Alongside recent moves by the government to collect sensitive personal data en masse from Americans in terrorism investigations without any indication of wrongdoing, market regulators have also sought similar authorities to sweep up vast amounts of financial data. Such bulk financial surveillance raises issues similar to those of “bulk” surveillance in other contexts. While records of individual transactions may not tell regulators much about the subject, the collection of all records can create a detailed picture of our most private political, social, romantic, and religious activities.
The ACLU has been a leading voice in efforts to protect financial privacy. For instance, we have vocally opposed the Comprehensive Automated Risk Data System (CARDS) proposed by the Financial Industry Regulatory Authority (FINRA), a quasi-governmental organization that monitors the capital markets for fraud. Currently, FINRA acts much like law enforcement agencies do. When it has reason to suspect wrongdoing, it issues requests for information in a targeted manner. CARDS would require financial entities to disclose transactional records on an ongoing basis and in bulk.
In detailed comments, we noted that this centralized repository of information would pose a much greater risk of breach, would present privacy harms even if it were stripped of personally identifiable information, and could be misused by the government as another tool of bulk surveillance in law enforcement and intelligence investigations. The CARDS proposal is emblematic of the growing danger of privacy breaches in the financial markets.