US Web snooping plan draws fire

Bidders and service providers oppose multimillion-dollar automated surveillance project on privacy grounds

The US Securities and Exchange Commission (SEC) is moving to create an automated surveillance system that would scour the Internet for people who violate securities law. The agency has begun receiving proposals from vendors, which have conducted trial runs in recent weeks.

But even before it gets under way, the multimillion-dollar project is running into trouble on privacy grounds. The mechanism would monitor public Web sites, message boards and chat groups. Anything deemed suspicious -- like the phrase "get rich quick" -- would be copied into a database, analysed and then indexed for use by SEC investigators in bringing civil proceedings against people suspected of wrongdoing, according to the agency's project-contractor solicitation.

The SEC also wants to grab email addresses and other identifying information that would help unmask message writers and Web-site owners who try to remain anonymous.

Other federal agencies might develop their own automated surveillance, the contracting records indicate. "For us it's a very exciting prospect," said Phyllis Cela, acting director of enforcement at the Commodity Futures Trading Commission, which has begun talking to vendors.

But after reviewing the documents and holding discussions with SEC officials, one invited bidder, PricewaterhouseCoopers, advised the agency that it would not participate because the endeavor might impinge on constitutional protections against unlawful search and seizure. Its chief concern is that innocent people would end up in the database. "We had serious concerns about the implications for the privacy of individuals on the Web, and the implications for businesses on the Web," said Beth Trent, a director who leads the firm's Internet compliance unit.

"There are all sorts of legitimate reasons people want to remain anonymous," adds former US Department of Justice computer-crime specialist Scott Charney, now a partner at PricewaterhouseCoopers.

The SEC may also find itself pitted against giant Internet operators who consider even their public chat boards to be proprietary. America Online, whose boards are cited in the SEC document as a surveillance target, said it routinely forbids anyone from harvesting information from its many thousands of chat rooms and message boards to protect the privacy of its customers.

Moreover, the SEC's foray comes at a time when the Federal Trade Commission and many states are scrambling to protect the privacy of Internet users. The threat of regulation and mounting public concern about online tracking by marketers are prompting many Web-site owners to take measures aimed at preventing their customers from being snooped on.

SEC officials say they intend to address Web companies' concerns. "The Securities and Exchange Commission has a history of abiding with the letter and spirit of privacy laws and policies, and we will continue to maintain that position during this procurement," said George C. Brown, an assistant general counsel.

The SEC also said it won't gather email or other communications that don't appear in public forums, or make a record of people who simply visit a Web site or board but don't post any messages. And any information collected that doesn't indicate possible wrongdoing will be discarded. The agency also said the contractor will be bound by a strict nondisclosure agreement.

The database project grew out of the SEC's frustration with trying to battle bad guys in cyberspace. The Internet is expanding quickly, and scanning it manually with traditional search engines is tedious at best.

Then there's the problem of anonymity. As most cyberchatters decline to identify themselves, the SEC must often subpoena records from chat-board owners before it can get an investigation rolling. Some boards don't make that easy, said John Reed Stark, the SEC's chief Internet enforcement officer. "We're subpoenaing under incredible time constraints in these investigations," Stark said. "In some instances you're dealing with companies that are just starting out, and in other instances they are growing at phenomenal rates that are making other demands on their time."

AOL goes a step further. Because the SEC brings civil complaints and not criminal charges, AOL treats the agency the same way it treats the many companies that bring defamation suits against chatters and subpoena records from AOL to identify the service's customers. It alerts its customers and gives them 14 days to block the subpoenas.

Stark said he doesn't quarrel with AOL's policy but notes that the SEC strives to find other ways to identify message writers. "Sometimes we can figure out who people are through old-fashioned detective work," he said, declining to elaborate.

Congress awarded the SEC an extra $12.5m (£7.6m) this year primarily for Internet enforcement, an SEC spokesman said. The agency declined to say how much the database project would cost, but people familiar with the proposal said it could easily cost $1m or more a year.

The request for proposals, sent in January to 107 companies, calls for the development of a Web "crawler" to scan the Internet. It would be programmed to search for as many as 40 words or phrases that could indicate wrongdoing. The SEC won't disclose its red flags, but investigators now type such phrases as "get rich quick" and "free stock" into search engines when they scan the Internet manually.

Bidders were asked to conduct a trial run searching for Web sites that offer prime bank instruments, which the SEC said often promise unrealistic rates of return. But the sweeping nature of the surveillance project is evident in an SEC disclaimer, which warns that bidders "should not conclude that Web sites identified through the search performed in this sample task... are in violation of the federal securities laws or that further investigation is warranted or will be conducted by the SEC."

Once the surveillance is under way, the contractor would search for such matters as improper use of the SEC's name, impersonating a public company or its officers, fictitious news releases or news reports, and disclosure of non-public information, the bid documents show.

Where will the data go?

The accumulated data would be sorted, ranked and then -- in a second phase of the project -- compared with securities data and financial news to better home in on possible fraud. For example, suspicious Internet chat that may have moved a stock's price would be made a higher priority for investigators.

In compiling Internet messages, the SEC said, "contractor shall include the following minimum information pertaining to each indexed message: the date of posting; title line; the groups to which posted; nature of discussions; and the disclosed affiliation, user name and email addresses of individuals posting information". The contractor also has to make the database accessible online to as many as 50 SEC staffers at one time and take steps to prevent unauthorised access.

The SEC "appears to be creating an investigative database in advance of any reasonable suspicions about individuals whose information is being collected", Trent said. Another concern, she added, is that because individuals won't know information about them has been collected, it isn't clear how the SEC would comply with federal Privacy Act provisions that entitle individuals to correct any false information about them in government databases.

The SEC's Brown said the agency would take responsibility for handling requests for corrections. He added that while the agency is sensitive to constitutional arguments, "the Constitution doesn't give people the right to use the Internet to commit fraud".

Bidders and resistors

The SEC declined to say how many bids it has received, but people familiar with the matter say a leading contender is Cyveillance, which provides Internet business intelligence to companies. These people say that Cyveillance assisted the SEC in researching the project and teamed with Ernst & Young in bidding for the contract.

Cyveillance officials declined to comment. But in a letter to the SEC, Cyveillance raised several concerns of its own about AOL's likely resistance to having its boards monitored. It also worried that "many of the large service providers or portals with significant populations are extremely protective of crawlers mining their data (Yahoo!, eBay, MSN and so on); if these companies detect high levels of downloading from their sites, they may choose to deny access to the public material."

AOL declined to comment on the SEC project.

Brown said the agency wants to take a co-operative approach to dealing with Internet companies. "Hopefully, AOL and Yahoo will have an interest in the integrity of their boards and in the prevention of fraud, and we will work with them on that," he said.
