(from the April, 2015 CCPA Monitor, https://www.policyalternatives.ca/monitor/index.php)
By Matthew Behrens
A recent run-of-the-mill telemarketing call from one of Canada’s largest credit companies took on a threatening tone. Who knew that owning a credit card whose purchases produced redeemable points for free groceries also entailed an insidious tradeoff that invaded our privacy and left a chilling aftertaste?
Informed that failure to answer certain questions would result in forfeiture of the card, I resigned myself to ten minutes of wasted time and, following the usual gobbledygook about disclosure, was asked if anyone in my immediate and extended family had ever “held one of the following offices or positions in or on behalf of a foreign country: a head of state or government; a member of the executive council of government or member of a legislature; a deputy minister (or equivalent); an ambassador or an ambassador's attaché or counsellor; a military general (or higher rank); a president of a state-owned company or bank; a head of a government agency; a judge; or a leader or president of a political party in a legislature.”
The question was chilling, for though I could honestly answer no, whose business was it to ask? It concerned me that immigrants might be flagged if they answered affirmatively, and perhaps asked further questions about their relationship to, for example, overseas political parties that the Canadian government deemed unsavoury.
Recovering my composure, I asked to speak with a supervisor, who informed me that “like any financial institution in Canada we are required by law to collect this information,” and that the answers would have no effect on my credit rating. If that were the case, I pressed, why were they asking these personal questions, and with whom were they sharing the answers?
Interrogation by Proxy
The answer was eerie: the company needed to determine, on behalf of the federal government, whether I or any family member would be what’s known as a “politically exposed foreign person.” But how did they determine who of their 1.5 million cardholders to call? The Canadian government, the supervisor explained (in the same tone he’d adopt if he were going over car giveaway contest rules), provides the company a list of cardholders to question.
“They tell us, ‘We need you people to read these cardholders this legal disclosure, get a clear yes or no at the end of it, and tell us once you’ve had it updated.’ We make a note on the account that it has been done. We pull the information and send it to the government.”
When I asked to see the company’s policy with respect to any mandate to undertake investigative work on behalf of the government, I was told, “Anything about our internal policy for generating accounts that we will ask questions along those lines is internal policy and unfortunately nobody’s going to be able to disclose that information to you.”
The supervisor asked if there was “anything else we can do for you today,” but I hung up the phone. An internet search employing language from my questioning led me to the source of this disturbing call: the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA), a measure passed in 2000 by the Chretien Liberals that created the Financial Transactions and Reports Analysis Centre (FINTRAC), a “financial intelligence” unit that sounded about as threatening as an actuarial table.
Since FINTRAC’s mission is “detection and deterrence of money laundering and terrorist financing,” it appeared that the calls my credit card company was making played into the tiresome trope that terrorism is imported with immigrants to Canada. Nevertheless, since June 2008, according to the FINTRAC website, “financial entities, securities dealers, money services businesses and life insurance companies, brokers and agents have to determine if their clients are politically exposed foreign persons.”
Every Institution a Fink
While the suite of “anti-terror” measures introduced in 2001 drew far more attention with the understandably frightening prospect of preventative detention and secret investigatory hearings, FINTRAC’s mandate and practice quietly touch just about every resident of the country. As of March 2012, FINTRAC’s databases were home to some 165 million reports containing Canadians’ personal information. According to Canada’s Privacy Commissioner, “These reports might include transactions such as, but not limited to, down payments for house and vehicle purchases, wire transfers received by international students residing in Canada, or funds sent by parents in Canada to children who are studying abroad.”
FINTRAC’s enabling legislation requires some 300,000 entities – everything from casinos, accountants and banks to life insurance companies, real estate firms and dealers in precious metals and stones – to collect and hold personal client information that is transmitted to FINTRAC, often without the knowledge or consent of the individual. In 2006, amendments to the act enabled FINTRAC to share even more such personal information with law enforcement, security agencies, the Canada Revenue Agency, and the Canadian Border Services Agency (CBSA). The Senate Standing Committee on National Security heard last December that FINTRAC made 1,143 disclosures to law enforcement agencies in 2013‑14, a 25% increase over the previous reporting year. Of those, 234 were allegedly connected to terrorist financing.
Reporting the transfer of large amounts of money – any cross-border movement equal to or greater than $10,000 must be reported to FINTRAC – is likely to ensnare a great majority of people with perfectly legitimate reasons who nonetheless will risk the stain of suspicion. For example, a group of Canadian Muslims attending the Mecca pilgrimage may have entrusted such amounts of cash to their group leader, whose name will be duly reported from the airport before departure. When that information is shared with other government agencies, will it lead to future airport shakedowns either at home or in an overseas point of entry?
It would appear, however, that no amount of money is too small to trigger what is known as a “suspicious transaction report (STR),” the measure by which a bank or real estate agent, in playing the role of community cop, lets FINTRAC know something may be amiss. In her 2013 audit of FINTRAC, Privacy Commissioner Jennifer Stoddart found numerous STRs “where there were no reasonable grounds to suspect money laundering or terrorist financing activities.” One young professional who purchased three bank drafts worth $100,000 was reported because “the amount of money simply did not match his age” while a shopkeeper who deposited into a bank account a grand total of $570 in 100, 50, 20 and 10 dollar bills was similarly reported, though with no explanation.
Confusion over financial regulations and unclear reporting requirements have led some entities to over-report in an abundance of caution. One lawyer felt compelled to turn in his long-time client because he was unsure whether or not to report a home purchase in which the deposit was released directly to the seller instead of the seller’s lawyer.
Two federal inquiries (O’Connor, Iacobucci) that critiqued the creation and subsequent sharing of inaccurate and inflammatory information – which led to the overseas detention and torture of four Canadian citizens – are potent reminders of how the free flow of personal information has dire consequences.
False Labelling in Databases
Stoddart’s 2009 privacy audit of FINTRAC found exactly those kinds of inflammatory allegations in the agency’s Terrorist Property Reports (TPRs), which allege certain properties in or outside Canada are owned or controlled by terrorists. Almost 50% of those reports had been filed on the basis of a “possible match” to terrorist listings. Disturbingly, “Where identity could not be confirmed, FINTRAC did not pursue further analysis; however, the information remained in FINTRAC’s database. The practice, by default, was to retain these reports regardless of whether or not there was knowledge, belief, or suspicion of terrorist affiliation.” In other words, a Muslim cleric who runs a rural summer camp – anonymously reported but never confirmed as a terrorist property – stays in a database that is shared with CBSA, CSIS, and the RCMP, with utterly predictable consequences for that individual as well as anyone who regularly attends his mosque.
The presumption of guilt and a desire to play spy games that underlies so much of state security appears to be affecting decision-making at FINTRAC as well. The Privacy Commissioner found one such instance of this trend when FINTRAC encouraged a financial institution – unsure what to submit regarding a large cash transaction – to send along whatever it felt, even if it was excessive. “FINTRAC acknowledged that although the data in question was information that technically should not be included and would certainly cause problems in regards to privacy, it may be of added value to have additional information on the transaction for intelligence or analytical purposes,” Stoddart wrote. She noted her concern that “a reporting entity could interpret the message conveyed by FINTRAC in the above example as applying to other types of reports and information.” Thus, the compelling-sounding rationale of “intelligence” and “analysis” becomes a one-size-fits-all justification for increased collection and sharing of personal information.
FINTRAC continues to hold extraneous personal information, including Social Insurance Numbers, health card and related medical information, as well as an unknown number of STRs that did not meet the $10,000 threshold. FINTRAC’s practice of collecting and retaining such information, the Privacy Commissioner found in 2013, presents “a significant risk to privacy by making accessible information which should never have been obtained.” This latest finding follows on a 2009 call to destroy extraneous FINTRAC holdings, but the agency replied at the time that it did not have the technological capacity to do so. Since then, they have politely refused altogether, instead developing a separate database - allegedly inaccessible to their analysts - that will store the information that is supposed to be deleted.
FINTRAC’s self-image of brave number-crunchers playing their part in a world at war is based on the untested assumption that money is a key driver in terrorism plots. As Tufts University International Business Professor Ibrahim Warde points out in The Price of Fear: The Truth Behind the Financial War on Terror, in a culture that refuses to explore the social and political roots of non-state terrorism, money becomes a default “cause,” even though relatively little is required to conduct a terrorist attack, “and such amounts can easily bypass the formal banking system.” Given the elastic definition of terror and the need to produce convictions, minor financial irregularities or petty crime are easily elevated to “terrorist financing” cases, a finding underscored by the 9/11 Commission. Indeed, as author Jonathan Randal points out, the “war against terrorist finances” has “nabbed few bad guys, ruined many innocents, frozen little hot money, and vastly complicated worldwide banking for the greater glory of a burgeoning American bureaucracy.”
Major Privacy Concerns
As the collection, retention, and sharing of personal information is set to escalate even further with the Harper government’s new anti-terrorism legislation (C-51), a January, 2015 survey found 90% of Canadians had privacy concerns, with 73% saying they feel they have less protection of their personal information in their daily lives. While transparency in the digital age is limited to non-existent (a March 2014 report from University of Toronto researchers found Canadian internet service providers scored an average 1.5 out of 10 on issues like warrantless provision of information to government authorities, with millions of such requests granted annually to state security agencies), most Canadians are caught in a conundrum that arises out of financial arrangements we all make to survive in a cruel economy.
Indeed, the fine print of my lengthy, previously unread credit card agreement informs me that my “personal information may also be stored, accessed, or used outside of Canada [where it would be] subject to the laws of that jurisdiction.” In other words, if the information is sitting on a U.S. server or has been shared with the FBI, it then is subject to provisions of the U.S. Patriot Act, under whose mandate a personal credit card donation to an overseas relief agency in a troubled country could cause someone problems crossing the U.S. border.
Meantime, like their brethren in the more clearly identified state security world (i.e., CSIS and the RCMP), FINTRAC seems rather insouciant about its appearance of lawlessness. As the Ottawa Citizen reported in March 2014, “Canada’s anti-money laundering agency believes it can legally collect and keep personal information such as social insurance numbers, despite the objections of the federal privacy commissioner.” Embassy magazine also reported in February, 2015 that FINTRAC is now encouraging "financial institutions to go as far as analyzing their clients’ public social media activity when investigating suspicious transactions."
While I still do not know why I was flagged by FINTRAC (was it for being outspoken on issues of national security or signing a petition condemning the TD Bank’s closing of bank accounts for customers suspected of Iranian heritage?), it is reasonable to expect that those annoying dinner-hour telemarketing phone calls are sure to get a lot more interesting.
FINTRAC Fast Facts
What: Financial Transactions and Reports Analysis Centre (Canada's “financial intelligence” unit)
When: Founded in 2000 under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act
Why: “to facilitate the detection, prevention and deterrence of money laundering and the financing of terrorist activities, while ensuring the protection of personal information under our control.”
2013/14 budget: $51,704,183
Employees: 343
Entities reporting to FINTRAC: 300,000+
Files held on Canadians: 165 million+
Concerns: Privacy Commissioner notes concern with “collection of data where there was no demonstrated need to collect and retain it,” refusal to delete personal, private information in FINTRAC databases that exceeds its mandate, “security procedures not always followed,” “inconsistent data minimization practices”, “quality control lacks privacy component,” “additional work is required to ensure consent is meaningful,” and 50% of recommendations made during a 2009 audit were still not satisfactorily implemented in 2013. Embassy magazine reported in February, 2015 that FINTRAC is now encouraging "financial institutions to go as far as analyzing their clients’ public social media activity when investigating suspicious transactions."
No comments:
Post a Comment