Bruce Schneier blogs about the Rhode Island man who alleges that his recent $6,522 payment to his JCPenney Platinum MasterCard was reported to the Department of Homeland Security because this payment was "a certain percentage higher" than his normal payment. I discussed this last week here.
Schneier's article is a mixture of good and bad, mostly good. Unlike the original article reporting this, he manages to get the name of the applicable law correct: the Bank Secrecy Act. He has pointers to the way the legislation was amended by the Patriot Act. He has pointers to a couple of excellent debunking posts by Seth Finkelstein, which I'll relink: here and here.
One of the commenters makes the observation that none of the statutes and regulations Schneier links to in his article have anything to do with the claimed facts; as near as I can tell, that's correct. There's more than enough reason to be extremely skeptical of the report.
Unfortunately, Schneier still feels that it's necessary to carp:
… certainly this kind of thing is what financial institutions are required to report under the Patriot Act.
Remember, all the time spent chasing down silly false alarms is time wasted. Finding terrorist plots is a signal-to-noise problem, and stuff like this substantially decreases that ratio: it adds a lot of noise without adding enough signal. It makes us less safe, because it makes terrorist plots harder to find.
Which neatly ignores:
- The Bank Secrecy Act has been around since 1970.
- The ACLU griped about this back in 1990:
  The ACLU said that it was only seven years ago that Congress amended the Bank Secrecy Act to require that banks file so-called "suspicious activity" reports, which banks must file whenever a transaction of $5,000 or more is carried out by a customer.
  Again, note carefully: the ACLU is talking in 1990 about a seven-year-old amendment to the BSA. Well before the Patriot Act.
- It's far from clear that this case (assuming that it happened at all) was a "terrorism" investigation; as Finkelstein points out, Homeland Security does criminal credit card fraud investigations as well, and it's very probable that this happened under that umbrella.
By pointing to terrorism and the Patriot Act, Schneier is almost certainly doing some "chasing down" of "silly false alarms" of his own. Again: if you want to raise the bar for reporting of financial transactions to law enforcement agencies, that's fine by me. But saying it's all due to the Patriot Act and terrorism investigators gone wild is just wrong and lazy.
For a much, much worse example, see the recent Slashdot article, which (unsurprisingly) is completely unskeptical of the original report; the light/heat ratio of the hundreds of comments is also quite low. (Maybe zero. Didn't read 'em all.)