Did credit card companies collaborate with the FBI's grocery data mining program?
Recent media reports reveal that the FBI sifted through 2005-2006 San Francisco grocery store receipts looking for would-be terrorists. Did the grocery stores give up this info, or did Visa and Mastercard hand over the data? Was this legal?
The Congressional Quarterly's Jeff Stein recently reported that the FBI went trawling through grocery store records in order to track down Iranian terror cells. In his article, he writes, "like Hansel and Gretel hoping to follow their bread crumbs out of the forest, the FBI sifted through customer data collected by San Francisco-area grocery stores in 2005 and 2006, hoping that sales records of Middle Eastern food would lead to Iranian terrorists." The program, however, was short lived and was quickly "torpedoed by the head of the FBI's criminal investigations division, Michael A. Mason, who argued that putting somebody on a terrorist list for what they ate was ridiculous -- and possibly illegal."
Wired News' always excellent Threat Level blogger Ryan Singel, who highlighted Stein's article yesterday, ponders the methods through which the FBI got access to the records. Ryan writes, "It's not clear how the FBI got the records to sift through in the first place - did grocery stores volunteer the data or get served with national security letters or the dread[ed] Section 215 of the Patriot Act."
As I will outline in this blog post, I don't believe that the grocery stores gave up any customer data - the credit card companies did. But first, a disclaimer: I have no sources at all for my argument today. I have nothing to back it up other than a gut feeling. Thus, this blog post should be read as an editorial, and in no way as a solid piece of investigative journalism.
Before we get too deep into this, lets cover a few basic concepts.
First: ethnic shoppers, be they Mexican, Iranian, Indian or Chinese, generally do not buy the foods from their home countries at American grocery stores. They buy them at small, ethnic food stores specializing in foreign foods. The major grocery chains do not cater to these customers, and generally stock inferior (and overpriced) goods. No self-respecting Indian chef buys his spices from Safeway, just as Koreans seeking a kimchi fix do not go to Whole Foods. Most obvious of all, no Iranian, or any other religious Muslim buys their meat at major American grocery stores, for one simple reason: it's not halal.
Second: Small ethnic grocery stores generally do not track their customers' purchases. While the major chains all seem to have adopted
evil tracking "store loyalty" cards, your average mom and pop Mexican market is likely to have a single cash register at the front of the store. No fancy computers through which to give consumers a five percent discount in exchange for having their transactions tracked.
While Whole Foods can go through their purchase logs to see which customers purchased specific middle-eastern food items, the small ethnic markets simply don't have this kind of data. All they could provide, if forced to, would be the names associated with every credit card used for any past transactions. The actual food items purchased, be it a candy bar, or a metric ton of terrorist-tahini, would remain a secret.
With that out of the way, lets re-examine the information presented by Jeff Stein. Did the FBI compel or politely ask Safeway and Whole Foods to trawl through their extensive purchase databases, and hand over the names of customers who bought falafel mix? Not likely. Ok, what about a different approach. Did the FBI go to every middle eastern market in the San Francisco bay area and ask the owners to hand over their credit card receipts? This too, is not so likely.
FBI agents are not stupid. What is far more likely, I believe, is that agents contacted the major credit card companies (Visa, Mastercard and American Express), gave them a list of all of the middle eastern markets in the Bay area, and asked for the names and addresses of every person who had purchased anything at any of the stores. This would be a far easier method, and frankly, would be less likely to cause alarm to the general public (as they most likely would never find out).
The FBI already pays three telecom companies, including AT&T and Verizon, about $1.8 million a year to process written "emergency" requests for telephone and internet records. The CIA and US Treasury Department have been getting access to data on every international financial transaction crossing the SWIFT network since 2001. Furthermore, a recent FBI audit found that in at least 14 investigations, counterintelligence FBI agents improperly gathered full credit reports from financial institutions, exercising authority provided by the USA Patriot Act but meant to be applied only in counter-terrorism cases.
Law enforcement and intelligence agencies routinely use financial records, including credit reports as part of their investigations. More than likely, every Visa and Mastercard transaction around the world goes through a US server at some point. This is a valuable source of data, and frankly, if the NSA doesn't already have access to this data, someone there should probably be fired. Given the fact that the telecom companies get paid to respond to FBI requests, it's quite likely that the major credit card networks also have streamlined processes through which they can respond to law enforcement requests (and get paid for their time and effort, of course).
If the credit card companies can already be forced to give up the purchase history of a legitimate suspect in an investigation, it is not too hard to imagine that they could be forced, or paid, to provide data with a more broad request.
The legality of such a program, if it exists, will make for a great debate amongst legal scholars. It would also seem, by my amateur reading of the current Senate proposals for telecom immunity, that the credit card companies would also be let off the hook if they did actually violate any laws in handing over vast amounts of customer data.
Interesting times, indeed.