow Jones also[br]produce watchlists and we don't know if
0:33:19.289,0:33:26.810
there are similar problems with those[br]lists. Why has this happened? You know, we
0:33:26.810,0:33:31.539
mentioned that banks are under huge[br]pressure from governments to weed out
0:33:31.539,0:33:36.940
terrorists and money launderers among[br]their customer bases and what's the
0:33:36.940,0:33:41.499
environment in which this has come about?[br]We don't have a full answer to this
0:33:41.499,0:33:47.789
question, but I want to show you one email[br]that gives a sense of the atmosphere and
0:33:47.789,0:33:52.750
the paranoia that has led[br]to the current regime.
0:33:52.750,0:33:57.870
So this email is from a man who says he's[br]the World Check's General Counsel. It was
0:33:57.870,0:34:06.510
sent in 2002 to a US Treasury consultation[br]and so this is a public document. He
0:34:06.510,0:34:10.820
declares his interests, he says he works[br]for a company that sells a product to help
0:34:10.820,0:34:16.270
financial institutions conduct money[br]laundering checks. Obviously this is a
0:34:16.270,0:34:20.489
short time after 9/11 and he argues that[br]under the Patriot Act financial
0:34:20.489,0:34:25.600
institutions must be proactive about[br]tackling money laundering. He exerts
0:34:25.600,0:34:28.949
considerable moral pressure, even going so[br]far as to suggest that the banks were
0:34:28.949,0:34:33.090
helping the terrorists by their lack of[br]action. So he writes: "The U.S. is in a
0:34:33.090,0:34:37.729
war on terror and the front lines of the[br]war are at the doorsteps of every US
0:34:37.729,0:34:43.540
financial institution. US financial[br]institutions are inadvertently aiding and
0:34:43.540,0:34:49.810
abetting domestic terror against American[br]citizens." This is just one company's
0:34:49.810,0:34:53.801
viewpoint, I'm sure the US Treasury took[br]in lots of different viewpoints when they
0:34:53.801,0:34:58.800
were forming this legislation, but I think[br]this gives a nice sense of the kinds of
0:34:58.800,0:35:04.790
arguments that were being made. If you[br]want more on the wider context of this
0:35:04.790,0:35:09.350
there's a really good book called[br]"Speculative Security" by Marieke de Goede
0:35:09.350,0:35:17.180
which goes into this in more detail.[br]So can the system be improved or repaired?
0:35:17.180,0:35:21.070
Again, we don't give an answer to this[br]question but some thoughts have occurred
0:35:21.070,0:35:27.510
to us: There could be better selection of[br]sources used to compile this kind of list.
0:35:27.510,0:35:33.260
Perhaps you would narrow it down a bit[br]more to the official sanctions lists and
0:35:33.260,0:35:36.690
people who are actually convicted of[br]crimes. Those kinds of categories of
0:35:36.690,0:35:42.560
sources, maybe news reports in reputable[br]outlets, perhaps news reports that are
0:35:42.560,0:35:47.750
confirmed by more than one outlet, that[br]kind of thing. You could also indicate the
0:35:47.750,0:35:53.760
quality of the information. So if you're[br]going to insist on republishing the fact
0:35:53.760,0:35:57.810
that the Sri Lankan government has accused[br]a person of terrorism, maybe you would
0:35:57.810,0:36:03.320
flag up that the Sri Lankan government[br]certainly at that time did not have a good
0:36:03.320,0:36:07.520
record for reliability on who it was[br]accusing of being terrorists. You could
0:36:07.520,0:36:12.550
also give rights of reply to people: So on[br]your credit history you can go to a credit
0:36:12.550,0:36:18.540
reference agency, see what is said about[br]you and reply to the criticisms of you
0:36:18.540,0:36:22.610
that are made there. They could think[br]about doing that. There is an initiative
0:36:22.610,0:36:28.480
to make an open-source sanctions watchlist[br]at opensanctions.org, which of course
0:36:28.480,0:36:33.040
brings lots of advantages and everyone can[br]see what is said about them on the list.
0:36:33.040,0:36:36.430
And I think there's also the wider[br]question of whether we actually want banks
0:36:36.430,0:36:42.120
to have this responsibility of predicting[br]and foreseeing crime among their
0:36:42.120,0:36:46.390
customers. Do we want the private sector[br]to do that job or do we want that
0:36:46.390,0:36:50.540
responsibility to be squarely on the[br]judicial system or on the criminal justice
0:36:50.540,0:36:56.140
system? So with that ...[br]Jasmin: So...
0:36:56.140,0:36:58.140
Tom: Go on.[br]Jasmin: No, go on.
0:36:58.140,0:37:00.430
Tom: We'll be very happy to take your[br]questions and these are all contact
0:37:00.430,0:37:03.730
details, so thank you very[br]much for your attention.
0:37:03.730,0:37:14.815
applause
0:37:14.815,0:37:16.120
Herald: Thank you very much for this
0:37:16.120,0:37:20.250
super-interesting talk. I have good news[br]for all of you: we have about 20 minutes
0:37:20.250,0:37:25.060
time for Q&A, so please pile up at the[br]microphones, if you have any questions, of
0:37:25.060,0:37:30.550
which I am sure there are many. We are[br]going to start with one question from the
0:37:30.550,0:37:33.120
Internet.[br]Internet-Question: Considering the
0:37:33.120,0:37:40.410
database is still online has it undergone[br]changes to conform to GDPR?
0:37:40.410,0:37:46.390
Tom: I don't think we have any information[br]on that, sorry.
0:37:46.390,0:37:50.640
Herald: Alright, thanks, let's start with[br]another question from microphone number 1.
0:37:50.640,0:37:55.770
Mic1: Thank you. If he was the General[br]Counsel for the World Check company, at
0:37:55.770,0:38:01.170
what point was it acquired by Thomson[br]Reuters? Or was it already part of Thomson
0:38:01.170,0:38:04.970
Reuters?[br]Tom: It wasn't at that point, it was some
0:38:04.970,0:38:09.070
years later. An interesting point actually[br]about his job title is that, if you go on
0:38:09.070,0:38:15.110
his LinkedIn page, he does have a law[br]degree, this guy, but his job title at
0:38:15.110,0:38:18.500
World Check in 2002 was not General[br]Counsel, but a Head of Business
0:38:18.500,0:38:21.590
Development. I don't know, if that's just[br]a mistake on his LinkedIn.
0:38:21.590,0:38:25.670
Herald: Maybe another question from[br]microphone number 3.
0:38:25.670,0:38:32.430
Mic3: So I want to know, if I make a[br]request to access my data will that put me
0:38:32.430,0:38:38.170
on the list?[br]And my actual question is: Where did they
0:38:38.170,0:38:43.600
get the names from? Because essentially[br]the analyst that does 220 profiles a day,
0:38:43.600,0:38:48.180
does he get to pick the names?[br]Jasmin: Yes. So if you put a request to
0:38:48.180,0:38:53.270
World Check your name will not be on the[br]list afterwards. So you can do it if you
0:38:53.270,0:38:57.980
want. And this is how it works: The[br]research team goes through the internet
0:38:57.980,0:39:02.110
and looks for articles and picks out names[br]and puts them in.
0:39:02.110,0:39:08.060
Mic3: Ok, so they should be people, who[br]don't go on Stormfront essentially to pick
0:39:08.060,0:39:12.120
names. Because is that what's happening?[br]Like they hire people and they go on
0:39:12.120,0:39:17.470
Stormfront all day and randomly pick[br]names? No, but seriously?
0:39:17.470,0:39:21.420
Jasmin: I don't know, if they do it like[br]that, but somehow they came up with the
0:39:21.420,0:39:23.740
source, yes.[br]Mic3: Okay, thanks!
0:39:23.740,0:39:29.530
Herald: Microphone number 4.[br]Mic4: Hey, thanks for the talk. You've
0:39:29.530,0:39:33.060
mentioned a few people that were on there[br]wrongfully, but what percentage are
0:39:33.060,0:39:36.810
actually wrong on there of the profiles[br]that you viewed?
0:39:36.810,0:39:42.680
Tom: We don't have a percentage, we think[br]it's a minority, there are lots of people,
0:39:42.680,0:39:47.190
who did do bad things and get onto the[br]list. But of course it undermines the
0:39:47.190,0:39:52.450
credibility of the entire database, when[br]there are you know many many examples that
0:39:52.450,0:39:58.720
we were able to find without even it's not[br]like we read all 2 million profiles, so
0:39:58.720,0:40:01.160
who knows. But obviously it's a very good[br]question.
0:40:01.160,0:40:03.910
Jasmin: I think it's an excellent[br]question, but I have to admit that we
0:40:03.910,0:40:07.890
didn't review all the 2.2 million[br]profiles.
0:40:07.890,0:40:14.700
Herald: Alright, mic number 2, please.[br]Mic2: Thank you for your work on this
0:40:14.700,0:40:20.580
really important subject. I myself ended[br]up on that list and lost my bank for two
0:40:20.580,0:40:26.910
years because of it. With how essential[br]banking is in the modern world to get
0:40:26.910,0:40:33.580
paid, to pay your bills, to do anything,[br]what options do people who have had their
0:40:33.580,0:40:37.570
banks or organizations like Finsbury Park[br]that have had their banks closed and on
0:40:37.570,0:40:42.230
these lists have? Especially with their[br]lists being so ubiquitous amongst all of
0:40:42.230,0:40:46.880
the major banks?[br]Tom: Well, Finsbury Park Mosque went to
0:40:46.880,0:40:52.300
court, and they sued Thomson Reuters[br]successfully and after that Thomson
0:40:52.300,0:40:56.830
Reuters changed the listing and admitted[br]that they had been wrong to list them in
0:40:56.830,0:41:00.790
the terrorism category. Obviously that's[br]not an option that's available to
0:41:00.790,0:41:05.871
everybody, I think the first step is to[br]request your data from Thomson Reuters to
0:41:05.871,0:41:10.990
see exactly what was being said about you[br]and then go from there. But it's very
0:41:10.990,0:41:14.510
difficult.[br]Jasmin: But for example Mr. Holm, he
0:41:14.510,0:41:19.820
didn't get an account at Norisbank, but he[br]ended up in another bank that didn't use
0:41:19.820,0:41:23.840
World Check and that was the Berliner[br]Sparkasse.
0:41:23.840,0:41:29.780
Herald: Alright, I think it's the[br]internet's turn again to ask a question.
0:41:29.780,0:41:34.370
Internet-Q: Would you agree that the[br]purpose of such a list is to protect not
0:41:34.370,0:41:39.650
only the banks from rotten customers, but[br]also the public from terrorism or the bad
0:41:39.650,0:41:45.800
businesses that could harm us? And if yes,[br]isn't that sacrificing a few for the
0:41:45.800,0:41:51.360
benefit of many?[br]Jasmin: I think, you shouldn't sacrifice a
0:41:51.360,0:41:56.550
few for the many, because it would be so[br]easy to make it better. We saw that these
0:41:56.550,0:42:04.740
sources were so obviously weird and wrong[br]and so, I think it wouldn't be necessary,
0:42:04.740,0:42:09.190
if they were to check the list a lot[br]better.
0:42:09.190,0:42:17.560
Herald: Mic number 1, please.[br]Mic1: Hi, great presentation. Did you find
0:42:17.560,0:42:22.650
any evidence of banks and such[br]organizations disclosing information
0:42:22.650,0:42:27.160
about their customers towards Thomson[br]Reuters?
0:42:27.160,0:42:32.640
Tom: I don't think we saw any sign of[br]that. It does look like they stick to the
0:42:32.640,0:42:37.760
public sources. There were various entries[br]that had three-letter acronyms next to
0:42:37.760,0:42:42.370
them like CIA and various things. But I[br]think in all of those cases it turned out
0:42:42.370,0:42:47.760
that the CIA, or whoever, had said[br]something publicly about that person. So
0:42:47.760,0:42:53.010
it didn't seem that there was any covert[br]cooperation in either direction.
0:42:53.010,0:42:58.400
Herald: Mic number 3, please.[br]Mic3: Thank you for your work. Obviously,
0:42:58.400,0:43:03.080
it's disheartening to see such sites as[br]Stormfront and Breitbart being, well,
0:43:03.080,0:43:10.080
cited as sources. In your work did you[br]find how much of the data was
0:43:10.080,0:43:15.660
supported by these so-called "reputable[br]sources", these extremist sites as the
0:43:15.660,0:43:19.540
category.[br]Jasmin: How many?
0:43:19.540,0:43:26.980
Tom: It depended on the site. I think[br]Breitbart was hundreds of entries. They
0:43:26.980,0:43:30.850
were focused around a particular country,[br]which wasn't the US, it was another
0:43:30.850,0:43:35.810
country. Which suggested to us that[br]potentially it had been a researcher, who
0:43:35.810,0:43:40.460
had a particular fondness for Breitbart,[br]who had decided to use that as a source.
0:43:40.460,0:43:45.820
So there seems to be a lot of variation[br]between different countries in the mix of
0:43:45.820,0:43:51.130
sources that have been used.[br]Herald: Mic number 4, please.
0:43:51.130,0:43:55.720
Mic4: Hi, thanks. I work on cryptocurrency[br]stuff, so obviously have a long-standing
0:43:55.720,0:44:01.560
interest in financial privacy and[br]openness. There was a really interesting,
0:44:01.560,0:44:06.060
although terribly written book, I would[br]not recommend it, but was written by
0:44:06.060,0:44:11.970
someone, who was at US Treasury and[br]crafted kind of post 9/11 policy around
0:44:11.970,0:44:16.000
sanctions. One of the things he said in[br]the book was immediately after 9/11 they
0:44:16.000,0:44:20.890
were willing to put people on the[br]sanctions list and block you from the
0:44:20.890,0:44:26.150
entire international financial system at[br]80% certainty level. So if they're about
0:44:26.150,0:44:31.630
80% confident that you are somehow related[br]to terrorism, they would just kick you
0:44:31.630,0:44:37.450
out. So I was wondering, if.. because I[br]know a lot of the interest in preventing
0:44:37.450,0:44:41.360
mass surveillance is all about making it[br]more expensive, so as to force people to
0:44:41.360,0:44:45.990
target it more specifically. I was[br]wondering, if you had any thoughts on what
0:44:45.990,0:44:51.350
kind of direction people should be[br]thinking about going in terms of forcing
0:44:51.350,0:44:57.510
more targeting of preventing people from[br]international financial access. Instead of
0:44:57.510,0:45:02.220
allowing it to be so broad and you know[br]controlled by so few.
0:45:02.220,0:45:12.350
Tom: Use cash.[br]Jasmin: These were already some good
0:45:12.350,0:45:19.940
thoughts.[br]Tom: I mean, I think we should ask our
0:45:19.940,0:45:23.610
government for accountability on this kind[br]of surveillance, as we would with a
0:45:23.610,0:45:29.230
communication surveillance or any other[br]kind of surveillance. But we've only just
0:45:29.230,0:45:33.720
looked at one part of this system, we've[br]looked at this one watchlist, but this is
0:45:33.720,0:45:39.320
part of a whole range of stuff that's[br]going on. So I think we should continue to
0:45:39.320,0:45:42.440
look at financial surveillance alongside[br]other forms of surveillance.
0:45:42.440,0:45:48.880
Herald: Alright, Mic number 2, please.[br]Mic2: I have a question concerning the
0:45:48.880,0:45:53.260
Financial Action Task Force, which is an[br]intergovernmental organization
0:45:53.260,0:45:58.950
comprising both European Union countries[br]and GCC. Have you confronted them with the
0:45:58.950,0:46:04.760
work that Thomson and the banks are doing?[br]Jasmin: I didn't.
0:46:04.760,0:46:09.010
Tom: We haven't been to them directly, but[br]one of the really useful things that we
0:46:09.010,0:46:14.100
picked up from the Financial Action Task[br]Force is that their definition of politically
0:46:14.100,0:46:20.550
exposed person talks about senior public[br]officials and this database seemed to go
0:46:20.550,0:46:26.170
way further than that. So there seems to[br]be an interesting discussion going on
0:46:26.170,0:46:32.110
about where the limits of this kind of[br]surveillance should be drawn. You might
0:46:32.110,0:46:36.250
take the view that heads of state, there's[br]not really any problem with surveilling
0:46:36.250,0:46:41.410
their financial activity, but when you[br]start to cast the net wider then this kind
0:46:41.410,0:46:43.910
of thing seems to have more worrying[br]implications.
0:46:43.910,0:46:48.140
Herald: Internet, if you got a question,[br]fire away.
0:46:48.140,0:46:52.790
Internet-Q: It looks like Thomson Reuters[br]basically says you can't disclose the
0:46:52.790,0:46:58.680
information you find in our system,[br]because we have the copyright on it. So
0:46:58.680,0:47:02.540
are there any jurisdictions that have a[br]law that would require banks to report
0:47:02.540,0:47:06.830
what information was used to determine[br]that someone was considered a risk?
0:47:06.830,0:47:12.080
Jasmin: No, there's no law that the banks[br]have to say it, but as Tom mentioned before
0:47:12.080,0:47:18.140
the people that think that they're on a[br]list they can confront World Check with
0:47:18.140,0:47:21.150
this.[br]Tom: And I think in some jurisdictions
0:47:21.150,0:47:28.920
there are exemptions from subject access[br]request rights for anti money laundering
0:47:28.920,0:47:34.110
purposes. I'm not sure exactly how big a[br]part that plays but that may be part of
0:47:34.110,0:47:38.820
the reason why banks think that they can[br]just deny people any answers to why these
0:47:38.820,0:47:42.790
decisions have been made.[br]Herald: Mic number 1, please.
0:47:42.790,0:47:47.510
Mic1: Thank you for the excellent talk.[br]You mentioned that legal regulations
0:47:47.510,0:47:52.900
require that banks use some kind of[br]blacklist. Do you know what criteria these
0:47:52.900,0:47:58.800
regulations cite? So quality control[br]doesn't seem to be among them. Could you
0:47:58.800,0:48:02.520
start your own list and send it to banks?[br]Jasmin: You're right, quality control
0:48:02.520,0:48:08.210
seems not to be part of it. But the[br]regulation is, for example, the, I don't
0:48:08.210,0:48:10.460
know the English word, "Sorgfaltspflicht"[br](due diligence obligations) for the
0:48:10.460,0:48:17.520
customer. You have to make sure that the[br]customer is not a criminal or a terrorist.
0:48:17.520,0:48:24.100
And there are many regulations asking for[br]it. For example, the EG money laundering
0:48:24.100,0:48:34.490
law from starting 1991 and then it got newer in[br]2001, 2005. So that's mainly the part that
0:48:34.490,0:48:38.680
we focused on because it's the part[br]that's important for the World Check
0:48:38.680,0:48:42.930
database.[br]Herald: Alright, Mic number 3, please.
0:48:42.930,0:48:47.840
Mic3: Thanks for the talk. You did find a[br]lot of people who are on the list
0:48:47.840,0:48:54.090
wrongfully and I'm curious if you informed[br]them that they are on the list or if you
0:48:54.090,0:48:58.210
informed the company that they had these[br]people on the list that shouldn't be
0:48:58.210,0:49:03.990
there. Especially I'm interested what[br]happened to the Greenpeace activists you
0:49:03.990,0:49:08.590
mentioned. Do you have any information if[br]they are still on the list or not?
0:49:08.590,0:49:15.080
Jasmin: All the cases that we showed to[br]you, all the ones we talked to, we
0:49:15.080,0:49:20.450
confronted them and we asked them, if we[br]can publish their case and all of them
0:49:20.450,0:49:31.140
went to World Check and asked if they are[br]on the list, and asked also to delete them
0:49:31.140,0:49:37.420
on the list and I think in almost all the[br]cases the people actually were deleted.
0:49:37.420,0:49:46.090
Tom: I think in some of them at least.[br]And as Jasmin said, we were very careful
0:49:46.090,0:49:51.250
only to publish people's names, if they[br]had given their consent for us to do that.
0:49:51.250,0:49:57.000
The response I got from Jackie Arnott, who[br]was the woman in pink, who you saw in the
0:49:57.000,0:50:00.570
presentation, was that the last time she[br]had any adverse attention from the
0:50:00.570,0:50:05.500
authorities was when she went on holiday[br]in the 1980s to the Eastern Bloc and she
0:50:05.500,0:50:12.790
got a phone call from the British Foreign[br]Office to say: "What are you doing? Going
0:50:12.790,0:50:16.640
over there?" And this was what came to her[br]mind, when we told her about her listing
0:50:16.640,0:50:21.130
in World Check.[br]Herald: Thanks. Mic number 4, please.
0:50:21.130,0:50:25.941
Mic4: Thanks, in the LinkedIn profile you[br]showed there were a few other systems, I
0:50:25.941,0:50:30.810
think Dow Jones and one other, do they[br]suck as badly as World Check?
0:50:30.810,0:50:36.160
Jasmin: Well we did check them and there[br]was no leak yet. But if there will be,
0:50:36.160,0:50:41.090
maybe we can tell you next year. Applause[br]Herald: Alright, Mic number 2.
0:50:41.090,0:50:48.950
Mic2: Hi, thank you. Can you go one slide[br]back? Thank you. I was wondering, because
0:50:48.950,0:50:54.530
you said that their sources were like[br]terribly wrong and weird and I was
0:50:54.530,0:50:57.680
wondering, if we assume that they are not[br]wrong and weird, but they're there that
0:50:57.680,0:51:02.300
they are working perfectly well and that[br]all of these questions like the answer to
0:51:02.300,0:51:07.230
all these questions was: It's working[br]perfectly well. Who would be the
0:51:07.230,0:51:15.310
people, who it's working perfectly well[br]for? And who especially is targeted here?
0:51:15.310,0:51:21.200
And is there any possibility of action in[br]that scenario, in this possible world, in
0:51:21.200,0:51:25.980
which this was working perfectly well as[br]it is?
0:51:25.980,0:51:31.870
Tom: I think maybe there are two different[br]answers for the politically exposed
0:51:31.870,0:51:37.190
persons and for the people accused of[br]terrorism. I think for politically exposed
0:51:37.190,0:51:42.700
persons, to me, you can make quite a strong[br]case that senior public officials should be
0:51:42.700,0:51:46.760
subject to the financial surveillance. You[br]know, if you are a prime minister and
0:51:46.760,0:51:50.270
suddenly you have millions of pounds[br]flowing through your bank account, maybe
0:51:50.270,0:51:56.100
that's a legitimate..[br]Mic2: No, sorry. I was not asking, what
0:51:56.100,0:52:00.970
are the perfect normative conditions under[br]which this would function. I was asking,
0:52:00.970,0:52:08.182
given the state of things as it is now was[br]the perfect way of working, who would it
0:52:08.182,0:52:15.010
be perfect for? Who is the real[br]beneficiary of this wrong and weird way of
0:52:15.010,0:52:20.730
working? That's my question.[br]Tom: Well, I don't think it benefits the
0:52:20.730,0:52:26.560
public. Because I don't think this is a[br]real serious way of stopping terrorism and
0:52:26.560,0:52:31.270
I'm not even sure that it's a real serious[br]way of stopping political corruption.
0:52:31.270,0:52:35.890
Because actually we looked into some of[br]the cases that came out through the Panama
0:52:35.890,0:52:41.100
papers and similar things, which showed[br]sometimes that banks had looked at a
0:52:41.100,0:52:46.020
person's World Check listing, seen that[br]they were in the watch list, but said:
0:52:46.020,0:52:51.820
This is actually a very lucrative client.[br]So we're going to keep banking them. So
0:52:51.820,0:52:54.970
there are two sides to it and I think[br]that's a very important question.
0:52:54.970,0:52:59.280
Herald: Internet, it's your turn again.[br]Internet-Q: Tom, considering the
0:52:59.280,0:53:04.030
proprietor of your newspaper, Rupert[br]Murdoch, was there any kind of pressure as
0:53:04.030,0:53:09.780
to what you published about them?[br]Tom: About World Check, well, that's a
0:53:09.780,0:53:15.310
question for the internet, isn't it? No.[br]Herald: Microphone number 1, please.
0:53:15.310,0:53:19.790
Mic1: Yeah, two questions. The first is[br]about deletion: Did I get it right that
0:53:19.790,0:53:26.821
there's no established mechanism or[br]process, as well as it is known, for
0:53:26.821,0:53:32.061
deletion of datasets in that database?
0:53:32.061,0:53:38.270
So they claim how many[br]thousands of records they add and they
0:53:38.270,0:53:45.060
update. So there is some procedure for[br]reading but none for deletion. It's
0:53:45.060,0:53:52.880
obviously weird. The second is about[br]asking them what they have in the records,
0:53:52.880,0:53:59.460
if they have a record about me, for example,[br]could I just ask them? And they should
0:53:59.460,0:54:08.680
answer me? Are there some conditions, are[br]there costs for it? And maybe guessing:
0:54:08.680,0:54:16.040
How would they react if, say, 15000 people[br]would ask the question?
0:54:16.040,0:54:22.480
Jasmin: About the deletion of data, you're[br]totally right. There seems to be no
0:54:22.480,0:54:31.230
process in reviewing the data that all the[br]data that shouldn't be in there is not in
0:54:31.230,0:54:37.170
there anymore. That's a problem, because[br]as we know everybody has the right to
0:54:37.170,0:54:44.100
be forgotten in the internet. And to the[br]second question, you can ask them, you can
0:54:44.100,0:54:50.190
go there and write them an email and ask[br]them, if you're included in the database.
0:54:50.190,0:54:56.320
But what they say if 15000 people would[br]ask them, I don't know. Maybe you can ask
0:54:56.320,0:54:58.320
them that.[br]Tom: And remember they're very productive,
0:54:58.320,0:55:02.840
they could do 220 profiles in a month, I[br]was writing them, so truly they can handle
0:55:02.840,0:55:07.780
15,000 requests, I think.[br]Herald: Mic number 3, please.
0:55:07.780,0:55:15.270
Mic3: Have you found any evidence that the[br]customers were pushing sources on World
0:55:15.270,0:55:19.440
Check, that some of the customers might[br]have used them just as a filtering
0:55:19.440,0:55:26.340
mechanism and push sources that wouldn't[br]be normally checked?
0:55:26.340,0:55:35.010
Tom: We don't have any evidence of that.[br]But you do raise an important point, that
0:55:35.010,0:55:38.830
some of the banks said: Well, we use lots[br]of sources. And some of the banks said: Of
0:55:38.830,0:55:42.950
course, we wouldn't just go on a World[br]Check listing. But again, it's very
0:55:42.950,0:55:48.430
difficult to know exactly what was the[br]information that HSBC considered, when
0:55:48.430,0:55:51.800
they closed the mosque's account, because[br]that is all subject to secrecy.
0:55:51.800,0:55:58.520
Herald: Mic number 4, please.[br]Mic4: Can I please also ask you to go to
0:55:58.520,0:56:00.670
the previous slide?[br]Jasmin: Of course.
0:56:00.670,0:56:07.530
Mic4: I think the problem is we are[br]focusing too much on the list itself. I
0:56:07.530,0:56:13.420
have difficulties imagining that we can[br]control all these lists, which are
0:56:13.420,0:56:17.590
circulating, which are being created by[br]different companies. I think the problem
0:56:17.590,0:56:22.860
arises, when they are used. So I don't[br]know if we can really achieve through
0:56:22.860,0:56:28.170
legislation or through some kind of[br]control better sources, better information
0:56:28.170,0:56:36.130
quality, or whatever. Maybe it should be[br]at the point where they are used in
0:56:36.130,0:56:44.330
banks, there should be really the[br]legislative mechanism, the kind of legal
0:56:44.330,0:56:50.180
mechanism to solve this. I am imagining,[br]for instance, if the bank uses sources
0:56:50.180,0:56:58.090
like these and denies the person to open[br]an account. Or the same case with all
0:56:58.090,0:57:03.830
these lists which exist for phone[br]companies and lots of lists like that in
0:57:03.830,0:57:09.620
different sectors, if that person is[br]denied the account opening, there could be
0:57:09.620,0:57:14.910
a mechanism by which the person would[br]force the bank or the institution to
0:57:14.910,0:57:20.770
disclose the sources and to initiate some[br]kind of legal procedure. This would mean..
0:57:20.770,0:57:26.901
Herald: Would you be so kind as to develop[br]a question? Because a lot of other people
0:57:26.901,0:57:30.170
still have questions and we have only a[br]few minutes left, thank you very much.
0:57:30.170,0:57:33.351
applause[br]Mic4: The question is: Do you think it
0:57:33.351,0:57:37.350
should be rather that we focus on the[br]banks or the points, where this
0:57:37.350,0:57:41.930
information is used, rather than talk[br]about the companies which make these lists?
0:57:41.930,0:57:45.490
Jasmin: I think that's a really good[br]question, because it's actually a question
0:57:45.490,0:57:49.830
of who takes the responsibility for a[br]decision? And the funny thing is that
0:57:49.830,0:57:54.180
World-Check puts all the weird sources in[br]it, but still says: "Oh general legal
0:57:54.180,0:58:00.260
sentences, you have to check by[br]yourself.." and then the bank says: "No,
0:58:00.260,0:58:04.480
in World Check, there was a list and this[br]name was on the list." So right now we
0:58:04.480,0:58:10.190
have the scenario that people don't feel[br]responsibility and I think that's the
0:58:10.190,0:58:13.050
problem.[br]Herald: Alright, we have time for exactly
0:58:13.050,0:58:16.540
one last question and I hope you don't[br]mind, if I give it to the internet,
0:58:16.540,0:58:20.440
because everybody else has the chance to[br]catch the speakers later. So if there's
0:58:20.440,0:58:23.520
one, please fire away.[br]Internet-Q: Are there any high-profile
0:58:23.520,0:58:28.790
politicians on the list?[br]Tom: Yes, I mean the politicians that you
0:58:28.790,0:58:32.950
would expect to be on the list, heads of[br]state, were on the list, so I guess at
0:58:32.950,0:58:38.270
least that part of the system is working.[br]Herald: Please give another huge round of
0:58:38.270,0:58:42.906
applause to our speakers for this super[br]informative talk. Thank you so much.
0:58:42.906,0:58:44.764
Tom: Thank you!
0:58:44.764,0:58:50.925
34c3 postroll
0:58:50.925,0:59:08.867
subtitles created by c3subtitles.de[br]in the year 2019. Join, and help us!