The Securities and Exchange Commission is deploying a massive government database—the Consolidated Audit Trail, or CAT—that monitors in real time the identity, transactions and investment portfolio of everyone who invests in the stock market. As SEC Commissioner Hester Peirce describes it, by allowing the commission to “watch investors’ every move in real time,” CAT will make it easier to investigate insider trading or market manipulation.
But as a lawsuit being filed Tuesday in Texas federal court makes clear, CAT crosses a constitutional red line. Accepting this sweeping surveillance would eviscerate fundamental privacy protections. That a few bad apples might engage in misconduct doesn’t justify mass surveillance of everyone’s private affairs.
The SEC conceived of CAT during the Obama administration. Now, without congressional authorization and under the radar of most Americans, the commission is trying to impose it by executive fiat. CAT will reportedly be the single largest government database targeting the private activities of American citizens.
The SEC can deal with potential market manipulation by focusing on the transactions of large institutional firms without sweeping up data on millions of small retail investors. Nevertheless, the agency is requiring every broker to feed into CAT in real time every securities transaction along with every investor’s personal information, including name, address and birth year. With a keystroke, more than 3,000 government employees and contractors from the SEC and more than 20 other regulatory bodies will be able to see the personal investment activities of tens of millions of Americans. This invites abusive investigatory fishing expeditions, targeting of individuals, and intrusive data mining. Concentrating this sensitive data in a single repository guarantees it inevitably will be hacked, stolen, or misused by bad actors, including hostile nations, cybercriminals and faithless government employees.
The Constitution prohibits mass surveillance of private activities based merely on the possibility that someone might commit a crime. The Fourth Amendment requires that before the government can access a person’s home, papers or personal effects, it must get a warrant showing probable cause to believe that a crime has been committed and that the information will yield evidence of that crime. Even when the government seeks information about a citizen from banks, phone companies and others with whom he has done business, the government isn’t free to vacuum this up carte blanche. It must normally show that it is investigating specific suspected wrongdoing and that the information sought is potentially relevant to that particular inquiry.
The Supreme Court has held that even access to some third-party information may require a warrant. In Carpenter v. U.S. (2018), the government obtained several months of cell-tower data from a suspect’s phone provider. The Supreme Court held that even though these were third-party records, a warrant was required because the data provided an “exhaustive chronicle” of the suspect’s whereabouts over a 127-day period.
The CAT program clearly violates these limits by collecting private information on tens of millions of investors without any connection to suspected wrongdoing, either by the investor or anyone else. By requiring that this information be continuously fed into the government’s database, it gives the government a truly “exhaustive chronicle” of all investors’ activities—not only their past activities, but their every move in real time.
There are more-targeted ways for the SEC to get what it needs. The SEC acknowledges that when a suspected violation occurs, it has the ability—without CAT—to gather the relevant evidence by issuing “blue sheets,” which require broker-dealers to provide information on the transactions and investors in a particular case. As one SEC commissioner observed, the SEC’s “enforcement program already performs very well without CAT” and has “sufficient tools to get the information it needs to pursue credible leads about market misconduct and to do so quickly.”
The crux of the SEC’s argument is that it could investigate things more easily if it weren’t limited to gathering investor information on a case-by-case basis after suspected wrongdoing took place. It “could more quickly initiate investigations, and more promptly take appropriate enforcement action” if it had immediate access to the entire universe of private investor information in real time.
But the whole point of the Fourth Amendment is to make the government less efficient by making it jump through hoops when it seeks to delve into private affairs. For an agency to argue that it should be able to avoid these hoops to make investigations easier is to assert that it should be exempt from the Fourth Amendment.
If our society accepts the SEC’s rationale for CAT, there is no reason to confine the government to databases on investment activities. Digital records on a range of personal activity can help crack criminal cases. Phone companies have data from our smartphones, automakers have data from our cars, and so forth. Why not maximize the efficiency of all law enforcement by pumping this information into government databases, so investigators have it in real time?
CAT’s sweep is unprecedented and would take us far down the road toward an Orwellian surveillance state. As the Supreme Court has reminded us, “privacy comes at a cost.” The cost is that law enforcement must sometimes be a little less efficient than it would be if Americans had no privacy. If there are shortcomings, improvements can be achieved by incremental fixes rather than by bulldozing Americans’ liberties.
William P. Barr is a distinguished fellow at the Hudson Institute and author of the memoir “One Damn Thing After Another.” He served as U.S. attorney general, 1991-93 and 2019-20.