June 01, 2005

Two Hot Whistleblowers

The concept of whistleblowing informs our deepest designs. We cannot secure everything, so we go to the next best thing: we document everything. Extraordinarily, we can put together extremely strong systems that use the humble message digest to create chains of signatures and time entanglement, not because this is perfect, but because we know that if someone is looking, they can find.

As our deepest difficulties lie not in external security but in protecting against the insider, audit trails and wide dissemination of information are among our hottest tools. For the financial cryptographer, our hope is to leave a trail so well buried and indicative that any investigator is supported with some real evidence and doesn't need to rely on anything but the evidence.
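A minimal sketch of such a digest chain, added here as an illustration and not taken from the post or from any particular system: each entry's digest covers the previous digest, and the head digest is assumed to be published outside the insider's reach. The function names, the SHA-256 choice, the JSON encoding and the sample records are all assumptions made for the example.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # assumed fixed starting value for the chain

def entry_digest(prev_digest, record):
    # Digest covers the previous digest plus a canonical encoding of the record.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_digest + payload).encode("utf-8")).hexdigest()

def append(log, record):
    prev = log[-1]["digest"] if log else GENESIS
    log.append({"record": record, "prev": prev,
                "digest": entry_digest(prev, record)})
    return log[-1]["digest"]  # the new head, to be disseminated widely

def verify(log, published_head=None):
    """Return None if consistent, the index of the first broken entry,
    or len(log) if the chain is self-consistent but its head differs
    from a head digest that was published earlier."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or entry["digest"] != entry_digest(prev, entry["record"]):
            return i
        prev = entry["digest"]
    if published_head is not None and prev != published_head:
        return len(log)
    return None

def build_sample_log():
    # Constructed sample records, not real data.
    log = []
    for n, amount in enumerate([100, 250, 75, 4000]):
        head = append(log, {"seq": n, "actor": "clerk", "amount": amount})
    return log, head

def rewrite_from(log, index, new_amount):
    # Test case: one record is changed and every later digest is recomputed.
    forged = []
    for i, entry in enumerate(copy.deepcopy(log)):
        if i == index:
            entry["record"]["amount"] = new_amount
        append(forged, entry["record"])
    return forged

if __name__ == "__main__":
    log, head = build_sample_log()
    edited = copy.deepcopy(log)
    edited[1]["record"]["amount"] = 9          # in-place edit, digests untouched
    print(verify(log, head), verify(edited, head))
    forged = rewrite_from(log, 1, 9)           # full rewrite of the tail
    print(verify(forged), verify(forged, head))
```

An in-place edit is caught by the chain itself; a full rewrite is only caught because the earlier head digest was held by someone else, which is where wide dissemination earns its keep.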

That's an ideal, though, and it doesn't normally happen quite so well. Sometimes spectacularly so. Here are two whistleblowing stories from the US that provide colourful background to our efforts to secure systems and processes.

In what has turned into a festival of hand-wringing moralising, Deep Throat has revealed himself to be Mark Felt, the Deputy Director of the FBI during the Watergate Affair....

Deep Throat was the fabled secret source who prodded the journalists and provided the crucial inside tips to keep the story alive until it swept over and destroyed the corrupt and arrogant administration of Richard Nixon. (See google.news for a squillion articles.)

How could he, write many of Washington's finest. The act of treachery, the traitor!

How could he not? I ask. When your administration is corrupt, what do you do? What is the press for? What is that much exported model of freedom there for if not to dig out the dirt and keep politicians honest? And is Mark Felt an employee of a corrupt administration first and always? Or is he a human being, a member of a society? (Americans would ask if he was an American, but that always confuses me.)

I think it is pretty clear that all our institutions, and also our models of financial cryptography support the concept and presence of whistle blowers. It may be hell when he's not on your team, but that's a different issue.

And in story #2, the Arthur Andersen conviction was overturned in the US Supreme Court by a unanimous decision. Arthur Andersen went down with Enron, which was done in by a public whistleblower when other, inside whistleblowers failed to do it.

What can one say about the Supreme Court's ruling - one of the most reputable names in accounting was wiped out by the original decision and now we are told it was wrong?


The obvious - too late for the 28,000 workers - has been written about elsewhere, but I can't help thinking such is simply the wrong way to look at the judicial process. Did it do the right thing or the wrong thing? I can't see the wrong thing having been done here. The prosecutor had a good case, and won the conviction. But he overstepped the mark and now it has been overturned. What else is there to say?

That's the way the process works; it's called checks and balances. Those who think this dreadful mistake means we should scrap the prosecutorial process, or "reel in the prosecution", need to think up a process to replace it. Regardless of the 27,000 or however many innocent workers at Arthur Andersen, that company was selling its soul.

So we need a process to stop that, and the current process just happens to do that. Sometimes. If anything, I think we need another big N accounting firm to go down for just such another scandal, as we know they were *all* doing it (as I've oft reported, I know all but one were doing it, and I just never heard what the other one was doing...).

Literally, yes, if the system needs to work that way, we need another 27,000 innocents to be turned onto the streets in order to get the message to the 1000 or so bad apples who will lie and cheat and basically sell their company's reputation for 30 pieces of silver. Remember, there are thousands of shareholders and the millions of California tax payers who also lost big time, and nobody's bemoaning their fate much. And nobody owns a job, whether they work for a corrupt company or an honest one.

But I'm all ears to a better system. Many older and legacy systems think they can protect themselves with an audit, and for the sake of all those who think that, well, their only real defence is an occasional spectacular bust of those selling unreliable audits. Or, to get serious about auditing and learn about financial cryptography :-)

Posted by iang at June 1, 2005 09:00 AM
Comments

Alas, the Felt case isn't nearly as cut-and-dry as that, is it? Most of the discussion floating around the past few days has focused on the politics of it, with a bureaucratic turf war being the more likely source of motivation.

> I think it is pretty clear that all our institutions, and also our
> models of financial cryptography support the concept and presence of
> whistle blowers. It may be hell when he's not on your team, but that's
> a different issue.

Is this the case in the big picture? While covert channels to press from insiders are great, do many systems allow plausible deniability of misdeeds? Or internal access audit trails, allowing an annoyed boss to determine which high-level underling grabbed an anomalous file that ended up in the press?

Posted by: allan at June 1, 2005 03:39 PM

I think that the problem runs deeper. The [limited liability employer] ~ [guaranteed salary employee] relationship is fundamentally flawed, IMHO. On a moral/ethical level, it leaves no one truly responsible for corporate actions. Managers are following their fiduciary duty to the shareholders, shareholders are just investing their money, employees are just following executive orders. Everyone has a near-perfect excuse, clearly limiting their responsibility. At the same time, there's nothing to limit the damage from corporate misdeeds. And it's a double-edged sword, too: employees can (and do) cause unlimited damage to the company and its reputation/security/bottom line and get away with it -- they only risk their salary, after all.
Sure, there's criminal responsibility too, but that doesn't apply in many cases. One can cause a lot of damage without committing a crime by simply being inefficient. Also, the costs of criminal proceedings are prohibitively high in many cases.
John Kornai has developed a neat economic theory to explain the flaws of planned economies. It has two crucial elements: the soft budget constraint and the plan bargain. It is the second one that is of interest here: basically, those who are expected to follow some plan have huge economic incentives to misrepresent (make the planmakers overestimate) the resources that they require to fulfill the plan. They might even collude with those up and down the technological chain. Now, I am more and more convinced that large capitalist corporations are no different from the USSR (or was it the other way around?). Inner budget constraints are soft, people are coordinated by bureaucratic orders (rather than market incentives) and the whole system is riddled with purposeful disinformation.
Whistleblowers often find themselves between two (or many) fires, since the lies are agreed upon and in the best interest of large numbers of people, often in the position of power: planned economies do not tolerate whistleblowers, even though they are beneficial for the system as a whole. Every planned economy has systemic problems with incompatible incentives.
I think that as capital stock (all the stuff that makes people more productive) is getting smaller and cheaper, the XXth century models of organizing cooperation need a rethink: maybe the economies of scale are not worth the loss of efficiency due to incompatible incentives and insufficient information anymore?

Posted by: Daniel A. Nagy at June 2, 2005 06:11 AM

The whistleblower concept is so simple and clean in concept, but disgusting in practice. When I say that our ideas and practices are aligned towards whistleblowing, I mean in the sense of audit trails needing people to follow them. If auditors aren't doing that job, then the only one left might be the whistleblower.

In practice it's nowhere near as easy as that. Most whistleblowers will have their lives destroyed and never work again in that field. It is by no means a costless action, they are really putting everything on the line, so when we say that at the high level we support them, what we are really saying is that if things have got bad enough that someone is going to throw everything away to get the truth out, then the truth must be important.

Any criticism like "bureaucratic turf war" must be seen in that context. The whistleblower will be faced with a barrage of attacks designed to utterly destroy them. These attacks might be fair and just, even, but they are only a response to the truth that is put out there. If the whistleblower kept his mouth shut and didn't reveal the truth, the attacks wouldn't happen.

(The actual specifics of the Felt case I'm unaware of - and perhaps deliberately so. The principle of whistleblowing I find very interesting because it challenges our notions of reliable systems. How can we build secure systems if they keep getting blown up by whistleblowers? Are we really so far away from the mark?)

Posted by: Iang at June 2, 2005 12:15 PM