< Return to Video

34C3 - Financial surveillance

  • 0:00 - 0:15
    34c3 preroll
  • 0:15 - 0:19
    Herald: Welcome everybody to our next
    talk: Financial surveillance, Exposing the
  • 0:19 - 0:24
    global banking watch lists. I think
    everybody in this room would agree that
  • 0:24 - 0:29
    mass surveillance is a very bad idea, and
    that of course also goes for financial
  • 0:29 - 0:34
    surveillance. And our next two speakers,
    Jasmin Klofta and Tom Wills, are two
  • 0:34 - 0:39
    investigative journalists, who have
    uncovered, how the system of financial
  • 0:39 - 0:44
    surveillance works. And I'm pretty sure
    that you are just as excited as me to find
  • 0:44 - 0:48
    out what they have found out. So, please
    give them a warm round of applause!
  • 0:48 - 0:59
    applause
  • 0:59 - 1:05
    Jasmin Klofta: So hello, nice to see you
    all. Microphone's not on I think? Be cool.
  • 1:05 - 1:14
    I think the headset doesn't work.
    Herald: Audio? Well you know there's
  • 1:14 - 1:19
    always a litttle thing that doesn't work,
    whatever this is. For the talk we just had before,
  • 1:19 - 1:23
    there was a live demo, it was very well
    planned - still something went wrong. I think
  • 1:23 - 1:27
    everybody in the audience had a lot of
    empathy, because nobody wants to be in
  • 1:27 - 1:31
    that position. But I think we just fixed
    the problem. Is it fixed? Is it about to
  • 1:31 - 1:34
    be fixed?
    Jasmin: I will try a little bit, yes!
  • 1:34 - 1:36
    Herald: There we go! Round of applause,
    now we go!
  • 1:36 - 1:41
    Jasmin: We can start!
    applause
  • 1:41 - 1:46
    Jasmin: So, it's nice to see you all, so
    happy that so many people came. I want to
  • 1:46 - 1:51
    introduce to you: this is Tom - he's the
    data journalist working on investigations
  • 1:51 - 1:57
    at the Times of London and he specializes
    in a set of techniques such as data
  • 1:57 - 2:02
    mining, which can reveal wrongdoing and
    lead to stories that benefit the public.
  • 2:02 - 2:05
    Tom Wills: And this is Jasmin, she's an
    investigative journalist working in
  • 2:05 - 2:11
    Hamburg for Panorama at the broadcaster
    NDR, which is part of the ARD network, and
  • 2:11 - 2:15
    she focuses on politics, the digital
    economy, and surveillance. And we're going
  • 2:15 - 2:20
    to tell you tonight about findings of an
    investigation we conducted this year as
  • 2:20 - 2:27
    part of an international collaboration,
    and our colleagues were Eveline, Stefania,
  • 2:27 - 2:34
    Lars, and Cora. And Jasmin.
    Jasmin: Yeah, and together we investigated
  • 2:34 - 2:40
    the leaked database and published in June
    this year our stories in the UK, in
  • 2:40 - 2:45
    Germany, in the US, Netherlands, Belgium,
    and Italy. So what was our story? We
  • 2:45 - 2:50
    investigated, that innocent people around
    the world have been wrongly added to a
  • 2:50 - 2:57
    watch list of terrorists and criminals.
    This watch list of high risk people and
  • 2:57 - 3:01
    organization is compiled by Thomson
    Reuters, a British firm, and sold to
  • 3:01 - 3:06
    almost all the world's major banks, as
    well as police forces, intelligence
  • 3:06 - 3:13
    agencies, and non-government organization.
    It's called World-Check and the leak gave
  • 3:13 - 3:20
    us the opportunity to review the entire
    database for the first time.
  • 3:20 - 3:25
    Tom: So, what exactly is World-Check? Well,
    if you want to open a bank account, we
  • 3:25 - 3:29
    know that the bank might your credit
    rating to see if you are a reliable
  • 3:29 - 3:34
    borrower. But how does the bank know, if
    you're a criminal, or a terrorist, or a
  • 3:34 - 3:38
    potential money launderer? One of the
    checks that most banks will do, is run your
  • 3:38 - 3:43
    name against the World-Check watchlist,
    and they might look in here. If your bank
  • 3:43 - 3:48
    finds your name on the list, they might
    refuse your application, or they might
  • 3:48 - 3:52
    subject your financial transactions to
    extra scrutiny, or if you're an existing
  • 3:52 - 3:57
    customer, they might even
    close your account.
  • 3:57 - 4:03
    Jasmin: So, Thomson Reuters says about
    their list that it is to find hidden risk.
  • 4:03 - 4:09
    The list is of heightened risk people and
    organizations, such as terrorists,
  • 4:09 - 4:13
    fraudsters, or senior public officials,
    who might try to use the account to handle
  • 4:13 - 4:22
    corrupt funds. So they want to be kind of
    an early warning system for hidden risk.
  • 4:22 - 4:28
    And banks are even forced to use these kinds
    of lists by regulation, they have to take
  • 4:28 - 4:33
    steps to comply with sanctions and
    international and domestic law against
  • 4:33 - 4:38
    money laundering and terror financing. And
    of course we all want less terrorism, and of
  • 4:38 - 4:43
    course we want less money laundering,
    that's clear. And to put it in a World-Check
  • 4:43 - 4:48
    words, it's to help identify
    relationships or risk by providing highly
  • 4:48 - 4:53
    structured intelligence profiles and
    heightening risk individuals and entities
  • 4:53 - 5:01
    globally. But since 9/11, governments have
    to put more and more pressure on banks to
  • 5:01 - 5:07
    identify terrorists and money launderers
    among their customers. So, Thomson Reuters
  • 5:07 - 5:13
    advertises even World-Check with warnings
    about recent fines and settlements against
  • 5:13 - 5:20
    banks for violating sanctions. Maybe you
    know the.. this one story: HSBC had a
  • 5:20 - 5:27
    historic 1.9 billion dollar payment to US
    authorities to settle money-laundering
  • 5:27 - 5:32
    allegation in 2012, and that's one of the
    most famous example that the banks, of
  • 5:32 - 5:39
    course, fear very much. So if you look for
    information how the information is
  • 5:39 - 5:44
    collected, Thomson Reuters says it
    compiles a list using hundreds of
  • 5:44 - 5:51
    thousands of reputable sources in the
    public domain. You got to remember that
  • 5:51 - 5:56
    slide, and especially the word "reputable
    sources", because we will come back to
  • 5:56 - 6:01
    that a little bit later.
    Tom: So how do they collect this
  • 6:01 - 6:06
    information? Well, Thomson Reuters
    researchers look into public sources,
  • 6:06 - 6:11
    ranging from EU sanction lists, to local
    newspapers in order to find names to add
  • 6:11 - 6:17
    to the database. In total, Thomson Reuters
    says that World-Check contains profiles on
  • 6:17 - 6:22
    over two million entities, and that it's
    adding 20.000 profiles a month, and
  • 6:22 - 6:30
    updating 40.000. So the list is growing all
    the time. Now, this is a job advert for a
  • 6:30 - 6:35
    position as a World-Check researcher in
    Washington DC and it states, that among the
  • 6:35 - 6:41
    many responsibilities you need to write
    more than 220 highly structured and
  • 6:41 - 6:46
    sourced biographical intelligence profiles
    every month. I think it's really nice of
  • 6:46 - 6:51
    them to be so upfront about the workload.
    And that's about 1 hour per profile,
  • 6:51 - 6:55
    if you're working full time. So it must be
    quite a challenge if you are the assistant
  • 6:55 - 7:02
    research associate to maintain accuracy
    and quality under that kind of workload.
  • 7:02 - 7:07
    Jasmin: So not many people had heard of
    this list until recently but it's one of
  • 7:07 - 7:13
    the biggest of its kind. According to a
    World-Check datasheet the service is used
  • 7:13 - 7:19
    by over 300 intelligence and government
    agencies, 9 out of the world's top 10 law
  • 7:19 - 7:26
    firms and 49 of the world's 50 largest
    banks. Overall more than 6000 customers
  • 7:26 - 7:35
    from 170 countries are reportedly on their
    customer list. The content of the list is
  • 7:35 - 7:39
    secret because Thomson Reuters doesn't
    tell people when it adds them to the list
  • 7:39 - 7:46
    and banks are forbidden from passing on
    the information. Access is only granted
  • 7:46 - 7:51
    after a vetting process, so the user has
    to sign a nondisclosure agreement and also
  • 7:51 - 7:57
    using the database is quite expensive. A
    year's access can cost up to 1 million
  • 7:57 - 8:02
    euro.
    Tom: In recent years there have been some
  • 8:02 - 8:06
    excellent investigations by other
    journalists, who've highlighted some
  • 8:06 - 8:13
    possible issues with World-Check. The BBC
    has been investigating why HSBC closed the
  • 8:13 - 8:19
    account of Finsbury Park Mosque in London
    without any explanation. The BBC
  • 8:19 - 8:23
    researchers found that the mosque had been
    listed in World-Check in the terrorism
  • 8:23 - 8:28
    category. So that may have been part of
    the bank's decision. VICE news was also
  • 8:28 - 8:33
    able to view some of the entries in World-
    Check through a client of Thomson Reuters
  • 8:33 - 8:38
    and they discovered more examples of
    questionable entries. So we knew that
  • 8:38 - 8:42
    there was something potentially going on
    with this database, but it mostly remained
  • 8:42 - 8:47
    confidential and nobody had been able to
    view the entire database in order to find
  • 8:47 - 8:51
    out, whether there were wider
    issues with the system.
  • 8:51 - 8:59
    Jasmin: But then there was a leak: In
    summer 2016 this security researcher Chris
  • 8:59 - 9:03
    Vickery was doing what he very much likes
    to do. He was scanning the internet for
  • 9:03 - 9:10
    CouchDB instances exposed to the world
    without any username or password. Well,
  • 9:10 - 9:19
    you can imagine what comes next.
    applause
  • 9:19 - 9:23
    Jasmin: He would contact the owners to
    encourage them to secure the data but he
  • 9:23 - 9:27
    found something really interesting, and
    that was the copy of the World-Check
  • 9:27 - 9:35
    database from 2014. With him finding it
    the question came up in his head: He
  • 9:35 - 9:41
    asked: "I have a terrorism blacklist. I
    have a copy, should it be shared?" Chris
  • 9:41 - 9:47
    posted on Reddit to say that he was facing
    a dilemma about, whether to release the
  • 9:47 - 9:52
    entire database or not. Because on the one
    hand the database was apparently compiled
  • 9:52 - 10:00
    from public sources, so: what's the
    problem with publishing public sources?
  • 10:00 - 10:04
    The World-Check is a system that is used
    to make decisions about people's lives and
  • 10:04 - 10:09
    secrets, so maybe transparency would be in
    their interest. But on the other hand it
  • 10:09 - 10:15
    contained personal data relating to
    millions of people, who might suffer harm
  • 10:15 - 10:21
    if the information was disclosed. Since it
    is not so easy to ask the 2 million
  • 10:21 - 10:29
    people, if he's allowed to publish it, he
    was asking himself so what now to do.
  • 10:29 - 10:33
    Thanks to the previous work of the BBC
    advice we as journalists had reason to
  • 10:33 - 10:39
    believe, it would be in the public
    interest to review this data. So we made
  • 10:39 - 10:45
    contact with Chris and before viewing the
    leaked data we considered of course the
  • 10:45 - 10:52
    ethical, legal and security implications.
    Tom: We had a chance to fully reveal how
  • 10:52 - 10:56
    the system works for the first time. And
    this is what the file looked like:
  • 10:56 - 11:02
    laughter
    Jasmin: Isn't it beautiful?
  • 11:02 - 11:06
    Tom: We agreed with Chris that we would
    use the data to do responsible journalism,
  • 11:06 - 11:10
    but not to publish the data itself, so we
    can't show you the full database in this
  • 11:10 - 11:17
    presentation. When we received the data it
    was a 4 GB JSON line delimited file with
  • 11:17 - 11:23
    no documentation. The first thing I had to
    do was write a parser in Python. I started
  • 11:23 - 11:30
    to flatten this JSON file into a CSV file.
    Then we had a 4 GB CSV file and I loaded
  • 11:30 - 11:35
    that into Postgres in order that we could
    do some analysis of the contents of this
  • 11:35 - 11:42
    database. So this is an abridged version
    of the field list showing you the really
  • 11:42 - 11:46
    key pieces of data on each of these
    profiles. We've got an ID, we've got an
  • 11:46 - 11:53
    entity type, that is, if this is a person
    or an organization, for people there were
  • 11:53 - 11:58
    first names, surnames, aliases. Position
    would be: if you're a politician, this
  • 11:58 - 12:02
    would say what your position is in the
    government. The categories were really
  • 12:02 - 12:08
    interesting, because these might be that
    you're a politician as mentioned or might
  • 12:08 - 12:12
    be that you're in the terrorism category
    or the financial crime category. We've got
  • 12:12 - 12:16
    dates of birth and countries and
    nationalities, obviously those are really
  • 12:16 - 12:23
    important so that banks can identify the
    customers correctly. Information text was
  • 12:23 - 12:27
    possibly the most interesting part of the
    data. And then we had various links to
  • 12:27 - 12:33
    other profiles, the source URLs which
    turned out to be really crucial and the
  • 12:33 - 12:40
    dates on which the records have been
    created and updated. You know, some of
  • 12:40 - 12:46
    these fields were self-explanatory, but we
    really needed to see what this database
  • 12:46 - 12:51
    looked like to the end-user to understand
    how this information would be interpreted.
  • 12:51 - 12:56
    Like any good investigative journalists ..
    we of course turned to Google. After a
  • 12:56 - 13:01
    bit of experimentation we discovered the
    magic words: searching for "you are
  • 13:01 - 13:07
    strictly prohibited from disclosing or
    copying the content of this service".
  • 13:07 - 13:12
    applause
  • 13:12 - 13:17
    Tom: And sure enough we find some examples
    of profiles from World-Check, which people
  • 13:17 - 13:21
    may or may not realize are on the internet
    and accessible through Google. Some of
  • 13:21 - 13:24
    these are from the Panama papers, so
    obviously the person who put that one
  • 13:24 - 13:29
    there knew what they were doing. The first
    example in this result is interesting
  • 13:29 - 13:33
    though because we have the word "intranet"
    in the URL and we should perhaps tell this
  • 13:33 - 13:36
    company that their intranet is not an
    intranet.
  • 13:36 - 13:39
    laughter
  • 13:39 - 13:40
    Jasmin: Maybe they found out by
    themselves.
  • 13:40 - 13:48
    Tom: They know now, hopefully. This
    example is actually from a magazine in
  • 13:48 - 13:53
    Brazil which published World-Check
    profiles that they obtained as part of an
  • 13:53 - 13:57
    investigation. This was really useful
    because we could see exactly what the data
  • 13:57 - 14:03
    looks like to the end-user. This profile
    belongs to Eduardo da Cunha, who was the
  • 14:03 - 14:08
    former leader of the Brazilian Chamber of
    Deputies and as I said it was published by
  • 14:08 - 14:13
    the magazine. We can see here the
    categories that he's been assigned: in
  • 14:13 - 14:18
    this case he's a political individual and
    he's a PEP. PEP stands for politically
  • 14:18 - 14:24
    exposed person. This is a term in anti-
    money-laundering legislation that means
  • 14:24 - 14:29
    this person is in senior public office and
    they are potentially in a position to take
  • 14:29 - 14:33
    bribes and launder corrupt funds. It
    doesn't mean necessarily that they've done
  • 14:33 - 14:37
    anything wrong, but the money laundering
    rules say that banks have to scrutinize
  • 14:37 - 14:42
    these people very carefully. So if you are
    a politician you might be called up by
  • 14:42 - 14:47
    your bank and they would say we need to
    interview you about your sources of income
  • 14:47 - 14:51
    in order to establish what the legitimate
    level of income is and if you exceed that
  • 14:51 - 14:56
    level you'll be reported to the
    authorities. The definition of PEP also
  • 14:56 - 15:01
    includes the immediate family of the
    public officials and we'll see that on the
  • 15:01 - 15:08
    next slide. When we scroll down after the
    age and date of birth we've got these
  • 15:08 - 15:14
    links to other profiles: These are the
    Brazilian politician's immediate family
  • 15:14 - 15:21
    members, who have their own profiles. Then
    further down we've got the reports, so in
  • 15:21 - 15:25
    this case this politician was actually
    accused of doing something wrong, it
  • 15:25 - 15:29
    wasn't just that they're a politically
    exposed person. There's a report of an
  • 15:29 - 15:35
    allegation of corruption there and since
    this profile was published it turned out
  • 15:35 - 15:39
    that he was convicted of corruption. So
    this is an example of a profile of
  • 15:39 - 15:46
    somebody who turned out to be guilty. Now
    that we understood what a profile looked
  • 15:46 - 15:52
    like we started to analyze the scope of
    the database.
  • 15:52 - 15:57
    This table shows for each country how many
    people were profiled in World-Check as it
  • 15:57 - 16:03
    stood in 2014, which was the date of the
    copy of the database that Chris Vickery
  • 16:03 - 16:09
    found online. We're showing here for each
    country with at least 5000 entries the
  • 16:09 - 16:13
    number of non-PEPs, so that could be
    people in the terrorism or the crime
  • 16:13 - 16:18
    category or it could be various other
    things. The number of PEPs: we would
  • 16:18 - 16:22
    expect them to be senior public officials
    but it's interesting that there are a lot
  • 16:22 - 16:28
    of countries where there are tens of
    thousands of PEPs and so that suggests
  • 16:28 - 16:32
    that perhaps they've cast the net quite
    wide there. We're also giving numbers of
  • 16:32 - 16:39
    relatives of PEPs. We spent a lot of time
    browsing the data for our countries and
  • 16:39 - 16:43
    querying the database to understand the
    types of the different types of people
  • 16:43 - 16:49
    who've been included. And then everyone in
    our collaboration started finding people
  • 16:49 - 16:53
    who really didn't belong on the list. And
    we started to ask: How did these innocent
  • 16:53 - 16:59
    people end up on this watchlist?
    Jasmin: We were for example really
  • 16:59 - 17:04
    surprised to find Greenpeace, 16
    Greenpeace activists, on the list, who
  • 17:04 - 17:08
    were arrested for peacefully protesting
    this "Star Wars" missile defense program
  • 17:08 - 17:19
    in 2001. They were listed under the
    general category "crime". That was a bit
  • 17:19 - 17:24
    weird, because they did plead guilty to
    criminal trespass, but never served time
  • 17:24 - 17:33
    for this minor charge. But 12 years later,
    they would still be on that list.
  • 17:33 - 17:38
    Tom: This is another example, this time
    from the UK, from a town called Chelmsford
  • 17:38 - 17:43
    in the South of England. This woman is
    Jackie Arnott and she was listed in the
  • 17:43 - 17:49
    politically exposed persons category along
    with a record of all her civic activities.
  • 17:49 - 17:54
    So here she is at work, volunteering for
    an organization called "Harvest for the
  • 17:54 - 17:58
    Homeless". This is a local campaign in
    Chelmsford that was collecting food for
  • 17:58 - 18:06
    people in need. Jackie Arnott is not a
    senior public official as you might expect
  • 18:06 - 18:11
    a politically exposed person to be. In
    fact her only connection to power seemed
  • 18:11 - 18:16
    to be that her husband Allen had been the
    mayor of Chelmsford, which is a ceremonial
  • 18:16 - 18:25
    position. Now to a different town in the
    South of England: this is leafy Kingston
  • 18:25 - 18:33
    upon Thames. This is a view of the town
    hall: it's all very genteel and this is
  • 18:33 - 18:39
    one of Kingston's local politicians: Yogan
    Yoganathan. You can see the letters MBE,
  • 18:39 - 18:43
    member of the British Empire, after his
    name. He was given an honour by the Queen
  • 18:43 - 18:47
    for his services to local government and
    community relations in Kingston upon
  • 18:47 - 18:53
    Thames. Among his activities he was a
    peace campaigner. He campaigned for peace
  • 18:53 - 19:01
    in Sri Lanka and that led to him being
    listed in World-Check and being linked to
  • 19:01 - 19:06
    allegedly the Tamil Tiger terrorist
    organization, which is an extremely
  • 19:06 - 19:11
    serious and very upsetting claim to have
    made about you, not least if you're a
  • 19:11 - 19:17
    peace campaigner. The World-Check database
    gave the source for this allegation as a
  • 19:17 - 19:23
    Sri Lankan government website which in
    2007, at the height of the civil war in
  • 19:23 - 19:29
    Sri Lanka, has said: These guys in London
    organising peace protests about Sri Lanka,
  • 19:29 - 19:34
    they're all Tamil Tiger terrorists. And
    that allegation had made its way into the
  • 19:34 - 19:39
    World Check database and Mr. Yoganathan
    said he was very hurt by this allegation
  • 19:39 - 19:45
    and this was completely untrue and
    completely without any other basis in
  • 19:45 - 19:50
    fact.
    Jasmin: So remember when we said, you
  • 19:50 - 19:56
    should remember this slide because of the
    beautiful words "reputable sources". If
  • 19:56 - 20:00
    you read a little bit further Thomson
    Reuters says: "researchers are bound to
  • 20:00 - 20:08
    comply with strict research criteria and
    must remain objective at all time". Well
  • 20:08 - 20:14
    it seems that the research team was a
    little bit flexible on these rules. The
  • 20:14 - 20:18
    reasons why innocent people showed up on
    the list were very often the problem of
  • 20:18 - 20:25
    these "reputable" sources and handling
    them. Now we would like to show you some
  • 20:25 - 20:30
    of the sources and we put together a
    little ranking for you.
  • 20:30 - 20:36
    laughter
    Jasmin: You might all know that one. Yeah,
  • 20:36 - 20:43
    Wikipedia. We thought we give number 5 to
    Wikipedia. In thousands of profiles World-
  • 20:43 - 20:50
    Check used Wikipedia as a source. Well
    here you still might think: okay it's only
  • 20:50 - 20:55
    for general information, so maybe it's
    fine. What about the next one?
  • 20:55 - 21:01
    Tom: Well at number 4 we have conspiracy
    sites: this one is called cyberclass.net
  • 21:01 - 21:05
    and it has all the educational resources
    you might need on alternative accounts of
  • 21:05 - 21:11
    the 9/11 attacks. World-Check research has
    also cited it in a profile of a British
  • 21:11 - 21:16
    businessman, which of course was
    used by the banks.
  • 21:16 - 21:21
    Jasmin: Number 3, also really interesting:
    We found state-run sites or state-run
  • 21:21 - 21:27
    propaganda you must say, also used as
    sources, for example China Daily. It's the
  • 21:27 - 21:33
    biggest newspaper in China and state-owned
    and even though it's not an official organ
  • 21:33 - 21:41
    of the Chinese Communist Party, it's
    considered to be a quasi-party newspaper.
  • 21:41 - 21:47
    Because of this commentary that you see on
    the right side, it's saying that there's a
  • 21:47 - 21:52
    terrorist group, the Tibetan Youth
    Congress, the prominent diaspora
  • 21:52 - 21:59
    organization, is listed as a terrorist
    group on World-Check. What we found
  • 21:59 - 22:04
    pretty, I don't know how to say it.. the
    research team used this article as the
  • 22:04 - 22:12
    only source for this profile recording the
    Chinese government's accusations.
  • 22:12 - 22:17
    Tom: At number 2 we have a website that
    unfortunately you might have heard of:
  • 22:17 - 22:24
    Hundreds of listings referenced reports on
    Breitbart. At the time, Breitbart was
  • 22:24 - 22:28
    selectively reporting on what it called
    "black crime" and there was a whole tag
  • 22:28 - 22:33
    page for what they called "black crime".
    There were hundreds of listings that
  • 22:33 - 22:38
    referred to reports that have been carried
    on Breitbart. But number 1 ...
  • 22:38 - 22:43
    Jasmin: Our number 1 ...
    Tom: We have Stormfront which, if you
  • 22:43 - 22:49
    haven't heard of it, it's a forum for
    white supremacists. It was founded in 1995
  • 22:49 - 22:55
    by a former Ku Klux Klan member and there
    were several listings that referred to
  • 22:55 - 23:01
    Stormfront. Among them listings for two
    black British people containing links to a
  • 23:01 - 23:07
    discussion thread on the forum.
    Jasmin: So the problem really is that
  • 23:07 - 23:12
    World-Check uses all the sources that they
    can find, which is fine, but it seems that
  • 23:12 - 23:17
    they don't differ between a news site, a
    propaganda site, extremist sites, whatever
  • 23:17 - 23:24
    site. And all the sources and information
    they collect, but they don't weight it or
  • 23:24 - 23:29
    rate it or assess the information. So for
    example, if a state attorney accuses a
  • 23:29 - 23:34
    person or if a competitor blackened
    somebody in a media report, the
  • 23:34 - 23:39
    information gets into the World-Check
    database without any filtering and there
  • 23:39 - 23:45
    is no final verification of this or any
    accusation.
  • 23:45 - 23:50
    Tom: World-Check found an interesting way
    to deal with this problem of unreliable
  • 23:50 - 23:56
    sources or potentially unreliable sources:
    In the profiles they've added this general
  • 23:56 - 24:03
    legal notice. Here they mention that
    everyone who views this database should
  • 24:03 - 24:08
    carry out independent checks to verify the
    information. They later added a further
  • 24:08 - 24:13
    disclaimer saying: If this profile
    contains negative allegations it should be
  • 24:13 - 24:21
    assumed that such allegations are denied.
    This is an interesting legal concept, that
  • 24:21 - 24:25
    you can carry these extremely damaging
    accusations that people are linked to
  • 24:25 - 24:30
    terrorist groups, but of course you can
    tell your customers to assume that the
  • 24:30 - 24:35
    allegations are denied and to check the
    information out themselves. We found many
  • 24:35 - 24:41
    people on the list that had encountered
    difficulties with their banks and that
  • 24:41 - 24:46
    raises the question of whether some banks
    and users of the list were able to heed
  • 24:46 - 24:51
    this warning and launch their own
    investigations after seeing adverse claims
  • 24:51 - 24:56
    in World-Check. In fact, somebody I spoke
    to as part of my research who works for a
  • 24:56 - 25:02
    bank said that they were under such
    pressure that if they found an adverse
  • 25:02 - 25:08
    listing in World-Check, it would be
    extremely difficult for them to disprove
  • 25:08 - 25:17
    it, you know, given the time that was
    available. This is one issue. But besides
  • 25:17 - 25:22
    the problems with the sources and the lack
    of verification of the information there
  • 25:22 - 25:27
    is another reason why innocent people have
    ended up in this watchlist: Our research
  • 25:27 - 25:31
    showed that the database carries entries
    for people who are merely accused or
  • 25:31 - 25:37
    investigated over possible crimes without
    being charged or convicted. Reports of
  • 25:37 - 25:41
    minor convictions are kept on file for
    years after the event as we saw with
  • 25:41 - 25:46
    Greenpeace. and sometimes people had been
    cleared of their charges but their entries
  • 25:46 - 25:50
    hadn't been updated to reflect that
    information. So innocent people just kept
  • 25:50 - 25:56
    being guilty in the world of the database.
    Jasmin: For example like him, so please
  • 25:56 - 26:02
    meet the terrorist Andrej Holm, or at
    least that's what World-Check suggested
  • 26:02 - 26:07
    for a couple of years. Holm, maybe some of
    you know him, is a very well-known
  • 26:07 - 26:14
    sociologist and later he was a short time,
    in German "Baustaatssekretär". Maybe in
  • 26:14 - 26:19
    English at something like housing
    secretary in the Berlin State Government.
  • 26:19 - 26:23
    He was targeted by the Federal
    prosecutor's office ten years ago. The
  • 26:23 - 26:29
    suspicion was: Membership in a terrorist
    group. He was arrested at the end of July
  • 26:29 - 26:36
    2007 and detained for 3 weeks. Holm had
    obviously been investigated because he had
  • 26:36 - 26:41
    being critical of the displacement of
    poorer people and cities and he wrote it
  • 26:41 - 26:48
    in a very similar way or similar words to
    a left-wing extremist group active at that
  • 26:48 - 26:55
    time. But in the end the suspicion that he
    could be a member himself proved totally
  • 26:55 - 27:04
    unfounded and in 2010 all procedures
    against Holm were discontinued. He was
  • 27:04 - 27:11
    even compensated for his imprisonment. In
    the end for the state and justice Holm was
  • 27:11 - 27:18
    innocent. But when Holm wanted to become a
    customer at Norisbank two years later in
  • 27:18 - 27:24
    2012, the institute refused to open his
    bank account and that even without any
  • 27:24 - 27:33
    explanation. That was when Holm still did
    not know that he was on the watchlist of
  • 27:33 - 27:40
    World-Check. When we told him and we
    talked to him he said: I have a bad
  • 27:40 - 27:44
    feeling when my life is recorded there
    without me being aware of it or having any
  • 27:44 - 27:50
    influence on it. Even years later such an
    entry can permanently make life
  • 27:50 - 27:56
    significantly more difficult. But
    apparently there are institutions that
  • 27:56 - 28:02
    rely on World-Check or similar databases.
    When we talked to the Norisbank they said
  • 28:02 - 28:08
    that the Name List screening, that's what
    it's called, was an essential part of
  • 28:08 - 28:14
    fulfilling the legal requirements for
    combating financial criminality. It's
  • 28:14 - 28:19
    about preventing money laundering, they
    said. And the due diligence check would
  • 28:19 - 28:26
    use many different databases as data
    sources. I found a little bit funny that
  • 28:26 - 28:32
    they wouldn't talk about at all about the
    case from Mr. Holm and they said: They
  • 28:32 - 28:40
    cannot give any information because
    of data protection reasons.
  • 28:40 - 28:44
    Tom: We saw in the marketing brochure that
    Thomson Reuters say that 49 of 50 of the
  • 28:44 - 28:51
    world's biggest banks use World-Check. We
    had a pretty strong idea that most of the
  • 28:51 - 28:56
    big-name banks would be using it. But for
    my UK audience I wanted to confirm that
  • 28:56 - 29:00
    the high street names that my readers
    would be familiar with had used this
  • 29:00 - 29:05
    database. I had information that the Co-
    operative Bank among several other big
  • 29:05 - 29:11
    names had used World Check and I asked
    them to confirm that that was the case.
  • 29:11 - 29:17
    And this is what they said: "I can confirm
    that the Co-operative Bank doesn't use and
  • 29:17 - 29:22
    has not used World-Check." Well, this was
    an interesting response. I went back to
  • 29:22 - 29:30
    Google and I did a site-search on LinkedIn
    for World-Check and the Co-operative Bank
  • 29:30 - 29:36
    and this is what I found: This is Michael,
    he says he is a high-risk case-analyst at
  • 29:36 - 29:44
    the Co-operative Bank and his previous
    position in 2015: he was an anti-money-
  • 29:44 - 29:49
    laundering analyst and this gives the
    description of his responsibilities. At
  • 29:49 - 29:54
    the bottom there you can see that that
    included exiting customers where necessary
  • 29:54 - 29:59
    if they were found outside the bank's risk
    appetite, which is a euphemism for: he can
  • 29:59 - 30:04
    close your account if you're too risky. So
    this was quite obviously a considerable
  • 30:04 - 30:10
    responsibility and then further down in
    the job description he says that he used
  • 30:10 - 30:17
    systems including World-Check to make
    these decisions.
  • 30:17 - 30:22
    So I went back to the Co-operative Bank
    press spokesperson and sent them an
  • 30:22 - 30:29
    attachment to see what they had to say
    about this. And the reply came: "I can
  • 30:29 - 30:34
    confirm that we do not use World-Check and
    any access to that database the bank had
  • 30:34 - 30:40
    was in excess of 5 years ago." So they
    admitted that they had used the database,
  • 30:40 - 30:46
    but they're now saying that they don't use
    it anymore. I think this is an indication
  • 30:46 - 30:52
    of exactly how much secrecy there is on
    the part of the banks and resistance to
  • 30:52 - 30:56
    any kind of accountability. You know,
    they're questioned by a journalist from a
  • 30:56 - 31:00
    national newspaper, they give completely
    inaccurate information about whether they
  • 31:00 - 31:05
    had used this system and only admitted it
    when they were confronted with evidence to
  • 31:05 - 31:10
    the contrary. You know, if you're a Co-
    operative Bank customer, you really ought
  • 31:10 - 31:15
    to have a right to know what is being done
    with your data and how decisions about you
  • 31:15 - 31:20
    are being made. This is all enshrined in
    data-protection law and this seems to be
  • 31:20 - 31:27
    at odds with all of those principles.
    So we put all of the findings from the
  • 31:27 - 31:33
    different countries to Thomson Reuters and
    they didn't really come back to us on any
  • 31:33 - 31:38
    of their specific cases, but they gave us
    a statement. One of the things they said
  • 31:38 - 31:42
    was that "Individuals can contact us, if
    they believe any of the information held
  • 31:42 - 31:50
    is inaccurate and we would urge them to do
    so." This is quite tricky, if your bank is
  • 31:50 - 31:55
    not allowed to tell you, why your account
    has been closed. The bank is certainly not
  • 31:55 - 32:01
    allowed to show you your listing on World-
    Check. We have to admit that you can
  • 32:01 - 32:05
    submit a subject access request to Thomson
    Reuters, if you have a hunch that you
  • 32:05 - 32:09
    might be on the list, and then you can
    find out and obviously you could challenge
  • 32:09 - 32:15
    your information. But whether that would
    be acted upon is another question. Thomson
  • 32:15 - 32:21
    Reuters said they provide identifying
    information such as dates of birth and
  • 32:21 - 32:26
    this will be verified with reputable and
    official sources. On some of the
  • 32:26 - 32:31
    unreliable sources they said: "If blog
    content appears it is only as a supporting
  • 32:31 - 32:37
    source for that secondary information and
    is clearly identified as such". We don't
  • 32:37 - 32:42
    know if they've made improvements to the
    database since 2014, so it may be that
  • 32:42 - 32:46
    things are different from the snapshot we
    saw, but that's what they said.
  • 32:46 - 32:51
    And then they said: "In conclusion, it's
    important to point out that the inclusion
  • 32:51 - 32:56
    in World-Check does not imply guilt of any
    crime and every record states, if this
  • 32:56 - 33:00
    profile contains negative allegations it
    should be assumed that such allegations
  • 33:00 - 33:05
    are denied. The accuracy of the
    information found in the underlying media
  • 33:05 - 33:09
    sources should be verified with the
    profile subject before any action is
  • 33:09 - 33:14
    taken." One final point they made is that
    there are competing databases to World-
  • 33:14 - 33:19
    Check. So LexisNexis and Dow Jones also
    produce watchlists and we don't know if
  • 33:19 - 33:27
    there are similar problems with those
    lists. Why has this happened? You know, we
  • 33:27 - 33:32
    mentioned that banks are under huge
    pressure from governments to weed out
  • 33:32 - 33:37
    terrorists and money launderers among
    their customer bases and what's the
  • 33:37 - 33:41
    environment in which this has come about?
    We don't have a full answer to this
  • 33:41 - 33:48
    question, but I want to show you one email
    that gives a sense of the atmosphere and
  • 33:48 - 33:53
    the paranoia that has led
    to the current regime.
  • 33:53 - 33:58
    So this email is from a man who says he's
    the World Check's General Counsel. It was
  • 33:58 - 34:07
    sent in 2002 to a US Treasury consultation
    and so this is a public document. He
  • 34:07 - 34:11
    declares his interests, he says he works
    for a company that sells a product to help
  • 34:11 - 34:16
    financial institutions conduct money
    laundering checks. Obviously this is a
  • 34:16 - 34:20
    short time after 9/11 and he argues that
    under the Patriot Act financial
  • 34:20 - 34:26
    institutions must be proactive about
    tackling money laundering. He exerts the
  • 34:26 - 34:29
    considerable moral pressure, even going so
    far as to suggest that the banks were
  • 34:29 - 34:33
    helping the terrorists by their lack of
    action. So he writes: "The U.S. is in a
  • 34:33 - 34:38
    war on terror and the front lines of the
    war are at the doorsteps of every US
  • 34:38 - 34:44
    financial institution. US financial
    institutions are inadvertently aiding and
  • 34:44 - 34:50
    abetting domestic terror against American
    citizens." This is just one company's
  • 34:50 - 34:54
    viewpoint, I'm sure the US Treasury took
    in lots of different viewpoints when they
  • 34:54 - 34:59
    were forming this legislation, but I think
    this gives a nice sense of the kinds of
  • 34:59 - 35:05
    arguments that were being made. If you
    want more on the wider context of this
  • 35:05 - 35:09
    there's a really good book called
    "Speculative Security" by Marieke de Goede
  • 35:09 - 35:17
    which goes into this in more detail.
    So can the system be improved or repaired?
  • 35:17 - 35:21
    Again, we don't give an answer to this
    question but some thoughts have occurred
  • 35:21 - 35:28
    to us: There could be better selection of
    sources used to compile this kind of list.
  • 35:28 - 35:33
    Perhaps you would narrow it down a bit
    more to the official sanctions lists and
  • 35:33 - 35:37
    people who are actually convicted of
    crimes. Those kinds of categories of
  • 35:37 - 35:43
    sources, maybe news reports in reputable
    outlets, perhaps news reports that are
  • 35:43 - 35:48
    confirmed by more than one outlet, that
    kind of thing. You could also indicate the
  • 35:48 - 35:54
    quality of the information. So if you're
    going to insist on republishing the fact
  • 35:54 - 35:58
    that the Sri Lankan government has accused
    a person of terrorism, maybe you would
  • 35:58 - 36:03
    flag up that the Sri Lankan government
    certainly at that time did not have a good
  • 36:03 - 36:08
    record for reliability on who it was
    accusing of being terrorists. You could
  • 36:08 - 36:13
    also give rights of reply to people: So on
    your credit history you can go to a credit
  • 36:13 - 36:19
    reference agency, see what is said about
    you and reply to the criticisms of you
  • 36:19 - 36:23
    that are made there. They could think
    about doing that. There is an initiative
  • 36:23 - 36:28
    to make an open-source sanctions watchlist
    at opensanctions.org, which of course
  • 36:28 - 36:33
    brings lots of advantages and everyone can
    see what is said about them on the list.
  • 36:33 - 36:36
    And I think there's also the wider
    question of whether we actually want banks
  • 36:36 - 36:42
    to have this responsibility of predicting
    and foreseeing crime among their
  • 36:42 - 36:46
    customers. Do we want the private sector
    to do that job or do we want that
  • 36:46 - 36:51
    responsibility to be squarely on the
    judicial system or on the criminal justice
  • 36:51 - 36:56
    system? So with that ...
    Jasmin: So...
  • 36:56 - 36:58
    Tom: Go on.
    Jasmin: No, go on.
  • 36:58 - 37:00
    Tom: We'll be very happy to take your
    questions and these are all contact
  • 37:00 - 37:04
    details, so thank you very
    much for your attention.
  • 37:04 - 37:15
    applause
  • 37:15 - 37:16
    Herald: Thank you very much for this
  • 37:16 - 37:20
    super-interesting talk. I have good news
    for all of you: we have about 20 minutes
  • 37:20 - 37:25
    time for Q&A, so please pile up at the
    microphones, if you have any questions, of
  • 37:25 - 37:31
    which I am sure there are many. We are
    going to start with one question from the
  • 37:31 - 37:33
    Internet.
    Internet-Question: Considering the
  • 37:33 - 37:40
    database is still online has it undergone
    changes to conform to GDPR?
  • 37:40 - 37:46
    Tom: I don't think we have any information
    on that, sorry.
  • 37:46 - 37:51
    Herald: Alright, thanks, let's start with
    another question from microphone number 1.
  • 37:51 - 37:56
    Mic1: Thank you. If he was the general
    council for the World Check company, at
  • 37:56 - 38:01
    what point was it acquired by Thomson
    Reuters? Or was it already part of Thomson
  • 38:01 - 38:05
    Reuters?
    Tom: It wasn't at that point, it was some
  • 38:05 - 38:09
    years later. An interesting point actually
    about his job title is that, if you go on
  • 38:09 - 38:15
    his LinkedIn page, he does have a law
    degree, this guy, but his job title at
  • 38:15 - 38:18
    world check in 2002 was not General
    Council, but a Head of Business
  • 38:18 - 38:22
    Development. I don't know, if that's just
    a mistake on his LinkedIn.
  • 38:22 - 38:26
    Herald: Maybe another question from
    microphone number 3.
  • 38:26 - 38:32
    Mic3: So I want to know, if I make a
    request to access my data will that put me
  • 38:32 - 38:38
    on the list?
    And my actual question is: Where did they
  • 38:38 - 38:44
    get the names from? Because essentially
    the analyst that does 220 profiles a day,
  • 38:44 - 38:48
    does he get to pick the names?
    Jasmin: Yes. So if you put a request to
  • 38:48 - 38:53
    World Check your name will not be on the
    list afterwards. So you can do it if you
  • 38:53 - 38:58
    want. And this is how it works: The
    research team goes through the internet
  • 38:58 - 39:02
    and looks for articles and picks out names
    and puts them in.
  • 39:02 - 39:08
    Mic3: Ok, so they should be people, who
    don't go on Stormfront essentially to pick
  • 39:08 - 39:12
    names. Because is that what's happening?
    Like they hire people and they go on
  • 39:12 - 39:17
    Stormfront all day and randomly pick
    names? No, but seriously?
  • 39:17 - 39:21
    Jasmin: I don't know, if they do it like
    that, but somehow they came up with the
  • 39:21 - 39:24
    source, yes.
    Mic3: Okay, thanks!
  • 39:24 - 39:30
    Herald: Microphone number 4.
    Mic4: Hey, thanks for the talk. You've
  • 39:30 - 39:33
    mentioned a few people that were on there
    wrongfully, but what percentage are
  • 39:33 - 39:37
    actually wrong on there of the profiles
    that you viewed?
  • 39:37 - 39:43
    Tom: We don't have a percentage, we think
    it's a minority, there are lots of people,
  • 39:43 - 39:47
    who did do bad things and get onto the
    list. But of course it undermines the
  • 39:47 - 39:52
    credibility of the entire database, when
    there are you know many many examples that
  • 39:52 - 39:59
    we were able to find without even it's not
    like we read all 2 million profiles, so
  • 39:59 - 40:01
    who knows. But obviously it's a very good
    question.
  • 40:01 - 40:04
    Jasmin: I think it's an excellent
    question, but I have to admit that we
  • 40:04 - 40:08
    didn't review all the 2.2 million
    profiles.
  • 40:08 - 40:15
    Herald: Alright, mic number 2, please.
    Mic2: Thank you for your work on this
  • 40:15 - 40:21
    really important subject. I myself ended
    up on that list and lost my bank for two
  • 40:21 - 40:27
    years because of it. With how essential
    banking is in the modern world to get
  • 40:27 - 40:34
    paid, to pay your bills, to do anything,
    what options to people who have had their
  • 40:34 - 40:38
    banks or organizations like Finsbury Park
    that have had their banks closed and on
  • 40:38 - 40:42
    these lists have? Especially with their
    lists being so ubiquitous amongst all of
  • 40:42 - 40:47
    the major banks?
    Tom: Well, Finsbury Park Mosque went to
  • 40:47 - 40:52
    court, and they sued Thomson Reuters
    successfully and after that Thomson
  • 40:52 - 40:57
    Reuters changed the listing and admitted
    that they had been wrong to list them in
  • 40:57 - 41:01
    the terrorism category. Obviously that's
    not an option that's available to
  • 41:01 - 41:06
    everybody, I think the first step is to
    request your data from Thomson Reuters to
  • 41:06 - 41:11
    see exactly what was being said about you
    and then go from there. But it's very
  • 41:11 - 41:15
    difficult.
    Jasmin: But for example Mr. Holm, he
  • 41:15 - 41:20
    didn't get a account at Norisbank, but he
    ended up in another bank that didn't use
  • 41:20 - 41:24
    World Check and that was the Berliner
    Sparkasse.
  • 41:24 - 41:30
    Herald: Alright, I think it's the
    internet's turn again to ask a question.
  • 41:30 - 41:34
    Internet-Q: Would you agree that the
    purpose of such a list is to protect not
  • 41:34 - 41:40
    only the banks from rotten customers, but
    also the public from terrorism or the bad
  • 41:40 - 41:46
    businesses that could harm us? And if yes,
    isn't that sacrificing a few for the
  • 41:46 - 41:51
    benefit of many?
    Jasmin: I think, you shouldn't sacrifice a
  • 41:51 - 41:57
    few for the many, because it would be so
    easy to make it better. We saw that these
  • 41:57 - 42:05
    sources were so obviously weird and wrong
    and so, I think it wouldn't be necessary,
  • 42:05 - 42:09
    if they were to check the list a lot
    better.
  • 42:09 - 42:18
    Herald: Mic number 1, please.
    Mic1: Hi, great presentation. Did you find
  • 42:18 - 42:23
    any evidence of banks and such
    organizations on disclosing information
  • 42:23 - 42:27
    about their customers towards Thomson
    Reuters?
  • 42:27 - 42:33
    Tom: I don't think we saw any sign of
    that. It does look like they stick to the
  • 42:33 - 42:38
    public sources. There were various entries
    that had three-letter acronyms next to
  • 42:38 - 42:42
    them like CIA and various things. But I
    think in all of those cases it turned out
  • 42:42 - 42:48
    that the CIA, or whoever, had said
    something publicly about that person. So
  • 42:48 - 42:53
    it didn't seem that there was any covert
    cooperation in either direction.
  • 42:53 - 42:58
    Herald: Mic number 3, please.
    Mic3: Thank you for your work. Obviously,
  • 42:58 - 43:03
    it's disheartening to see such sites as
    Stormfront and Breitbart being, well,
  • 43:03 - 43:10
    cited as sources. In your work did you
    find how much of the of the data was
  • 43:10 - 43:16
    supported by these so-called "reputable
    sources", these extremist sites as the
  • 43:16 - 43:20
    category.
    Jasmin: How many?
  • 43:20 - 43:27
    Tom: It depended on the site. I think
    Breitbart was hundreds of entries. They
  • 43:27 - 43:31
    were focused around a particular country,
    which wasn't the US, it was another
  • 43:31 - 43:36
    country. Which suggested to us that
    potentially it had been a researcher, who
  • 43:36 - 43:40
    had a particular fondness for Breitbart,
    who had decided to use that as a source.
  • 43:40 - 43:46
    So there seem to be a lot of variation
    between different countries in the mix of
  • 43:46 - 43:51
    sources that have been used.
    Herald: Mic number 4, please.
  • 43:51 - 43:56
    Mic4: Hi, thanks. I work on cryptocurrency
    stuff, so obviously have a long-standing
  • 43:56 - 44:02
    interest in financial privacy and
    openness. There was a really interesting,
  • 44:02 - 44:06
    although terribly written book, I would
    not recommend it, but was written by
  • 44:06 - 44:12
    someone, who was at US Treasury and
    crafted kind of post 9/11 policy around
  • 44:12 - 44:16
    sanctions. One of the things he said in
    the book was immediately after 9/11 they
  • 44:16 - 44:21
    were willing to put people on the
    sanctions list and block you from the
  • 44:21 - 44:26
    entire international financial system at
    80% certainty level. So if they're about
  • 44:26 - 44:32
    80% confident that you are somehow related
    to terrorism, they would just kick you
  • 44:32 - 44:37
    out. So I was wondering, if.. because I
    know a lot of the interest in preventing
  • 44:37 - 44:41
    mass surveillance is all about making it
    more expensive, so as to force people to
  • 44:41 - 44:46
    target it more specifically. I was
    wondering, if you had any thoughts on what
  • 44:46 - 44:51
    kind of direction people should be
    thinking about going in terms of forcing
  • 44:51 - 44:58
    more targeting of preventing people from
    international financial access. Instead of
  • 44:58 - 45:02
    allowing it to be so broad and you know
    controlled by so few.
  • 45:02 - 45:12
    Tom: Use cash.
    Jasmin: These were already some good
  • 45:12 - 45:20
    thoughts.
    Tom: I mean, I think we should ask our
  • 45:20 - 45:24
    government for accountability on this kind
    of surveillance, as we would with a
  • 45:24 - 45:29
    communication surveillance or any other
    kind of surveillance. But we've only just
  • 45:29 - 45:34
    looked at one part of this system, we've
    looked at this one watchlist, but this is
  • 45:34 - 45:39
    part of a whole range of stuff that's
    going on. So I think we should continue to
  • 45:39 - 45:42
    look at financial surveillance alongside
    other forms of surveillance.
  • 45:42 - 45:49
    Herald: Alright, Mic number 2, please.
    Mic2: I have a question concerning the
  • 45:49 - 45:53
    Financial Action Task Force, which is an
    intergovernmental organization
  • 45:53 - 45:59
    compromising both European Union countries
    and GCC. Have you confronted them with the
  • 45:59 - 46:05
    work that thousand in the banks are doing?
    Jasmin: I didn't.
  • 46:05 - 46:09
    Tom: We haven't been to them directly, but
    one of the really useful things that we
  • 46:09 - 46:14
    pick it up from the Financial Action Task
    Force is that their definition of politically
  • 46:14 - 46:21
    exposed person talks about senior public
    officials and this database seemed to go
  • 46:21 - 46:26
    way further than that. So there seems to
    be an interesting discussion going on
  • 46:26 - 46:32
    about where the limits of this kind of
    surveillance should be drawn. You might
  • 46:32 - 46:36
    take the view that heads of state, there's
    not really any problem with surveilling
  • 46:36 - 46:41
    their financial activity, but when you
    start to cast the net wider then this kind
  • 46:41 - 46:44
    of thing seems to have more worrying
    implications.
  • 46:44 - 46:48
    Herald: Internet, if you got a question,
    fire away.
  • 46:48 - 46:53
    Internet-Q: It looks like Thomson Reuters
    basically says you can't disclose the
  • 46:53 - 46:59
    information you find in our system,
    because we have the copyright on it. So
  • 46:59 - 47:03
    are there any jurisdictions that have a
    law that would require banks to report
  • 47:03 - 47:07
    what information was used to determine
    that someone was considered a risk?
  • 47:07 - 47:12
    Jasmin: No, there's no law that the banks
    has to say it, but as Tom mentioned before
  • 47:12 - 47:18
    the people that think that they're on a
    list they can confront will check with
  • 47:18 - 47:21
    this.
    Tom: And I think in some jurisdictions
  • 47:21 - 47:29
    there are exemptions from subject access
    request rights for anti money laundering
  • 47:29 - 47:34
    purposes. I'm not sure exactly how big a
    part that plays but that may be part of
  • 47:34 - 47:39
    the reason why banks think that they can
    just deny people any answers to why these
  • 47:39 - 47:43
    decisions have been made.
    Herald: Mic number 1, please.
  • 47:43 - 47:48
    Mic1: Thank you for the excellent talk.
    You mentioned that legal regulations
  • 47:48 - 47:53
    require that banks use some kind of
    blacklist. Do you know what criteria these
  • 47:53 - 47:59
    regulations cite? So quality control
    doesn't seem to be among them. Could you
  • 47:59 - 48:03
    start your own list and send it to banks?
    Jasmin: You're right, quality control
  • 48:03 - 48:08
    seems not to be part of it. But the
    regulation is, for example, the, I don't
  • 48:08 - 48:10
    know the English word, "Sorgfaltspflicht"
    (due diligence obligations) for the
  • 48:10 - 48:18
    customer. You have to make sure that the
    customer is not a criminal or a terrorist.
  • 48:18 - 48:24
    And there are many regulations asking for
    it. For example, the EG money laundering
  • 48:24 - 48:34
    law from starting 1991 and then it got newer in
    2001, 2005. So that's mainly the part that
  • 48:34 - 48:39
    we focused on because it's the part
    that's important for the World Check
  • 48:39 - 48:43
    database.
    Herald: Alright, Mic number 3, please.
  • 48:43 - 48:48
    Mic3: Thanks for the talk. You did find a
    lot of people who are on the list
  • 48:48 - 48:54
    wrongfully and I'm curious if you informed
    them that they are on the list or if you
  • 48:54 - 48:58
    informed the company that they had these
    people on the list that shouldn't be
  • 48:58 - 49:04
    there. Especially I'm interested what
    happened to the Greenpeace activists you
  • 49:04 - 49:09
    mentioned. Do you have any information if
    they are still on the list or not?
  • 49:09 - 49:15
    Jasmin: All the cases that we showed to
    you, all the ones we talked to, we
  • 49:15 - 49:20
    confronted them and we asked them, if we
    can publish their case and all of them
  • 49:20 - 49:31
    went to World Check and asked if they are
    on the list, and asked also to delete them
  • 49:31 - 49:37
    on the list and I think in almost all the
    cases the people actually were deleted.
  • 49:37 - 49:46
    Tom: I think in some of them at least.
    And as Jasmin said, we were very careful
  • 49:46 - 49:51
    only to publish people's names, if they
    had given their consent for us to do that.
  • 49:51 - 49:57
    The response I got from Jackie Arnott, who
    was the woman in pink, who you saw in the
  • 49:57 - 50:01
    presentation, was that the last time she
    had any adverse attention from the
  • 50:01 - 50:06
    authorities was when she went on holiday
    in the 1980s to the Eastern Block and she
  • 50:06 - 50:13
    got a phone call from the British Foreign
    Office to say: "What are you doing? Going
  • 50:13 - 50:17
    over there?" And this was what came to her
    mind, when we told her about her listing
  • 50:17 - 50:21
    in World Check.
    Herald: Thanks. Mic number 4, please.
  • 50:21 - 50:26
    Mic4: Thanks, in the LinkedIn profile you
    showed there were a few other systems, I
  • 50:26 - 50:31
    think Dow Jones and one other, do they
    suck as badly as World Check?
  • 50:31 - 50:36
    Jasmin: Well we did check them and there
    was no leak yet. But if there will be,
  • 50:36 - 50:41
    maybe we can tell you next year. Applause
    Herald: Alright, Mic number 2.
  • 50:41 - 50:49
    Mic2: Hi, thank you. Can you go one slide
    back? Thank you. I was wondering, because
  • 50:49 - 50:55
    you said that their sources were like
    terribly wrong and weird and I was
  • 50:55 - 50:58
    wondering, if we assume that they are not
    wrong and weird, but they're there that
  • 50:58 - 51:02
    they are working perfectly well and that
    all of these questions like the answer to
  • 51:02 - 51:07
    all these questions was: It's working
    perfectly well. Who would be the
  • 51:07 - 51:15
    people, who it's working perfectly well
    for? And who especially is targeted here?
  • 51:15 - 51:21
    And is there any possibility of action in
    that scenario, in this possible world, in
  • 51:21 - 51:26
    which this was working perfectly well as
    it is?
  • 51:26 - 51:32
    Tom: I think maybe there are two different
    answers for the politically exposed
  • 51:32 - 51:37
    persons and for the people accused of
    terrorism. I think for politically exposed
  • 51:37 - 51:43
    persons, to me, you can make quite a strong
    case that senior public officials should be
  • 51:43 - 51:47
    subject to the financial surveillance. You
    know, if you are a prime minister and
  • 51:47 - 51:50
    suddenly you have millions of pounds
    flowing through your bank account, maybe
  • 51:50 - 51:56
    that's a legitimate..
    Mic2: No, sorry. I was not asking, what
  • 51:56 - 52:01
    are the perfect normative conditions under
    which this would function. I was asking,
  • 52:01 - 52:08
    given the state of things as it is now was
    the perfect way of working, who would it
  • 52:08 - 52:15
    be perfect for? Who is the real
    beneficiary of this wrong and weird way of
  • 52:15 - 52:21
    working? That's my question.
    Tom: Well, I don't think it benefits the
  • 52:21 - 52:27
    public. Because I don't think this is a
    real serious way of stopping terrorism and
  • 52:27 - 52:31
    I'm not even sure that it's a real serious
    way of stopping political corruption.
  • 52:31 - 52:36
    Because actually we looked into some of
    the cases that came out through the Panama
  • 52:36 - 52:41
    papers and similar things, which showed
    sometimes that banks had looked at a
  • 52:41 - 52:46
    person's World Check listing, seen that
    they were in the watch list, but said:
  • 52:46 - 52:52
    This is actually a very lucrative client.
    So we're going to keep banking them. So
  • 52:52 - 52:55
    there are two sides to it and I think
    that's a very important question.
  • 52:55 - 52:59
    Herald: Internet, it's your turn again.
    Internet-Q: Tom, considering the
  • 52:59 - 53:04
    proprietor of your newspaper, Rupert
    Murdoch, was there any kind of pressure as
  • 53:04 - 53:10
    to what you published about them?
    Tom: About World Check, well, that's a
  • 53:10 - 53:15
    question for the internet, isn't it? No.
    Herald: Microphone number 1, please.
  • 53:15 - 53:20
    Mic1: Yeah, two questions. The first is
    about deletion: Did I get it right that
  • 53:20 - 53:27
    there's no established mechanism or
    process, as well as it is known, for
  • 53:27 - 53:32
    deletion of datasets in that database?
  • 53:32 - 53:38
    So they claim how many thousands
    sounds of records they add and they
  • 53:38 - 53:45
    update. So there is some procedure for
    reading but none for deletion. It's
  • 53:45 - 53:53
    obviously weird. The second is about
    asking them what they have in the records,
  • 53:53 - 53:59
    if they have a record about me, for example,
    could I just ask them? And they should
  • 53:59 - 54:09
    answer me? Are there some conditions, are
    there costs for it? And maybe guessing:
  • 54:09 - 54:16
    How would they react if, say, 15000 people
    would ask the question?
  • 54:16 - 54:22
    Jasmin: About the deletion of data, you're
    totally right. There seems to be no
  • 54:22 - 54:31
    process in reviewing the data that all the
    data that shouldn't be in there is not in
  • 54:31 - 54:37
    there anymore. That's a problem, because
    as we know everybody has the right to
  • 54:37 - 54:44
    be forgotten in the internet. And to the
    second question, you can ask them, you can
  • 54:44 - 54:50
    go there and write them an email and ask
    them, if you're included in the database.
  • 54:50 - 54:56
    But what they say if 15000 people would
    ask them, I don't know. Maybe you can ask
  • 54:56 - 54:58
    them that.
    Tom: And remember they're very productive,
  • 54:58 - 55:03
    they could do 220 profiles in a month, I
    was writing them, so truly they can handle
  • 55:03 - 55:08
    15,000 requests, I think.
    Herald: Mic number 3, please.
  • 55:08 - 55:15
    Mic3: Have you found any evidence that the
    customers were pushing sources on World
  • 55:15 - 55:19
    Check, that some of the customers might
    have used them just as a filtering
  • 55:19 - 55:26
    mechanism and push sources that wouldn't
    be normally checked?
  • 55:26 - 55:35
    Tom: We don't have any evidence of that.
    But you do raise an important point, that
  • 55:35 - 55:39
    some of the banks said: Well, we use lots
    of sources. And some of the banks said: Of
  • 55:39 - 55:43
    course, we wouldn't just go on a World
    Check listing. But again, it's very
  • 55:43 - 55:48
    difficult to know exactly what was the
    information that HSBC considered, when
  • 55:48 - 55:52
    they closed the mosque's account, because
    that is all subject to secrecy.
  • 55:52 - 55:59
    Herald: Mic number 4, please.
    Mic4: Can I please also ask you to go to
  • 55:59 - 56:01
    the previous slide?
    Jasmin: Of course.
  • 56:01 - 56:08
    Mic4: I think the problem is we are
    focusing too much on the list itself. I
  • 56:08 - 56:13
    have difficulties imagining that we can
    control all these lists, which are
  • 56:13 - 56:18
    circulating, which are being created by
    different companies. I think the problem
  • 56:18 - 56:23
    arises, when they are used. So I don't
    know if we can really achieve through
  • 56:23 - 56:28
    legislation or through some kind of
    control better sources, better information
  • 56:28 - 56:36
    quality, or whatever. Maybe it should be
    at the point where they are used I in
  • 56:36 - 56:44
    banks, there should be really the
    legislative mechanism, the kind of legal
  • 56:44 - 56:50
    mechanism to solve this. I am imagining,
    for instance, if the bank uses sources
  • 56:50 - 56:58
    like these and denies the person to open
    an account. Or the same case with all
  • 56:58 - 57:04
    these lists which exist for phone
    companies and lots of lists like that in
  • 57:04 - 57:10
    different sectors, if that person is
    denied the account opening, there could be
  • 57:10 - 57:15
    a mechanism by which the person would
    force the bank or the institution to
  • 57:15 - 57:21
    disclose the sources and to initiate some
    kind of legal procedure. This would mean..
  • 57:21 - 57:27
    Herald: Would you be so kind as to develop
    a question? Because a lot of other people
  • 57:27 - 57:30
    still have questions and we have only a
    few minutes left, thank you very much.
  • 57:30 - 57:33
    applause
    Mic4: The question is: Do you think it
  • 57:33 - 57:37
    should be rather that we focus on the
    banks or the points, where this
  • 57:37 - 57:42
    information is used, rather than talk
    about the companies which make these lists?
  • 57:42 - 57:45
    Jasmin: I think that's a really good
    question, because it's actually a question
  • 57:45 - 57:50
    of who takes the responsibility for a
    decision? And the funny thing is that
  • 57:50 - 57:54
    World-Check puts all the weird sources in
    it, but still says: "Oh general legal
  • 57:54 - 58:00
    sentences, you have to check by
    yourself.." and then the bank says: "No,
  • 58:00 - 58:04
    in World Check, there was a list and this
    name was on the list." So right now we
  • 58:04 - 58:10
    have the scenario that people don't feel
    responsibility and I think that's the
  • 58:10 - 58:13
    problem.
    Herald: Alright, we have time for exactly
  • 58:13 - 58:17
    one last question and I hope you don't
    mind, if I give it to the internet,
  • 58:17 - 58:20
    because everybody else has the chance to
    catch the speakers later. So if there's
  • 58:20 - 58:24
    one, please fire away.
    Internet-Q: Are there any high-profile
  • 58:24 - 58:29
    politicians on the list?
    Tom: Yes, I mean the politicians that you
  • 58:29 - 58:33
    would expect to be on the list, heads of
    state, were on the list, so I guess at
  • 58:33 - 58:38
    least that part of the system is working.
    Herald: Please give another huge round of
  • 58:38 - 58:43
    applause to our speakers but this super
    informative talk. Thank you so much.
  • 58:43 - 58:45
    Tom: Thank you!
  • 58:45 - 58:51
    34c3 postroll
  • 58:51 - 59:09
    subtitles created by c3subtitles.de
    in the year 2019. Join, and help us!
Title:
34C3 - Financial surveillance
Description:

more » « less
Video Language:
English
Duration:
59:06

English subtitles

Revisions