BIG DATA BIG PICTURE BIG OPPORTUNITIESWe see big to continuously boil down the essentialimprovements until you achieve sustainable growth! 617.237.6111 [email protected] databoiler.comMay 3, 2021Via Electronic Mail ([email protected])Ms. Vanessa Countryman, SecretaryU.S. Securities and Exchange Commission100 F Street NE., Washington, DC 20549File #4-698S7-10-20Release #34-91487 134-91555 234-89632 3Proposed Amendments to the National Market System (NMS) PlanGoverning the Consolidated Audit Trail (CAT)Limitation of Liability [pertaining to potential breach of privacy/ security protection of nonpublic data and personal identifiable information (PII)] for Stakeholders of CATRevise funding model set forth in Article XI of the CAT NMS PlanEnhanced Data Security of CAT (RIN: 3235-AM62)Dear Ms. Countryman:On behalf of Data Boiler Technologies, I am pleased to provide the U.S. Securities and Exchange Commission (SEC) with ourcomments on the captioned releases concerning: (1) Limitation of Liability (pertaining to potential breach of privacy/security protection of non-public data and personal identifiable information (PII) for Stakeholders of CAT system; (2)Revise funding model set forth in Article XI of the CAT NMS Plan; (3) Enhanced Data Security of CAT.A. Context of the Problem: Outdated Design since 2012As an inventor of patented solutions that solved the surveillance challenges mentioned in IOSCO – CR12/20124, we praisethe honorable goals of CAT as a means to prevent future flash crashes5 and allow the SEC and other market regulators to“rapidly reconstruct trading activity and quickly analyze both suspicious trading behavior and unusual market events”6. Weargue against the limitation of liability proposal and the revised funding model NOT BECAUSE we have any dislike theCAT processor and participants (i.e. FINRA, CAT LLC, and the Exchange Groups). Indeed, have mercy on them becauseevery constituent (including industry members) seems individually bound to achieve the following goals concurrently: (1)fulfill the SEC’s mandate to regulate/ promote the safety and soundness of market, (2) the public interest [address thecivic concerns about Massive Government Surveillance]7, (3) uphold and the continue pursuant of National cybersecurityand privacy protection best practices,8 and (4) comply with the Fourth Amendment of US Constitution9, the Departmentof Justice’s latest edition of the Privacy Act of 197410 and other applicable laws and new bills11 introduced ects/ethics-of-surveillance/ethics.html8NIST’s CISP revision 4 of SP800-53 has been superseded by revision 5 since September 2020. Also, NIST’s recommended bestpractices alongside other Cybersecurity and Privacy protection standards/ guidelines, such as ISO/IEC 27001 and 27032, Gramm-LeachBliley Act §6801, and FINRA’s cybersecurity rules and guidance, etc. may continue to have updates and new added contents. We havemultiple concerns if CISP is referencing to a particular NIST publication, including: (1) potential of complying with the bear minimalrequirements rather than pursuing the best practices; (2) new emerging cyber/ A.I. threats that the corresponding mitigationmethod(s) have yet to be incorporated in newer standard – i.e. the in-between time awaiting to adopt new policy; (3) non-synchronizewith international rules, such as the EU’s General Data Protection Regulation (GDPR).2P.O. Box 181, North Weymouth, MA 02191Page 1 of 13 (Public)

BIG DATA BIG PICTURE BIG OPPORTUNITIESWe see big to continuously boil down the essentialimprovements until you achieve sustainable growth! 617.237.6111 [email protected] databoiler.comThe CAT’s technical design since 201212 as a golden-source while well intended (or a “gigantic data-vault”) is out-of-date.It will take “forever” to come up with a “golden” unified “single source of truth”. By the time a common standard isadhered, value of the data subsided to almost worthless in the context of market surveillance. Analysts need sensors, notan encyclopedia. A good decision, made now and pursued aggressively, is substantially superior to a perfect decision madetoo late. The CAT project is outsized and is a Money Pit. Not only in terms of building and on-going operating costs, but italso introduces huge wastages and is non-environmental friendly according to LEAN Six-Sigma13.2012 Intended purposeCATPrevent flash crash2021 in progress of buildingElephantGigantic Vault“rapidly reconstruct tradingactivity and quickly analyze bothsuspicious trading behavior andunusual market events”Outdated Design - Money PitResulting inSecurity/ Privacy ProblemsPrime target for internal/ externalbreach and foreign adversariesWastages: data-in-motiontraffics, storage, wait (T 5)adds layers of vendor costs proposed funding model exacerbatesinequalities in the marketIn particular, frequent transmittal of data in-and-out and within CAT, unnecessary data-in-motion14 traffics, is wastageand more susceptible to defects. When data is ‘at-rest’ rather than ‘in-use’, it serves no value other than one has to payfor storage of the data. As data is redundantly stored at industry members’ systems and at the CAT system and then isregurgitated in bulk to CAT participants’ systems, causing significant wastages. Real-time analytic platform (RTAP) andmodern techniques could be applied closest to the original source of the data to avoid multiplicity of storage and dataprotection costs. Nevertheless, real-time or velocity of data serves to provide higher values than veracity of data during a‘market crash’. “T 5 days” regulatory access means unproductive idle time wasted to take timely action in curbingpotential abuse, protecting investors, and/or regulating an abnormal market event. Prior to addressing these wastages, itis unfair and premature to ask for funding of this CAT.The outdated design of CAT with all the non-essential data ‘at-rest’ and ‘in-motion’ makes it more vulnerable to securitythreats than modernized RTAP. Data-vault, data-lake, and ‘golden source of data’ are indeed attractive targets h amendment state-comparison-table/ G7 Cyber Exercise Programs a new Bill has been introduced to theU.S. House Financial Services Committee on March 18, 2021 to prohibit the SEC from requiring that personally identifiable informationbe collected under consolidated audit trail reporting requirements, and for other wastes-of-lean/14 htm files/DataBoilerInMotion.pdf10P.O. Box 181, North Weymouth, MA 02191Page 2 of 13 (Public)

BIG DATA BIG PICTURE BIG OPPORTUNITIESWe see big to continuously boil down the essentialimprovements until you achieve sustainable growth! 617.237.6111 [email protected] databoiler.comhackers to treasure hunt. Hackers do not necessary come from outside; compromised internal executive(s) and staff(s)and contractors may pose even higher dangers because of potential cover ups and abilities to profit off any stolen data.15The Central Intelligence Agency – Edward Snowden case16 is a prime example, i.e. NOT a hypothetical “black swan”17cyber breach. Additionally, the Director of National Intelligence has warned about China and Russia being the biggestthreats to the U.S. in the latest assessment report.18. An insecure and breached CAT can cause the destabilization of theU.S. capital market, which trades in trillion dollars daily. CAT must up its game for security protection against infiltrationand foreign adversaries or else it could become a threat to National Security.The CAT NMS Plan failed to address the following causes for potential information leak: Membership Inference Attacks,Reconstruction Attacks, Property Inference Attacks, and Model Extraction.19 It lacks scenario planning to counterdifferent implementation of attacks (Centralized/ Distributed Learning). The trading and investment communities areconcerned that User Defined Direct Query and bulk extraction increase the vulnerability of data being misused forimpermissible purposes. We are not convinced that non-public data and PII will be safeguarded properly if measuredagainst our suggested minimum requirements (please see Table 1 of our November 30, 2020 comments20 or Appendix 1 inthis letter). Without embedding appropriate analytical framework into the design of CAT as we have pointed out since ourcomments in 2016,21 CAT may be a useless gigantic vault that does nothing other than cause disturbances to all industrymembers wasting valuable time and energy in data submission and causing worry about security and compliance.Why would large Exchange Groups with robust surveillance systems and linked to market data feeds at nanosecondprecision need a “50 millisecond tolerance” CAT system? “If” one would play the devil advocate of using CAT data fornon-regulatory purpose (i.e. function creep), CAT will not save Exchanges from subscribing to other peer Exchange feedsgiven the T 5 access for CAT, but what if these non-public data and PII offer valuable insights to help Exchanges target toattract order flow? Would countless buy and sell-side broker-dealers and market makers be cut-out from the industryvalue chain22?CAT participants and industry members seem to address themselves to the parable of the blind men and an elephant23and/or hustle to seek shelter – immunity1 and/or defer until “accommodate the unending demands of the industry”24.Frankly, the only parties that stand to gain from an ever growing size of CAT may be the vendors. These cloud storage,security, infrastructure, data processing vendors and other big law or compliance consultant firms add layers of costs tothe industry without adding much value to the monitoring and analytical aspects of CAT, how sad!B. Outside delegate authorities, NOT immune from risks/ liabilities claimsThe proposed limitation of liability provisions discourages CAT Participants from advancing the security protection anddesign of CAT and CAT data. Although Self-Regulatory Organization (SRO) immunity may be broad, including affirmativeacts and omissions and failures to act. SROs, however, do not enjoy complete immunity from suits. According to ex htm .pdf21 htm men and an 1020-8077540-226001.pdf16P.O. Box 181, North Weymouth, MA 02191Page 3 of 13 (Public)

BIG DATA BIG PICTURE BIG OPPORTUNITIESWe see big to continuously boil down the essentialimprovements until you achieve sustainable growth! 617.237.6111 [email protected] databoiler.comcourt cases,25 FINRA and presumably all SROs remain subject to liability should claim(s) arises as a result of privatebusiness or commercial conduct. The SROs’ immunity from private civil actions applies ONLY when they are actingwithin their delegated authority.26 How courts apply a “functional test” to determine whether an SRO is entitled toimmunity from burdens of litigation or civil damage suits may be a controversy here. If in the case of SROs’ executive(s) orstaff(s) or contractor(s) willful misconduct, gross negligence, bad faith or criminal acts related to CAT, SROs shouldNEVER be immune under those circumstances because these are not part of their arbitral and prosecutorial authority.Given FINRA replaced Thesys Technologies (a private company) as the CAT processor indeed signified that FINRA and CATLLC are in effect conducting private business. We argue such commercial conducts must subject to corresponding risksand civil claims in the case of liability.When we rebut the Charles River Associates’ Economic Analysis (CRAEA) on their estimates of “greater than 100 milliondamage or 95% percentile loss may misguide policy makers info falsely believing the risks may possibly be accepted whenit should not” in our January 27, 2021 comments.27 We are thinking of the temptation for function creep28 and the realismof various adverse scenarios29 if happened to CAT may potentially destabilize our capitalistic system and economy. Onthe other hand, we have the following picture in mind:Outsized risks of thiselephant cannot beaccepted, insurers refuseliability coverage.CAT participants seekimmunity and ways outby transferring risks toIndustry Members.Industry Members cannotabsorb the risk and has noway to mitigate risksoutside of their controls.Shouldn’t this be a CAT, not an Elephant in the first place? What can be done to ensurefit-for-purpose and proper security protection, so risks would be mitigated accordinglyrather than being forced to accept or unnecessarily transferring the risks to ordinaryinvestors that have nothing to do with risky or abnormality of trading activities.25Weissman v. Nat’l Ass’n of Sec. Dealers, 468 F.3d 1306, 1312 (11th Cir. 2006); see also Sparta Surgical Corp. v. Nat’l Ass’n of Sec.Dealers, 159 F.3d 1209, 1213 (9th Cir. dex htm ity.pdf28The defined purposes of accessing CAT should be much narrower than the broadly defined “regulatory purposes”. Using tax filingto the Internal Revenue Service (IRS) as an illustrating analogy, the IRS asks for income information, but would not ask for the completecustomer and supplier lists and detail transactions unless the party is being summoned in court. Therefore, we argue that there shouldbe no access to CAT for ‘market surveillance’ purpose prior to identifying symptoms of irregularity that are substantiated by data atSecurities Information Processors/ Competing Consolidators and/or analytical procedures at SROs/ the SEC.29The CRAEA failed to account for scenario, such as the Edward Snowden case where information from CIA systems got exposed toWikiLeaks. The CRAEA also neglected the scenarios, such as the 2015-2016 SWIFT banking hack, where hackers used stoleninformation of a foreign central bank to initiate the scam/ scandal to theft on the Federal Reserve Bank of New York; or Market Chaossuch as the GameStop phenomenon if it may allegedly involve foreign adversaries. We can go on-and-on with additional scenarios andpotential exploitations or abuse of CAT. In any case, the SEC’s proposed standard Limitation of Liability Provisions (LLP) to the ReporterAgreement and Reporting Agent Agreement is inconsistent with the Exchange Act because these threats could escalate into NationalSecurity issues which are outside the jurisdiction of the SEC.P.O. Box 181, North Weymouth, MA 02191Page 4 of 13 (Public)

BIG DATA BIG PICTURE BIG OPPORTUNITIESWe see big to continuously boil down the essentialimprovements until you achieve sustainable growth! 617.237.6111 [email protected] databoiler.comNevertheless, neither the SEC nor the SROs have rights above the U.S. Constitution. Please be reminded that the FourthAmendment right to be free of unwarranted search or seizure, recognized by the Supreme Court as protecting a generalright to privacy.9 No-one wants his/her data be used by regulator(s) to develop policies that potentially may discriminateagainst him/her. Suspicion of crime or anticipation of market turmoil should begin with some basis or require ‘searchwarrant’ before permissible collection or surveillance on information that would otherwise be considered as private.Unlike census, collection of non-public and PII by CAT for all trade activities without express consent by the investors is anintrusion of one’s privacy. Stakeholders of CAT should NOT be placed above the law.According to a recent National Security Commission on Artificial Intelligence Final Report30, “The reach of tools that China,for instance, uses to monitor, control, and coerce its own citizens—big data analytics, surveillance, and propaganda—canbe extended beyond its borders and directed at foreigners. Without adequate data protection, A.I. makes it harder foranyone to hide his or her financial situation, patterns of daily life, relationships, health, and even emotions. Personal andcommercial vulnerabilities become national security weaknesses as adversaries map individuals, networks, and socialfissures in society; predict responses to different stimuli; and model how best to manipulate behavior or cause harm. Therise and spread of these techniques represent a major counterintelligence challenge.”This is America, not a communist country that performs massive government surveillance.31 To be consistent with §11Aor any other provision of the Securities Exchange Act of 1934, we think the SEC has full authority to pursue, without worryof other U.S. regulatory authorities’ objection, to demand better Suspicious Activity Report (SAR) from Broker-Dealers(BDs) and/or order improvements of BDs’ trade controls or fulfill certain compliance requirements. We also think the SEChas rights (without stepping on other agencies’ jurisdictions) to adopt the “A-Z” clauses that we suggested in Appendix 1,as part of the minimum requirements for CAT NMS Plan’s principle based rules rather than the Enhanced Data Securityproposal which makes specific reference to an outdated revision 4 of SP800-53 by the NIST.8 However, the CAT NMS Planin its current form or the application of the captioned proposal(s) may be in contradiction with the Department ofJustice’s latest edition of the Privacy Act of 197410 and other applicable laws and new bills11.C. CAT’s Funding does NOT have to be a “Sh*t hit the fan” scenario, there are better alternativesAt Data Boiler, we despise the mentality of stop trying when there is still room for improvement. Attempt to “allocate”risks (shift liability disproportionally) to industry members who are NOT users of CAT and have NO control over potentialsecurity breach caused by CAT participants, external hackers, or in case of CAT system failure is UNFAIR. If we compare thecurrent CAT design with our “A through Z” requirements per Appendix 1, we see significant deficiencies and ineffectivecontrols requiring immediate attention. We are not sure if that’s the reason why the CAT operating committee seems tohesitate to respond to each of our 26 suggestions17, but to resolve CAT’s challenges, it takes not just cooperation andcollaboration, but development and deployment efforts.CAT participants and Industry Members do not have to worry about heightened costs related to improving CAT’s systemand security and privacy controls, because creative design such as our alternative suggestions per Figure 2 of ourNovember 30, 2020 comments or Appendix 2 in this letter, would innovate the approach to analyze suspicious tradingbehavior and unusual market events directly and quickly, as well as yield substantial savings while enhancing security forall parties. In turn, the essential data stored at CAT would be much more manageable, data control would be more robust,and by then, insurers should be more willing to provide liability surveillance in ChinaP.O. Box 181, North Weymouth, MA 02191Page 5 of 13 (Public)

BIG DATA BIG PICTURE BIG OPPORTUNITIESWe see big to continuously boil down the essentialimprovements until you achieve sustainable growth! 617.237.6111 [email protected] databoiler.comRegarding CAT’s funding model, both the original and the revised proposal are like the Financial Transaction Tax (FTT).32The plan is simply tolling everyone in the industry, which will ultimately be passed-down to the end-investors. Wequestion why the CAT operating committee, a CAT governing body composed of ONLY representatives of the SROs, wouldhold concentrated power on the Funding Authority as set out in §11.1?33 We challenged the Article XI §11.2 FundingPrinciples being insufficient to check against the CAT operating committee’s legislative power to (a) approve budget ofCAT and (b) establish fees for themselves as well as for all industry members, the committee’s executive power in (c)imposing and collecting of all Consolidated Audit Trail Funding Fees, and the judicial right to (d) assign and change the tierassigned to any particular Person, resolution of disputes upon reasonable notice to such Person. Even though the SROs arerequired to file the fee schedules with the Commission, such unchecked power34 of the CAT operating committee wouldnot ease the public or the industry community’s concerns for potential biases.If the CAT operating committee’s funding authority under Article XI §11.1 is a delegated power conferred by the SEC toperform a public duty, then we have the following concerns and/or questions:i.Bifurcated Cost Allocation is Inequitable and Proposed Minimum for Industry MembersWhy are the CAT fees not imposed on the direct recipients of those that receive benefits from such services butrather a ‘tax’ on all industry members? Whether CAT participants should or should not be the direct recipients ofCAT benefits is also arguable given the rationale we stated in Part A of this letter.a) If the CAT fee is related to supporting the SEC to “rapidly reconstruct market events/ trading activity” beyondusing the public available data, then the Commission may subscribe to the SROs’ proprietary feeds for anynon-public data, or seek expressed consent to voluntarily share, or use of its permissible authority to summonthe relevant private information.b) If the CAT fee is related to “facilitating risk-based examinations” and/or “improving abilities for evaluating tips,complaints and referrals of potential misconduct made to regulators, monitoring and evaluating changes tomarket structure”, then the SEC and SROs may go back to the Congress for funding or pay for it usingcollected fines, penalties, and intragovernmental fees, but not “user fees”.c) If the CAT fee is related to “better identification of potentially manipulative trading activity, increasedefficiency of cross-market and principal order surveillance”, then private surveillance businesses affiliatedwith Exchange Groups stand to receive benefits from CAT, hence they should pay the most if not all of suchCAT costs. The SEC and other SROs shall have choice to use peers’ surveillance system, or build their own orbuy from other private vendors.d) If the CAT fee is related to “improving efficiencies from a potential reduction in disparate reportingrequirements and data requests”, then it should be segregated into regulators’ portion and the users’ portion.If CAT is constituted as one of the “user fees” imposed by the SEC and/or SROs, then according to theGovernment Accountability Office (GAO), these “fees assessed to users for goods or services provided by theFederal Government are deposited to the Treasury as miscellaneous receipts and are generally not availableto the nt/uploads/STA-FTT-Letter-FINAL-03 16 files/2015/10/leadership-xtufp4.pdf35Fees assessed under the authority of the Independent Offices Appropriation Act of 1952 (codified at 31 U.S.C. § 9701), rather thanunder a specific authorizing statute, must be deposited to the Treasury as miscellaneous receipts and are not available to the agencyor program that collected the fees, unless otherwise authorized by law.33P.O. Box 181, North Weymouth, MA 02191Page 6 of 13 (Public)

BIG DATA BIG PICTURE BIG OPPORTUNITIESWe see big to continuously boil down the essentialimprovements until you achieve sustainable growth! 617.237.6111 [email protected] databoiler.comIf the SROs argue that CAT fee setting, collection, and dispute resolution are common commercial practices thatthey should have full discretion, then, CAT would not be part of their arbitral and prosecutorial authority. Hence,the SROs should not enjoy immunity related to their private businesses and the industry members shall thenhave choice (under antitrust laws), including rights to opt-out of CAT given they are not even users of the CATsystem. If CAT fee/ minimum is a “pay to play” bundled cost to participate in a market, then this “tax” is a barrierof entry inconsistent with the competition, capital formation, and other goals of the Exchange Act.ii.The allocation and minimum are undue burden on Industry MembersOther than a negotiable portion of point “C(i)(d)”, CAT has no reason to allocate an inequitable36 75% of CAT costto Industry Members. The proposed 125 per quarter ( 500/ annum) minimum to Industry Members hits 225industry members in the bottom population (18.2% of 1237). There will be 792 industry members (64%) paying 1penny to 86 cents above the minimum per quarter under the proposal. If counting from industry members #37 tothe #1237 (97.1%), they generate 3.33% of message traffic, but will be required to pay for 4.26% of aggregatedindustry member fees under the proposal. It is a huge wastage in CAT billing and other administrative functions tocollect these “de Minimis” fees or minimums from small industry members; it proves that the proposed fundingmodel is inconsistent with funding principle §11.2(d).Also, why should smaller firms subsidize the top 36 elites whom generate 96.67% of message traffic but will pay95.74% of aggregated industry member fees after the discounts? Some of the top elites already receive 32 milsuper-tier rebates and other favorite treatments to compensate for their market making efforts and order flowcontributions in the price discovery process. The CAT operating committee’s proposal with discount, maximumcap, minimum, and other adjustments would further exacerbate the inequalities in the market37. Establishmentof funding model without involvement of industry members and the public may raise public concerns or potentialnegative impression that CAT being a “private party” among elites to seek unfair advantages over others. Contrastto serving the public interest, rulemaking to seek sole benefit for the government agency or the affiliated SROsshould be prohibited.We suggest adding a new CAT funding principle 11.2(g) about CAT costs allocation should be in proportion withspecific public benefits received, i.e. not private benefits of CAT participants; and those that have higher implicitrisk and vulnerability to potential conflicts of interest must be charged higher fees than others, to cover what isnot already funded by fines and settlements from abuse or other securities law violation cases.iii.Proposed CAT Participants allocation versus Our Counter SuggestionsWe argue against both the original “execution venue” concept and the proposed “message traffic” concept. If CATNMS Plan is meant to prevent future flash crashes, curb suspicious trading behavior and unusual market events,then why should one who is doing things fairly and squarely be subjected to regulatory scrutiny and CAT costburden? CAT funding model should be driven mainly by fines and settlements. We believe the Commission’scurrent operating cost is also supported substantively by fines and settlements. So fines and settlements shouldbe deemed acceptable revenue streams to cover CAT LLC costs satisfying the Article XI §11.2 funding principles.If fines and settlements are insufficient to cover all CAT costs, then the SEC and CAT operating committee mayconsider imposing a negotiable portion of an earlier mentioned point “C(i)(d)” cost to those based on kelvin-to/P.O. Box 181, North Weymouth, MA 02191Page 7 of 13 (Public)

BIG DATA BIG PICTURE BIG OPPORTUNITIESWe see big to continuously boil down the essentialimprovements until you achieve sustainable growth! 617.237.6111 [email protected] databoiler.comand number of suspicious activities reported on the Suspicious Activity Reports (SAR). Those who under reporton SAR should get increased fines. We think those who “operate at the edge” and have higher risks for potentialconflicts of interest, should bear much of CAT cost given the extra efforts in deciphering their complex activitiesas compared to firms with a simpler business model. Indeed, smaller players who do not accept or pay paymentfor order flow (PFOF) and who are not entitled to access fee rebates deserve appropriate subsidies, so there willbe a sustainable pipeline of emerging broker-dealers to participate in the markets.a) Categorization of ATS, Market Making Discount, and Maximum are UnjustRegarding Alternative Trading Systems (ATS), we think Dark pools introduce higher implicit risks due to theirlack of transparency and vulnerability to potential conflicts of interest38 than Lit venues. Therefore, dark poolsshould

BIG DATA BIG PICTURE BIG OPPORTUNITIES We see big to continuously boil down the essential improvements until you achieve sustainable growth! 617.237.6111 [email protected] The CAT’s technical 12design since 2012 as a golden-source while well intended (or