In news of a big scandal in the diamond world, the rating agency was found to be inflating valuations prior to sale. I find this a good example of what we mean when we say that relying on "trusted third parties" makes us more vulnerable:
The Gemological Institute of America, which grades diamonds for independent dealers and big retailers, fired four employees and shuffled top management after an internal investigation of its policies, the Wall Street Journal said.
The institute's internal probe started after a jewelry dealer who was also the former head of retail operations at luxury jeweler Harry Winston claimed that the institute and two diamond dealers conspired to inflate the grade of two diamonds that he sold to members of the Saudi royal family.
The diamonds, which were sold for $15 million, were taken to an independent appraiser and found to have a lower grade that made them worth much less, the paper said.
The dealer alleged that lab workers took bribes to inflate the quality of diamonds in grading reports, according to the news report, which cited people familiar with the situation.
Bribes, Saudi royals, diamonds, it's got it all! Only problem is, this is an old plot.
When we create an agency of such power, we all become vulnerable to it (a point which I believe many credit to Mark Miller -- see comments). That which we call the Trusted Third Party is no more than a hack that leaves us vulnerable to the TTP in exchange for maybe being secure against something else; whether that is a good exchange is highly dependent on the circumstances (see, e.g., Nick on TTPs).
In that case, when we say "trust" we mean you have no choice but to trust this arrangement - in other words you are highly vulnerable. The business about trust being nice and warm and consumer-oriented is simply marketing designed to lull us to sleep while others sleep not. (Auditors, CAs, Issuers, take note.)
We need to guard the guardians and watch the watchers as if they are untrustworthy. Because, frankly, if we do not, they will be. Oh, and for those who think it can't happen to them because they have structured it "properly" please take note:
"Fees depend on a diamond's size; grading a one-carat round diamond costs about $100. In 2004, the institute, a nonprofit, had income of $104 million, the paper said."
Non-profits are likely to have poorer governance as they have a better ability to hide information from stakeholders. Why? They don't have shareholders, they only have employees. That means the guardians and watchers cannot be guarded and cannot be watched. Who'd trust a nonprofit voluntarily?
Posted by iang at December 21, 2005 12:15 PM | TrackBack
Everyone trusts the GIA. But with $15 million diamonds, you would normally get all four certificate companies to make a cert (you wouldn't be trying to save the $40 you know?)
ALSO with the largest stones (multi million $), in some ways the color / clarity are not entirely the main determinant of price .. so it's a bit "fuzzy"
Posted by: JPM at December 22, 2005 08:13 AM
The first to make this kind of point was probably some ancient political scientist, and the founders of the U.S. made it quite often. It was their motivation behind separation of powers (e.g. why our President is supposed to go to a court to get a warrant before the NSA can spy on citizens!) For example James Madison said in Federalist #10 about designing that ultimate trusted third party, government, that it should not be based on an actual in a particular party: "ambition must be made to counteract ambition. The interest of the man must be connected with the rights of the place," and thus "it is necessary...to divide and arrange the several offices in such a manner as each may be a check on the other - that the private interests of every individual may be a sentinel on the public rights."
That's also the motivation behind separation of duties and oversight by a board of directors in corporations. It has also been at least implicitly an idea in at least some parts of computer security for some time (it's a big motivation behind multiparty secure computation, Byzantine agreement, etc.) I did coin the slogan "trusted third parties are security holes" back in the late 1990s or 2000, which Mark thought was over the top, and that inspired me to write this:
http://szabo.best.vwh.net/ttps.html
See also
http://szabo.best.vwh.net/separationofduties.html
In this case, I suspect that the Gemological Institute should have been auditing the valuation decisions of its employees more closely. There might also have been a problem that some of these employees were auditing each other, but were not sufficiently separated and thus could easily collude. Furthermore, some outside agencies (such as big customers) should have been independently auditing these decisions. If governments don't protect these entities from their mistakes, both the Institute and its customers will suffer and learn from this episode.
And, as JPM points out, with high value diamonds you should get several certificates from independent gem inspectors.
Posted by: nick szabo at December 22, 2005 11:46 AM
I am a Graduate Gemologist trained at the GIA in Los Angeles. I have been out of the trade for several years. My knowledge of the institute was extensive during the twenty five years that I was associated with it through the wholesale diamond business as a diamond grader and Gemologist.
The writer of this incident (poster) appears to be ignorant of the diamond grading process and of the diamond industry itself. To an outsider, and indeed to someone only familiar with CAs as such, I can understand this point of view. So, let me illuminate in this particular instance. The GIA is a CA and is regulated by the necessity to maintain its trust to and from the diamond industry itself. If only the government CAs and for-profit CA organizations were this well regulated by the computer industry we would be blessed and living in a different world.
While the diamonds are graded by the GIA for quality, the GIA never puts a price or value on the stones themselves. The values of the stones are set by the trade itself, particularly with the use of a pricing sheet called the Rapaport Report. Among the traders themselves, there is a great deal of variance among the selling prices or trade prices of the stones in 'relation' to the sheet prices. Further, the sheet reports on diamonds traded in the bourses, the diamond clubs, up to a size of 5 carats.
For two stones to have a value of 25 million dollars, they have to weigh more than 5 carats. Even if they were rated at a grade of D Flawless (perfect). Therefore there can be no way of standardizing the prices of these particular stones.
If there was any misrepresentation, it could only have been in the grading of the stones, not the valuation.
Secondly, diamonds of this size would have to have been seen by at least 3 graders, perhaps as many as five, to adjudicate a grading. So, if there was any malfeasance, there would have to have been collusion among at least that many - 1 graders plus a senior grader to have altered the evaluation of the quality.
There are at least 3 Gem Trade Laboratories in the system, California, New York, and London as well as 11 other GIA locations throughout the world. The GIA reputation is founded on the trust, accuracy, precision of diamond grading and the teaching of consistent methods of grading diamonds. Therefore, system wide, any breach of ethics would be treated harshly. Indeed in this case it was with the dismissal of those involved and to prevent further incidents, the GIA has now instituted an ethics hot line. See http://www.gia.edu/ethics/31236/gia_ethics_hotline.cfm for further details. Further, ethics-point is an outside agency.
There was a breach, it was handled and the institution has adapted with further protections.
Further, I have found the diamond industry to be self regulating and somewhat private. There is no mention of the action that the Harry Winston Company took in regard to the employees that induced the breach of ethics. No doubt exists that there was some sanction within this private company. I'm sure that the names of these perpetrators went around 47th Street (New York's diamond district) and the insiders in the major jewelry districts around the world in a matter of hours. I would doubt that these people would be able to have employment in any reputable establishment for the rest of their lives. They are goners.
As far as who is watching the watchers, in this case, the diamond industry is and always has watched the watchers. Indeed in this instance it was the trade that called attention to this discrepancy. In my experience, the diamond traders, cutters and appraisers keep tabs on the grading institutions by submitting and resubmitting or recutting and resubmitting the same stones to the same and different laboratories in order to determine the precision and accuracy of the different grading laboratories, because the reputation of the grading institutes and the reputation of the individual businesses and traders and indeed the valuation of the commodity itself is dependent on the accuracy and precision of this process and the trust that it creates.
Without this trust, the value of the commodity will not hold and there are too many stakeholders dependent on this process for their livelihoods and holdings. The energy and accounting industries should only be as self regulating.
Posted by: slf at December 23, 2005 03:45 AM
Nick Szabo wrote:
>> I did coin the slogan "trusted third parties are security holes"
>> back in the late 1990s or 2000, which Mark thought was over the top,
>> and that inspired me to write this:
>>
>> http://szabo.best.vwh.net/ttps.html
I'm glad to have helped prod Nick into writing that; it's a good essay. However, I still think the title is over the top -- it oversimplifies complex issues. But then again, all titles must.
> Non-profits are likely to have poorer governance as they have a better ability
> to hide information from stake holders. Why? They don't have shareholders,
> they only have employees. That means the guardians and watchers cannot be
> guarded and cannot be watched. Who'd trust a nonprofit voluntarily?
Well there's a dogmatically prejudiced comment if ever there was one. By the same argument we should be even less inclined to ever trust a privately held for-profit company. After all, not only do they have no oversight but we actually know that they are only in it for the money. Furthermore, in my years both observing the markets and as a director of a public company I have seldom seen very much evidence that shareholders really provide much if any oversight of the operational aspects of companies and are even less inclined to question profitable practices. In fact it is distressingly often the case that the driver for better governance is actually the government, which is probably an uncomfortable truth to swallow for many contributors to this site.
As has been noted already, the problem here was that there was a single point of failure in the process employed by Harry Winston's to value the stones. The fact that that single point was a non-profit (the existence of which, incidentally, is solely predicated on its reputation) is an irrelevance.
The NSA's definition of a "trusted" component is one that can break your security policy. How true :)
Happy New Year!
Posted by: IanB at December 31, 2005 09:02 AM
There is a fair amount of study of the efficacy of governance based on type of organization. In health care I recall not-for-profit did better. Essentially my point is that while you may be right, there is also quite a bit of scholarship on organizational theory and in fact you are almost certainly not right in many contexts.
Posted by: L Jean Camp at January 1, 2006 06:50 AM