The National Security Agency isn’t just snooping into phone and online communications. It also appears to be keeping a close eye on credit card transactions. Why? And what can they see?
The presumed purpose of NSA’s credit card tracking is to help it stop terrorism. Agents hope to ferret out terrorists who are buying bomb ingredients, visiting hotbeds of radicalism, and moving funds illicitly. But the program’s reach is so broad, some say it will inevitably sweep up purchases made by innocent American citizens, as well.
“There is a long history in the government looking at the credit card transactions in specific cases where they’re trying to solve a crime,” says Madeline Aufsesser, a senior analyst at the Aite Group. In the current case dominating the news lately, though, the evidence seems to indicate that this operation wasn’t so much about looking for a needle in a haystack as sweeping up the entire haystack for analysis.
According to unnamed sources in the Wall Street Journal on Friday, the NSA has been obtaining purchase information from credit card companies. The Journal didn’t specify what type of credit card providers were providing information to the NSA; it could be networks like Visa and MasterCard, third-party processors, or issuing banks like Bank of America and Chase.
It’s believed that the NSA can’t tell exactly what you’re buying: paint thinner, Justin Timberlake CDs, baked beans. But they can see a disturbing amount of information. What’s more, the tracking almost certainly involves a continuous stream of data; it’s not a one-off incident.
(MORE: The Civil Liberties Freak-Out Harms U.S. Democracy)
Networks are most likely giving the government “metadata.” That is, the credit card issuers could provide the NSA details such as an account or card number, where and when a purchase was made, and for how much. Even though the exact items purchased aren’t revealed, Brian Krebs, who blogs at KrebsOnSecurity.com, says “merchant category codes” in such data give clues about what was bought.
If the NSA is collecting data at the processor level, “at that point the transaction gets cleared and posts to an account, so, yes, you can track it down to a person,” Aufsesser says.
The NSA conceivably could — and probably would — be able get the names of individual account holders from banks issuing credit cards. “I don’t see how you would anonymize it,” says Al Pascual, senior analyst for security, risk and fraud for Javelin Strategy & Research.
But even if the NSA is only getting broader network metadata, Jeffrey Carr, CEO of cybersecurity firm Taia Global, says sophisticated data mining could connect transactions to actual people. If the agency also has social media profile information (which, presumably, it does), phone, and email correspondence metadata — which recent revelations of NSA’s data-gathering operations would seem to support — agents can find out exactly who you are.
“They might not know what was purchased, but if you have all that other information, you can certainly build out a profile,” Carr says. It’s even conceivable that with an account number but no name, the government could turn to an online merchant or service provider where a credit card number was used or stored and track down a person that way.
Following the leaked Verizon court order, the Obama Administration has defended its actions by pointing to two instances when terrorists were intercepted after their correspondence raised a red flag. Experts say a similar mentality is at work here.
“Based on what we’ve seen so far based on PRISM, that makes me think they’re going to be looking at weapons-making capability,” Pascual says. As the Boston Marathon bombings illustrate, a tactic today’s terrorists use to stay under the radar is using common purchases (pressure cooker, nails, ball bearings) to create weapons. A red flag may be raised with the NSA if agents detect several of these everyday items being purchased at the same time and/or in unusually large quantities.
Experts say the government is probably also looking for evidence of terror-related travel; metadata can’t tell the NSA agents where someone is flying, but they could put two and two together if they see airline purchases followed by transactions that take place overseas.
The NSA also is likely closely eyeballing prepaid debit card activity. “Prepaid is a giant mess,” Krebs says. “There are a myriad ways that people can move money into and out of prepaid cards,” he says, adding that many providers don’t make sure names and addresses match up. “It is much easier for people to obtain cards under false identities and pretenses,” he says. Criminals of all kinds — terrorists, drug dealers, money launderers — exploit this loophole.
Krebs points out that following the money is a reliable tactic for tracking down terrorist groups and plots. That doesn’t make this kind of broad-brush data-gathering any less unnerving, though. Experts say this data-gathering probably focuses on purchases made in the U.S., unlike the information from around the globe the agency is getting from phone companies and Internet providers.
(MORE: Policing the Web: How Google’s Cops Track Down Bad Ads)
Technically, there are safeguards in place to keep American citizens out of the NSA’s dragnet, but that’s not to say the agency wouldn’t turn over dirt dug up on an American citizen over to a sister agency like the FBI. “I think it’s important that we don’t lose focus on the bigger picture,” Carr says. “The NSA is just one agency.”
“The ability to mine credit — and I’m assuming debit — card transactions would give the government broad powers to closely monitor and profile the day-to-day activities of a majority of Americans,” Krebs says.
Besides basic concerns about privacy, some worry about the possibility of the NSA creating profiles based on purchase transaction metadata that generate false positives, especially if someone has card information stolen or personal information exposed in a data breach. “You don’t have a guarantee that just because you’re innocent, somebody isn’t going to make a mistake and misidentify your intentions or who you are,” says Carr.