NSA Collects Private Financial Details of Europeans


Spiegel's report is shorter than many of the Guardian and Washington Post articles published over the last few weeks, and is low on details. Nevertheless, it claims that the NSA has a specific project called 'Follow the Money' that acquires financial data from both SWIFT and Visa, and feeds it into its own database known as Tracfin.

'Tracfin' is, incidentally, also the name of a French task force set up in 1990 to fight money laundering and terrorist financing. There is nothing in the Spiegel report to confirm or deny any connection between the two.

"NSA analysts at an internal conference that year [2011] described in detail how they had apparently successfully searched through [Visa's] complex transaction network for tapping possibilities," reports Spiegel. It implies, but doesn't specify, that this successful search was at least partially responsible for the collection of 180 million transaction records stored within Tracfin by 2011. "Some 84 percent of the data is from credit card transactions."

It isn't explained how the data is collected, but "a VISA spokeswoman ruled out the possibility that data could be taken from company-run networks," says Spiegel. 

SWIFT is also named as an NSA target. Documents show "that the NSA spied on the organization on several levels, involving, among others, the agency's 'tailored access operations' division." At the end of last month, TAO was revealed as the NSA's 'elite hacking group.' And last week Bruce Schneier described it as that part of the NSA that attacks endpoint computers. "TAO has a menu of exploits it can serve up against your computer – whether you’re running Windows, Mac OS, Linux, iOS, or something else – and a variety of tricks to get them on to your computer," he wrote in the Guardian.

If both of these statements are correct, then the implication is that the NSA has hacked into the SWIFT system. There is even a hint as to how this might have been achieved: "One of the ways the agency accessed the data included reading 'SWIFT printer traffic from numerous banks,' the documents show."

However, the US government already has legal access to SWIFT data under the EU-US terrorist finance tracking programme (TFTP). Back in 2010, EDRI reported, "There have been reports that the US Treasury has received up to 25% of all SWIFT transactions, which number in the billions each year." If this figure is correct it suggests that the US Treasury legally receives a far greater amount of transactional details than the 180 million that the NSA had acquired for its Tracfin database.

Unfortunately, the relationship between the NSA database and the TFTP is not covered. Nevertheless, this new information from Spiegel will only fuel MEP calls for the TFTP to be suspended. Last week Dutch deputy Sophie in't Veld demanded that the European Commission immediately suspend the TFTP, saying "It is increasingly evident that the NSA data tracking programmes go far beyond the fight against terrorism."

She may even have an unexpected ally. Spiegel describes a GCHQ document concerned about the legal aspects of 'follow the money': "The collection, storage and sharing of politically sensitive data is a deep invasion of privacy, and involved 'bulk data' full of 'rich personal information,' much of which 'is not about our targets,' the document says."

Update
After publishing this article, Visa Inc contacted Infosecurity with the following statement:

“With respect to the claims in the Der Spiegel article, we are not aware of any unauthorized access into our network. Visa takes data security seriously and, in response any [sic] attempted intrusion, we would pursue all available remedies to the fullest extent of the law.  Further, it’s Visa’s policy to only provide transaction information in response to a subpoena or other valid legal process.”
