How the Arizona Attorney General Created a Secretive, Illegal Surveillance Program to Sweep up Millions of Our Financial Records

New records obtained by the ACLU shed light on the scope of a mass surveillance program keeping tabs on Americans’ financial data.

Fikayo Walter-Johnson, Former Paralegal, ACLU's Speech, Privacy, and Technology Project

Nathan Freed Wessler, Deputy Director, ACLU Speech, Privacy, and Technology Project

Last year, Sen. Ron Wyden raised alarms about one of the largest government surveillance programs in recent memory. Sen. Wyden revealed that the Arizona attorney general’s office, in collaboration with the Phoenix Field Office of the Department of Homeland Security’s Homeland Security Investigations, had engaged in the indiscriminate collection of money transfer records for transactions exceeding $500 sent to or from Arizona, California, New Mexico, and Texas, as well as to or from Mexico. Any time anyone in the U.S. used companies like Western Union or MoneyGram to send or receive money to or from one of these states or Mexico — whether to send a remittance home, or help a relative with an emergency expense, or pay a bill — a record of their transaction was deposited into a database controlled by the Arizona attorney general and shared with other law enforcement agencies.

Sen. Wyden’s revelation left significant questions about the scope and legality of this program unanswered, so the ACLU and the ACLU of Arizona submitted a public records request to the Arizona attorney general’s office to learn more. Today, we are sharing more than 200 documents that shed light on this mass surveillance of Americans’ sensitive financial data.

The records show the state of Arizona sending at least 140 illegal subpoenas to money transfer companies to compel them to turn over customers’ private financial data, amassing it in a huge database and giving virtually unfettered access to thousands of officers from hundreds of law enforcement agencies across the country. The database, run by an organization called the Transaction Record Analysis Center (TRAC), contained 145 million records of people’s financial transactions as of 2021, and we have reason to believe it’s still growing.

Western Union, MoneyGram, and other financial services companies often serve people who otherwise may not have access to bank accounts or traditional financial services, such as immigrant workers sending money back home to their families and people without credit scores. Because members of marginalized communities rely heavily on these services rather than traditional banks, the burden of this government surveillance falls disproportionately on those already most vulnerable to law enforcement overreach.

Further, the secrecy surrounding law enforcement access to the TRAC database has far-reaching implications for people who are accused of crimes based on this data but may not have learned it was used to investigate them. We now know of three criminal prosecutions involving TRAC records, but that is surely a tiny fraction, and criminal defense attorneys and judges need to know more.

This bulk law enforcement surveillance practice traces back to 2006. That year, the Arizona attorney general attempted to identify money transfers related to illegal activity and decided to issue administrative subpoenas to Western Union seeking information on all money transfers for more than $300 to or from a particular state in Mexico. Western Union — one of the world’s largest money-transfer businesses — resisted the requests, and a state appellate court held that the subpoenas violated Arizona law because they were overbroad and represented a bid for “limitless” investigative power. Unsatisfied, the Arizona attorney general sued Western Union under a state anti-money laundering law, and in 2010 the two sides reached a settlement. Western Union agreed to turn over records of all money transfers exceeding $500 to or from the Southwest border states and to or from Mexico for the next four years.

The parties signed a second settlement agreement in 2014, which both continued the requirement that Western Union turn over customer records, and also established TRAC, a nominally independent organization that would house all the records. In fact, TRAC was funded through hundreds of thousands of dollars in payments from Western Union and controlled by the Arizona attorney general’s office.

When the second settlement agreement expired in 2019, the Arizona attorney general’s office turned to the Department of Homeland Security, which started issuing subpoenas to Western Union and directed the company to continue turning customers’ sensitive financial records over to TRAC. We now know that those subpoenas are illegal under federal law, and once Sen. Wyden raised questions about their use in early 2022, DHS withdrew them.

But it wasn’t just Western Union. Sen. Wyden reported that dozens of other companies were also sending customers’ money transfer information to TRAC, but there was little public information about which companies, how this was happening, or why — until now.

Early reporting described the disclosures to TRAC by money transfer companies other than Western Union as “voluntary.” We now know that’s not quite right.

From 2014 to 2021, Arizona attorneys general issued at least 140 administrative subpoenas to money transfer companies, each requesting that the company periodically provide customer transaction records for the next year. Those subpoenas were issued under the same state statute that the Arizona Court of Appeals held in 2006 could not be used for these kinds of indiscriminate requests for money transfer records. This means the Arizona attorney general’s office knowingly issued 140 illegal subpoenas to build an invasive data repository.

The documents we obtained reveal the enormous scale of this surveillance program. According to the minutes of TRAC board meetings we obtained, the database of people’s money transfer records grew from 75 million records from 14 money service businesses in 2017 to 145 million records from 28 different companies in 2021. By 2021, 12,000 individuals from 600 law enforcement agencies had been provided with direct log-in access to the database. By May 2022, over 700 law enforcement entities had or still have access to the TRAC database, ranging from a sheriff’s office in a small Idaho county, to the Los Angeles and New York police departments, to federal law enforcement agencies and military police units.

Our review of internal TRAC records revealed 440 local agencies, 80 state agencies, 53 federal agencies, and 152 field offices of specific federal agencies with access to this revealing personal information. These documents also reveal that TRAC is actively encouraging use of these records by these agencies; in one year alone, TRAC personnel conducted 32 trainings for over 550 new users.

The records also show that the federal government is more involved in the surveillance program than previously understood. One document indicates that the Drug Enforcement Administration sent a subpoena to a payment processing company for customer records, resulting in yet more data added to TRAC. And minutes of TRAC Board meetings explain that Immigration and Customs Enforcement and Customs and Border Protection began funding TRAC’s budget after the settlement with Western Union expired.

The human toll of this kind of government surveillance is grave. It can have far-reaching consequences for people’s lives — particularly for members of communities of color, who are disproportionately subject to unjustified surveillance. This is especially harmful because it subjects everyday people to unwarranted scrutiny by law enforcement, and allows the government to amass information about millions of people’s ordinary activities without justification. This kind of routine surveillance is corrosive, and it chills the very kind of speech and association on which democracy depends.

These records paint a damning portrait of government overreach. The government should not be allowed to abuse subpoenas and sweep up millions of records on a huge number of people without any basis for suspicion. This financial surveillance program is built on repeated violations of the law and must be shut down.