Another Terrorist Watchlist Leaks, This One Compiled By Thomson Reuters

from the and-by-their-lists-you-shall-know-them dept

Another terrorism-related database has leaked -- this one produced by an entity best known for its news agency. Security researcher Chris Vickery first unveiled it on Reddit.

A few years ago, Thomson Reuters purchased a company for $530 million. Part of this deal included a global database of "heightened-risk individuals" called World-Check that Thomson Reuters maintains to this day. According to Vice.com, World-Check is used by over 300 government and intelligence agencies, 49 of the 50 biggest banks, and 9 of the top 10 global law firms. The current-day version of the database contains, among other categories, a blacklist of 93,000 individuals suspected of having ties to terrorism. I have obtained a copy of the World-Check database from mid-2014. No hacking was involved in my acquisition of this data. I would call it more of a leak than anything, although not directly from Thomson Reuters. The exact details behind that can be shared at a later time.

Thomson Reuters' "global screening solution" pulls from hundreds of other databases, including sanctions lists, law enforcement lists, and compiled data from regulatory agencies. The collection doesn't cause too many problems in the United States, but as Joseph Cox of Motherboard points out, it's a bit more a problem when deployed in Europe.

Although World-Check is based on public information, European privacy laws impose strong restrictions on the collection, storage, and publication of information about individuals. For that reason, the database can only be used for screening purposes by customers vetted by Thomson Reuters.

The end result of all this data is a blacklist of 93,000 individuals with suspected ties to terrorism. Like other terrorism-related databases, the Thomson Reuters list also draws some interesting conclusions about certain organizations.

However, World-Check can sometimes flag those not involved in crime. As VICE News previously found, the database has listed major charities, activists, and mainstream religious institutions under the label of “terrorism.” Those include the Council on American-Islamic Relations’ (CAIR) executive director Nihad Awad; Liberal Democrat politician Maajid Nawaz, who founded the counter-extremism organisation Quilliam, and former World Bank and Bank of England advisor Mohamed Iqbal Asaria. None of these people have ever faced terrorism charges, VICE News adds.

Thomson Reuters has now closed the leak -- which, according to a statement released to Motherboard, appears to have originated outside of the company, possibly by one its contractors.

After the publication of this article, a spokesperson from Thomson Reuters wrote in an email that the company had contacted the third party responsible for the leak and that they had taken down the information. "We have also spoken to the third party to ensure there will be no repetition of this unacceptable incident," the spokesperson added.

It also spoke to Vickery, raising the somewhat dubious defense that everyone else is doing it, why not us?

One important point that they would like to highlight (and something I'll agree with): Thomson Reuters is not the only company gathering this kind of data and putting together this type of database. They may be a leader in the industry, but it's not fair to vilify them as if they were the only company in the market.

That statement of collective guilt doesn't do much to answer Vickery's question raised during deliberations about leaking the list publicly:

At the very least, this should jump-start a little online conversation regarding the appropriateness of having private entities maintain lists utilized by government agencies and banks.

As we've seen from other terrorism blacklists, the US government is no better at drawing conclusions or checking its lists for false positives on a regular basis. The fact that Thomson Reuters database pulls from hundreds of sources is probably better than the FBI/DHS method of shrugging people onto terrorist watchlists based on hunches, surnames, or camera ownership. It's still disturbing that a private entity can control access to various services around the world by selling a watchlist to corporate customers, but there's no reason to believe this private blacklist is any worse than those compiled by various governments.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community. Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis. While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: leaks, terrorist watch lists, terrorists, watchlists

Companies: thomson reuters