SEC Web snooping plan draws fire

But even before it gets under way, the multimillion-dollar project is running into trouble on privacy grounds.

The mechanism would monitor public Web sites, message boards and chat groups. Anything deemed suspicious -- like the phrase "get rich quick" -- would be copied into a database, analyzed and then indexed for use by SEC investigators in bringing civil proceedings against people suspected of wrongdoing, according to the agency's project-contractor solicitation.

The SEC also wants to grab e-mail addresses and other identifying information that would help unmask message writers and Web-site owners who try to remain anonymous.

Other federal agencies might develop their own automated surveillance, the contracting records indicate. "For us it's a very exciting prospect," said Phyllis J. Cela, acting director of enforcement at the Commodity Futures Trading Commission, which has begun talking to vendors.

But after reviewing the documents and holding discussions with SEC officials, one invited bidder, PricewaterhouseCoopers LLP, advised the agency that it would not participate because the endeavor might impinge on constitutional protections against unlawful search and seizure. Its chief concern: Innocent people would end up in the database. "We had serious concerns about the implications for the privacy of individuals on the Web, and the implications for businesses on the Web," said Beth Trent, a director who leads the firm's Internet compliance unit.

"There are all sorts of legitimate reasons people want to remain anonymous," adds former U.S. Department of Justice computer-crime specialist Scott Charney, now a partner at PricewaterhouseCoopers.

The SEC may also find itself pitted against giant Internet operators who consider even their public chat boards to be proprietary. America Online Inc. (aol), whose boards are cited in the SEC document as a surveillance target, said it routinely forbids anyone from harvesting information from its many thousands of chat rooms and message boards in order to protect the privacy of its customers.

Moreover, the SEC's foray comes at a time when the Federal Trade Commission and many states are scrambling to protect the privacy of Internet users. The threat of regulation and mounting public concern about online tracking by marketers are prompting many Web-site owners to take measures aimed at preventing their customers from being snooped on.

SEC officials say they intend to address Web companies' concerns. "The Securities and Exchange Commission has a history of abiding with the letter and spirit of privacy laws and policies, and we will continue to maintain that position during this procurement," said George C. Brown, an assistant general counsel.

The SEC also said it won't gather e-mail or other communications that don't appear in public forums, or make a record of people who simply visit a Web site or board but don't post any messages. And any information collected that doesn't indicate possible wrongdoing will be discarded. The agency also said the contractor will be bound by a strict nondisclosure agreement.

The database project grew out of the SEC's frustration with trying to battle bad guys in cyberspace. The Internet is expanding quickly, and scanning it manually with traditional search engines is tedious at best.

Then there's the problem of anonymity. As most cyberchatters decline to identify themselves, the SEC must often subpoena records from chat-board owners before it can get an investigation rolling. Some boards don't make that easy, said John Reed Stark, the SEC's chief Internet enforcement officer. "We're subpoenaing under incredible time constraints in these investigations," Stark said. "In some instances you're dealing with companies that are just starting out, and in other instances they are growing at phenomenal rates that are making other demands on their time."

AOL goes a step further. Because the SEC brings civil complaints and not criminal charges, AOL treats the agency the same way it treats the many companies that bring defamation suits against chatters and subpoena records from AOL to identify the service's customers. It alerts its customers and gives them 14 days to block the subpoenas.

Stark said he doesn't quarrel with AOL's policy but notes that the SEC strives to find other ways to identify message writers. "Sometimes we can figure out who people are through old-fashioned detective work," he said, declining to elaborate.

Congress awarded the SEC an extra $12.5 million this year primarily for Internet enforcement, an SEC spokesman said. The agency declined to say how much the database project would cost, but people familiar with the proposal said it could easily cost $1 million or more a year.

The request for proposals, sent in January to 107 companies, calls for the development of a Web "crawler" to scan the Internet. It would be programmed to search for as many as 40 words or phrases that could indicate wrongdoing. The SEC won't disclose its red flags, but investigators now type such phrases as "get rich quick" and "free stock" into search engines when they scan the Internet manually.

Bidders were asked to conduct a trial run searching for Web sites that offer prime bank instruments, which the SEC said typically promise unrealistic rates of return. But the sweeping nature of the surveillance project is evident in a disclaimer from the SEC, warning that bidders "should not conclude that Web sites identified through the search performed in this sample task ... are in violation of the federal securities laws or that further investigation is warranted or will be conducted by the SEC."

Once the surveillance is under way, the contractor would search for such matters as improper use of the SEC's name, impersonating a public company or its officers, fictitious news releases or news reports, and disclosure of nonpublic information, the bid documents show.

The accumulated data would be sorted, ranked and then -- in a second phase of the project -- compared with securities data and financial news to better home in on possible fraud. For example, suspicious Internet chat that may have moved a stock's price would be made a higher priority for investigators.

In compiling Internet messages, the SEC said, "Contractor shall include the following minimum information pertaining to each indexed message: the date of posting; title line; the groups to which posted; nature of discussions; and the disclosed affiliation, user name and e-mail addresses of individuals posting information." The contractor also has to make the database accessible online to as many as 50 SEC staffers at one time and take steps to prevent unauthorized access.

The SEC "appears to be creating an investigative database in advance of any reasonable suspicions about individuals whose information is being collected," Trent said. Another concern, she added, is that because individuals won't know information about them has been collected, it isn't clear how the SEC would comply with federal Privacy Act provisions that entitle individuals to correct any false information about them in government databases.

The SEC's Brown said the agency would take responsibility for handling requests for corrections. He added that while the agency is sensitive to constitutional arguments, "the Constitution doesn't give people the right to use the Internet to commit fraud."

The SEC declined to say how many bids it has received, but people familiar with the matter say a leading contender is Cyveillance Inc., an Arlington, Va., company that provides Internet business intelligence to companies. These people say that Cyveillance assisted the SEC in researching the project and teamed with Ernst & Young LLP in bidding for the contract.

Cyveillance officials declined to comment. But in a letter to the SEC, Cyveillance raised several concerns of its own about AOL's likely resistance to having its boards monitored. It also worried that "many of the large service providers or portals with significant populations are extremely protective of crawlers 'mining' their data (Yahoo!, eBay, MSN, etc.); if these companies detect high levels of downloading from their sites, they may choose to deny access to the public material."

AOL declined to comment on the SEC project.

The SEC's Brown said the agency wants to take a cooperative approach to dealing with Internet companies. "Hopefully, AOL and Yahoo will have an interest in the integrity of their boards and in the prevention of fraud, and we will work with them on that," he said.