Schneier on Security
A blog covering security and security technology.
April 10, 2006
You've all heard of the "No Fly List." Did you know that there's a "No-Buy List" as well?
The so-called "Bad Guy List" is hardly a secret. The U.S. Treasury's Office of Foreign Assets Control maintains its "Specially Designated Nationals and Blocked Persons List" to be easily accessible on its public Web site.
Wanna see it? Sure you do. Just key OFAC into your Web browser, and you'll find the 224-page document of the names of individuals, organizations, corporations and Web sites the feds suspect of terrorist or criminal activities and associations.
You might think Osama bin Laden should be at the top of The List, but it's alphabetized, so Public Enemy No. 1 is on Page 59 with a string of akas and spelling derivations filling most of the first column. If you're the brother, daughter, son or sister-in-law of Yugoslavian ex-president Slobodan Milosevic (who died in custody recently), you're named, too, so probably forget about picking up that lovely new Humvee on this side of the Atlantic. Same for Charles "Chuckie" Taylor, son of the recently arrested former president of Liberia (along with the deposed prez's wife and ex-wife).
The Bad Guy List's relevance to the average American consumer? What's not widely known about it is that by federal law, sellers are supposed to check it even in the most common and mundane marketplace transactions.
"The OFAC requirements apply to all U.S. citizens. The law prohibits anyone, not just car dealers, from doing business with anyone whose name appears on the Office of Foreign Assets Control's Specially Designated Nationals list," says Thomas B. Hudson, senior partner at Hudson Cook LLP, a law firm in Hanover, Md., and publisher of Carlaw and Spot Delivery, legal-compliance newsletters and services for car dealers and finance companies.
Hudson says that, according to the law, supermarkets, restaurants, pawnbrokers, real estate agents, everyone, even The Washington Post, is prohibited from doing business with anyone named on the list. "There is no minimum amount for the transactions covered by the OFAC requirement, so everyone The Post sells a paper to or a want ad to whose name appears on the SDN list is a violation," says Hudson, whose new book, "Carlaw -- A Southern Attorney Delivers Humorous Practical Legal Advice on Car Sales and Financing," comes out this month. "The law applies to you personally, as well."
But The Bad Guy List law (which predates the controversial Patriot Act) not only is "perfectly ridiculous," it's impractical, says Hudson. "I understand that 95 percent of the people whose names are on the list are not even in the United States. And if you were a bad guy planning bad acts, and you knew that your name was on a publicly available list that people were required to check in order to avoid violating the law, how dumb would you have to be to use your own name?"
Compliance is also a big problem. Think eBay sellers are checking the list for auction winners? Or that the supermarket checkout person is thanking you by name while scanning a copy of The List under the counter? Not likely.
Posted on April 10, 2006 at 6:23 AM
That's amazing. It seems that in order to comply with the law, a vending machine will have to check the identity of the customer before selling him or her a soda!
@Michael: yes, AFAICT.
"Laws like this that are so ridiculous that no one obeys them do nothing to inspire respect in our legal system," says Hudson.
No, but they do make for a lovely Soviet police state.
"it's impractical", says Hudson.
Not at all! It is easy to download the list to a PDA and use it to check for suspected terrorists. All citizens should be required to carry an anti-terrorist PDA right next to their constitutionally "mandated" handgun.
Of course it will not catch any terrorists, but maybe people will feel good about "doing everything possible in the war against terrorism".
Bruce, think "Wire Transfers". It's the fastest and easiest way to move your ill-gotten gains. Since many of these folks [their money, not them] are in Europe (western & eastern) it's more difficult to move money around to US banks (that also have overseas operations). They can't run down to the BofA in downtown Strasburg and wire $10 million to the Cayman Islands.
We have to check every wire against the OFAC list every day. [Just in case Fidel is moving his $ again :-)].
Since when was practicality a requirement for national security measures? This has gotten even more ludicrous under the Patriot Act and the Bush government.
We wouldn't need to ban cigarette lighters from airplanes if the TSA and DHS actually did their real jobs... but Bush's administration has never been about real security, just job security...usually theirs.
"That's amazing. It seems that in order to comply with the law, a vending machine will have to check the identity of the customer before selling him or her a soda!"
You can't be too careful. Some of those soft drinks are pretty amazing. We don't want terrorists to have access to Mountain Dew, for example.
"Some of those soft drinks are pretty amazing."
I have read that some of these sodas have high levels of substances that can induce cancer. They are hazardous to our health, probably a greater threat than terrorism. Maybe we should ONLY sell them to terrorists. ;-)
If the soft drinks cause cancer, there's no doubt that the terrorists are buying them to build some sort of biological weapon...
I worked for a mortgage banking firm a few years ago, and I can confirm that part of our checks on people who wanted to have some money for a house was to do a search on their name on that OFAC page. Seemed a little silly that part of my workflow was hitting ctrl-F on an unencrypted web page.
Seems like the perfect application for a Bloom Filter! It keeps the actual list secret, gives some false positives, and (most importantly) you can add names but can't remove them.
(I wish I were joking about this)
And of course, this Awesome Power to Screw Up People's Lives will only be used for good purposes.
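The Bloom filter idea in the comment above is worth seeing in code, because its three properties (the names themselves are not stored, only bits; lookups can give false positives but never false negatives; items can be added but not removed) follow directly from how the structure works. The following is an added example written for this page, not code from any commenter or from OFAC; the listed names and the customer names it probes are constructed, and the sizes of 64 and 8192 bits are chosen only to make the false-positive effect visible.

```python
import hashlib


class BloomFilter:
    """Fixed-size bit array with k hash positions per item.

    Only bits are kept, so the listed names cannot be read back out.
    might_contain() can return True for a name never added (false
    positive) but never False for one that was (no false negatives).
    There is deliberately no remove(): clearing a bit could also un-set
    it for another name that happens to share that bit.
    """

    def __init__(self, m_bits: int, k_hashes: int) -> None:
        self.m = m_bits
        self.k = k_hashes
        self.bits = bytearray((m_bits + 7) // 8)

    def _positions(self, item: str):
        # k independent positions derived from SHA-256 over seed || name.
        norm = " ".join(item.lower().split())  # crude name normalisation
        for seed in range(self.k):
            digest = hashlib.sha256(f"{seed}:{norm}".encode()).digest()
            yield int.from_bytes(digest[:8], "big") % self.m

    def add(self, item: str) -> None:
        for pos in self._positions(item):
            self.bits[pos // 8] |= 1 << (pos % 8)

    def might_contain(self, item: str) -> bool:
        # True means "possibly listed, review it"; False is definitive.
        return all(self.bits[pos // 8] & (1 << (pos % 8))
                   for pos in self._positions(item))


# Constructed sample names, not real SDN entries.
SAMPLE_LISTED = [f"listed person {i}" for i in range(20)]


def build_filter(m_bits: int, k_hashes: int, names=SAMPLE_LISTED) -> BloomFilter:
    bf = BloomFilter(m_bits, k_hashes)
    for name in names:
        bf.add(name)
    return bf


def false_negatives(bf: BloomFilter, names=SAMPLE_LISTED) -> list:
    """Names that were added but are not found: must always be empty."""
    return [n for n in names if not bf.might_contain(n)]


def false_positive_rate(bf: BloomFilter, probes: int = 1000) -> float:
    """Fraction of never-added (constructed) customer names the filter flags."""
    hits = sum(bf.might_contain(f"unlisted customer {i}") for i in range(probes))
    return hits / probes


if __name__ == "__main__":
    for m in (64, 8192):
        bf = build_filter(m, 3)
        print(f"{m:5d} bits: misses={len(false_negatives(bf))} "
              f"false-positive rate={false_positive_rate(bf):.3f}")
```

With 20 names in 64 bits roughly a fifth of innocent customers get flagged; with 8192 bits the rate is effectively zero, which is exactly the sizing trade-off a screening system would have to get right, since every false positive is a person who cannot buy bread until someone reviews the hit.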
The web site appears to be unavailable.
Is this the first instance of a "Schneierdotting" :-)
Is this not another instance of "how to really screw over anyone with a similar name to a terrorist"?
So, if a terrorist doesn't like someone, start using their name as an alias. Then their name will get added to the list.
Looks like self-advertisement for the lawyer's book... When was the last prosecution? It's relevant for banking transactions as mentioned by earlier comments.
"Same for Charles "Chuckie" Taylor, son of the recently arrested former president of Liberia"
Thanks Bruce. You should know that you've done your bit in the GWOT, since I recently received an email from "Chuckie" with a very intriguing business proposition. These internets sure are amazing.
These names are a joke, right? Just how many folks called "Ahmed Mohammed" can you imagine there are? Or does the block only apply if he signs his order "a.k.a. Ahmed the Egyptian"? (assuming he chooses to write in Latin script with this form of letters). Pity any other Egyptians called Ahmed.
Or there's "Abu *" - e.g. "father of *".
> The web site appears to be unavailable.
> Is this the first instance of a "Schneierdotting" :-)
No, that's happened before (last time in December if I recall). Schneierdotting is less frequent, but it still occurs (usually with destination hosts with *really* small bandwidth allocations).
Of course, usually Bruce posts papers (which are on university nets with "fat pipes") or articles from some newspaper (ditto).
And for anyone who wants to join the terrorists, or to help them out in any way, its a perfect list of contacts, advisors, suppliers, etc.
It's probably a best seller in some parts of the Middle East...
You'll be surprised, but when I recently visited the branch of Citibank in Moscow, Russia (in a rather out-of-the-way location) in order to exchange $100 into local Russian currency, I was, sure enough, asked for a passport and given a printed receipt. The receipt was stamped by the nice red "Sanctions/SDN Verified".
It was a routine street level operation, and it made me laugh, imagining somebody like Mira Milosevic going to Citi to change the bill to buy some bread :)
The NYT obviously does not check the list, they have a Charles Taylor doing book and film reviews.
"The OFAC requirements apply to all U.S. citizens. "
I just found myself a market niche:
I'll open an OFAC-agnostic produce stand.
"Having trouble buying your vegetables?
Come on over to Gerd's No-OFAC fruits&vegetables".
My business will flourish and prosper, until
my name makes it onto the list also ;-)
Okay, I found the list, is there any angle I can play to sell goods and services to these people, maybe as part of an affinity program?
"You can't be too careful. Some of those soft drinks are pretty amazing. We don't want terrorists to have access to Mountain Dew, for example."
If Osama does the Dew, it's all over.....
This law is only impractical if you think its purpose is to stop people selling to the "Bad Guys."
If, instead, you realize that this law, like so many others, is meant to make it easier to prosecute as wide a number of people as possible, then you see that it is a very effective law.
A famous example of this "type" of law is our tax code being used to prosecute mobsters, prostitutes, drug dealers, and other "Bad Guys."
Another example is the use of data recovery professionals to find out if you ever had anything illegal on your computer. Even if it was in temp files, and even if you said, "eeewww! I don't want to be seeing crap like that! I'd better delete that right now and never go back!" These "types" of laws allow them to go after you if they wish.
It's purely to make life easier for the prosecutors.
Greetings, I am Enid Taylor, wife of former President of Liberia, Charles Taylor. I need your assistance for a business transaction. There will be NO RISK to you. Currently I have 50000 (FIFTY THOUSAND) humvees in a car lot in Texas, but I am unable to access them due to the OFAC list. I propose to transfer them to your name so you can collect, and then you transfer 60% of the humvees to me, keeping the remainder as your profit.
Greetings, I am Bob, whose name just happens to resemble that of an alias of a cousin of a suspected terrorist sympathiser's mother-in-law.
I currently have $50 in my account but find myself unable to buy milk and bread at the local shop.
In return for your assistance you can keep 3 slices of bread (white or wholemeal, your choice) and a glass of milk.
Wow - what a great resource for matching SSN, passport and DOB records! ;)
I know most (if not all?) banks in France have an "OFAC filter" running with their SWIFT installations. As one poster guessed, it does generate many false positives. One large institution I worked for had a dedicated team to handle these.
Hah. This WP reporter just heard about OFAC? He doesn't know from stuff. This bad guy list has been in place for years and years. What's more, your great country has a wonderful set of sanctions against bad countries including, of course, that island in the Caribbean which is such a danger to US freedom and democracy. Check out http://www.treas.gov/offices/enforcement/ofac/...
Then there's the even more wonderful Bureau of Industry and Security, part of the Department of Commerce, that regulates in excruciating detail what may and may not be exported from the USA (yes, that means you, if you ever send anything out of the country). To really blow your mind, check out the Export Administration Regulations: http://www.bis.doc.gov/licensing/...
It is not quite as daft as it looks.
For example, if you wanted to donate money to help the Palestinian people, but not terrorists, you would be well advised to check the organisation you donated to was not on the list. If you fail to do so, and donate to "RELIEF COMMITTEE FOR SOLIDARITY WITH PALESTINE" under one of its many aliases, or even "BENEVOLENCE INTERNATIONAL NEDERLAND", you could end up in trouble.
SDN compliance is a _major_ pain and you'll notice the best advice the OFAC site gives you is to download the PDF doc of all 5000 names and do a find for each one of your clients against the list. Penalties are stiff - $1mm for unknowingly doing business with someone from the list and $10mm + 30yrs prison for knowingly transacting.
I wrote the SDNcompliance.com website to help alleviate the burden people face in checking their client lists against the SDN. This tool parses the SDN list nightly, indexes it and allows you to export your Outlook contacts and match them against the list. It's all free and advertising driven and the solutions I looked at that are out there now by Attus and Bridger Insight are ungodly expensive and horrible interfaces.
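The two comments above describe the real engineering problem: the list prints names as "SURNAME, Given" with strings of a.k.a. spellings, so the ctrl-F approach the OFAC site suggests misses reordered and variant spellings, while any fuzzier matching produces the false positives an earlier commenter's bank needed a team to review. The following is an added example for this page, not the SDNcompliance.com code or any vendor's; the list entries are constructed stand-ins in the shape of the SDN data, the `NOISE_TOKENS` set and the 0.85 similarity threshold are assumptions, and a non-empty result is meant as a review queue, not a verdict.

```python
import difflib
import re
import unicodedata

# Constructed sample in the shape of the SDN list (primary name plus
# "a.k.a." spellings). These are made-up entries, not real SDN data.
SAMPLE_SDN = [
    {"id": 1, "name": "EXAMPLE, Ahmed Mohammed",
     "aka": ["Ahmad Mohamed Example", "Ahmed the Example"]},
    {"id": 2, "name": "SAMPLE TRADING CO.",
     "aka": ["Sample Trading Company", "Sample Trd Co"]},
    {"id": 3, "name": "PLACEHOLDER, Mira", "aka": []},
]

# Corporate suffixes and articles that should not decide a match (assumed set).
NOISE_TOKENS = {"co", "company", "corp", "inc", "ltd", "llc", "the"}


def normalize(name: str) -> str:
    """Fold accents and case, drop punctuation and noise words, and sort the
    remaining tokens so "TAYLOR, Charles" and "Charles Taylor" compare equal."""
    s = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    s = re.sub(r"[^a-z0-9 ]+", " ", s.lower())
    tokens = [t for t in s.split() if t not in NOISE_TOKENS]
    return " ".join(sorted(tokens))


def raw_text_search(customer: str, sdn=SAMPLE_SDN) -> bool:
    """The ctrl-F approach: case-insensitive substring search over the names
    as printed. It misses reordered ("Given Surname") and variant spellings."""
    text = "\n".join(e["name"] + "\n" + "\n".join(e["aka"]) for e in sdn)
    return customer.lower() in text.lower()


def screen(customer: str, sdn=SAMPLE_SDN, fuzzy_threshold: float = 0.85) -> list:
    """Return (entry id, match kind, score, listed spelling) for every entry
    whose primary name or any alias matches exactly or within the fuzzy
    threshold. A non-empty result is a candidate for manual review."""
    query = normalize(customer)
    hits = []
    for entry in sdn:
        candidates = [("primary", entry["name"])] + [("aka", a) for a in entry["aka"]]
        for kind, spelling in candidates:
            cand = normalize(spelling)
            if cand == query:
                hits.append((entry["id"], kind, 1.0, spelling))
                break
            score = difflib.SequenceMatcher(None, query, cand).ratio()
            if score >= fuzzy_threshold:
                hits.append((entry["id"], "fuzzy-" + kind, round(score, 2), spelling))
                break
    return hits


if __name__ == "__main__":
    for customer in ("Mira Placeholder", "Sample Trading Company Ltd",
                     "Ahmed Mohamed Example", "Jane Roe"):
        print(f"{customer!r}: ctrl-F={raw_text_search(customer)} "
              f"screen={screen(customer)}")
```

The first three customers are all missed by the raw substring search and all flagged by `screen`, which is the point of parsing and indexing the list rather than grepping the PDF; the trade-off is that the fuzzy path is what turns every "Ahmed Mohammed" in the customer base into a review item, so the threshold and the noise-token list are policy decisions, not just code.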
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.