The National Security Agency's PRISM surveillance program has sparked a major outcry over phone monitoring, but the less-publicized government accumulation of credit card and other payments data can provide far more granular intelligence, according to payments experts.
"Payments are one of the strongest data elements you can collect. It's the ultimate test of 'big data' and behavioral analytics," says Richard Crone, a payments consultant. "When combined with telephone logs and other data points, payment records are extremely valuable."
The NSA has forged relationships with credit card companies as part of its terrorism security program, according to The Wall Street Journal. MasterCard, Visa, Discover and American Express would not discuss any such relationships with the NSA, nor have the card networks publicly discussed the matter.
"I was in Russia a couple of years ago speaking at a conference. There was some concern there about allowing Visa payments because the people in Russia were concerned about Visa selling information to the CIA. I laughed at the time because I thought it was preposterous," says Avivah Litan, a vice president and security expert at Gartner.
The NSA would not make a representative available for an interview. It has issued a statement defending the broad program, but has not addressed the credit card component.
Beyond the obvious searches for purchases that can tip off potential criminal behaviorsomeone buying fertilizer and cooking materials, for examplepayments data can provide a view into a person's behavioral patterns, as well as reveal where and when a person is at the time of the purchase. Other details on past shopping and Web searches can be matched with GPS details to deepen the quality of the predictive data.
"Google is already using this technology. I searched for Burger King a few weeks back, around noon, while logged in as a Google user. At about 4:30, while I was out, I got an [alert] saying I was an 11-minute drive from the nearest Burger King," Crone says, adding retailers such as Wal-Mart also use similar analysis when building "favorite" lists for consumers. "If [investigators] know where you made a purchase, and what you purchased, and matched that with the [metadata on] calls you made on a phone, that would greatly help the NSA and law enforcement."
The power of payments for law enforcement surveillance is increasing as mobile apps are used for shopping. These apps combine shopping, location, and past purchases to form a profile that is used for marketing, coupons and special offersbut this data also has law enforcement uses.
"Just by looking at a credit card you can produce a behavioral analysis. You can't do that with email. You can eavesdrop on communications between people, but you don't know habits or where people are showing up," Litan says.
The terms of any agreements between the card networks and the government have not emerged, including whether any sharing falls under the Patriot Act, anti-money laundering or "know your customer" laws.
"Know your customer laws are [generally used] at the opening of the account, at the application process and when the institution has to validate and authenticate the user. What's reported [in The Wall Street Journal] goes beyond that. It's data feeds and monitoring," Crone says.
It's unlikely the card companies would share transaction data with the government unless compelled, Litan says.
"I can't imagine they would just share the records," she says. "I've never heard of transaction data or payment information on a credit card used for compliance."
While details on the card aspect of the NSA program are still scarce, the program worries consumer advocate John Simpson.
"We're learning more about this overreach by the day," says Simpson, director of the Consumer Watchdog's Privacy Project. "I can see if you had a specific reason to gather data on a specific individual. Then you'd go get a warrant. "But this [card program] sounds as though it's part of the same sort of dragnet [as the phone program.]"
Other government agencies also collect payment data. The U.S. Treasury Department issues subpoenas to SWIFT as part of the Treasury Department's anti-terrorism finance program.
"The question is around who owns that data, and who has a say in how it's used," says Gareth Lodge, a senior analyst at Celent.
The Consumer Financial Protection Bureau also collects data from various sources that it did not identify. The bureau describes its collection efforts in an email.
Much of the data that CFPB has acquired under its supervisory authority is from third parties that have already collected and compiled the data. The CFPB uses the data to assess and examine compliance with federal consumer financial protection laws, to detect and assess risks to consumers in the credit card marketplace, and to detect and assess risk to the market itself.
The CFPB's program also has drawn opposition, though Simpson says he's not opposed to the intent of the CFPB's program, provided it can be done while protecting privacy. "If they are using the data to find out the average time that it takes people to pay their bills or information about interest rates, I wouldn't have a problem with that," he says.
While there's the obvious difference in mission the law enforcement focus of the NSA vs. the consumer protection mandate of the CFPB data from one agency could in theory be used to inform the work of another provided an information sharing agreement could be reached between the two agencies.
"Credit card payments are just a few fields, so it's not like they would have different data than law enforcement," Litan says. "It's a just a matter of whether they can or are sharing between the agencies."
Correction: an earlier version of this story misstated the National Security Agency's full name.