-
34c3 preroll
-
Herald: Welcome everybody to our next
talk: Financial surveillance, Exposing the
-
global banking watch lists. I think
everybody in this room would agree that
-
mass surveillance is a very bad idea, and
that of course also goes for financial
-
surveillance. And our next two speakers,
Jasmin Klofta and Tom Wills, are two
-
investigative journalists, who have
uncovered, how the system of financial
-
surveillance works. And I'm pretty sure
that you are just as excited as me to find
-
out what they have found out. So, please
give them a warm round of applause!
-
applause
-
Jasmin Klofta: So hello, nice to see you
all. Microphone's not on I think? Be cool.
-
I think the headset doesn't work.
Herald: Audio? Well you know there's
-
always a litttle thing that doesn't work,
whatever this is. For the talk we just had before,
-
there was a live demo, it was very well
planned - still something went wrong. I think
-
everybody in the audience had a lot of
empathy, because nobody wants to be in
-
that position. But I think we just fixed
the problem. Is it fixed? Is it about to
-
be fixed?
Jasmin: I will try a little bit, yes!
-
Herald: There we go! Round of applause,
now we go!
-
Jasmin: We can start!
applause
-
Jasmin: So, it's nice to see you all, so
happy that so many people came. I want to
-
introduce to you: this is Tom - he's the
data journalist working on investigations
-
at the Times of London and he specializes
in a set of techniques such as data
-
mining, which can reveal wrongdoing and
lead to stories that benefit the public.
-
Tom Wills: And this is Jasmin, she's an
investigative journalist working in
-
Hamburg for Panorama at the broadcaster
NDR, which is part of the ARD network, and
-
she focuses on politics, the digital
economy, and surveillance. And we're going
-
to tell you tonight about findings of an
investigation we conducted this year as
-
part of an international collaboration,
and our colleagues were Eveline, Stefania,
-
Lars, and Cora. And Jasmin.
Jasmin: Yeah, and together we investigated
-
the leaked database and published in June
this year our stories in the UK, in
-
Germany, in the US, Netherlands, Belgium,
and Italy. So what was our story? We
-
investigated, that innocent people around
the world have been wrongly added to a
-
watch list of terrorists and criminals.
This watch list of high risk people and
-
organization is compiled by Thomson
Reuters, a British firm, and sold to
-
almost all the world's major banks, as
well as police forces, intelligence
-
agencies, and non-government organization.
It's called World-Check and the leak gave
-
us the opportunity to review the entire
database for the first time.
-
Tom: So, what exactly is World-Check? Well,
if you want to open a bank account, we
-
know that the bank might your credit
rating to see if you are a reliable
-
borrower. But how does the bank know, if
you're a criminal, or a terrorist, or a
-
potential money launderer? One of the
checks that most banks will do, is run your
-
name against the World-Check watchlist,
and they might look in here. If your bank
-
finds your name on the list, they might
refuse your application, or they might
-
subject your financial transactions to
extra scrutiny, or if you're an existing
-
customer, they might even
close your account.
-
Jasmin: So, Thomson Reuters says about
their list that it is to find hidden risk.
-
The list is of heightened risk people and
organizations, such as terrorists,
-
fraudsters, or senior public officials,
who might try to use the account to handle
-
corrupt funds. So they want to be kind of
an early warning system for hidden risk.
-
And banks are even forced to use these kinds
of lists by regulation, they have to take
-
steps to comply with sanctions and
international and domestic law against
-
money laundering and terror financing. And
of course we all want less terrorism, and of
-
course we want less money laundering,
that's clear. And to put it in a World-Check
-
words, it's to help identify
relationships or risk by providing highly
-
structured intelligence profiles and
heightening risk individuals and entities
-
globally. But since 9/11, governments have
to put more and more pressure on banks to
-
identify terrorists and money launderers
among their customers. So, Thomson Reuters
-
advertises even World-Check with warnings
about recent fines and settlements against
-
banks for violating sanctions. Maybe you
know the.. this one story: HSBC had a
-
historic 1.9 billion dollar payment to US
authorities to settle money-laundering
-
allegation in 2012, and that's one of the
most famous example that the banks, of
-
course, fear very much. So if you look for
information how the information is
-
collected, Thomson Reuters says it
compiles a list using hundreds of
-
thousands of reputable sources in the
public domain. You got to remember that
-
slide, and especially the word "reputable
sources", because we will come back to
-
that a little bit later.
Tom: So how do they collect this
-
information? Well, Thomson Reuters
researchers look into public sources,
-
ranging from EU sanction lists, to local
newspapers in order to find names to add
-
to the database. In total, Thomson Reuters
says that World-Check contains profiles on
-
over two million entities, and that it's
adding 20.000 profiles a month, and
-
updating 40.000. So the list is growing all
the time. Now, this is a job advert for a
-
position as a World-Check researcher in
Washington DC and it states, that among the
-
many responsibilities you need to write
more than 220 highly structured and
-
sourced biographical intelligence profiles
every month. I think it's really nice of
-
them to be so upfront about the workload.
And that's about 1 hour per profile,
-
if you're working full time. So it must be
quite a challenge if you are the assistant
-
research associate to maintain accuracy
and quality under that kind of workload.
-
Jasmin: So not many people had heard of
this list until recently but it's one of
-
the biggest of its kind. According to a
World-Check datasheet the service is used
-
by over 300 intelligence and government
agencies, 9 out of the world's top 10 law
-
firms and 49 of the world's 50 largest
banks. Overall more than 6000 customers
-
from 170 countries are reportedly on their
customer list. The content of the list is
-
secret because Thomson Reuters doesn't
tell people when it adds them to the list
-
and banks are forbidden from passing on
the information. Access is only granted
-
after a vetting process, so the user has
to sign a nondisclosure agreement and also
-
using the database is quite expensive. A
year's access can cost up to 1 million
-
euro.
Tom: In recent years there have been some
-
excellent investigations by other
journalists, who've highlighted some
-
possible issues with World-Check. The BBC
has been investigating why HSBC closed the
-
account of Finsbury Park Mosque in London
without any explanation. The BBC
-
researchers found that the mosque had been
listed in World-Check in the terrorism
-
category. So that may have been part of
the bank's decision. VICE news was also
-
able to view some of the entries in World-
Check through a client of Thomson Reuters
-
and they discovered more examples of
questionable entries. So we knew that
-
there was something potentially going on
with this database, but it mostly remained
-
confidential and nobody had been able to
view the entire database in order to find
-
out, whether there were wider
issues with the system.
-
Jasmin: But then there was a leak: In
summer 2016 this security researcher Chris
-
Vickery was doing what he very much likes
to do. He was scanning the internet for
-
CouchDB instances exposed to the world
without any username or password. Well,
-
you can imagine what comes next.
applause
-
Jasmin: He would contact the owners to
encourage them to secure the data but he
-
found something really interesting, and
that was the copy of the World-Check
-
database from 2014. With him finding it
the question came up in his head: He
-
asked: "I have a terrorism blacklist. I
have a copy, should it be shared?" Chris
-
posted on Reddit to say that he was facing
a dilemma about, whether to release the
-
entire database or not. Because on the one
hand the database was apparently compiled
-
from public sources, so: what's the
problem with publishing public sources?
-
The World-Check is a system that is used
to make decisions about people's lives and
-
secrets, so maybe transparency would be in
their interest. But on the other hand it
-
contained personal data relating to
millions of people, who might suffer harm
-
if the information was disclosed. Since it
is not so easy to ask the 2 million
-
people, if he's allowed to publish it, he
was asking himself so what now to do.
-
Thanks to the previous work of the BBC
advice we as journalists had reason to
-
believe, it would be in the public
interest to review this data. So we made
-
contact with Chris and before viewing the
leaked data we considered of course the
-
ethical, legal and security implications.
Tom: We had a chance to fully reveal how
-
the system works for the first time. And
this is what the file looked like:
-
laughter
Jasmin: Isn't it beautiful?
-
Tom: We agreed with Chris that we would
use the data to do responsible journalism,
-
but not to publish the data itself, so we
can't show you the full database in this
-
presentation. When we received the data it
was a 4 GB JSON line delimited file with
-
no documentation. The first thing I had to
do was write a parser in Python. I started
-
to flatten this JSON file into a CSV file.
Then we had a 4 GB CSV file and I loaded
-
that into Postgres in order that we could
do some analysis of the contents of this
-
database. So this is an abridged version
of the field list showing you the really
-
key pieces of data on each of these
profiles. We've got an ID, we've got an
-
entity type, that is, if this is a person
or an organization, for people there were
-
first names, surnames, aliases. Position
would be: if you're a politician, this
-
would say what your position is in the
government. The categories were really
-
interesting, because these might be that
you're a politician as mentioned or might
-
be that you're in the terrorism category
or the financial crime category. We've got
-
dates of birth and countries and
nationalities, obviously those are really
-
important so that banks can identify the
customers correctly. Information text was
-
possibly the most interesting part of the
data. And then we had various links to
-
other profiles, the source URLs which
turned out to be really crucial and the
-
dates on which the records have been
created and updated. You know, some of
-
these fields were self-explanatory, but we
really needed to see what this database
-
looked like to the end-user to understand
how this information would be interpreted.
-
Like any good investigative journalists ..
we of course turned to Google. After a
-
bit of experimentation we discovered the
magic words: searching for "you are
-
strictly prohibited from disclosing or
copying the content of this service".
-
applause
-
Tom: And sure enough we find some examples
of profiles from World-Check, which people
-
may or may not realize are on the internet
and accessible through Google. Some of
-
these are from the Panama papers, so
obviously the person who put that one
-
there knew what they were doing. The first
example in this result is interesting
-
though because we have the word "intranet"
in the URL and we should perhaps tell this
-
company that their intranet is not an
intranet.
-
laughter
-
Jasmin: Maybe they found out by
themselves.
-
Tom: They know now, hopefully. This
example is actually from a magazine in
-
Brazil which published World-Check
profiles that they obtained as part of an
-
investigation. This was really useful
because we could see exactly what the data
-
looks like to the end-user. This profile
belongs to Eduardo da Cunha, who was the
-
former leader of the Brazilian Chamber of
Deputies and as I said it was published by
-
the magazine. We can see here the
categories that he's been assigned: in
-
this case he's a political individual and
he's a PEP. PEP stands for politically
-
exposed person. This is a term in anti-
money-laundering legislation that means
-
this person is in senior public office and
they are potentially in a position to take
-
bribes and launder corrupt funds. It
doesn't mean necessarily that they've done
-
anything wrong, but the money laundering
rules say that banks have to scrutinize
-
these people very carefully. So if you are
a politician you might be called up by
-
your bank and they would say we need to
interview you about your sources of income
-
in order to establish what the legitimate
level of income is and if you exceed that
-
level you'll be reported to the
authorities. The definition of PEP also
-
includes the immediate family of the
public officials and we'll see that on the
-
next slide. When we scroll down after the
age and date of birth we've got these
-
links to other profiles: These are the
Brazilian politician's immediate family
-
members, who have their own profiles. Then
further down we've got the reports, so in
-
this case this politician was actually
accused of doing something wrong, it
-
wasn't just that they're a politically
exposed person. There's a report of an
-
allegation of corruption there and since
this profile was published it turned out
-
that he was convicted of corruption. So
this is an example of a profile of
-
somebody who turned out to be guilty. Now
that we understood what a profile looked
-
like we started to analyze the scope of
the database.
-
This table shows for each country how many
people were profiled in World-Check as it
-
stood in 2014, which was the date of the
copy of the database that Chris Vickery
-
found online. We're showing here for each
country with at least 5000 entries the
-
number of non-PEPs, so that could be
people in the terrorism or the crime
-
category or it could be various other
things. The number of PEPs: we would
-
expect them to be senior public officials
but it's interesting that there are a lot
-
of countries where there are tens of
thousands of PEPs and so that suggests
-
that perhaps they've cast the net quite
wide there. We're also giving numbers of
-
relatives of PEPs. We spent a lot of time
browsing the data for our countries and
-
querying the database to understand the
types of the different types of people
-
who've been included. And then everyone in
our collaboration started finding people
-
who really didn't belong on the list. And
we started to ask: How did these innocent
-
people end up on this watchlist?
Jasmin: We were for example really
-
surprised to find Greenpeace, 16
Greenpeace activists, on the list, who
-
were arrested for peacefully protesting
this "Star Wars" missile defense program
-
in 2001. They were listed under the
general category "crime". That was a bit
-
weird, because they did plead guilty to
criminal trespass, but never served time
-
for this minor charge. But 12 years later,
they would still be on that list.
-
Tom: This is another example, this time
from the UK, from a town called Chelmsford
-
in the South of England. This woman is
Jackie Arnott and she was listed in the
-
politically exposed persons category along
with a record of all her civic activities.
-
So here she is at work, volunteering for
an organization called "Harvest for the
-
Homeless". This is a local campaign in
Chelmsford that was collecting food for
-
people in need. Jackie Arnott is not a
senior public official as you might expect
-
a politically exposed person to be. In
fact her only connection to power seemed
-
to be that her husband Allen had been the
mayor of Chelmsford, which is a ceremonial
-
position. Now to a different town in the
South of England: this is leafy Kingston
-
upon Thames. This is a view of the town
hall: it's all very genteel and this is
-
one of Kingston's local politicians: Yogan
Yoganathan. You can see the letters MBE,
-
member of the British Empire, after his
name. He was given an honour by the Queen
-
for his services to local government and
community relations in Kingston upon
-
Thames. Among his activities he was a
peace campaigner. He campaigned for peace
-
in Sri Lanka and that led to him being
listed in World-Check and being linked to
-
allegedly the Tamil Tiger terrorist
organization, which is an extremely
-
serious and very upsetting claim to have
made about you, not least if you're a
-
peace campaigner. The World-Check database
gave the source for this allegation as a
-
Sri Lankan government website which in
2007, at the height of the civil war in
-
Sri Lanka, has said: These guys in London
organising peace protests about Sri Lanka,
-
they're all Tamil Tiger terrorists. And
that allegation had made its way into the
-
World Check database and Mr. Yoganathan
said he was very hurt by this allegation
-
and this was completely untrue and
completely without any other basis in
-
fact.
Jasmin: So remember when we said, you
-
should remember this slide because of the
beautiful words "reputable sources". If
-
you read a little bit further Thomson
Reuters says: "researchers are bound to
-
comply with strict research criteria and
must remain objective at all time". Well
-
it seems that the research team was a
little bit flexible on these rules. The
-
reasons why innocent people showed up on
the list were very often the problem of
-
these "reputable" sources and handling
them. Now we would like to show you some
-
of the sources and we put together a
little ranking for you.
-
laughter
Jasmin: You might all know that one. Yeah,
-
Wikipedia. We thought we give number 5 to
Wikipedia. In thousands of profiles World-
-
Check used Wikipedia as a source. Well
here you still might think: okay it's only
-
for general information, so maybe it's
fine. What about the next one?
-
Tom: Well at number 4 we have conspiracy
sites: this one is called cyberclass.net
-
and it has all the educational resources
you might need on alternative accounts of
-
the 9/11 attacks. World-Check research has
also cited it in a profile of a British
-
businessman, which of course was
used by the banks.
-
Jasmin: Number 3, also really interesting:
We found state-run sites or state-run
-
propaganda you must say, also used as
sources, for example China Daily. It's the
-
biggest newspaper in China and state-owned
and even though it's not an official organ
-
of the Chinese Communist Party, it's
considered to be a quasi-party newspaper.
-
Because of this commentary that you see on
the right side, it's saying that there's a
-
terrorist group, the Tibetan Youth
Congress, the prominent diaspora
-
organization, is listed as a terrorist
group on World-Check. What we found
-
pretty, I don't know how to say it.. the
research team used this article as the
-
only source for this profile recording the
Chinese government's accusations.
-
Tom: At number 2 we have a website that
unfortunately you might have heard of:
-
Hundreds of listings referenced reports on
Breitbart. At the time, Breitbart was
-
selectively reporting on what it called
"black crime" and there was a whole tag
-
page for what they called "black crime".
There were hundreds of listings that
-
referred to reports that have been carried
on Breitbart. But number 1 ...
-
Jasmin: Our number 1 ...
Tom: We have Stormfront which, if you
-
haven't heard of it, it's a forum for
white supremacists. It was founded in 1995
-
by a former Ku Klux Klan member and there
were several listings that referred to
-
Stormfront. Among them listings for two
black British people containing links to a
-
discussion thread on the forum.
Jasmin: So the problem really is that
-
World-Check uses all the sources that they
can find, which is fine, but it seems that
-
they don't differ between a news site, a
propaganda site, extremist sites, whatever
-
site. And all the sources and information
they collect, but they don't weight it or
-
rate it or assess the information. So for
example, if a state attorney accuses a
-
person or if a competitor blackened
somebody in a media report, the
-
information gets into the World-Check
database without any filtering and there
-
is no final verification of this or any
accusation.
-
Tom: World-Check found an interesting way
to deal with this problem of unreliable
-
sources or potentially unreliable sources:
In the profiles they've added this general
-
legal notice. Here they mention that
everyone who views this database should
-
carry out independent checks to verify the
information. They later added a further
-
disclaimer saying: If this profile
contains negative allegations it should be
-
assumed that such allegations are denied.
This is an interesting legal concept, that
-
you can carry these extremely damaging
accusations that people are linked to
-
terrorist groups, but of course you can
tell your customers to assume that the
-
allegations are denied and to check the
information out themselves. We found many
-
people on the list that had encountered
difficulties with their banks and that
-
raises the question of whether some banks
and users of the list were able to heed
-
this warning and launch their own
investigations after seeing adverse claims
-
in World-Check. In fact, somebody I spoke
to as part of my research who works for a
-
bank said that they were under such
pressure that if they found an adverse
-
listing in World-Check, it would be
extremely difficult for them to disprove
-
it, you know, given the time that was
available. This is one issue. But besides
-
the problems with the sources and the lack
of verification of the information there
-
is another reason why innocent people have
ended up in this watchlist: Our research
-
showed that the database carries entries
for people who are merely accused or
-
investigated over possible crimes without
being charged or convicted. Reports of
-
minor convictions are kept on file for
years after the event as we saw with
-
Greenpeace. and sometimes people had been
cleared of their charges but their entries
-
hadn't been updated to reflect that
information. So innocent people just kept
-
being guilty in the world of the database.
Jasmin: For example like him, so please
-
meet the terrorist Andrej Holm, or at
least that's what World-Check suggested
-
for a couple of years. Holm, maybe some of
you know him, is a very well-known
-
sociologist and later he was a short time,
in German "Baustaatssekretär". Maybe in
-
English at something like housing
secretary in the Berlin State Government.
-
He was targeted by the Federal
prosecutor's office ten years ago. The
-
suspicion was: Membership in a terrorist
group. He was arrested at the end of July
-
2007 and detained for 3 weeks. Holm had
obviously been investigated because he had
-
being critical of the displacement of
poorer people and cities and he wrote it
-
in a very similar way or similar words to
a left-wing extremist group active at that
-
time. But in the end the suspicion that he
could be a member himself proved totally
-
unfounded and in 2010 all procedures
against Holm were discontinued. He was
-
even compensated for his imprisonment. In
the end for the state and justice Holm was
-
innocent. But when Holm wanted to become a
customer at Norisbank two years later in
-
2012, the institute refused to open his
bank account and that even without any
-
explanation. That was when Holm still did
not know that he was on the watchlist of
-
World-Check. When we told him and we
talked to him he said: I have a bad
-
feeling when my life is recorded there
without me being aware of it or having any
-
influence on it. Even years later such an
entry can permanently make life
-
significantly more difficult. But
apparently there are institutions that
-
rely on World-Check or similar databases.
When we talked to the Norisbank they said
-
that the Name List screening, that's what
it's called, was an essential part of
-
fulfilling the legal requirements for
combating financial criminality. It's
-
about preventing money laundering, they
said. And the due diligence check would
-
use many different databases as data
sources. I found a little bit funny that
-
they wouldn't talk about at all about the
case from Mr. Holm and they said: They
-
cannot give any information because
of data protection reasons.
-
Tom: We saw in the marketing brochure that
Thomson Reuters say that 49 of 50 of the
-
world's biggest banks use World-Check. We
had a pretty strong idea that most of the
-
big-name banks would be using it. But for
my UK audience I wanted to confirm that
-
the high street names that my readers
would be familiar with had used this
-
database. I had information that the Co-
operative Bank among several other big
-
names had used World Check and I asked
them to confirm that that was the case.
-
And this is what they said: "I can confirm
that the Co-operative Bank doesn't use and
-
has not used World-Check." Well, this was
an interesting response. I went back to
-
Google and I did a site-search on LinkedIn
for World-Check and the Co-operative Bank
-
and this is what I found: This is Michael,
he says he is a high-risk case-analyst at
-
the Co-operative Bank and his previous
position in 2015: he was an anti-money-
-
laundering analyst and this gives the
description of his responsibilities. At
-
the bottom there you can see that that
included exiting customers where necessary
-
if they were found outside the bank's risk
appetite, which is a euphemism for: he can
-
close your account if you're too risky. So
this was quite obviously a considerable
-
responsibility and then further down in
the job description he says that he used
-
systems including World-Check to make
these decisions.
-
So I went back to the Co-operative Bank
press spokesperson and sent them an
-
attachment to see what they had to say
about this. And the reply came: "I can
-
confirm that we do not use World-Check and
any access to that database the bank had
-
was in excess of 5 years ago." So they
admitted that they had used the database,
-
but they're now saying that they don't use
it anymore. I think this is an indication
-
of exactly how much secrecy there is on
the part of the banks and resistance to
-
any kind of accountability. You know,
they're questioned by a journalist from a
-
national newspaper, they give completely
inaccurate information about whether they
-
had used this system and only admitted it
when they were confronted with evidence to
-
the contrary. You know, if you're a Co-
operative Bank customer, you really ought
-
to have a right to know what is being done
with your data and how decisions about you
-
are being made. This is all enshrined in
data-protection law and this seems to be
-
at odds with all of those principles.
So we put all of the findings from the
-
different countries to Thomson Reuters and
they didn't really come back to us on any
-
of their specific cases, but they gave us
a statement. One of the things they said
-
was that "Individuals can contact us, if
they believe any of the information held
-
is inaccurate and we would urge them to do
so." This is quite tricky, if your bank is
-
not allowed to tell you, why your account
has been closed. The bank is certainly not
-
allowed to show you your listing on World-
Check. We have to admit that you can
-
submit a subject access request to Thomson
Reuters, if you have a hunch that you
-
might be on the list, and then you can
find out and obviously you could challenge
-
your information. But whether that would
be acted upon is another question. Thomson
-
Reuters said they provide identifying
information such as dates of birth and
-
this will be verified with reputable and
official sources. On some of the
-
unreliable sources they said: "If blog
content appears it is only as a supporting
-
source for that secondary information and
is clearly identified as such". We don't
-
know if they've made improvements to the
database since 2014, so it may be that
-
things are different from the snapshot we
saw, but that's what they said.
-
And then they said: "In conclusion, it's
important to point out that the inclusion
-
in World-Check does not imply guilt of any
crime and every record states, if this
-
profile contains negative allegations it
should be assumed that such allegations
-
are denied. The accuracy of the
information found in the underlying media
-
sources should be verified with the
profile subject before any action is
-
taken." One final point they made is that
there are competing databases to World-
-
Check. So LexisNexis and Dow Jones also
produce watchlists and we don't know if
-
there are similar problems with those
lists. Why has this happened? You know, we
-
mentioned that banks are under huge
pressure from governments to weed out
-
terrorists and money launderers among
their customer bases and what's the
-
environment in which this has come about?
We don't have a full answer to this
-
question, but I want to show you one email
that gives a sense of the atmosphere and
-
the paranoia that has led
to the current regime.
-
So this email is from a man who says he's
the World Check's General Counsel. It was
-
sent in 2002 to a US Treasury consultation
and so this is a public document. He
-
declares his interests, he says he works
for a company that sells a product to help
-
financial institutions conduct money
laundering checks. Obviously this is a
-
short time after 9/11 and he argues that
under the Patriot Act financial
-
institutions must be proactive about
tackling money laundering. He exerts the
-
considerable moral pressure, even going so
far as to suggest that the banks were
-
helping the terrorists by their lack of
action. So he writes: "The U.S. is in a
-
war on terror and the front lines of the
war are at the doorsteps of every US
-
financial institution. US financial
institutions are inadvertently aiding and
-
abetting domestic terror against American
citizens." This is just one company's
-
viewpoint, I'm sure the US Treasury took
in lots of different viewpoints when they
-
were forming this legislation, but I think
this gives a nice sense of the kinds of
-
arguments that were being made. If you
want more on the wider context of this
-
there's a really good book called
"Speculative Security" by Marieke de Goede
-
which goes into this in more detail.
So can the system be improved or repaired?
-
Again, we don't give an answer to this
question but some thoughts have occurred
-
to us: There could be better selection of
sources used to compile this kind of list.
-
Perhaps you would narrow it down a bit
more to the official sanctions lists and
-
people who are actually convicted of
crimes. Those kinds of categories of
-
sources, maybe news reports in reputable
outlets, perhaps news reports that are
-
confirmed by more than one outlet, that
kind of thing. You could also indicate the
-
quality of the information. So if you're
going to insist on republishing the fact
-
that the Sri Lankan government has accused
a person of terrorism, maybe you would
-
flag up that the Sri Lankan government
certainly at that time did not have a good
-
record for reliability on who it was
accusing of being terrorists. You could
-
also give rights of reply to people: So on
your credit history you can go to a credit
-
reference agency, see what is said about
you and reply to the criticisms of you
-
that are made there. They could think
about doing that. There is an initiative
-
to make an open-source sanctions watchlist
at opensanctions.org, which of course
-
brings lots of advantages and everyone can
see what is said about them on the list.
-
And I think there's also the wider
question of whether we actually want banks
-
to have this responsibility of predicting
and foreseeing crime among their
-
customers. Do we want the private sector
to do that job or do we want that
-
responsibility to be squarely on the
judicial system or on the criminal justice
-
system? So with that ...
Jasmin: So...
-
Tom: Go on.
Jasmin: No, go on.
-
Tom: We'll be very happy to take your
questions and these are all contact
-
details, so thank you very
much for your attention.
-
applause
-
Herald: Thank you very much for this
-
super-interesting talk. I have good news
for all of you: we have about 20 minutes
-
time for Q&A, so please pile up at the
microphones, if you have any questions, of
-
which I am sure there are many. We are
going to start with one question from the
-
Internet.
Internet-Question: Considering the
-
database is still online has it undergone
changes to conform to GDPR?
-
Tom: I don't think we have any information
on that, sorry.
-
Herald: Alright, thanks, let's start with
another question from microphone number 1.
-
Mic1: Thank you. If he was the general
council for the World Check company, at
-
what point was it acquired by Thomson
Reuters? Or was it already part of Thomson
-
Reuters?
Tom: It wasn't at that point, it was some
-
years later. An interesting point actually
about his job title is that, if you go on
-
his LinkedIn page, he does have a law
degree, this guy, but his job title at
-
world check in 2002 was not General
Council, but a Head of Business
-
Development. I don't know, if that's just
a mistake on his LinkedIn.
-
Herald: Maybe another question from
microphone number 3.
-
Mic3: So I want to know, if I make a
request to access my data will that put me
-
on the list?
And my actual question is: Where did they
-
get the names from? Because essentially
the analyst that does 220 profiles a day,
-
does he get to pick the names?
Jasmin: Yes. So if you put a request to
-
World Check your name will not be on the
list afterwards. So you can do it if you
-
want. And this is how it works: The
research team goes through the internet
-
and looks for articles and picks out names
and puts them in.
-
Mic3: Ok, so they should be people, who
don't go on Stormfront essentially to pick
-
names. Because is that what's happening?
Like they hire people and they go on
-
Stormfront all day and randomly pick
names? No, but seriously?
-
Jasmin: I don't know, if they do it like
that, but somehow they came up with the
-
source, yes.
Mic3: Okay, thanks!
-
Herald: Microphone number 4.
Mic4: Hey, thanks for the talk. You've
-
mentioned a few people that were on there
wrongfully, but what percentage are
-
actually wrong on there of the profiles
that you viewed?
-
Tom: We don't have a percentage, we think
it's a minority, there are lots of people,
-
who did do bad things and get onto the
list. But of course it undermines the
-
credibility of the entire database, when
there are you know many many examples that
-
we were able to find without even it's not
like we read all 2 million profiles, so
-
who knows. But obviously it's a very good
question.
-
Jasmin: I think it's an excellent
question, but I have to admit that we
-
didn't review all the 2.2 million
profiles.
-
Herald: Alright, mic number 2, please.
Mic2: Thank you for your work on this
-
really important subject. I myself ended
up on that list and lost my bank for two
-
years because of it. With how essential
banking is in the modern world to get
-
paid, to pay your bills, to do anything,
what options to people who have had their
-
banks or organizations like Finsbury Park
that have had their banks closed and on
-
these lists have? Especially with their
lists being so ubiquitous amongst all of
-
the major banks?
Tom: Well, Finsbury Park Mosque went to
-
court, and they sued Thomson Reuters
successfully and after that Thomson
-
Reuters changed the listing and admitted
that they had been wrong to list them in
-
the terrorism category. Obviously that's
not an option that's available to
-
everybody, I think the first step is to
request your data from Thomson Reuters to
-
see exactly what was being said about you
and then go from there. But it's very
-
difficult.
Jasmin: But for example Mr. Holm, he
-
didn't get a account at Norisbank, but he
ended up in another bank that didn't use
-
World Check and that was the Berliner
Sparkasse.
-
Herald: Alright, I think it's the
internet's turn again to ask a question.
-
Internet-Q: Would you agree that the
purpose of such a list is to protect not
-
only the banks from rotten customers, but
also the public from terrorism or the bad
-
businesses that could harm us? And if yes,
isn't that sacrificing a few for the
-
benefit of many?
Jasmin: I think, you shouldn't sacrifice a
-
few for the many, because it would be so
easy to make it better. We saw that these
-
sources were so obviously weird and wrong
and so, I think it wouldn't be necessary,
-
if they were to check the list a lot
better.
-
Herald: Mic number 1, please.
Mic1: Hi, great presentation. Did you find
-
any evidence of banks and such
organizations on disclosing information
-
about their customers towards Thomson
Reuters?
-
Tom: I don't think we saw any sign of
that. It does look like they stick to the
-
public sources. There were various entries
that had three-letter acronyms next to
-
them like CIA and various things. But I
think in all of those cases it turned out
-
that the CIA, or whoever, had said
something publicly about that person. So
-
it didn't seem that there was any covert
cooperation in either direction.
-
Herald: Mic number 3, please.
Mic3: Thank you for your work. Obviously,
-
it's disheartening to see such sites as
Stormfront and Breitbart being, well,
-
cited as sources. In your work did you
find how much of the of the data was
-
supported by these so-called "reputable
sources", these extremist sites as the
-
category.
Jasmin: How many?
-
Tom: It depended on the site. I think
Breitbart was hundreds of entries. They
-
were focused around a particular country,
which wasn't the US, it was another
-
country. Which suggested to us that
potentially it had been a researcher, who
-
had a particular fondness for Breitbart,
who had decided to use that as a source.
-
So there seem to be a lot of variation
between different countries in the mix of
-
sources that have been used.
Herald: Mic number 4, please.
-
Mic4: Hi, thanks. I work on cryptocurrency
stuff, so obviously have a long-standing
-
interest in financial privacy and
openness. There was a really interesting,
-
although terribly written book, I would
not recommend it, but was written by
-
someone, who was at US Treasury and
crafted kind of post 9/11 policy around
-
sanctions. One of the things he said in
the book was immediately after 9/11 they
-
were willing to put people on the
sanctions list and block you from the
-
entire international financial system at
80% certainty level. So if they're about
-
80% confident that you are somehow related
to terrorism, they would just kick you
-
out. So I was wondering, if.. because I
know a lot of the interest in preventing
-
mass surveillance is all about making it
more expensive, so as to force people to
-
target it more specifically. I was
wondering, if you had any thoughts on what
-
kind of direction people should be
thinking about going in terms of forcing
-
more targeting of preventing people from
international financial access. Instead of
-
allowing it to be so broad and you know
controlled by so few.
-
Tom: Use cash.
Jasmin: These were already some good
-
thoughts.
Tom: I mean, I think we should ask our
-
government for accountability on this kind
of surveillance, as we would with a
-
communication surveillance or any other
kind of surveillance. But we've only just
-
looked at one part of this system, we've
looked at this one watchlist, but this is
-
part of a whole range of stuff that's
going on. So I think we should continue to
-
look at financial surveillance alongside
other forms of surveillance.
-
Herald: Alright, Mic number 2, please.
Mic2: I have a question concerning the
-
Financial Action Task Force, which is an
intergovernmental organization
-
compromising both European Union countries
and GCC. Have you confronted them with the
-
work that thousand in the banks are doing?
Jasmin: I didn't.
-
Tom: We haven't been to them directly, but
one of the really useful things that we
-
pick it up from the Financial Action Task
Force is that their definition of politically
-
exposed person talks about senior public
officials and this database seemed to go
-
way further than that. So there seems to
be an interesting discussion going on
-
about where the limits of this kind of
surveillance should be drawn. You might
-
take the view that heads of state, there's
not really any problem with surveilling
-
their financial activity, but when you
start to cast the net wider then this kind
-
of thing seems to have more worrying
implications.
-
Herald: Internet, if you got a question,
fire away.
-
Internet-Q: It looks like Thomson Reuters
basically says you can't disclose the
-
information you find in our system,
because we have the copyright on it. So
-
are there any jurisdictions that have a
law that would require banks to report
-
what information was used to determine
that someone was considered a risk?
-
Jasmin: No, there's no law that the banks
has to say it, but as Tom mentioned before
-
the people that think that they're on a
list they can confront will check with
-
this.
Tom: And I think in some jurisdictions
-
there are exemptions from subject access
request rights for anti money laundering
-
purposes. I'm not sure exactly how big a
part that plays but that may be part of
-
the reason why banks think that they can
just deny people any answers to why these
-
decisions have been made.
Herald: Mic number 1, please.
-
Mic1: Thank you for the excellent talk.
You mentioned that legal regulations
-
require that banks use some kind of
blacklist. Do you know what criteria these
-
regulations cite? So quality control
doesn't seem to be among them. Could you
-
start your own list and send it to banks?
Jasmin: You're right, quality control
-
seems not to be part of it. But the
regulation is, for example, the, I don't
-
know the English word, "Sorgfaltspflicht"
(due diligence obligations) for the
-
customer. You have to make sure that the
customer is not a criminal or a terrorist.
-
And there are many regulations asking for
it. For example, the EG money laundering
-
law from starting 1991 and then it got newer in
2001, 2005. So that's mainly the part that
-
we focused on because it's the part
that's important for the World Check
-
database.
Herald: Alright, Mic number 3, please.
-
Mic3: Thanks for the talk. You did find a
lot of people who are on the list
-
wrongfully and I'm curious if you informed
them that they are on the list or if you
-
informed the company that they had these
people on the list that shouldn't be
-
there. Especially I'm interested what
happened to the Greenpeace activists you
-
mentioned. Do you have any information if
they are still on the list or not?
-
Jasmin: All the cases that we showed to
you, all the ones we talked to, we
-
confronted them and we asked them, if we
can publish their case and all of them
-
went to World Check and asked if they are
on the list, and asked also to delete them
-
on the list and I think in almost all the
cases the people actually were deleted.
-
Tom: I think in some of them at least.
And as Jasmin said, we were very careful
-
only to publish people's names, if they
had given their consent for us to do that.
-
The response I got from Jackie Arnott, who
was the woman in pink, who you saw in the
-
presentation, was that the last time she
had any adverse attention from the
-
authorities was when she went on holiday
in the 1980s to the Eastern Block and she
-
got a phone call from the British Foreign
Office to say: "What are you doing? Going
-
over there?" And this was what came to her
mind, when we told her about her listing
-
in World Check.
Herald: Thanks. Mic number 4, please.
-
Mic4: Thanks, in the LinkedIn profile you
showed there were a few other systems, I
-
think Dow Jones and one other, do they
suck as badly as World Check?
-
Jasmin: Well we did check them and there
was no leak yet. But if there will be,
-
maybe we can tell you next year. Applause
Herald: Alright, Mic number 2.
-
Mic2: Hi, thank you. Can you go one slide
back? Thank you. I was wondering, because
-
you said that their sources were like
terribly wrong and weird and I was
-
wondering, if we assume that they are not
wrong and weird, but they're there that
-
they are working perfectly well and that
all of these questions like the answer to
-
all these questions was: It's working
perfectly well. Who would be the
-
people, who it's working perfectly well
for? And who especially is targeted here?
-
And is there any possibility of action in
that scenario, in this possible world, in
-
which this was working perfectly well as
it is?
-
Tom: I think maybe there are two different
answers for the politically exposed
-
persons and for the people accused of
terrorism. I think for politically exposed
-
persons, to me, you can make quite a strong
case that senior public officials should be
-
subject to the financial surveillance. You
know, if you are a prime minister and
-
suddenly you have millions of pounds
flowing through your bank account, maybe
-
that's a legitimate..
Mic2: No, sorry. I was not asking, what
-
are the perfect normative conditions under
which this would function. I was asking,
-
given the state of things as it is now was
the perfect way of working, who would it
-
be perfect for? Who is the real
beneficiary of this wrong and weird way of
-
working? That's my question.
Tom: Well, I don't think it benefits the
-
public. Because I don't think this is a
real serious way of stopping terrorism and
-
I'm not even sure that it's a real serious
way of stopping political corruption.
-
Because actually we looked into some of
the cases that came out through the Panama
-
papers and similar things, which showed
sometimes that banks had looked at a
-
person's World Check listing, seen that
they were in the watch list, but said:
-
This is actually a very lucrative client.
So we're going to keep banking them. So
-
there are two sides to it and I think
that's a very important question.
-
Herald: Internet, it's your turn again.
Internet-Q: Tom, considering the
-
proprietor of your newspaper, Rupert
Murdoch, was there any kind of pressure as
-
to what you published about them?
Tom: About World Check, well, that's a
-
question for the internet, isn't it? No.
Herald: Microphone number 1, please.
-
Mic1: Yeah, two questions. The first is
about deletion: Did I get it right that
-
there's no established mechanism or
process, as well as it is known, for
-
deletion of datasets in that database?
-
So they claim how many thousands
sounds of records they add and they
-
update. So there is some procedure for
reading but none for deletion. It's
-
obviously weird. The second is about
asking them what they have in the records,
-
if they have a record about me, for example,
could I just ask them? And they should
-
answer me? Are there some conditions, are
there costs for it? And maybe guessing:
-
How would they react if, say, 15000 people
would ask the question?
-
Jasmin: About the deletion of data, you're
totally right. There seems to be no
-
process in reviewing the data that all the
data that shouldn't be in there is not in
-
there anymore. That's a problem, because
as we know everybody has the right to
-
be forgotten in the internet. And to the
second question, you can ask them, you can
-
go there and write them an email and ask
them, if you're included in the database.
-
But what they say if 15000 people would
ask them, I don't know. Maybe you can ask
-
them that.
Tom: And remember they're very productive,
-
they could do 220 profiles in a month, I
was writing them, so truly they can handle
-
15,000 requests, I think.
Herald: Mic number 3, please.
-
Mic3: Have you found any evidence that the
customers were pushing sources on World
-
Check, that some of the customers might
have used them just as a filtering
-
mechanism and push sources that wouldn't
be normally checked?
-
Tom: We don't have any evidence of that.
But you do raise an important point, that
-
some of the banks said: Well, we use lots
of sources. And some of the banks said: Of
-
course, we wouldn't just go on a World
Check listing. But again, it's very
-
difficult to know exactly what was the
information that HSBC considered, when
-
they closed the mosque's account, because
that is all subject to secrecy.
-
Herald: Mic number 4, please.
Mic4: Can I please also ask you to go to
-
the previous slide?
Jasmin: Of course.
-
Mic4: I think the problem is we are
focusing too much on the list itself. I
-
have difficulties imagining that we can
control all these lists, which are
-
circulating, which are being created by
different companies. I think the problem
-
arises, when they are used. So I don't
know if we can really achieve through
-
legislation or through some kind of
control better sources, better information
-
quality, or whatever. Maybe it should be
at the point where they are used I in
-
banks, there should be really the
legislative mechanism, the kind of legal
-
mechanism to solve this. I am imagining,
for instance, if the bank uses sources
-
like these and denies the person to open
an account. Or the same case with all
-
these lists which exist for phone
companies and lots of lists like that in
-
different sectors, if that person is
denied the account opening, there could be
-
a mechanism by which the person would
force the bank or the institution to
-
disclose the sources and to initiate some
kind of legal procedure. This would mean..
-
Herald: Would you be so kind as to develop
a question? Because a lot of other people
-
still have questions and we have only a
few minutes left, thank you very much.
-
applause
Mic4: The question is: Do you think it
-
should be rather that we focus on the
banks or the points, where this
-
information is used, rather than talk
about the companies which make these lists?
-
Jasmin: I think that's a really good
question, because it's actually a question
-
of who takes the responsibility for a
decision? And the funny thing is that
-
World-Check puts all the weird sources in
it, but still says: "Oh general legal
-
sentences, you have to check by
yourself.." and then the bank says: "No,
-
in World Check, there was a list and this
name was on the list." So right now we
-
have the scenario that people don't feel
responsibility and I think that's the
-
problem.
Herald: Alright, we have time for exactly
-
one last question and I hope you don't
mind, if I give it to the internet,
-
because everybody else has the chance to
catch the speakers later. So if there's
-
one, please fire away.
Internet-Q: Are there any high-profile
-
politicians on the list?
Tom: Yes, I mean the politicians that you
-
would expect to be on the list, heads of
state, were on the list, so I guess at
-
least that part of the system is working.
Herald: Please give another huge round of
-
applause to our speakers but this super
informative talk. Thank you so much.
-
Tom: Thank you!
-
34c3 postroll
-
subtitles created by c3subtitles.de
in the year 2019. Join, and help us!
