@INFO.POLICY: Robert Gellman
SEC's Net surveillance plan doesn't smell right
The Securities and Exchange Commission wants to surf the Internet for crooks.
A few weeks ago, the daily press reported on SEC's plans for an automated surveillance system to find people violating securities laws. The plans weren't secret, but there wasn't much public discussion until stories appeared in The Wall Street Journal and The Washington Post.
Without question, the Internet offers a vehicle for unscrupulous stock promoters. Anonymous stock message boards, chat rooms and spam enable illegal stock touting and market manipulations to be carried out with relative ease. SEC has always been serious about policing the securities markets, and the Internet clearly presents a new challenge to the agency.
But the biggest threats to privacy often come from well-meaning civil servants carrying out a legitimate objective without regard for the broader consequences.
The debate here is not over the goals but over the means. Does government surveillance of public Internet space violate the privacy interests and First Amendment rights of netizens? My question is whether the use of automated surveillance systems to sift through public postings constitutes an unpalatable search.
The plans are not for wiretapping of private space. That would be much easier to denounce. SEC proposes to scan public spaces for messages containing keywords suggesting potentially illegal activities. Is that really terrible? The real world equivalent might be the mounting of video cameras on every corner. Not everyone would be happy to be under constant surveillance.
I doubt whether the SEC scheme would even work. Remember how hackers shut down major Web sites with denial-of-service attacks? Once SEC's keywords are identified'and it will be impossible to keep them secret'it would be child's play for anyone to post millions of messages daily just to clog SEC's computers.
Another question is whether SEC has the resources to follow the leads it will uncover. The commission probably has more fraud cases than it can handle already.'Still harder questions surround how the government uses the Internet for law enforcement. The country must ask itself if agencies should be allowed to conduct general, automated surveillance of Americans.
SEC isn't the only agency with an interest. The IRS might prowl the Net looking for evidence of tax cheating. The national security establishment could begin tracking anyone with a security clearance in the hopes of learning about questionable activities. I don't even want to think about what the FBI could do.
At the bottom of the slope is the possibility that the Internet will become a generalized tool of government surveillance, all in the interest of finding someone possibly engaged in inappropriate, suspicious or illegal activity. Another word for this type of surveillance is Orwellian.
Even if government surveillance is constitutional, I wonder if such use of the Internet will stifle the spread of electronic commerce.
I don't have the answer. I think, however, we need a different process. The commission, however well-intentioned, should not proceed with its plans. This issue begs for congressional oversight and debate before agencies start Internet surveillance.
Such use, if sanctioned by Congress, will require standards and procedures drawing clear lines around permitted and prohibited conduct. We may need an Internet search warrant procedure to make sure that agencies operate within the law and don't undermine broader privacy interests and First Amendment values. We may need more formal notices of agency plans.An objection
Amusing fallout over the SEC proposal came from PricewaterhouseCoopers Inc. of New York. The accounting firm criticized SEC because of privacy concerns about surveillance. But the firm's own privacy profile leaves much to be desired.
For a fee, the company will grant Web site operators the right to display a privacy seal indicating the site's compliance with the company's privacy standards. Trouble is, PricewaterhouseCoopers' program fails to require compliance with fair information practices or allow consumers to opt out of redisclosure of personal data. To my way of thinking, just about any Web site would qualify for this privacy seal.
Maybe the company, which recently was stung by SEC for violating rules prohibiting auditors from owning stock in audit clients, decided to shoot back at the commission.Robert Gellman is a Washington privacy and information policy consultant. His e-mail address is firstname.lastname@example.org.