Hacker News
DOJ: Hackers broke into an SEC database and made millions from inside info (cnbc.com)
448 points by djoldman 3 months ago | 181 comments

> The New York Stock Exchange has asked the SEC to consider limiting the amount of data collected by the CAT, which would include data on around 58 billion daily trades, as well as the personal details of individuals making the trades, including their Social Security numbers and dates of birth

Dropping SSNs for natural persons would be a good idea.

IMO, everyone's SSN should be public. Mine has already been compromised by both my undergrad and grad school. At this point, I operate under the assumption that it is public knowledge for bad actors.

Hiding SSNs is false security at best. If they were public, banks would stop hiding behind "identity theft" and would start having to acknowledge that it's their responsibility to confirm who they are lending money to.

The problem with identity in the USA has always been a religious problem more than anything else.

All legislation aimed around allowing people to be identified by numbers has been killed due to the whole "mark of the beast" .. "can't buy sell or trade without your number" revelations rhetoric.

As religion has less of an impact on people's daily lives, I expect this to change, but in the past it's been the one thing that's always prevented proper identity management in the USA.

I am curious to know though, if there are other countries that don't identify their citizens with a public id number?

Australia doesn't have a national ID number, and neither does New Zealand.

You have a TFN [1] (tax file number) in Australia, which is similar to an SSN, except somewhat more limited. My TFN is only used for income tax, not for identification, and I'm not actually legally required to supply it to anybody, even my employer (although it does make paying taxes a real pain as they withhold the maximum amount). You aren't even legally required to have a TFN, although once you get one you have it for life, and without one you pay the maximum income tax.

TFNs are specifically forbidden to be used for anything other than income or benefit purposes too. Businesses aren't allowed to ask for it as a form of ID.

[1] https://en.wikipedia.org/wiki/Tax_file_number

Religious concerns were only a minor factor. Other objections to having a national identifier include: wasteful "big government" spending, encroachment on states' rights, potential for civil liberties abuses, and lack of consensus over whether it's a real problem that needs to be solved.

I don't necessarily agree with those objections but there have been multiple reasons.

I'm not a Christian, but those concerns are not without merit. It's a slippery slope to "the only way we can eliminate identity theft is to use biometric authentication via implanted chips to validate financial transactions"

>"All legislation aimed around allowing people to be identified by numbers has been killed due to the whole "mark of the beast" .. "can't buy sell or trade without your number" revelations rhetoric."

This is easy to solve; simply make it illegal to use the identification number so capriciously. Define a narrow use-case for it, narrow enough to allay religious fears, and forbid any other use of the ID number. Make it illegal to require customers to provide their ID number while making purchases, etc.

But once you do that, most of the desire to implement the system starts to disappear...

> This is easy to solve; simply make it illegal to use the identification number so capriciously.

Hmmmmm, that sounds familiar... https://en.wikipedia.org/wiki/Social_Security_number#/media/...

While it wasn't law, I don't see why legislature wouldn't renege on their promise to not use a unique identifier, already conveniently assigned to all people, for identification purposes.

Yes that's what I had in mind. It worked that time too, the general public accepted SSNs.

Maybe it's cynical, but I don't believe there is any limit on how many times you can lie to the public. There's only a limit to the frequency.

> a unique identifier, already conveniently assigned to all people, for identification purposes

One problem is that it's not unique. :)

If it's primarily a religious problem, why do countries less religious than the US have similar concepts? SINs in Canada, NINs in the UK, etc.

ID number in South Africa. Assigned at birth, used for opening of any account. Not considered private at all, can be requested by any company who might want to check that you are you. Also: ID card with number, photo and details on it, separate from drivers license.

More or less the same in Sweden.

NIN is rarely used in the UK. You need one for student financing... and later for your employer to correctly relay your taxes to HMRC. Certainly it's not needed for banks/credit cards/phones/brokerages/etc.

The last time I opened a bank account in the UK involved me sitting in a bank employee's office with two forms of proof of identity and proof of income. I could have used my birth certificate for one but AFAIK the second would cost money.

The parent means implementing national IDs provokes religious opposition in the US.

And yet many services rely on SSN for identity verification in the US (e.g. banks, telecoms, etc.)

That is what wtvanhest is talking about. If everyone has your social, it's no longer considered a secret (like a password); it's more like a unique identifier (an email address), just like it was intended to be.

When you think about it that way & then combine it with some type of 2FA, it starts to make a lot of sense.

That's how it works in Sweden.

> it's more like a unique identifier

AFAIK they are not ever unique

Article written in 2014:

> To date, 450+ million SSNs have been issued, but with just under 1 billion possible number combinations, there has never been a need to recycle numbers, and the SSA notes that it does "not reassign a Social Security number (SSN) after the number holder's death."


They're not reliably unique: a nontrivial percentage of the population has multiple numbers associated with them, and a nontrivial percentage of the numbers are associated with multiple people.

If you have two systems and you want to correlate data between them, you can use something like the SSN to assist in that process, but usually it will need additional information.

Generally you can't use something someone supplies as a shared identifier. You can't start the process of verifying it, after all, without an identifier. You might think of all sorts of ways around this, but they all boil down to either tolerating errors or making the SSN a secondary attribute rather than a bona fide identifier.

> In the peak year of 1943, 5,755 people were using Hilda's number.


There are actually lots of dummy SSNs that are used by a lot of people (including illegal workers).

You mean they rely solely on someone dictating an SSN number? That's insane. They should ask for an official ID with photo, as the very minimum.

Is that something that goes against the American culture? The other day I had to give all 10 fingerprints to renew my driver's license (location: South America) and nobody seemed to care.

America historically was not very federalized, and being able to just abandon your life and move out west is a key part of the country's mythology, if not the DNA of the country. So there have always been attempts to resist a national ID system, and the SSN was originally not supposed to be used for this purpose.

Of course in 2019 this is basically a moot point if you want to be integrated into society, but even then there are people who are legitimately not integrated into the modern US economy by choice.

I have thought about this a little bit. If this is something Americans believe in, it's time to make it official. Make a legal proceeding where you can "start again", so that nobody from your old life can trace you.

From what I can tell you can go to California and say you are an immigrant and get an ID under any arbitrary name. It seems you can do anything with this so it's essentially a new identity.


Formalizing the process kind of misses the point.

> Is that something that goes against the American culture?

Conservative Christian fundamentalist groups have, ever since Reagan, likened a national ID card to "the mark of the beast", citing Revelation 13's prophecy that no one could buy or sell goods without the number of the beast, and the reference to God's chosen people that refuse the mark of the Beast.

When a small but meaningful fraction of your constituents fervently believe that giving them a national ID literally damns them to Hell, it's a hard sell.

Much easier if you attach it to a tool (Social Security) with which they can get money.

There's also the angle of State's Rights and whether the federal government can require people to have national ID over just amalgamating the various state IDs.

Finally, Americans generally distrust their government. Not without reason, they believe a national ID would reduce their privacy and allow the government to more easily spy on and track them.

Then again, you could be like my uncle. His SSN is 666-66-6666. He's not particularly religious...

There’s a chance your uncle made that one up himself: “No SSNs with an area number of 666 have been or will be assigned.”[0]

[0] https://www.ssa.gov/policy/docs/ssb/v69n2/v69n2p55.html

There's a chance I made up that uncle myself... it's easier than using Google to find this information.

SSN is often used as an account verification, which is a problem because social engineers can get your SSN pretty easily.

It's hard for a phone bank operator to ask for a photo ID.

I used to give out fake SSNs to everyone that insisted on one (normally I just leave that part of a form blank). The first time someone asked for the last four digits of one of my fakes I had to scramble to remember what random number I had given out. I never considered that might actually be better security.

Downside of this solution is that many companies ask for it so they can do a credit check. Giving them a fake number could technically be fraud.

We don't require a full set of fingerprints to renew your driver's license, but we do require proof of citizenship and residence. As a practical matter, for most people that means birth certificate and a utility bill with their address on it.

I assume the fingerprints thing is for future crime solving?

A giant database of fingerprints is more likely to "solve" crimes than solve them. This statistical mistake even has a name: "the prosecutor's fallacy". (It could be that police detectives deserve to name this trope more than prosecutors do, but it's probably too late now.)

That'll be leaked eventually, too.

That's a fact of life. I'm talking about how they are determining identity. Just asking for an SSN number is mostly like dealing with anonymous people (thus my question about culture).

There are places here that will let you vote for the president of the United States without requiring proof that you are a US citizen. What do you expect?

That really isn't a big deal since you need to prove residence to register. There are a limited number of votes that can be made. If two people show up saying they are the same person, that will create a red flag.

But they are not really secret, just like your email isn't. It's using it as if it is that's the problem, IMO.

And some places "rely" on knowing a full name or just a phone number.

We would call that an error on their part, and I don't see why the same logic doesn't apply here.

It’s risk management. Some products just have greater risk associated with them.

Best Buy credit. I never have my card on me, but I can use my credit account with my Soc.

Not saving my SSN along with my transaction is different than my SSN being "public".

Why don't they just assign a new one from time to time? It's just a number after all, much easier to change than fingerprints.

The whole point is that it's not supposed to change, unlike your name, address, gender, occupation, and everything else.

Which makes it all the more ridiculous that as an immutable identifier, it's also supposed to be a secret.

It is supposed to change. The Social Security Administration explicitly allows people to obtain new SSNs in limited circumstances.

supposed !== possible

This is actually a great idea, as long as the government makes clear the plan to do this, and gives banks et al time to adjust.

SSNs were never designed for, nor intended for, secrecy.

They're names, not passcodes.

SSNs were never designed for, nor intended as, identification. For years, social security cards bore the text "NOT FOR IDENTIFICATION" on the front.


My understanding is that that warning applied to the card itself, not to the number. That is, the bearer of that card has no provable relationship to the social security number on the card as it contains no attestable information (like a photograph or general description) so the card cannot be used for identification.

The number itself is of course used for identification from the beginning as a unique identifier for your "account" in the social security administration.

The problem you see with using the card itself as identification of course also applies to using the number itself as identification.

Also, the card has zero anti-forgery technology built into it. Anybody with a printer can make a near-perfect fake.

> In order to make Social Security work, the government needed a way to identify every single worker and keep track of their earnings every single year for the rest of their lives.

According to the article it seems that it was intended to be used for identification, just only for one purpose.

Exactly, so creating a government website where one can verify someone's SSN would render it useless as a password and force businesses to come up with a real solution.

There is a great video about that by CGP Grey: https://www.youtube.com/watch?v=Erp8IAUouus

Like biometrics but worse.

Now that corporations have more benefits than actual humans it makes the most sense for everyone to operate under their own corporation.

What's WEIRD is that area of law around liability though.

If you own a company and you're the only employee and someone dies you're in a world of hurt.

If you're Walmart and you kill 100 people by accident basically nothing will happen in most cases.

> Dropping SSNs for natural persons would be a good idea.

It would but it isn't the SEC's decision to make and the Treasury Department & DOJ would never allow it. This is one of the primary means of investigating the flow of dirty money through the financial system.

People make money off advance information all the time. Often you can see that in the price action -- take this for example: https://imgur.com/mJq1OcY

Three days before a positive press release, demand pressure begins to drive up the price. Coincidence? I'm too jaded to believe that.

That data does not look suspicious at all. A very quick google search shows this article [1] that was published around the same time as the start of that growth.

[1]: https://www.fool.com/investing/2019/01/09/why-canopy-growth-...

It's been pretty well established that insider trading is and has been rampant: https://www.cnbc.com/2018/02/14/insider-trading-is-still-ram...

There's also a not insignificant number of economists who think it would be better if it was legal.

Insider trading laws remove information from the system. A common argument is that Enron could have never Enroned without the help of insider trading laws.

The big winner here is Wall Street because the information asymmetry still exists, and they now have the most knowledge that can legally be acted upon. (Plus they can act on illegal knowledge and it's much harder to prove than anyone else acting on it.)

Layman wondering here: would legal inside trading not encourage the few with the inside knowledge to themselves exhaust the benefit that is to be had from the information, at the expense of everyone else? Including shareholders?

(1) is the best [I think] unbiased analysis I've seen on the subject that tries to look at it from many points of view.

It seems very complicated, and I don't really understand. But it seems like in either case (legal or illegal) the people who benefit and those who suffer are going to change in every case. For the average investor, in some cases having more efficient stock prices would be a benefit; in other cases, the added information asymmetry would be unfair.

Three points:

1 - Companies could still ban insider trading if that proved more efficient for them. If liquidity was low because insider trading was allowed, they could disallow it. The reverse is also true. So at least companies would have the choice (and investors would also have the choice of where to invest).

2 - While an insider could equally benefit from good and bad news, they are still incentivized towards positive results (salary, bonuses, keeping their job, reputation)

3 - My real problem with making insider trading illegal is that it's completely impossible to enforce consistently and fairly. This adds uncertainty (how much insider trading is going on in your current investments?) I think insider trading only applies to buying/selling, but what if someone has insider knowledge that causes them to NOT take an action. That seems as unfair but can't be enforced..

(1) https://www.frbatlanta.org/-/media/documents/research/public...

From an economic perspective, insider trading has plenty of nuances.

On one hand, you have the accountants/analysis that build the company numbers to be made public for investors to trade, and because they get the first peek at information that is not really theirs, if they buy/sell on that then they are definitely committing this act.

On the other hand, you could have Elon Musk reading information every day that could sway him to buy or sell at different prices, from the unique vantage point of his position: this is raw information that is better out there than repressed. (Investors would know what the CEO thinks.)

I have an amateurish devotion to economics and insider trading is one space where it's all nuance.

It’s almost as if the narrative that there exist two justice systems, one for the rich & one for the poor, has merit

It's worth noting that trading spikes in advance of public availability of news don't necessarily imply illegal activity. Overheard conversations between strangers, for example, are fair game.

There are probably also magnification effects from bots scanning the market for anomalies and piling on.

> Overheard conversations between strangers, for example, are fair game.

Wrong. It's insider trading if you have material, nonpublic information. It doesn't matter how you got that information.

No, it only matters if you had a duty to keep that information confidential:


Several examples given in that article seem to conflict with the explanation given in the other article linked in the replies, particularly situation 7.

Your article justifies its "Yes" answer because you were told the information was confidential, but then the "case study" used to back this up includes envelopes of cash being exchanged for this information. My reading of the other article seems to indicate that you would be fine because the CEO was not compensated by you for providing the information and there is nothing to indicate that this information was given as a gift.

Other article:


Edit: Given the Bloomberg article cites relevant Supreme Court cases, I'm more inclined to believe it.

Matt Levine has written extensively on how squishy the line can be: https://www.bloomberg.com/opinion/articles/2015-07-31/when-c...

> So it's illegal "when an insider makes a gift of confidential information to a trading relative or friend." But if you read that too literally, you run right back into the first problem. There you are, at your job, talking on the phone with a company's investor relations department. The IR guy helps you with some questions about your model. You get off the phone convinced that the company is a buy. You go to buy stock. But wait. Your relationship with the IR guy is pretty cordial. You mentioned your love of fishing, and he said, "Hey, we ought to go fishing together sometime," and you said, "Sure, that sounds great," not that either of you meant it.

That's messed up. It should be a breach of fiduciary duty to continue to interface as investor relations with an investor who you have established a friendship with. Being friendly on the phone is one thing, but join family vacations? As the relationship becomes closer, the fishier any exclusive information provided should smell.

You become friends with someone? At a certain point both the investor and investor relations personnel should have to hand off the professional relationship to colleagues to avoid the risk of insider trading charges.

So don't give confidential information to outsiders of the company, whether they are friends or not?

I don't see the issue.

"Confidential" is a big word. There is a lot of internal information about a company that is not strictly labeled "confidential." Putting that aside, I think Levine's point, which he makes in the piece I linked and has made in several other columns, is relevant:

> Er. Um. Sure. But another component of effective professional analysis of the value of a company's stock is talking to the company. There's a reason that companies have earnings calls. There's a reason that, when analysts get into the weeds on those calls, the companies say things like, "We'll follow up with you individually afterwards." There's a reason that companies selling stocks or bonds do one-on-one meetings with potential buyers. There's a reason that companies not selling stocks and bonds also do one-on-one meetings with current and potential investors. There's a reason that companies have investor relations departments full of people who talk to current and potential investors.

All of this gets to a point Levine has also made many times over, which is there is no explicit statute outlawing insider trading. Which seems crazy! People go to prison over it. But when you sit down and try to define it, it becomes even more of a mess, so here we are.

>Wrong. It's insider trading if you have material, nonpublic information. It doesn't matter how you got that information.

You are totally mistaken as far as the law in the United States. I can’t speak for other jurisdictions.

As I posted above, the poster is not mistaken.

I think you've misread the thread.

Absolutely not.

> It doesn't matter how you got that information.

Yes it does, if I didn't do anything illegal to acquire it, and I have no obligation to the company, I can use it legally, I'm not an insider.

Not quite. If you knowingly acquired the information from an insider and the insider himself would be liable for your trade (e.g. you're a friend or family member), then you could have derivative liability.

It's not a coincidence.. until it is. You can't make money consistently just looking at price actions (if you did, everyone would be doing it)

Is this not just a case of trade the rumor sell the news?

Insider trading has to be the easiest damn thing in the world. Discreetly tell someone you know in person a piece of insider knowledge, and let them profit off it, then reimburse you somehow. I find it insane people think this isn't happening virtually 100% of the time.

You say that like people don't get busted for this all the time.

How many get away with it?


This seems like a pretty naive viewpoint. Don't you think the SEC would have thought about that? This kind of thing seems to me like it would be very easy to detect and penalize.

Some day I'd like to experiment with a press release driven trading strategy. I've seen plenty of cases where every man and his dog have been aware that $company sold $hugeNumber of $widgets, it can be open knowledge known industry wide, yet there is still a stock surge once the press release (or annual report or whatever) comes out.

Related reading: today's Matt Levine piece on how hard it is to make money even with this info. https://www.bloomberg.com/opinion/articles/2019-01-16/even-c...

They make successful trades 77% of the time they had insider information and 45% when they didn't. That clearly is an advantage.

I would never expect a 90% success rate because of how random Wall Street is, but 77% over a period of time definitely is an advantage.

That's a huge advantage. Counting cards in blackjack gives a 50.5:49.5 edge (roughly, there are variables). 77% is absolutely crushing it.

If I read it correctly, they were successful 77% of the time with inside info and 0% without, averaging 45%.

This situation brings to mind last year’s Verge article “HOW AN INTERNATIONAL HACKER NETWORK TURNED STOLEN PRESS RELEASES INTO $100 MILLION” https://www.theverge.com/2018/8/22/17716622/sec-business-wir...

The article includes a great line: “The [Ukrainian] intelligence agents began running a parallel operation to the Moscovite middlemen, using Turchynov’s access and sourcing their own traders, according to Demedyuk.”

Thank you for the nice link - is this guy (Matt Levine) somehow generally "known" for some reason? I liked the articles but it's the first time I hear the name.

Edit: thanks a lot for your hints/replies!

He is considered to be one of the most insightful (and humorous) finance writers today. He was formerly a Goldman Banker, and prior to this, a corporate lawyer at Wachtell, both firms having the reputation of residing at the summit of their industries.


Also a Latin teacher.

He is known for his articles about the financial industry, written with clarity and humor.

I also like his take on the WeWork fiasco.

Is it a fiasco or is it just "shady business" but still successful?

Really just asking because I never heard about that company but saw a few days ago a post about its split into different sectors all having their names starting with "We..." and did not dig further (and I did not find anything useful today using my keywords).

GP is correct, this column is entertaining and informative:


I'm more curious about how they hacked into the SEC database? Did they use an email trojan? Exploit an existing flaw or backdoor? If they did this via e-mail, who did they send the mail to?

The SEC’s complaint alleges that Ieremenko circumvented EDGAR controls that require user authentication and then navigated within the EDGAR system.

Looks like a way to say “exfiltrating data from the endpoints”.

The good old email trojan continues to be all you need.

> The hackers used malicious software sent via email to SEC employees. Then, after planting the software on the SEC computers, they sent the information they were able to gather from the EDGAR system to servers in Lithuania, where they either used it or distributed the data to other criminals, Carpenito said.

This is covered in the story. They sent email to SEC employees.

This isn't hard to believe if you've worked w/ the Edgar system!

Not a security complaint but an annoying experience with the system:

Sat down one Saturday to create a database for their Financial Statement and Notes data set https://www.sec.gov/dera/data/financial-statement-and-notes-...

Located documentation, thought okay this shouldn't be too bad. Ended up taking one day to understand the structure and another to implement the system. Finally got everything loaded in my tables and spot checked against the rendered versions on their website only to discover they truncate the most important text field. It's technically in the documentation that the value field is limited to 2048, but it's also in the documentation that the value field is for 'text analysis applications' and their website literally says: 'The information is presented without change from the "as filed" financial reports submitted by each registrant...' so I managed to gloss over this detail until I had already spent an entire weekend working on it.

I just can't wrap my mind around how they got 99% of the way there and then decided, 'hey let's just truncate this field, it's only the entire purpose of this dataset.'

> I just can't wrap my mind around how they got 99% of the way there and then decided, 'hey let's just truncate this field, it's only the entire purpose of this dataset.'

I'm willing to bet this is because they haven't made any significant changes to the system since it was implemented in 1996.

Calling it a "system" is an offense to all other systems.

Former discussion with backstory of the Ukrainian case:


The fact that the SEC can't secure this sort of information is an excellent argument against key escrow and government backdoors into crypto systems: it's completely impossible to prevent leakage or theft of that sort of incredibly-valuable information.

How did they do this and only make a few million?...

Matt Levine discussed this topic in Money Stuff today: https://www.bloomberg.com/opinion/articles/2019-01-16/even-c...

Long story short is that it's not always obvious how the market will react to releases. Some of the hackers only traded with a ~70% win-rate after holding the releases.

70% is still very very high. They didn't make billions because they probably started with little capital.

70% is extremely high, you can easily get rich with a 51% advantage and making enough small bets to invoke the law of large numbers.

That, and depending on the companies they got data on (i.e. any number of widely traded stocks with large market caps), they could have had a LOT of volume to play with. This is a big deal and it's mind-boggling that the breach happened.

I'm guessing they didn't have a lot of money at their disposal.

This is probably all the prosecutors can prove.

Seems vaguely similar to another Insider Trading case relating to Slavic-descent and Marketwire: https://www.bloomberg.com/news/articles/2018-07-06/pastor-co...

Pending public publishing seems to be a common liability for unwanted content disclosures.

Apple struggles with this with almost every product release.

That's pretty smart

So, basically, Trading Places but online?

> Hackers broke into an SEC database and made millions from inside info

Given the thirty minute window between copying the file to the server and the SEC posting the URL, I figure they guessed the URL from an easily predicted sequence.

> said the same criminals also stole advance press releases sent to three newswire services

Yeah I remember the charges against those people too

Basically newswire services get hacked and people get the earnings reports beforehand

SEC gets hacked and people get the earnings reports beforehand

I think public resources shouldn't be spent on that. Prosecute the hacking but just drop the “trading on material non public information but only in the equities capital markets and only when there is a duty from the source to keep things nondisclosed” sanctions. It is so narrow but extremely expensive to prosecute, has little efficacy in stopping the behavior, and incorrectly affects the collective consciousness on what can be traded and when. People at this point think it's actually illegal to have a trading advantage in any context.

I don't understand your argument for not prosecuting MNPI trading. Are you saying that because the general public doesn't understand what MNPI is, the law shouldn't be enforced?

Are you taking issue with reason the law exists, or just that the people don't understand it?

And what's your basis for saying it's ineffective? From my experience, insider trading laws are taken very seriously by most of the industry.

> basis for saying its ineffective

Yes, they are effective at chilling speech and forms of legal trading. They are not effective at preventing trading on information, for example, the SEC and DOJ secured indictments against Ukrainians and Russians which it will never extradite. Wow a pen stroke after an expensive investigation, congratulations. Fix your damn IT systems if you want confidence in the securities market.

> are you taking issue with reason the law exists

Yes, I am. The industry takes these laws seriously without the SEC because all the SROs already had these prohibitions before the SEC copied and pasted some parts into the Code of Federal Regulations or created 10b-5 convictions that are SOMETIMES upheld by appeals courts before stripping them down in other circuits.

Insider trading is a balance.

On the one hand, we want market prices to be accurate. This means we want people with material information to trade on that information.

On the other hand, we need some fairness in a market. This is mostly to ensure people keep trading. In a world where inside-info is commonplace, trading without it is just stupid. This would cut off a lot of people from investing.

The line needs to be drawn somewhere. The US approach of insider trading requires a broken 'duty to keep secret' isn't nice, but considering the above trade-off I think it is better than "All non-public information is off-limits". Especially because it captures the 'most disruptive' form of insider trading: people who work at a company that is getting acquired / going bankrupt.

> On the other hand, we need some fairness in a market

American insider trading law has nothing to do with fairness. It is based on theft of information. In this case, the hackers stole information from the SEC that belonged to the reporting companies.

(This is a commonly misunderstood alley of securities law.)

That's interesting. I was digging around, and this piece[1] goes into detail, but early on they summarized the rationale for insider trading laws.

"One objection is that it violates the fiduciary duties that corporate employees, as agents, owe to their principals, the shareholders (Wilgus 1910)."

That supports the theft formulation.

"A related objection is that, because managers control the production of, disclosure of, and access to inside information, they can transfer wealth from outsiders to themselves in an arbitrary and hidden way (Brudney 1979; Clark 1986)."

Again, supports the theft formulation.

"The economic rationale advanced for prohibiting insider trading is that such trading can adversely affect securities markets (Khanna 1997) or decrease the firm’s value (Haft 1982)."

This seems like the fairness argument, though.

[1]: https://www.econlib.org/library/Enc/InsiderTrading.html

it violates the fiduciary duties that corporate employees, as agents, owe to their principals, the shareholders

Insider trading regs, as currently enforced in USA, get this exactly backwards. Senior C-suiters are not prohibited from trading their firm's stock. They only have to carefully choreograph that trading with respect to other events. They get as much advance time as they need to do this, and as much professional help as they (or the firm) can afford. They get all this time to scheme and pre-arrange, precisely because insider trading laws exist to hammer the lowly middle managers who would like to do their own trading on inside information.

The sooner trading based on information occurs, the sooner that information is public. The effect of these regulations is to keep secrets and make misguided investment more likely. All executives of a public corporation are in a conspiracy against the investing public. Insider trading laws function precisely to punish defectors from that conspiracy. This defection should rather be encouraged, so these are yet another set of laws the effect of which is entirely backwards from their supposed justification.

These are economic arguments. I was speaking solely to the law.

Not sure why you got downvoted, this is correct. If you, for example, overhear an executive on the street discussing how his company is going to bomb their earnings report, you wouldn't get in trouble for trading on that (if you somehow got "caught"). It's unfair in a sense because you just got lucky and stumbled into material, non-public information, but you also didn't really do anything wrong.

If that were the case, it would be legal for a company director to trade on information they gleaned from an internal meeting. Which, as far as I understand, it isn't.

> if that were the case, it would be legal for a company director to trade on information they gleaned from an internal meeting

That’s theft of company (read: shareholders’) information by a fiduciary.

Remember: America has no statute barring insider trading. The rules were developed through case law. (There’s a hypothetical of “if a company insider shouts material nonpublic information on the street and you trade on it, is that insider trading” that lawyers love to opine on, but to my understanding that’s never come up in court.)

This is a common misunderstanding with respect to insider trading.

The 1933 Securities Act, 1934 Securities Exchange Act and the Sarbanes-Oxley Act of 2002 all directly address insider trading.

In very limited ways. For example, the 33 Act bans short-swing trading and certain specific activity by holders of more than 10% of a stock. The vast majority of insider trading enforcement is brought forth on securities antifraud and fiduciary obligation statute interpreted through extensive case law.

That's fair, but it's also generally how the modern regulatory state works: Congress lays out a rough sketch of the laws and regulatory agencies and courts hash out the details. And counting incidences of enforcement doesn't tell you where the bulk of doctrine is since someone who plainly violates the law is quickly shut down, while the authorities are forced to play cat and mouse with the ones who skirt the law.

No, they all address illegal insider trading. If all forms of legitimate trading on material nonpublic information were illegal, then information asymmetry in the market would be outlawed. That would make it impossible to legally profit using any kind of financial research.

"If all forms of legitimate trading on material nonpublic information were illegal, then information asymmetry in the market would be outlawed."

FWIW, I'm not expressing an opinion on insider trading, just arguing that this specific claim is overly broad.

If your only relation with a company is to own stock in it, you're not an insider, but any research you do may be based on public information, but is nevertheless material and as private as you keep it.

And there's a lot of research to do. The economic fable "I, Pencil" is about the sheer number of firms that any given firm is indirectly dependent on and indirectly affects. Thus, if you see shocks affecting any upstream suppliers, the shocks are public information but your knowledge that it's relevant to the firm you're invested in is private to you.

That’s theft from the corporation they work for. GP is 100% correct in this case. Just read Matt Levine’s Money Stuff. He goes over this stuff a lot.

I'm not disagreeing with you because I have no clue about this stuff, but man that is an odd usage of the word 'theft'. Sounds more like improper use to me, e.g., getting a speeding ticket while using a company truck. I didn't steal the truck, but I used it in a way which is unlawful.

Well, say your company is going to buy another company. You know about it, and buy shares of the other company ahead of the public announcement.

You are essentially stealing from your own company, since your purchase of shares will drive up price and result in your employer paying more than they otherwise would have.

Though for the record, I think insider trading should be legal, or at least should be a civil instead of a criminal matter.

The purpose of financial markets is decentralized price discovery and preventing the trading of certain types of non-public information is totally counterproductive in that regard.

It's more like you were authorized to drive the truck to make deliveries, but you used it to pick up your kids from school and go grocery shopping without your employer's permission, causing wear and tear on the truck that caused economic damage to your employer without their permission.

Ok, but the point is that, in either case, the driver isn't going to be charged with motor vehicle theft.

Don't assume that insider trading laws make sense...

>This is mostly to ensure people keep trading. In a world where inside-info is commonplace, trading without it is just stupid.

I find this line of reasoning hard to swallow. As an individual I have significantly less info than hedge funds and other professionals but that doesn't change the fact that I want to buy Apple or whatever because I think it will grow over the next 5 years.

Now if you add in the scenario where all of the Apple employees are buying and selling based on unreleased earnings, that doesn't change my want to buy the stock at all.

How does Tim Cook buying some Apple shares right before good earnings change anything for a regular investor?

It is not so much about the retail investors as it is about the professionals. Most of the market is determined by them, in a world without them, prices will less accurately reflect the 'true value' of stocks. As such, we want to keep them trading. We also kind of want to dis-incentivize the professional traders from engaging in massive corporate espionage. Just because that is an arms-race that isn't very productive.

You keep saying "we" -- who are you speaking for?

Your argument that professional traders would stop trading in unison if insider trading laws were abolished seems entirely unconvincing to me.

Tim Cook (and all other Apple employees) are legally disallowed from buying or selling Apple stock outside of specific, well-defined trading windows. In particular, they cannot legally benefit from unpublished earnings information.

> all other Apple employees) are legally disallowed from buying or selling Apple stock outside of specific, well-defined trading windows

I don't think this is true, at least for most employees. I think this only applies at higher levels, though of course insider trading laws are still in force.

Sure, so insider trading is almost exclusively a creature of the executive branch, with the general antifraud provision under “Section 10b-5” used to prosecute it most of the time, a provision only the securities regulator can pursue (in conjunction with DOJ for the criminal prong).

The legislature fails to have consensus on this topic and hasn’t weighed in since the 1980s (where it was only to add statutory damages if a conviction was achieved, but no clarity regarding how and when it could be achieved)

And courts strip or uphold various nuances of the agency’s sentiment, leaving this to be largely unsettled territory, all while the people that staff these agencies have the same unclear and misguided (when courts later disagree) view on what kind of trading is or isn’t prohibited.

Other markets are completely exempt: Futures, currencies, metals, Nike shoes, non-securities digital assets. I think this aberration for the securities market should be re-evaluated, as it is an expensive dragnet.

Do the journalists believe Lithuania and Ukraine still somehow belong to Russia? I can’t see any explanation in the article of how Russia was involved.

Is there a reason why all SEC filings shouldn't be immediately publicly available?

Yes - certain filings are confidential while they are 'in process.' They then get released in batches on specific release dates, to the entire world, all at once. In particular, IPO registrations may be done confidentially in early stages. The information that is present in such filings is often valuable.


Because markets are built upon the assumption that time is discrete, not continuous.

But.. is it continuous?

In theory yes (Einstein) though we know this theory is wrong at the small scale so in reality probably not given what we know of quantum mechanics.

Yes - so they're not released while the markets are open.

Just curious -- why does that matter? In either case there's a single moment wherein people can trade on it. Why is it better for that moment to be at 9:30 instead of say noon?

I guess it prevents people hammering the servers to get the earning reports ASAP.

With this, people have a few hours to get the reports which means milliseconds matter less.

...which happens anyway. Starting 5-10 minutes before the official earnings reports come out, investor.google.com gets hammered by bots, requesting every few milliseconds until the actual page is released.

I knew an SRE that wanted to put up a fake earnings report until the official time at which the real one was released, to disincentivize this behavior, but the lawyers nixed that idea really quick.

Why didn't they just decide to delay the posting by 30 seconds? It's not like that would deter regular users but it completely eliminates the high speed trading case.

Uncertain - I'm not exactly the decision-maker. But I can think of two reasons:

1) They say that earnings will come out at a certain time, so they better be out at that time or else the SEC comes after them. If they just posted earnings as coming out at say 12:00:30 instead of 12:00:00, that just shifts the problem 30 seconds later.

2) The bots will just run for an extra 30 seconds, and will still have the advantage over ordinary people.

(Something I'm not clear on: regular Google - and Hacker News, for that matter - will sometimes just make a user's connection slower if they repeatedly hit it with traffic. Why not use that on bots that hammer the investor relations site? It completely disincentivizes these bots if the 100 requests you made at 11:58:30 mean that you get stuck with a 5 minute delay and don't get the information until 12:03:30. Or maybe they do use this approach and the SRE in question just didn't bother to tell me.)
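The throttling idea in the comment above, sketched as an added example (not code from the thread or from Google): a per-client penalty box in front of a page that goes live at a fixed release time. The class name, thresholds and client keys are assumptions, clients are keyed by source address, and times are seconds relative to a 12:00:00 release.

```python
from collections import defaultdict, deque


class PollThrottle:
    """Per-client penalty box in front of a page that goes live at release_at."""

    def __init__(self, release_at, burst=100, window=60.0, penalty=300.0):
        self.release_at = release_at      # time the report becomes public
        self.burst = burst                # hits inside `window` that trigger a block
        self.window = window              # sliding window length, seconds
        self.penalty = penalty            # block length, counted from the last hit
        self.recent = defaultdict(deque)  # client -> timestamps of counted hits
        self.blocked_until = {}           # client -> time the block expires

    def request(self, client, now):
        """Return an HTTP-style status for one request from `client` at `now`."""
        if now < self.blocked_until.get(client, float("-inf")):
            return 429                    # still in the penalty box
        hits = self.recent[client]
        hits.append(now)
        while hits[0] <= now - self.window:
            hits.popleft()                # forget hits older than the window
        if len(hits) >= self.burst:
            self.blocked_until[client] = now + self.penalty
            hits.clear()
            return 429
        return 200 if now >= self.release_at else 404


def first_success(throttle, client, times):
    """Replay `times` for one client; return the first time it is served a 200."""
    for t in times:
        if throttle.request(client, t) == 200:
            return t
    return None


# Constructed timelines (seconds relative to release at t = 0, i.e. 12:00:00).
# The bot fires 100 requests at 11:58:30 (t = -90), then polls once a second.
BOT_TIMES = [-90.0] * 100 + [float(t) for t in range(-89, 400)]
# An ordinary reader checks shortly before, at, and just after the release.
READER_TIMES = [-30.0, 0.0, 5.0]

if __name__ == "__main__":
    throttle = PollThrottle(release_at=0.0)
    print("bot served at t =", first_success(throttle, "198.51.100.7", BOT_TIMES))
    print("reader served at t =", first_success(throttle, "203.0.113.9", READER_TIMES))
```

With these constructed inputs the burst at 11:58:30 keeps the bot out until 12:03:30, while the reader is served at 12:00:00.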

Oh, I’m sorry. I thought you were referring to the finance information on finance.google.com, not investor information about google itself.

For the latter, companies are not required to release reports on their website in a timely manner. That’s what EDGAR is for.

Accessors who really care would just hit it from multiple IPs? And keep adding distributed IPs until they got what they wanted.

There's nothing you can do to eliminate the high speed trading case short of outlawing automated trading. As long as computers can trade, they'll compete on speed and nothing you do can prevent that. You could forcibly slow down trades to 1 a minute, and you'll still have bots competing on speed to be the first trade each minute and they'll still beat humans.

In 2012 Google's 8K earnings filing was accidentally released 3 hours early. https://www.businessinsider.com/google-blames-rr-donnelley-f... Their stock tanked 10% before trading was halted.

But it was an earnings filing in which they did not meet expectations - this strongly suggests that the stock would have tanked anyway, regardless of timing.

One can earn money on options that expire before the publication. If the market has not expected any surprises, such options can be rather cheap.

Because they need time to correct errors and to prevent fraud. Say someone gets into the SEC and decides to release a fraudulent report. If that happens during off hours it can be rectified, but if it happens during the trading day the markets will react instantly and the damage is done.

Fixed release times also mean that the companies submitting the filings cannot pick an advantageous time. Imagine if Musk was sitting atop a really horrible Tesla earnings report. If he could manipulate the exact time of its release he could leverage all sorts of things.

>but if it happens during the trading day the markets will react instantly and the damage is done.

Sounds like a good hacker movie.

>If he could manipulate the exact time of its release he could leverage all sorts of things.

There's already protection against him insider trading. Not sure what else "leverage all sorts of things" is.

Market trade panics are positive feedback loops. The closure of the market and the release of data while the market's closed allows investors to digest new information and move with their heads, not their hearts, decreasing the risk of regrettable shocks.

Meh, stocks trade after hours immediately after release so this excuse leaves something to be desired. It also doesn't account for the before open releases.

> Why is it better for that moment to be at 9:30 instead of say noon?

Because the market opens with an auction, giving everyone time to retrieve the information, digest it, and place their orders. Whereas, if the market is already open, whoever's closest to the source of information, and the exchange, has an advantage.

I take it they would have gotten away with it if they did it from Russia?
