Mar 30 2016

How does your bank know your dog’s not a terrorist?

The curious incident of the dog named “Dash” has spotlighted a type of outsourced surveillance and control of our everyday activities that typically operates invisibly but that is much more pervasive than most people in the USA imagine.

We were contacted last week by KTVU News to help explain what happened to Bruce Francis, a disabled San Francisco man whose online request to send a check to pay the person who walks his service dog was refused by Chase Bank. The memo line on the check read, “for Dash”, Dash being the name of Mr. Francis’ dog.

Chase initially accepted the check request. Later, however, the bank told Mr. Francis that it had declined to issue the check, and refused to do so unless and until Mr. Francis provided a satisfactory explanation and/or evidence (satisfactory to Chase, that is) that the check wasn’t intended for an illegal purpose or entity.

Why would a bank refuse to honor a check request? Are bank customers required to justify to our bankers why, or to whom, we want to send our money?

Under U.S. law, the surprising answer is that banks and other financial institutions are required to act as police informers, profiling transactions and reporting customers to a little-known but financially powerful Federal law enforcement agency on mere suspicion of even unwitting violation of an array of Federal laws imposing sanctions on various entities including alleged “drug kingpins”, contributors of “material support” to terrorism (including such seemingly non-material forms of support as legal services, Web sites, and propaganda), and entities associated (in different ways depending on the country) with governments or entire countries disfavored by the U.S., including Cuba and Iran.

Banks (or contractors to which they outsource this work) scan all manner of financial transactions, from debit and credit card payments, electronic funds transfers, and paper checks to automobile and home loan and new-account applications. As with airline reservations, these transactions are scored according to secret profiling algorithms that take into consideration government-supplied and commercial blacklists and watchlists, identity-based transaction histories and other databases, phonetic and other “fuzzy matching” rules, and other rules embodying security, fraud, “pre-crime”, and risk management criteria.

In the case of Mr. Francis’ check request, these robots flagged the name of his dog on the memo line (“for Dash”) as vaguely similar to “Daesh”, one of several English transliterations of a crude phonetic rendering of an Arabic acronym for a name sometimes applied to — although rejected and denounced by — one grouping of the Islamic State in Iraq and Syria (ISIS).
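An illustration of how generic “fuzzy matching” of this kind produces the false positive described above. This is an added example, not the bank’s or any vendor’s code: the real rules are secret, so Soundex and Levenshtein edit distance are assumed stand-ins, and the one-entry watchlist and every memo line other than “for Dash” are constructed.

```python
import re

# Constructed one-entry list; real screening lists and rules are not public.
WATCHLIST = ["DAESH"]
_GROUPS = ["BFPV", "CGJKQSXZ", "DT", "L", "MN", "R"]
_CODE = {c: str(d) for d, g in enumerate(_GROUPS, 1) for c in g}

def soundex(word):
    """Classic American Soundex: first letter plus three digits."""
    w = re.sub(r"[^A-Z]", "", word.upper())
    if not w:
        return ""
    out, prev = w[0], _CODE.get(w[0])
    for ch in w[1:]:
        if ch in "HW":            # H/W do not break a run of equal codes
            continue
        code = _CODE.get(ch)      # vowels have no code and reset the run
        if code and code != prev:
            out += code
        prev = code
    return (out + "000")[:4]

def edit_distance(a, b):
    """Levenshtein distance (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[-1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def screen(memo, phonetic=True, max_edits=1):
    """Return (word, list_entry, rule) for every memo word that matches."""
    hits = []
    for word in re.findall(r"[A-Za-z]+", memo):
        w = word.upper()
        for entry in WATCHLIST:
            if w == entry:
                hits.append((word, entry, "exact"))
            elif phonetic and soundex(w) == soundex(entry):
                hits.append((word, entry, "phonetic"))
            elif edit_distance(w, entry) <= max_edits:
                hits.append((word, entry, "edit-distance"))
    return hits

if __name__ == "__main__":
    # Constructed memo lines; only "for Dash" comes from the article.
    for memo in ["for Dash", "dog walking March", "union dues", "rent April"]:
        print(f"{memo!r:22} -> {screen(memo)}")
```

Under these stand-in rules “dog” and “dues” are flagged along with “Dash”, since all three share the Soundex code of the list entry. Turning the phonetic rule off still flags “Dash”, which is one edit away.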

As Mr. Francis told KTVU, stopping payment of any check identified on the memo line as being “for ISIS” would amount to, “Stopping the world’s stupidest terrorist.”

Is this the way Congress intended Federal sanctions laws to work? Maybe, maybe not. But Chase Bank’s refusal to pay Mr. Francis’ dog-walker because the bank’s robotic profiling algorithm flagged his dog’s name as “suspicious” is typical of how these laws do (or don’t) work in practice.

Federal financial blacklists and requirements for banks to block blacklisted entities and activities are enforced by the Office of Foreign Assets Control (OFAC), a division of the Department of the Treasury that has long been notorious for its heavy-handed practices and lack of transparency or accountability.

Banks are themselves under heavy financial pressure from OFAC to err on the side of refusing to execute “suspicious” transactions, to reverse the presumption of innocence, and to put the burden of proof on the customer — as Chase did with Mr. Francis — to explain who we want to pay, and to justify what we want to do with our money.  In 2006, for example, J.P. Morgan Chase — the parent company of Chase Bank — agreed to pay $88 million in civil penalties in a settlement with OFAC for processing electronic funds transfers “directly or indirectly for the benefit”, in whole or in part, of entities on various OFAC blacklists, and for failing to provide “complete information relative to any transaction” about which OFAC requested details. That’s real money, even for a bank as big as Chase.

It’s scarcely surprising, given the potential cost of offending OFAC, that no bank has challenged OFAC’s demands for policing of customers and our activities.

By inducing banks to take these actions, OFAC achieves a more intrusive level of financial surveillance and control than the government would have legal authority to carry out directly, while avoiding transparency (banks’ actions aren’t subject to the Freedom of Information Act or the Privacy Act) or direct accountability, and maintaining a degree of plausible deniability.

If banks’ and other financial institutions’ profiling and payment-blocking practices or demands for customers to explain and justify ourselves are challenged, OFAC can claim that it isn’t responsible for how banks decide which customers, payees, or transactions to block. OFAC just imposes crushing fines on any bank that allows transactions that OFAC determines, after the fact, to have violated any of the complicated, often ambiguous, and sometimes contradictory sanctions laws.  The only rational business decision for a for-profit corporation is that the risk of running afoul of OFAC is many times the potential liability for an improperly blocked transaction.

The default becomes, “No”. Once Mr. Francis’ check was “flagged” by automated processing, payment was stopped until a human looked at the check request and manually overrode the “hold” to authorize payment. Automated processing operated not as an “alert” system, but as an interlock with de facto authority delegated to robots to freeze the entire bank account without notice, at any time, on the basis of secret algorithms and datasets.

Like the “no-fly” list and other DHS “watchlists” (blacklists), OFAC’s list of “Specially Designated Nationals” subject to financial sanctions contains common names, ambiguous and imprecise translations and transliterations, and incomplete identifying information about many listed entities. The inevitable result is that innocent people find their everyday financial activities blocked, and constantly face the impossible challenge of proving their innocence and/or proving that they or those with whom they are trying to do business aren’t other unrelated people or entities about which they may know nothing.

While there are statutory criteria for the designation of entities subject to financial sanctions (unlike the no-fly list and related watchlists/blacklists, for which the standards, if any, are officially secret), the laws and regulations imposing these sanctions are complex and confusing. It can be impossible for anyone to determine, in advance, which transactions will provoke OFAC to impose sanctions on the parties making, receiving, and/or processing a payment. You can request an opinion in advance from OFAC as to the legality of a specified action, but it can take a year or more to get an answer, by which time the answer may be moot. Even communicating about possible transactions can be deemed by OFAC to constitute proscribed “facilitation” of sanctions violations.

What happened to Mr. Francis and his unpaid dog-walker is relatively minor. The check was eventually issued after the check request and Mr. Francis’ explanation of his dog’s name were reviewed by a human. But it’s the tip of an iceberg of the larger problem of OFAC overreach and injustice, as described in these 2007 and 2014 reports from the Lawyers’ Committee for Civil Rights of the San Francisco Bay Area. And the problem of OFAC is in turn just part of an even larger pattern of outsourced surveillance, algorithmic profiling, and control by what the ACLU has aptly labeled the “Surveillance-Industrial Complex” of private and commercial actors conscripted by government carrots and sticks.

Mar 07 2016

The cost of requiring ID for library cards

To: Julie Holcomb, Abigail Franklin, Darryl Moore, Jim Novosel, Winston Burton, City of Berkeley <bolt@ci.berkeley.ca.us>
From: Eric Neville
Subject: The cost of requiring ID for library cards
Date: Mon, 7 Mar 2016 09:05:15 -0800
Dear Board of Library Trustees:

Sometimes the cost of how we do things sneaks up on us. I grew up visiting the Berkeley Public Main Library, but I was concerned recently when I was required to provide picture identification to renew my library card.

I don’t actually recall how long this has been policy. The reference librarian, who had a few years on me, said it’s been policy for as long as he remembers. But I also know that previously I personally had occasion to return a four-inch-thick law book that had apparently been taken from Main’s reference section, and which I found on the street a few blocks away, so current policy is certainly not a perfect protection for library resources. Indeed, no policy can be perfect, but can at best be struck to balance costs. These costs become more challenging to reckon with when they are intangible, as they are for principles.

But principles do matter, such as when librarians opposed portions of the USA PATRIOT Act:

My concern stems from the intersection between the ill-founded presumption that identity documents ensure against abuse and the surreptitious cost to society that presumptive ID expectation inflicts.

What’s Wrong With Showing ID?
