OSD 267: I showed you my data, please respond
“In the future, everyone’s gun purchases will be famous for 15 minutes.”
Some news from world of data privacy flew under the radar a few weeks ago. A House of Representatives committee released a report on financial institutions sharing data with the federal government.
The opening of the report includes the biggest revelation from it:
As part of the oversight conducted by the Committee on the Judiciary and the Select Subcommittee on the Weaponization of the Federal Government, the Committee and Select Subcommittee received testimony from retired FBI Supervisory Intelligence Analyst George Hill on February 7, 2023. Mr. Hill testified that Bank of America (BoA) provided the FBI — voluntarily and without any legal process — with a list of individuals who had made transactions in the Washington, D.C., metropolitan area with a BoA credit or debit card between January 5 and January 7, 2021, and that individuals who had previously purchased a firearm with a BoA debit card or credit card were elevated to the top of the list regardless of when or where the purchase was made.
In his transcribed interview, Mr. Hill stated:
The Bank of America, with no directive from the FBI, data-mined its customer base. And they data-mined a date range of 5 to 7 January [of 2021] any BOA customer who used a BOA product. And by “BOA product”, I mean a debit card or a credit card. They compiled that list. And then, on top of that list, they put anyone who had purchased a firearm during any date. So it was a huge list ….
The background is that the FBI was investigating the January 6, 2021 riot, and they realized that financial institutions would have relevant data to mine. So they reached out to a list of banks to suggest a friendly meeting where they could brainstorm “the best approach to information sharing, both strategic and operational, related to the Capitol Riots”:
Bank of America went above and beyond with their homework, and handed the FBI a list of every customer who had both made purchases in DC between January 5-7 and had ever purchased a firearm.
A few notes on this:
Bank of America was absolutely not required to give that data to the FBI. There’s an old school of institutions that views the government as a special partner who should get unusual, off-the-books access to data. The new school (which is an admittedly much shorter list of companies) recognizes that the government is, for better or worse, an important entity a company must deal with in good faith — but that those dealings have to be governed by the rule of law and need to treat users’ rights as sacrosanct.
“Bank of America was absolutely not required to give that data to the FBI.” Well, weren’t they? If you get a letter from the local mafia boss saying, “I’m building a consortium of local businesses that are willing to help me out with some things, but you’re not required to participate”, then how free, really, are you to decline? This isn’t as far-fetched as it sounds. NRA v. Vullo, the pending SCOTUS case, is about exactly this issue — a government agency with the power to fine, charge, or shut down a business contacting that business and giving “voluntary” guidance about how the business should operate.
The incentives are for financial institutions to err on the side of oversharing data with the government. The US government, for example, requires institutions to file a SAR (“suspicious activity report”) any time they detect suspicious activity on their rails. What is suspicious activity? Here’s FinCEN’s description:
Suspicious activity is any conducted or attempted transaction or pattern of transactions that you know, suspect or have reason to suspect meets any of the following conditions:
Involves money from criminal activity.
Is designed to evade Bank Secrecy Act requirements, whether through structuring or other means.
Appears to serve no business or other legal purpose and for which available facts provide no reasonable explanation.
Involves use of the money services business to facilitate criminal activity.
What does it mean that you had “reason to suspect” that a customer’s activity would later be deemed suspicious by the government? That’s up to the government. Failure to file a SAR that the government later decides you should have filed is punishable by fines for the bank and prison for bank employees.
This leads to the expected result: banks file a lot of SARs. There’s no cost to filing too many, and there are ruinous costs to filing too few. The number of SARs filed goes up each year (reaching 3.6 million in 2022), and the Cato Institute reports that only 4% of SARs warranted any additional review from law enforcement. FinCEN doesn’t report on how many of those 4% are ultimately found to be criminal. In the meantime, banks are forcibly deputized to send data on millions of customers directly to the government.
With all of that context, of course Bank of America overshared data with the FBI. When a bank gets big enough, its choices are either to play ball or to play with fire.
In the gun rights space, revelations like this sometimes lead to a resort to luddism or isolationism. Use cash. Retreat to only gun-rights-friendly platforms. That’s understandable. But it’s also dangerous. If gun rights are going to keep growing, it’s going to be by taking advantage of all the modern tools that the most vibrant ecosystems use. Not by self-handicapping.
That’s easier said than done. Technology can be a force for decentralizing power, but on some trajectories it can do the opposite. From “OSD 137: Centralization and decentralization, the two problems that keep solving each other”:
This is the part of the essay where we say, “This is why large, centralized databases are inherently dangerous. Chuck them into Mount Doom and decentralize everything. Whether it’s an accident, intentional misuse by whoever has the data, or action by a hostile third party, bad things are going to happen.”
And that’s true. Bad things are going to happen. But the hard part is that centralization exists because it solves problems that decentralization introduces.
To use a non-gun example: cryptocurrency used to be fully decentralized. Then people built centralized structures and companies on top of it, because users wanted things like break-glass transaction reversals, insurance, protection from theft and fraud, etc. Then those centralized levers became handy attack vectors for actors who were hostile to the underlying decentralized infra. So then people started working on decentralized replacements for those centralized levers. Rinse and repeat.
You see the same dynamic in internet infra, with content policies that started at the fluffiest parts of the product layer now having cat-and-moused all the way down to the level of cloud hosting.
You see it with encryption, where every few years there’s a debate about whether strong encryption is going to remain legal, and the response is that governments and big companies shoot holes in it. Then decentralized actors run around up-armoring the ecosystem before the next wave of attacks on centralized choke points.
This stuff is a drunken walk, tottering back and forth between centralization and decentralization. If you get upset about those swings, you’re going to have a bad time, because the swings are inevitable. The high-order bit isn’t whether the swings happen, it’s whether they tend in any particular direction over time. The drunk totters between centralization and decentralization, but does each swing leave him a little bit closer to decentralization?
To use another metaphor: you’ll lose your shirt betting on a truly random coin. But a coin that you know comes up heads 50.1% of the time will make you rich. Over time, small trends make a big difference.
Modern tech can cut against gun rights when it’s commandeered by the government, but at the same time we all get more and more access to the same tools that large companies use. In the long run, the benefits will accrue more to individual freedom than to attempts to suppress it.
This week’s links
OSD’s Chuck Rossi on the Liberal Gun Owners podcast
Good discussion. Part 2 here.
B Squared Mfg explains his handbuilt clone of the BR55 battle rifle from Halo
Super cool, complete with a working ammo counter like in the game. This was featured in the latest Garand Thumb video.
Thread on the attempted xz utils backdoor
Impressive sophistication.
Read the preface of David Yamane’s new book Gun Curious
He’s one of the only sociologists approaching gun ownership without the assumption that it is a pathology.
Lewis Hamilton at Taran Tactical
Normalization 👏
More about Open Source Defense
Merch
Rep OSD.
OSD Discord server
If you like this newsletter and want to talk live with the people behind it, join the Discord server. The OSD team is there along with tons of readers. See you there.
There's a reason I fired Bank of America years ago.
"In the gun rights space, revelations like this sometimes lead to a resort to luddism or isolationism. Use cash. Retreat to only gun-rights-friendly platforms. That’s understandable. But it’s also dangerous. If gun rights are going to keep growing, it’s going to be by taking advantage of all the modern tools that the most vibrant ecosystems use. Not by self-handicapping."
This reminds me of how, due to narrowing restrictions, the gun industry itself is reduced to operating on a 1950's-60's type business plan. Cash on Hand. Print and word of mouth advertising. So. Much. Paper. The industry isn't ALLOWED to join the 21st century in any meaningful way, and those of us who consume from that industry are likewise not allowed the benefits of technology that has helped every other industry, but you can damn well count on any technology that can be used against us can and will with immediacy.
I absolutely do not want banks sharing the details of my financial transactions with the government, firearms or otherwise. But... this is not actually all that out of the ordinary.
Financial institutions don't just share data like this with anyone... but they do _sell it_ to just about everyone. This is, for example, why you will see advertisements for whatever you just bought when you're scrolling through social media. The advertiser ecosystem has accessed your financial transactions data, associated it with you as a user, somehow, and then made the questionable assumption that you obviously want to buy more of whatever you just bought.
Further, so, I have not read anything about this incident other than what is written in this blog post, but it's not clear to me: did BoA _share_ this information with the government, or did they _sell it_ to the government? I remember a talk at a hackerspace I attended, over a decade ago now, where a local cop told us that it is _routine_ for social media platforms to hand over data to the government, and they love to do it, because they get to bill hundreds of dollars an hour for the engineering work involved in preparing that data.
In light of this... look, I'm not saying I approve of what the government is doing. But the government is just doing what private industry already does, and nobody is up in arms about this kind of thing when a private company does it. I think they should, but, there's a large gap between is and ought.