As I noted last night, the US has been violating the spirit of its agreement with the EU on access to the SWIFT database–the database tracking international financial transfers. Rather than giving Europol specific, written requests for data, it has been giving it generic requests backed by oral requests the Europol staffers are not supposed to record. That arrangement makes it impossible to audit the requests the US is making, as required by the agreement between the US and EU.

But not only does our cheating make us an arrogant data octopus, it may suggest we’re violating our own internal safeguards on the program.

Back when Lichtblau and Risen first exposed the SWIFT program, they described how it initially operated under emergency powers. On such terms, SWIFT turned over its entire database.

Indeed, the cooperative’s executives voiced early concerns about legal and corporate liability, officials said, and the Treasury Department’s Office of Foreign Asset Control began issuing broad subpoenas for the cooperative’s records related to terrorism. One official said the subpoenas were intended to give Swift some legal protection.

Underlying the government’s legal analysis was the International Emergency Economic Powers Act, which Mr. Bush invoked after the 9/11 attacks. The law gives the president what legal experts say is broad authority to “investigate, regulate or prohibit” foreign transactions in responding to “an unusual and extraordinary threat.”

[snip]

Within weeks of 9/11, Swift began turning over records that allowed American analysts to look for evidence of terrorist financing. Initially, there appear to have been few formal limits on the searches.

“At first, they got everything — the entire Swift database,” one person close to the operation said.

But then they put in more safeguards. One of those safeguards was to have an outside auditing firm review the requests to make sure they were based on actual leads about actual suspected terrorists.

Officials realized the potential for abuse, and narrowed the program’s targets and put in more safeguards. Among them were the auditing firm, an electronic record of every search and a requirement that analysts involved in the operation document the intelligence that justified each data search. Mr. Levey said the program was used only to examine records of individuals or entities, not for broader data searches.

[snip]

Swift executives have been uneasy at times about their secret role, the government and industry officials said. By 2003, the executives told American officials they were considering pulling out of the arrangement, which began as an emergency response to the Sept. 11 attacks, the officials said. Worried about potential legal liability, the Swift executives agreed to continue providing the data only after top officials, including Alan Greenspan, then chairman of the Federal Reserve, intervened. At that time, new controls were introduced.

Among the safeguards, government officials said, is an outside auditing firm that verifies that the data searches are based on intelligence leads about suspected terrorists. “We are not on a fishing expedition,” Mr. Levey said. “We’re not just turning on a vacuum cleaner and sucking in all the information that we can.”

In addition, SWIFT could veto any search.

Swift representatives would be stationed alongside intelligence officials and could block any searches considered inappropriate, several officials said.

So in 2006, when the NYT broke this story, the program supposedly had the following safeguards:

  • Documentation by analysts of the intelligence that justified the search
  • An electronic record of every search
  • An audit by an outside firm that verifies that intelligence justified the search
  • Veto power by SWIFT over any particular search

Also, at that time, Stuart Levey claimed the program was targeted exclusively at “individuals or entities,” they were not, “just turning on a vacuum cleaner and sucking in all the information that we can.”

But here’s what we learned yesterday, almost five years after the program was exposed: the program is not making specific requests. Rather, according to EU members who have read the report, it involves the transfer of bulk data. And whether or not there are records internally that an outside auditing firm can audit, those records are not being shared with the Europeans who are, by law, empowered to do a similar audit. In fact, the US is deliberately avoiding creating the kind of records that can be audited by relying on oral requests.