Welcome, everybody, to our next talk, financial surveillance, exposing the global banking

watch list. I think everybody in this room would agree that mass surveillance is a very bad idea, and that, of course, also goes for financial surveillance. And our next two speakers are two investigative journalists who have uncovered how this system of financial surveillance works, and I'm pretty sure that you are just as excited as me

to find out what they have found out, so please give them a warm round of applause. I think the headset doesn't work.

Audio? Well, you know, there's always a little thing that doesn't work, whatever it is. For the talk we just had before, there was a live demo. It was very well planned, still something went wrong.

I think everybody in the audience had a lot of empathy because nobody wants to be in that position, but I think we just fixed the problem. Is it fixed? Is it about to be fixed? I will try a little bit, yes. There we go. Round of applause. Now we go. We can start.

So, it's nice to see you all. So happy that so many people came. I want to introduce to you, this is Tom, he's a data journalist working on investigations at the Times of London, and he specialises in a set of techniques such as data mining, which can reveal wrongdoing and lead to stories that benefit the public.

And this is Yasmin. She's an investigative journalist working in Hamburg for Panorama at the broadcaster NDR, which is part of the ARD network, and she focuses on politics, the digital economy, and surveillance. We're going to tell you tonight about the findings of an investigation we conducted this year as part of an international collaboration, and our colleagues were Evelyn, Stefania,

Lars, and Cora. And Yasmin? Yes. And together we investigated the leaked database and published in June this year our stories in the UK, in Germany, in the US, Netherlands, Belgium, and Italy.

So what was our story? We investigated that innocent people around the world have been wrongly added to a watch list of terrorists and criminals. This watch list of high-risk people and organisation is compiled by Thomson Reuters, a British firm, and sold to almost all the world's major banks, as well as police forces,

intelligence agencies, and non-government organisation. It's called WorldCheck. And the leak gave us the opportunity to review the entire database for the first time.

So what exactly is WorldCheck? Well, if you want to open a bank account, we know that the bank might check your credit rating to see if you are a reliable borrower, but how does the bank know if you're a criminal or a terrorist or a potential money launderer? One of the checks that most banks will do is run your name against the WorldCheck watch list, and they might log in here.

If your bank finds your name on the list, they might refuse your application, or they might subject your financial transactions to extra scrutiny, or if you're an existing customer, they might even close your account. So Thomson Reuters says about the list that it is to find hidden risk.

The list is of heightened risk people and organisations such as terrorists, fraudsters, or senior public officials who might try to use the account to handle corrupt funds. So they want to be kind of an early warning system for hidden risk.

And banks are even forced to use these kinds of lists by regulation. They have to take steps to comply with sanctions and international and domestic law against money laundering and terror financing. And of course, we all want less terrorism and of course we want less money laundering, that's clear.

And to put it in WorldCheck's words, it's to help identify relationships or risk by providing highly structured intelligence profiles and heightening risk individuals and entities globally. But since 9-11, governments have to put more and more pressure on banks to identify terrorists

and money launderers among their customers. So Thomson Reuters's advertisers even WorldCheck with warnings about recent fines and settlements against banks for violating sanctions. Maybe you know this one story, HSBC had a historic $1.9 billion payment to US authorities

to settle a money laundering allegation in 2012 and that's one of the most famous examples that the banks of course fear very much. So if you look for information, how the information is collected, Thomson Reuters says

it compiles the list using hundreds of thousands of reputable sources in the public domain. You've got to remember that slide and especially the word reputable sources because we will come back to that a little bit later. So how do they collect this information?

Well, Thomson Reuters's researchers look into public sources ranging from EU sanction lists to local newspapers in order to find names to add to the database. In total, Thomson Reuters says that WorldCheck contains profiles on over 2 million entities and that it's adding 20,000 profiles a month and updating 40,000.

So the list is growing all the time. Now, this is a job advert for a position as a WorldCheck researcher in Washington DC and it states that among the many responsibilities, you need to write more than 220 highly structured

and sourced biographical intelligence profiles every month. I think it's really nice of them to be so upfront about the workload and that's about one hour per profile if you're working full time. So it must be quite a challenge if you are the assistant research associate to maintain accuracy and quality under that kind of workload.

So not many people had heard of this list until recently but it's one of the biggest of its kind. According to a WorldCheck data sheet, the service is used by over 300 intelligence and government agencies, 9 out of world top 10 law firms and 49 of the world's 50 largest banks.

So overall, more than 6,000 customers from 170 countries are reportedly on the customer list. So the content of the list is secret because Thomson Reuters doesn't tell people when it adds them to the list and banks are forbidden from passing on the information.

Access is only granted after a vetting process. So the user has to sign a non-disclosure agreement and also using the database is quite expensive. A year's access can cost up to 1 million euro.

So in recent years, there have been some excellent investigations by other journalists who've highlighted some possible issues with WorldCheck. So the BBC had been investigating why HSBC closed the account of Finsbury Park mosque in London without any explanation and the BBC researchers found that the mosque had been listed in WorldCheck

in the terrorism category. So that may have been part of the bank's decision. And advice news was also able to view some of the entries in WorldCheck through a client of Thomson Reuters and they discovered more examples of questionable entries. So we knew that there was something potentially going on with this database

but it mostly remained confidential and nobody had been able to view the entire database in order to find out whether there were wider issues with the system. But then there was a leak. In summer 2016, this security researcher, Chris Vickery, was doing what he very much likes to do.

He was scanning the internet for CouchDB instances exposed to the world without any username or password. Well, you can imagine what comes next. So he would contact the owners to encourage them to secure their data

but he found something really interesting and that was the copy of the WorldCheck database from 2014. And with him finding it, the question came up in his head. He asked, I have a terrorism blacklist. I have a copy, should it be shared?

Chris posted on Reddit to say that he was facing a dilemma about whether to release the entire database or not. Because on the one hand, the database was apparently compiled from public sources so what's the problem with publishing public sources? And the WorldCheck is a system that is used to make decisions about people's lives and secrets

so maybe transparency would be in their interest. But on the other hand, it contained personal data relating to millions of people who might suffer harm if the information was disclosed. So since it is not so easy to ask the two million people

if he's allowed to publish it, he was asking himself, so what now to do? And thanks to the previous work of the BBC and Vice, we as journalists had reason to believe it would be in the public interest to review this data. So we made contact with Chris and before viewing the leaked data,

we considered of course the ethical, legal and security implications. So we had a chance to fully reveal how the system works for the first time and this is what the file looked like. So we agreed with Chris that we would use the data

to do responsible journalism but not to publish the data itself. So we can't show you the full database in this presentation. When we received the data, it was a 4GB JSON line delimited file with no documentation. So the first thing I had to do was write a parser in Python.

Well, I decided to flatten this JSON file into a CSV file and then we had a 4GB CSV file and I loaded that into Postgres in order that we could do some analysis of the contents of this database. So this is an abridged version of the field list showing you the really key pieces of data on each of these profiles.

So we've got an ID, we've got an entity type, so that was, is this a person or an organisation? For people, there were first names, surnames, aliases. Position would be, if you're a politician, this would say what your position is in the government.

Categories were really interesting because these might be that you're a politician, as mentioned, or it might be that you're in the terrorism category or the financial crime category. We've got dates of birth and countries and nationalities. Obviously, those are really important so that banks can identify the customers correctly.

Information text was possibly the most interesting part of the data. And then we had various links to other profiles. The source URLs, which turned out to be really crucial, and the dates on which the records have been created and updated. So some of these fields were self-explanatory,

but we really needed to see what this database looked like to the end user to understand how this information would be interpreted. So like any good investigative journalist, we of course turned to Google. And after a bit of experimentation, we discovered the magic words, searching for quotes,

you are strictly prohibited from disclosing or copying the content of this service. And sure enough, we find some examples of profiles from WorldCheck, which people may or may not realise are on the internet and accessible through Google.

Some of these are from the Panama Papers, so obviously the person who put that one there knew what they were doing. The first example in this result is interesting, though, because we have the word intranet in the URL, and we should perhaps tell this company that their intranet is not an intranet. Maybe they found out by themselves.

They know now, hopefully. So this example is actually from a magazine in Brazil, which published a WorldCheck profile that they obtained as part of an investigation. So this was really useful because we could see exactly what the data looked like to the end user. And this profile belongs to Eduardo da Cunha,

who was the former leader of the Brazilian Chamber of Deputies, and as I say, it was published by the magazine. So we can see here the category that he's been assigned. In this case, he's a political individual, and he's a PEP. PEP stands for Politically Exposed Person, and this is a term in anti-money laundering legislation

that means this person is in senior public office, and they are potentially in a position to take bribes and launder corrupt funds. It doesn't mean necessarily that they've done anything wrong, but the money laundering rules say that banks have to scrutinise these people very carefully. So if you are a politician, you might be called up by your bank,

and they would say, we need to interview you about your sources of income in order to establish what the legitimate level of income is, and if you exceed that level, you'll be reported to the authorities. The definition of PEP also includes the immediate family of the public officials, and we'll see that on the next slide.

So when we scroll down, after the age and date of birth, we've got these links to other profiles. So these are the Brazilian politicians, immediate family members who have their own profiles, and then further down, we've got the reports.

So in this case, this politician was actually accused of doing something wrong. It wasn't just that they're a politically exposed person. There's a report of an allegation of corruption there, and since this profile was published, it's turned out that he was convicted of corruption. So this is an example of a profile of somebody who turned out to be guilty.

So now that we understood what a profile looked like, we started to analyse the scope of the database. So this table shows for each country how many people were profiled in WorldCheck as it stood in 2014, which was the date of the copy of the database that Chris Vickery found online.

So we're showing here for each country with at least 5,000 entries, the number of non-PEPs, so that could be people in the terrorism or the crime category, or it could be various other things, the number of PEPs, so we would expect them to be senior public officials,

but it's interesting that there are a lot of countries where there are tens of thousands of PEPs, and so that suggests that perhaps they've cast the net quite wide there, and we're also giving numbers of relatives of PEPs. So we spent a lot of time browsing the data for our countries and querying the database to understand

the different types of people who'd been included. And then everyone in our collaboration started finding people who really didn't belong on the list, and we started to ask, how did these innocent people end up on this watch list? So we were, for example, really surprised to find green piece,

16 green piece activists on the list who were arrested for peacefully protesting the Star Wars missile defense program in 2001, and they were listed under the general category crime. And that was a bit weird, because they did plead guilty to criminal trespass

but never served time for this minor charge, but 12 years later, they would be still on that list. So this is another example, this time from the UK, from a town called Chelmsford in the south of England, and this woman is Jackie Arnott,

and she was listed in the politically exposed persons category, along with a record of all her civic activities. So here she is at work volunteering for an organization called Harvest for the Homeless. This is a local campaign in Chelmsford that was collecting food for people in need.

Jackie Arnott is not a senior public official, as you might expect a politically exposed person to be. In fact, her only connection to power seemed to be that her husband, Alan, had been the mayor of Chelmsford, which is a ceremonial position.

And now to a different town in the south of England. This is Leafy, Kingston-upon-Thames. This is a view of the town hall. It's all very genteel, and this is one of Kingston's local politicians, Yogan Yoganathan. You can see the letters MBE, member of the British Empire after his name.

He was given an honor by the Queen for his services to local government and community relations in Kingston-upon-Thames. And among his activities, he was a peace campaigner. He campaigned for peace in Sri Lanka, and that led to him being listed in WorldCheck and being linked to,

allegedly, the Tamil Tiger terrorist organization, which is an extremely serious and very upsetting claim to have made about you, not least if you're a peace campaigner. And the WorldCheck database gave the source for this allegation as a Sri Lankan government website, which in 2007, at the height of the civil war in Sri Lanka,

had said, these guys in London organizing peace protests about Sri Lanka, they're all Tamil Tiger terrorists. And that allegation had made its way into the WorldCheck database. And Mr. Yoganathan said that he was very hurt by this allegation, and this was completely untrue

and completely without any other basis, in fact. So remember when we said you should remember this slide because of the beautiful words, reputable sources. If you read a little bit further, Thomson Reuters says, researchers are bound to comply with strict research criteria

and must remain objective at all time. Well, that seems that the research team was a little bit flexible on these rules. The reason why innocent people showed up on the list were very often the problem of these reputable sources

and handling them. So now we would like to show you some of the sources and we put together a little ranking for you. You might all know that one. Yeah, Wikipedia. We thought we give number five to Wikipedia.

In thousands of profiles, WorldCheck uses Wikipedia as a source. Well, here you still might think, okay, it's only for general information, so maybe it's fine. What about the next one? Well, at number four we have conspiracy sites. This one is called cyberclass.net,

and it has all the educational resources you might need on alternative accounts of the 9-11 attacks. WorldCheck researchers also cited it in a profile of a British businessman, which of course was used by the banks. Number three, also really interesting, we found state-run sites,

or state-run propaganda, you must say, also used as sources. For example, China Daily. It's the biggest newspaper in China and state-owned, and even though it's not an official organ of the Chinese Communist Party, it's considered to be a quasi-party newspaper.

So because of this commentary that you see on the right side, it's saying that there's a terrorist group, the Tibetan Youth Congress, the prominent diaspora organization, is listed as a terrorist group on WorldCheck. And what we found, pretty, I don't know how to say it,

the research team used this article as the only source for this profile recording the Chinese government's accusations. So at number two we have a website that unfortunately you might have heard of. Hundreds of listings referenced reports on Breitbart,

and at the time, Breitbart was selectively reporting on what it called black crime, and there was a whole tag page for what they called black crime, and there were hundreds of listings that referred to reports that had been carried on Breitbart. But number one. Our number one.

We have Stormfront, which if you haven't heard of it, it's a forum for white supremacists. It was founded in 1995 by a former Ku Klux Klan member, and there were several listings that referred to Stormfront, among them listings for two black British people containing links to a discussion thread on the forum.

So the problem really is that WorldCheck uses all the sources that they can find, which is fine, but it seems that they don't differ between a new site, a propaganda site, extremist sites, whatever site, and all the sources and information that they collect

but they don't weight it or rate it or assess the information. So for example, if a state attorney accuses a person or if a competitor blackens somebody in a media report, the information gets into the WorldCheck database without any filtering, and there is no final verification of this

or any accusation. So WorldCheck found an interesting way to deal with this problem of unreliable sources or potentially unreliable sources. In the profiles, they've added this general legal notice. And here they mention that everyone who views this database

should carry out independent checks to verify the information. And they later added a further disclaimer saying, if this profile contains negative allegations, it should be assumed that such allegations are denied. So this is an interesting legal concept

that you can carry these extremely damaging accusations that people are linked to terrorist groups, but of course you can tell your customers to assume that the allegations are denied and to check the information out themselves. We found many people on lists that had encountered difficulties with their banks,

and that raises the question of whether some banks and users of the list were able to heed this warning and launch their own investigations after seeing adverse claims in WorldCheck. In fact, somebody I spoke to as part of my research who works for a bank said that they were under such pressure that if they found an adverse listing in WorldCheck,

it would be extremely difficult for them to disprove it, you know, given the time that it was available. So this is one issue. But besides the problems with the sources and the lack of verification of the information,

there is another reason why innocent people have ended up in this watch list. Our research showed that the database carries entries for people who are merely accused or investigated over possible crimes without being charged or convicted. Reports of minor convictions are kept on file for years after the event, as we saw with Greenpeace,

and sometimes people had been cleared of their charges, but their entries hadn't been updated to reflect that information. So innocent people just kept being guilty in the world of the database. For example, like him. So please meet the terrorist, Andre Holm, or at least that's what WorldCheck suggested

for a couple of years. Holm, maybe some of you know him, is a very well-known sociologist, and later he was a short time, in German, it's Baustadze Greteer, maybe in English it's something like housing secretary in the Berlin state government. And he was targeted by the federal prosecutor's office

10 years ago. The suspicion was membership in a terrorist group. So he was arrested at the end of July 2007 and detained for three weeks. So Holm had obviously been investigated because he had been critical of the displacement of poorer people in cities, and he wrote it in a very similar way,

or so similar words, to a left-wing extremist group active at that time. But in the end, the suspicion that he could be a member himself proved totally unfounded. And in 2010, all procedures against Holm were discontinued.

So he was even compensated for his imprisonment. So in the end, for the state and justice, Holm was innocent. But when Holm wanted to become a customer at Norris Bank two years later in 2012, the institute refused to open its bank account.

And that even without any explanation. And that was when Holm still did not know that he was on the watch list of world check. When we told him and we talked to him, he said, I have a bad feeling when my life is recorded there

without me being aware of it or having any influence on it. So even years later, such an entry can permanently make life significantly more difficult. But apparently there are institutions that rely on world check or similar databases. When we talked to the Norris Bank,

they said that the nameless screening, that's what it's called, was an essential part of fulfilling the legal requirements for combating financial criminality. It's about preventing money laundering, they said. And the due diligence check would use many different databases as data sources.

And I found it a little bit funny that they wouldn't talk about at all about the case from Mr. Holm, and they said they cannot give any information because of data protection reasons. So we saw in the marketing brochure

that Thomson Reuters say that 49 of 50 of the world's biggest banks use world check. So we had a pretty strong idea that most of the big name banks would be using it. But for my UK audience, I wanted to confirm that the high street names that my readers would be familiar with had used this database.

So I had information that the cooperative bank, among several other big names, had used world check. And I asked them to confirm that that was the case. And this is what they said. I can confirm that the cooperative bank doesn't use and has not used world check. Well, this was an interesting response.

I went back to Google, and I did a site search on LinkedIn for world check and the cooperative bank. And this is what I found. This is Michael. He is a, well, he says he is a high risk case analyst at the cooperative bank.

And his previous position in 2015, he was an anti-money laundering analyst. And this gives a description of his responsibilities. And at the bottom there, you can see that that included exiting customers where necessary if they were found outside the bank's risk appetite, which is a euphemism for he can close your account

if you're too risky. So this was quite obviously a considerable responsibility. And then further down in the job description, he says that he used systems including world check to make these decisions. So I went back to the cooperative bank press spokesperson

and sent them an attachment to see what they had to say about this. And the reply came, I can confirm that we do not use world check and that any access to that database that the bank had was in excess of five years ago. So they admitted that they had used the database, but they're now saying that they don't use it anymore.

And I think this is an indication of exactly how much secrecy there is on the part of the banks and resistance to any kind of accountability. They're questioned by a journalist from a national newspaper. They give completely inaccurate information about whether they had used this system

and only admitted it when they were confronted with evidence to the contrary. And if you're a cooperative bank customer, you really ought to have a right to know what is being done with your data and how decisions about you are being made. This is all enshrined in data protection law, and this seems to be at odds with all of those principles.

So we put all of the findings from the different countries to Thomson Reuters, and they didn't really come back to us on any of the specific cases, but they gave us a statement. One of the things they said was that individuals can contact us

if they believe any of the information held is inaccurate, and we would urge them to do so. This is quite tricky if your bank is not allowed to tell you why your account has been closed. The bank is certainly not allowed to show you your listing and world check. We have to admit that you can submit

a subject access request to Thomson Reuters if you have a hunch that you might be on the list, and then you can find out, and then obviously you could challenge your information, but whether that would be acted upon is another question. Thomson Reuters said they provide identifying information such as dates of birth,

and this will be verified with reputable and official sources. On some of the unreliable sources, they said if blog content appears, it is only as a supporting source for that secondary information and is clearly identified as such. We don't know if they've made improvements to the database since 2014,

so it may be that things are different from the snapshot we saw, but that's what they said. And then they said in conclusion, it's important to point out that inclusion in world check does not imply guilt of any crime, and every record states if this profile contains negative allegations, it should be assumed that such allegations are denied.

The accuracy of the information found in the underlying media sources should be verified with the profile subject before any action is taken. And one final point they made is that there are competing databases to world check, so LexisNexis and Dow Jones also produce watch lists, and we don't know if there are similar problems

with those lists. So why has this happened? We mentioned that banks are under huge pressure from governments to weed out terrorists and money launderers among their customer bases, and what's the environment in which this has come about?

We don't have a full answer to this question, but I want to show you one email that gives a sense of the atmosphere and the paranoia that has led to the current regime. So this email is from a man who says he's the world check's general counsel. It was sent in 2002 to a US Treasury consultation,

and so this is a public document. And he declares his interests. He says he works for a company that sells a product to help financial institutions conduct money laundering checks. And obviously this is a short time after 9-11, and he argues that under the Patriot Act,

financial institutions must be proactive about tackling money laundering. He exerts considerable moral pressure, even going so far as to suggest that the banks were helping the terrorists by their lack of action. So he writes, the US is in a war on terror, and the front lines of the war are at the doorsteps of every US financial institution. US financial institutions are inadvertently

aiding and abetting domestic terror against American citizens. So this is just one company's viewpoint. I'm sure the US Treasury took in lots of different viewpoints when they were forming this legislation, but I think this gives a nice sense of the kinds of arguments that were being made.

And if you want more on the wider context of this, there's a really good book called Speculative Security by Marica de Gerda, which goes into this in more detail. So can the system be improved or repaired? Again, we don't give an answer to this question, but some thoughts have occurred to us.

There could be better selection of sources used to compile this kind of list. Perhaps you would narrow it down a bit more to the official sanctions lists and people who are actually convicted of crimes, those kinds of categories of sources, maybe news reports in reputable outlets,

perhaps news reports that are confirmed by more than one outlet, that kind of thing. You could also indicate the quality of the information. So if you're going to insist on republishing the fact that the Sri Lankan government has accused a person of terrorism, maybe you would flag up that the Sri Lankan government

certainly at that time did not have a good record for a liability on who it was accusing of being terrorists. You could also give rights of reply to people. So on your credit history, you can go to a credit reference agency, see what is said about you, and reply to the criticisms of you that are made there. They could think about doing that.

There is an initiative to make an open source sanctions watch list at opensanctions.org, which of course brings lots of advantages and everyone can see what is said about them on the list. And I think there's also the wider question of whether we actually want banks to have this responsibility of predicting and foreseeing crime among their customers.

Do we want the private sector to do that job or do we want that responsibility to be squarely on the judicial system or on the criminal justice system? So with that, go on. No, go on. We'll be very happy to take your questions and these are our contact details.

So thank you very much for your attention. Thank you very much for this super interesting talk. I have good news for all of you. We have about 20 minutes time for Q&A,

so please pile up at the microphones if you have any questions, of which I'm sure there are many. We are going to start with one question from the internet. Considering the database is still online, has it undergone changes to conform to GDPR?

I don't think we have any information on that, sorry. All right, thanks. Let's start with another question from microphone number one. Thank you. He was the General Counsel for the World Check Company. At what point was it acquired by Thomson Reuters or was it already part of Thomson Reuters?

It wasn't at that point. It was some years later. An interesting point actually about his job title is that if you go on his LinkedIn page, he does have a law degree, this guy, but his job title at World Check in 2002 was not General Counsel, but Head of Business Development. I don't know if that's just a mistake

on his LinkedIn, maybe. Thanks, another question from microphone number three. Yeah, so I want to know if I make a request to access my data, will that put me on the list? And that's not my actual question. My actual question is where did they get the names from? Because essentially the analyst

that does 220 profiles a day, does he get to pick the names? Yes. So if you put a request to World Check, your name will not be on the list afterwards. So you can do it if you want. And this is how it works. The research team goes through the internet and looks for articles and picks out names and puts them in.

Okay, so they should pick people who don't go on Stormfront essentially to pick names. Because is that what's happening? Like they hire people and they go on Stormfront all day and randomly pick names? No, but seriously. I don't know if they do it like that, but somehow they came up with the source, yes.

Okay, thanks. Microphone number four. Hey, thank you for the talk. You've mentioned a few people that were on there, wrongfully, but what percentage are actually wrongfully on there of profiles that you've viewed? We don't have a percentage. I mean, we think it's a minority.

There are lots of people who did do bad things and get onto the list. But of course it undermines the credibility of the entire database when there are many, many examples that we were able to find, you know, without even, it's not like we read all two million profiles, so who knows? But yeah, obviously it's a very good question.

I think it's an excellent question, but I have to admit that we didn't review all the 2.2 million profiles. All right, mic number two, please. I'd like to thank you for your work on this really important subject. I myself ended up on that list and lost my bank for two years because of it.

With how essential banking is in the modern world, to get paid, to pay your bills, to do anything, what options do people who have had their banks or organizations like Finsbury Park, that have had their banks closed and are on these lists have, especially with their list being so ubiquitous

amongst all of the major banks? Well, Finsbury Park mosque went to court and they sued Thomson Reuters successfully. And after that Thomson Reuters changed the listing and admitted that they had been wrong to list them in the terrorism category. Obviously that's not an option that's available to everybody.

I think the first step is to request your data from Thomson Reuters to see exactly what's being said about you and then go from there. But it's very difficult. But for example, Mr. Hall, he didn't get an account at Norris Bank, but he ended up in another bank that didn't use WorldCheck

and that was the Berdina-Sparkhasse. That's why I have to do it. Really? All right, I think it's the internet's turn again to ask a question. Would you agree that the purpose of such a list is to protect not only the banks from rotten customers, but also the public from terrorism or other bad businesses that could harm us?

And if yes, isn't that sacrificing a few for the benefit of many? I think you shouldn't sacrifice a few for the many because it would be so easy to make it better. We saw that these sources were so obviously weird and wrong and so I think it wouldn't be necessary

if they would check the list a lot better. Mic number one, please. Hi, great presentation. Did you find any evidence of banks and such organisations

on disclosing information about their customers towards Thomson Reuters? I don't think we saw any sign of that. It does look like the stick to the public sources. There were various entries that had three-letter acronyms next to them, like CIA and various things,

but I think in all of those cases, it turned out that the CIA or whoever had said something publicly about that person, so it didn't seem that there was any covert cooperation between in either direction. Mic number three, please. Thank you for your work. Obviously it's disheartening to see such sites

as Stormfront and Breitbart being cited as sources. In your work, did you find how much of the data was supported by these so-called reputable sources, these extremist sites as the category? How many?

It depended on the site, so I think Breitbart was hundreds of entries. They were focused around a particular country, which it wasn't the US, it was another country, which suggested to us that potentially it had been a researcher who had a particular fondness for Breitbart who had decided to use that as a source.

So there seemed to be a lot of variation between different countries in the mix of sources that have been used. Mic number four, please. Hi, thanks. I work on cryptocurrency stuff, so I obviously have a longstanding interest in financial privacy and openness. So there was a really interesting,

although terribly written book, I would not recommend it, but it was written by someone who was at US Treasury and crafted kind of post-9-11 policy around sanctions. And one of the things he said in the book was immediately after 9-11, they were willing to put people on the sanctions list and block you from the entire international

financial system at a 80% surety level. So if they're about 80% confident that you are somehow related to terrorism, they would just kick you out. So I was wondering if, because I know a lot of the interest in preventing mass surveillance is all about making it more expensive so as to force people

to target it more specifically. I was wondering if you had any thoughts on kind of what direction people should be thinking about going in terms of forcing more targeting of these kinds of preventing people from international financial access instead of allowing it to be so broad and controlled by so few.

Use cash? These were already so good thoughts. I mean, I think we should ask our governments for accountability on this kind of surveillance

as we would with communications surveillance or any other kind of surveillance. And I think we've only just looked at one part of this system. We've looked at this one watch list. But this is part of a whole range of stuff that's going on. So I think we should continue to look at financial surveillance alongside

other forms of surveillance. All right, mic number two, please. Thank you very much for your talk. I have a question concerning the Financial Action Task Force, which is an intergovernmental organization compromising both European Union countries and GCC. Have you confronted them with the work that Thompson and the banks are doing?

I didn't. We haven't been to them directly. But one of the really useful things that we picked up from the Financial Action Task Force is that their definition of politically exposed person talks about senior public officials. And this database seems to go way further than that.

So there seems to be an interesting discussion going on about where the limits of this kind of surveillance should be drawn. And you might take the view that heads of state, there's not really any problem with surveilling their financial activity. But when you start to cast the net wider,

then this kind of thing seems to have more worrying implications. Internet, if you got a question, fire away. It looks like Thompson's writers basically says, you can't disclose the information you find in our system because we have the copyright on it. So are there any jurisdictions that have a law

that would require banks to report what information was used to determine that someone was considered a risk? No, there's no law that the banks has to say it. But as Tom mentioned before, the people that think that they are on a list, they can confront world check with us. And I think in some jurisdictions,

there are exemptions from subject access request rights for anti-money laundering purposes. I'm not sure exactly how big a part that plays, but that may be part of the reason why banks think that they can just deny people any answers to why these decisions have been made.

Mic number one, please. Thank you for the excellent talk. You mentioned that legal regulations require that banks use some kind of blacklist. Do you know what criteria this regulation cite? So, quality control doesn't seem to be among them. Could you start your own list and sell it to banks?

You're right, quality control seems not to be part of it. But so the regulation is, for example, the, I don't know the English word, the Zorgweitsflicht for the customer. You have to make sure that the customer is not a criminal or a terrorist or, and there are many regulations asking for it.

For example, the EG money laundering law from starting in 91 and then it got newer done in 2001, 2005. So, that's mainly the part that we focused on because it's the part that's important for the WorldCheck database.

All right, mic number three, please. Thanks for the talk. You did find a lot of people who are on the list wrong, fully, and I'm curious if you informed them that they are on the list, or if you informed the company that they had these people on the list and they shouldn't be there. And especially I'm interested what happened

to the Greenpeace activists you mentioned. Have you any information if they are still on the list or not? All the cases that we showed to you, all the ones we talked to, we confronted them and we asked them if we can publish their case. And all of them went to WorldCheck

and asked if they are on the list and asked also to delete them on the list. And I think in almost all the cases, the people actually were deleted on the list. Yeah, I think in some of them at least.

And as Yasmin said, we were very careful only to publish people's names if they had given their consent for us to do that. The response I got from Jackie Arnot, who was the woman in pink who you saw in the presentation, was that the last time she had any adverse attention

from the authorities was when she went on holiday in the 80s to the Eastern Bloc and she got a phone call from the British Foreign Office to say, what are you doing going over there? And this was what came to her mind when we told her about her listing in WorldCheck. Thanks, mic number four, please.

Thanks. In the LinkedIn profile you showed, there were a few other systems, I think Dow Jones and one other, do they suck as badly as WorldCheck? Well, we did check them, there was no leak yet. But if there will be, maybe we can tell you next year. All right, mic number two.

Hi, thank you. Can you go one slide back? One slide back. Thank you. I was wondering because you said that, for example, that the sources were like terribly wrong and weird. And I was wondering if we assume that they're not wrong and weird, but that they're working perfectly well and that all of these questions,

like the answer to all of these questions was, it's working perfectly well. Who would be the people it's working perfectly well for and who especially is targeted here? And is there any possibility of action in that scenario, in this possible world

in which this was working perfectly well? As it is, that's the question, right? I think maybe there are two different answers for the politically exposed persons and for the people accused of terrorism and so on. I think politically exposed persons, to me, you can make quite a strong case that senior public officials should be subject

to financial surveillance. If you are a prime minister and suddenly you have millions of pounds flowing through your bank account, maybe that's a legitimate. Sorry, I think this is a misunderstanding. I was not asking what are the perfect normative conditions under which this would function. I was asking, given that the state of things as it is now

was the perfect way of working, who would it be perfect for? Like who is the real beneficiary of this wrong and weird way of working? That's my question. Well, I don't think it benefits the public

because I don't think this is a real serious way of stopping terrorism and I'm not even sure that it's a real serious way of stopping political corruption because actually we looked into some of the cases that came out through the Panama Papers and similar things which showed sometimes that banks had looked

at a person's world check listing and seen that they were in the watch list but said this is actually a very lucrative client so we're going to keep banking them. And so there are two sides to it and I think that's a very important question. Internet, it's your turn again. Tom, considering the proprietor of your newspaper,

Rupert Murdoch, was there any kind of pressure as to what you published about them? About world check? Oh, that's a question from the internet, isn't it? No. All right, microphone number one, please. Yeah, two questions. The first is about deletion. Did I get it right that there's no established mechanism

or process as well as it's known for deletion of data sets in that database? So they claim how many thousands of records they add and they update that. There is some procedure for reading

but none for deletion. It's obviously weird. And the second is about asking them what they have in their records. If they have a record about me, for example, could I just ask them and they should answer me

and there are some conditions, are there codes for it? And while maybe guessing how would they react if say some 15,000 people would ask us a question. About the deletion of data, you're totally right.

There seems to be no process in reviewing the data that way that all the data that shouldn't be in there is still not in there anymore. So that's the problem because as we know, everybody has the right to be forgotten in the internet and to this second question, you can ask them,

you can go there and write them an email and ask them if you were included in the database but what they say if 15,000 people would ask them, I don't know, maybe you can ask them that. Remember, they're very productive. They could do 220 profiles in a month just writing them.

So truly they can handle 15,000 requests, I think. Mic number three, please. Hi, have you found any evidence that the customers were pushing sources on WorldCheck that some of the customers might have used them just as a filtering mechanism and push sources that wouldn't be normally checked?

We don't have any evidence of that but you do raise an important point that some of the banks said, well, we use lots of sources and some of the banks said, of course, we wouldn't just go on a WorldCheck listing

but again, it's very difficult to know exactly what was the information that HSBC considered when they closed the mosques account because that is all subject to secrecy. Mic number four, please. Can I please also ask you to go to the previous slide? Of course.

I think the problem is we are focusing too much on the list itself and I have difficulties imagining that we can control all these lists which are circulating, which are being created by different companies. I think the problem arises when they are used so I don't know if we can really achieve

through legislation or through some kind of control better sources, better information quality or whatever and maybe it should be at the point where they are used i.e. in banks where there should be really the legislative mechanism, the kind of legal mechanism

to solve this. I'm imagining, for instance, if the bank uses sources like these and denies the person to open an account or the same case with all these lists which exist for phone companies

and there are lots of lists like that in different sectors. If that person is denied the account opening, there could be a mechanism by which the person would force the bank or the institution to disclose the sources and to initiate some kind of legal procedure which would mean that if the

Excuse me, would you be so kind as to develop a question because a lot of other people still have questions and we have only a few minutes left. Thank you very much. The question is, do you think it should be rather that we focus on the banks or the points where this information is used rather than talk about the companies which make these lists?

I think that's a really good question because it's actually a question of who takes the responsibility for a decision and the funny thing is that Wallcheck puts all the weird sources in it but still says, oh, general legal sentences, you have to check by yourself and then the bank says, no, in Wallcheck, there was a list

and this name was on the list. So right now we have the scenario that people don't feel responsibility and I think that's the problem. All right, we have time for exactly one last questions and I hope you don't mind if I give it to the internet because everybody else has the chance to catch the speakers later. So if there's one, please fire away.

Are there any high profile politicians on the list? Yes, I mean the politicians that you would expect to be on the list, heads of state were on the list. So I guess at least that part of the system is working. All right, so please give another huge round of applause to our speakers for this super informative talk.

Thank you so much. Thank you.