DOJ's 'Hotwatch' Real-Time Surveillance of Credit Card Transactions

Email Print
FacebookTwitterShare

 

 
 

A
10-page
Powerpoint presentation (pdf)
that I recently obtained through
a Freedom of Information Act Request to the Department of Justice,
reveals that law enforcement agencies routinely seek and obtain
real-time surveillance of credit card transaction. The government’s
guidelines reveal that this surveillance often occurs with a simple
subpoena, thus sidestepping any Fourth Amendment protections.

Background

On October
11, 2005, the US Attorney from the Eastern District of New York
submitted a court filing in the case of In re Application For Pen
Register and Trap and Trace Device With Cell Site Location Authority
(Magistrate’s Docket No. 05-1093), which related to the use of pen
register requests for mobile phone location records.

In that case,
the US Attorney’s office relied on authority they believed
was contained in the All Writs Act to justify their request for
customer location information. In support of its claim, the office
stated
that:

Currently,
the government routinely applies for and upon a showing of relevance
to an ongoing investigation receives “hotwatch” orders
issued pursuant to the All Writs Act. Such orders direct a credit
card issuer to disclose to law enforcement each subsequent credit
card transaction effected by a subject of investigation immediately
after the issuer records that transaction.

A search of
Google, LexisNexis and Westlaw revealed nothing related to "hotwatch"
orders, and so I
filed a FOIA request
to find out more. If the government "routinely"
applies for and obtains hotwatch orders, why wasn’t there more information
about these.

It took a year
and a half to learn anything. The Executive office of US Attorneys
at the Department of Justice located 10 pages of relevant information,
but decided to withhold them in full. I filed my first ever FOIA
appeal, which was successful, albeit very slow, and finally received
those 10 pages this week.

As the document
makes clear, Federal law enforcement agencies do not limit their
surveillance of US residents to phone calls, emails and geo-location
information. They are also interested in calling cards, credit cards,
rental cars and airline reservations, as well as retail shopping
clubs.

The document
also reveals that DOJ’s preferred method of obtaining this information
is via an administrative subpoena. The only role that courts play
in this process is in issuing non-disclosure orders to the banks,
preventing them from telling their customers that the government
has spied on their financial transactions. No Fourth Amendment analysis
is conducted by judges when issuing such non-disclosure orders.

While Congress
has required that the courts compile and publish detailed
statistical reports
on the degree to which law enforcement agencies
engage in wiretapping, we currently have no idea how often law enforcement
agencies engage in real-time surveillance of financial transactions.

Reprinted
with permission from DubFire.

December
4, 2010

Christopher
Soghoian [send him mail]
is a Ph.D. Candidate in the School
of Informatics and Computing at Indiana University
and is advised
in his graduate studies by Markus
Jakobsson
. His research interests include data security and
privacy, cyber law, policy as well as phishing and other forms of
applied deception. He enjoys working at the intersection of applied
computer security, law and policy. His activism has resulted in
the successful passage of an amendment to Indiana’s data breach
laws, a congressional investigation of security flaws at the Transportation
Security Administration as well as several media firestorms. He
has consulted for, worked at or interned with the Berkman Center
for Internet & Society, the Palo Alto Research Center (PARC), the
American Civil Liberties Union (ACLU) of Northern California, the
Electronic Privacy Information Center (EPIC), NTT DoCoMo Euro Labs,
Google, Apple and IBM Research Zurich. Visit his website.

2010 DubFire

Email Print
FacebookTwitterShare
  • LRC Blog

  • LRC Podcasts