Confidentiality at Risk: Accessing Financial Filings on EDGAR

The EDGAR (Electronic Data Gathering, Analysis, and Retrieval) database,
which is part of the US Securities and Exchange Commission's (SEC)
website, contains the financial filings of firms that access US capital
markets (EDGAR is the US equivalent of Canada's SEDAR). However, users'
activities on this database are at least partially public information,
due to the zealous US freedom-of-information law and culture.
Fortunately, one can take steps to preserve anonymity when client
confidentiality requires it. Turning the tables also appears to be
possible: taxpayers with documents posted on EDGAR may want to do their
own tracking of the companies (or even the tax authorities) that have
accessed their data.

The academic research publication "IRS Attention" and its online appendix
report that as each user accesses EDGAR, a server log file tracks
(1) the IP address of the requesting user, (2) the date and time of the
request, (3) a code identifying the public company whose forms were
requested, and (4) the particular form or filing being accessed. This
information is made public on the SEC website
and is updated quarterly with a time lag of six months or more. To
partially protect the user's privacy, the final eight characters of the
user's IP address are replaced with three unique letters (for example,
the "abc" in the fictitious IP address 123.456.789.abc). This practice
eliminates the possibility of tracking the access request to a
particular person, but it appears to allow the tracking of accesses to
those firms that use blocks of IP addresses. Specifically, if all of a
firm's assigned IP addresses differ only in the final eight characters,
the firm can be identified by using public records.
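
As an added illustration (not code from the study or the SEC), the following Python sketch lets a firm check what its own address block would reveal in a log of this kind. The column names, the sample rows and the helper functions are constructed for this example, and the masking is assumed to hide only the last dotted group of an IPv4 address.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample rows. Column names are assumptions modelled on the four
# fields described above; addresses come from documentation-only ranges.
SAMPLE_LOG = """ip,date,time,cik,accession
198.51.100.abc,2014-03-03,09:15:02,0000111111,0000111111-14-000010
198.51.100.dfe,2014-03-03,09:40:11,0000111111,0000111111-14-000010
198.51.100.abc,2014-03-04,14:02:45,0000111111,0000111111-13-000200
203.0.113.xyz,2014-03-03,10:00:00,0000222222,0000222222-14-000001
192.0.2.qrs,2014-03-05,11:30:00,0000111111,0000111111-14-000010
"""

def visible_prefix(masked_ip):
    """Return the part of a masked address that stays readable in the log."""
    head, sep, _masked = masked_ip.rpartition(".")
    if not sep or head.count(".") != 2:
        raise ValueError(f"unexpected address format: {masked_ip!r}")
    return head

def exposed_prefixes(cidr):
    """Map each log-visible prefix of our block to True if we own all of it."""
    net = ipaddress.ip_network(cidr)
    if net.version != 4:
        raise ValueError("this sketch handles IPv4 blocks only")
    if net.prefixlen > 24:
        # Smaller than a /24: other address holders share the visible prefix,
        # so a log row cannot be pinned on this block alone.
        return {str(net.network_address).rsplit(".", 1)[0]: False}
    return {str(s.network_address).rsplit(".", 1)[0]: True
            for s in net.subnets(new_prefix=24)}

def audit(log_text, cidr):
    """Group log rows that fall under our block by the company (CIK) viewed."""
    prefixes = exposed_prefixes(cidr)
    hits = defaultdict(list)
    for row in csv.DictReader(io.StringIO(log_text)):
        prefix = visible_prefix(row["ip"])
        if prefix in prefixes:
            hits[row["cik"]].append(
                (row["date"], row["time"], row["accession"], prefixes[prefix]))
    return dict(hits)

if __name__ == "__main__":
    for cik, rows in audit(SAMPLE_LOG, "198.51.100.0/24").items():
        print(cik, len(rows), "requests; attributable:", all(r[3] for r in rows))
```

A block of /24 or larger owns every address behind each visible prefix, so its rows are attributable to the firm; a smaller block shares the prefix with other address holders and is only a candidate match.
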
Users who want to protect their privacy can use standard techniques for
hiding an IP address, such as first connecting to a privacy-protecting
website known as a virtual private network (VPN), and then connecting to
EDGAR through that network (assuming, of course, that one can trust the VPN provider).
One can also take such steps when accessing other US government
websites if there is a fear that web accesses to those websites might
also be made public. VPNs are best known in Canada for allowing
Canadians to access websites whose content is intended to be restricted
to residents of the United States.

The aim of the "IRS Attention" study was to find out which companies'
filings were particularly the object of IRS research. It appears that at
the time of the study (2004-2014), IRS employees were not using VPNs to
obscure their IP addresses. Perhaps the IRS was not aware that the
employees' access to EDGAR was observable (or did not care that it was),
or perhaps it was just difficult to use a VPN within the IRS computer

What are the broader implications of public or semi-public access? In
particular, what types of information are tax practitioners potentially
disclosing when they access EDGAR? The answer may be as broad as the
question posed. In accessing publicly available filings, a buyer may
disclose potential interest in a seller, or a regulatory body may
disclose scrutiny of an entity. While that party's exact intentions may
never be known with certainty, the simple fact of access—especially
multiple accesses within a short period—could provide useful insights
both to the entity that is being examined and to other market players.

Alex Klyguine and Alexandra McLennan
Osler Hoskin & Harcourt LLP, Toronto