KAI RYSSDAL: This is Marketplace, from American Public Media. I'm Kai Ryssdal. Monday will be five years since September 11th. The first plane hit the North Tower a little past 8:45 in the morning. By the end of the day, the government was already asking businesses to help it find suspected terrorists.
ROBERT O'HARROW:"After 9/11, the government turned to almost any institution you can think of that collects information -- customer information. So we know, for example, that they got rental car information, storage facilities, hotels, airline passenger manifests."
Robert O'Harrow's a reporter for the Washington Post. He's also written a book about government surveillance since the attacks. It's called No Place to Hide.
O'HARROW:"The data that they collected sounds very mundane, and in many instances it is, but when you put it together you can find patterns and links that you can't see if you're just an old-fashioned gumshoe."
Using that information to find terrorists only works if there's a steady supply of it. From across all industries. Think about the big phone companies giving their customer records to the National Security Agency. Or discount airline JetBlue giving personal details about its passengers to the TSA.
More than ever before, businesses have your most private information. What your Social Security number is and how much you make are practically child's play. They can track your cell phone calls and know exactly where you are. And they're sharing almost all of that with the government. Peter Swire is professor of law at Ohio State University. During the Clinton Administration, he was chief privacy advisor for the White House.
PETER SWIRE:"The change from history is that your personal records used to be in your control. They were in your lock box, in your house or whatever. Today those records are at the bank, they're at the doctor's office, they're in the phone company records, and the government can go to these third parties and say, 'Let's see what he's got.' And the third parties can turn over enormously detailed records of where you've been, who you've talked to, and all the rest. The Fourth Amendment hasn't kept up with that. So the government is the Sheriff, and business is Deputy Dog, faithfully doing what the government says."
RYSSDAL:"What's your perception of the balance that businesses keep between disclosing customer information and maintaining their privacy when the government comes knockin' on the door?"
PETER SWIRE:"Right after 9/11, we were all in emergency mode; we didn't know if 9/11 was one of ten attacks that would happen in the next month or two. And it makes a lot of sense, in those first days of urgency, to do really extraordinary things to react to the threat. I felt that way; I think pretty much all of us did. Now it's five years later. For business, that means that there should be greater clarity about what they're supposed to share and what they're not supposed to share. The phone companies, for instance, got in a tough situation, where there were lawful ways to get the record requests and give them to government, but government was asking for them outside of those channels."
RYSSDAL:"The big piece of legislation since September 11, of course, was the PATRIOT Act. It's been renewed, in various parts and forms since then. But what else has been done, by Congress and by the president, legislatively, to make these sorts of data and business records accessible?"
PETER SWIRE:"The Homeland Security Act, creating Homeland Security and then authorizing certain collection, is one of the steps towards surveillance. But there's also been little nuggets put into authorization bills, giving the CIA and the FBI and the NSA additional authorities they didn't have before. One part of the PATRIOT Act that got less attention was a very large expansion of so-called 'money laundering laws,' which put its obligations on not just banks but many other companies -- pawnshops, gambling casinos, and the rest. These organizations are supposed to know their customers and give in what are called 'suspicious activity reports' if they see any transactions that don't fit the normal pattern."
We'll hear more from Peter Swire in couple of minutes. But we wanted to look at some of those changes to banking rules he was mentioning. They've had an enormous effect on financial services companies. And Annie Baxter reports those rules are shaking out some of the industry's smallest players.
ANNIE BAXTER: One of the unexpected fronts in the war on terror is BankCherokee. It's a community bank in St. Paul, Minnesota.
Teller:"There you go Val, have a good weekend... You guys doing anything this weekend?"
Teller:"Painting. Whoa, yay!"
BAXTER: Even though the tellers already know most of the customers by name, BankCherokee has to be extra cautious about the identity of the people it serves. Banks now have to check customers' names against a list of prohibited people. And they're encouraged to file 'suspicious activity reports' if a customer's transactions seem fishy. That's because laws passed after 9/11 beefed up security standards in the Bank Secrecy Act. It's a set of laws that previously had more to do with detecting money laundering and tax evasion than terrorism.
Bill Patient is BankCherokee's compliance officer. He says it's the bank's moral obligation to help prevent terrorism. Still, getting his bank in line with the post-9/11 security rules requires a lot of extra resources.
BILL PATIENT:"It's more and more time consuming, obviously more expensive for us, just in terms of complying with that body of law. If it used to be 25% of my time, it's probably now 40% of my time."
BAXTER: Farther down the financial services food chain, even businesses offering money wire services are now subject to the same security rules as banks. That's true for big companies like Western Union, and smaller money transfer businesses. In Minnesota, a dozen or so of those companies cater to refugees from the war-torn country Somalia.
Abdullahi Hassan runs one of those businesses. He says his customers' money wires typically involve small sums-- they send a few hundred dollars a month back to their families in Somalia. But just the same, Hassan meticulously documents every transaction for security purposes.
ABDULLAHI HASSAN:"We are writing down the serial number for every hundred dollar or fifty dollar we give, to make sure nobody says 'you gave us a counterfeit dollar.' And we are doing everything in our powers to follow the letter of the law."
BAXTER: In spite of Hassan's efforts to be vigilant, he was told by his bank that it no longer wants to carry his business account. A number of banks nationwide are closing the accounts of companies that wire money abroad. Banks can't always vouch for what happens at the other end of international transactions. And yet, their necks are on the line if the money ends up in terrorists' hands.
Abdullahi Hassan says he might lose his business if his bank drops him. And that could have grave consequences for his livelihood -- and the livelihood of the people in Somalia who receive his customers' money transfers. Many of them rely on that money to survive. Hassan says he'd do whatever it takes to step up his security measures, if it would make things easier on his bank. He'd even go to Somali villages and guarantee that the people receiving the wired funds aren't security threats.
HASSAN:"We are prepared to go back in the villages, take anybody who deals with us, get their fingerprint, get their picture, have them in our system. We are willing to do that."
BAXTER: Banker Bill Patient hasn't had to ask for such extensive documentation from any of his customers yet. But he says he's still handing over a lot of data to the government, and sometimes he wonders to what end.
PATIENT:"We've got all of this data; how much actually led to something? That's a question all of us have. After all this effort and all these resources, what success have we had?"
BAXTER: Just the same, Bill Patient doesn't see an end in sight to the push for information. If anything, he imagines the government will probably ask for yet more.
I'm Annie Baxter, for Marketplace.
RYSSDAL: That was Annie Baxter in St. Paul. Let's pick up on her last line, about the chances of government wanting increasingly more information. And turn back to Ohio State law professor Peter Swire.
SWIRE:"There's no logical limit to who gets asked. If you look in Attorney General Gonzales' or the other people in the administration's, requests for data, you cannot find a limit to how much they want to know. In addition to that, with some of the secrecy orders that we have under the Foreign Intelligence Surveillance Act and the PATRIOT Act, now if it's the real estate company, if it's the landlord being asked about the tenant, if it's rental car companies, and a lot of other people, they can be facing these secrecy orders and be facing a government request, and if they think it's over-reaching, it's against the law for them to even tell that it's going on."
RYSSDAL:"Now I'm wondering where the line is between information that is directly pertinent to the war on terror, and just grabbing what you can because you can."
SWIRE:"You know, a current example of the 'grab what you can' is the so-called 'data retention request' from the Attorney General. He's saying that because some people use the Internet to look at child porn, and they do a few hundred prosecutions a year, now the Internet Service Providers are supposed to keep everybody's surfing records and e-mail records for two years. Because it's going to help in the fight against child porn, and they've mentioned, 'and also maybe for terrorism.' That's a very different Internet, and a different business on the Internet, than we thought we had. One of the changes in the PATRIOT Act was, it used to be, when they went for people's phone records, under national security letters, they would get the target person's phone records. One of the PATRIOT Act changes is they can now ask for the entire database. Just a little change in language, but instead of asking for the record of the suspect, now they can ask for the entire database."
RYSSDAL:"September 11, obviously, was a catalyst for a lot of this merging of government desire for what businesses have on file. Do you think, though, in some way, it was inevitable?"
SWIRE:"Inevitably, we're computerizing records. Inevitably we have sensors; we have new detail on your cell phone, and your Internet things, and everything you do. So the level of detail is up, and the cost of sharing is down. So it's just going to be easier, over time, to share data in lots and lots of ways. One of my big themes is: Accept that. Benefit from it when it's sensible to use the data. But at the same time, build in the checks and balances, build in the categories of what's worth sharing and what's not worth sharing, so that we have a structure where people have some privacy, where computer security is respected, where the government's not just saying 'Trust us, we'll take everything and tell you later what we think is OK.'"
RYSSDAL: Peter Swire teaches law at Ohio State. He's also a fellow at the Center for American Progress. There's more coverage of how September 11th changed your personal security on our Web site. It's marketplace.org. You can also listen to our broadcast from September 11th, 2001 there.