Linus Torvalds Admits He Was Approached By US Government To Insert Backdoor Into Linux -- Or Does He?

from the who-can-you-trust? dept

At the LinuxCon meeting in New Orleans, Linus Torvalds was asked if he had ever been approached by the US government to insert a backdoor into the Linux kernel. Here's his characteristic answer:

Torvalds responded "no" while shaking his head "yes," as the audience broke into spontaneous laughter.

Obviously, it's hard to tell from that whether he really meant "yes" or "no". But the question does touch on an important issue: whether open source might be less vulnerable than traditional applications to tampering by the NSA or other intelligence organizations. That's plausible, because by definition free software's code is always available for inspection; the idea is that even if backdoors are somehow introduced, they will be spotted by people looking over the code.

Of course, there are some problems with that. The first is that just because the code is available does not mean anyone will look at it. Secondly, even if the source code is examined and looks fine, that doesn't imply that the compiled version you run on your machine will be -- a well known, and deep problem. So does that mean we should give up on the hope that open source might be better than traditional closed source when it comes to backdoors?

Not necessarily. Here, for example, is the security expert Bruce Schneier writing in the Guardian a couple of weeks ago on the best ways to stay secure in the light of the revelations about the NSA's activities. One suggestion was as follows:

Be suspicious of commercial encryption software, especially from large vendors. My guess is that most encryption products from large US companies have NSA-friendly back doors, and many foreign ones probably do as well. It's prudent to assume that foreign products also have foreign-installed backdoors. Closed-source software is easier for the NSA to backdoor than open-source software.

After listing a number of recommended software tools, he also makes the following comment:

I understand that most of this is impossible for the typical internet user. Even I don't use all these tools for most everything I am working on. And I'm still primarily on Windows, unfortunately. Linux would be safer.

That's just one voice, albeit a highly-respected one. Here's another, saying much the same thing as Schneier:

Thanks to the recent NSA leaks, people are more worried than ever that their software might have backdoors. If you don't believe that the software vendor can resist a backdoor request, the onus is on you to look for a backdoor. What you want is software transparency.

Transparency of this type is a much-touted advantage of open source software, so it's natural to expect that the rise of backdoor fears will boost the popularity of open source code. Many open source projects are fully transparent: not only is the source code public, but the project also makes public the issue tracker that is used to manage known defects and the internal email discussions of the development team. All of these are useful in deterring backdoor attempts.

That's from Ed Felten (pdf), Professor of Computer Science and Public Affairs, Princeton University, and someone whose name has appeared on Techdirt many times. Despite his upbeat assessment of the value of open source in providing software transparency, the rest of his post urges caution:

transparency does not guarantee that holes will be found, because there might not be enough eyeballs on the code. For open source projects, finding backdoors, or security vulnerabilities in general, is a public good, in the economists' sense that effort spent on it benefits everyone, including those who don't contribute any effort themselves. So it's not obvious in advance that any particular open source project can avoid backdoors.

In other words, open source is not a panacea: it is not guaranteed to protect you from backdoors. But, like encryption, it is probably one of the best defenses we have -- whether or not Torvalds was asked to add a backdoor to Linux.

Follow me @glynmoody on Twitter or identi.ca, and on Google+

Filed Under: backdoors, linus torvalds, open source, surveillance, trust

CIA Veteran: Snowden Did Everything Wrong And The Government Respects Your Privacy

from the government-issue-rose-tinted-blinders dept

Another article has arrived defending the poor, misunderstood intelligence agencies from the hateful actions of a single contractor. Fortunately, it's all spelled out in the headline: "What did Edward Snowden get wrong? Everything"

Missing period notwithstanding, former CIA agent Andrew Liepman dives into his defense of intelligence agencies by attempting to cast these agencies as sympathetic entities. Not a simple task considering the recent developments, but Liepman tries.

First, he points out that these agencies couldn't care less about your trivial online activities.

[T]he U.S. government truly does make strenuous efforts not to violate privacy, not just because it respects privacy (which it does), but because it simply doesn't have the time to read irrelevant emails or listen in on conversations unconnected to possible plots against American civilians.

First: trying to find something the agency deems "irrelevant" is an exercise in futility. Seemingly unconnected web detritus is swept up along with the actually relevant (as in the OED definition, not the NSA's definition) data. The NSA may not have any interest in 99.9% of it, but it stores it anyway. Just. In. Case. Liepman even offers his admiration for the agencies' ability to stack hay, but honestly, that talking point has been exhausted.

Second: while agents may be mainly interested in "possible plots," evidence exists that they take time out of their busy schedules to listen to irrelevant phone calls and read irrelevant emails.

That's why I find the Snowden controversy so frustrating. I realize many Americans don't trust their government. I wish I could change that. I wish I could tell people the amazing things I witnessed during my 30 years in the CIA, that I've never seen people work harder or more selflessly, that for little money and long hours, people took it for granted that their flaws would be scrutinized and their successes ignored. But I've been around long enough to know that deep-rooted distrust of government is immune to stories from people like me. The conspiracy buffs are too busy howling in protest at the thought that their government could uncover how long they spent on the phone with their dear aunt.

Realizing people don't trust the government is great, I suppose, but the problem remains that the government has rarely shown interest in rebuilding this trust. I'm sure the CIA has its share of hardworking, trustworthy employees just like any other corporation. (Former NSA director Michael Hayden made the same sort of claim in his interview with CNN -- "The people working at the NSA have the same concerns as the American people.") But like any other corporation, it's also going to have its share of less-than-stellar employees, only these under-performers have access to a hell of a lot of data. Telling the public that some people do a damn good job won't change anything, as Liepman notes. But he's still going to try.

But once he's through trying to humanize the intelligence agencies, Liepman falls right back into the same rhetorical trap so many other defenders have: belittling the public for its concerns. Instead of making any attempt to portray American citizens' concerns about broad, non-targeted data harvesting as legitimate, Liepman downplays the opposition's credibility by referring to them as "howling conspiracy buffs" concerned about the government listening to "phone calls to their aunts."

Insulting the opposition will do very little to rebuild trust. This is how the intelligence agencies view those concerned about their privacy and constitutional rights: as social misfits prone to conspiracy theories and wild exaggerations about these agencies' capabilities. All this indicates is that those running these agencies have very little interest in addressing the public's concerns. In their minds, these people should be marginalized and mocked, rather than taken seriously.

Liepman repeatedly asserts that the CIA, NSA, etc. aren't interested in anything other than the activities of terrorists, not the activities of non-terrorist Americans, but evidence continues to mount that shows this assertion JUST ISN'T TRUE.

Two stories, just from this morning, show the CIA is surveilling Americans with no links to terrorism. A FOIA request managed to pry loose enough info to force the CIA to admit that it spied on MIT professor Noam Chomsky for several years [caution: registration wall; disable javascript to read], tracking his anti-war activities. Evidence has also surfaced via a hacked Stratfor email account that CIA Director John Brennan was the point man on the administration's "witch hunts" of American investigative journalists. That's just from this morning.

The history of the CIA is long and awful and includes many more instances of the agency deploying its tactics against American citizens, this despite the fact that it's supposed to limit itself entirely to foreign intelligence work. Two well-known domestic surveillance programs, Project Merrimac and Project Resistance, surveilled American citizens, keeping an eye on anti-war protestors and other "radicals." The CIA also ran a domestic mail opening program for two decades in four major American cities according to the Church Committee report.

For all of Liepman's claims that the government simply doesn't care about your aunt unless she talks to terrorists (or is one), the facts simply don't bear that out. These surveillance programs aren't strictly limited to countering terrorist activity. They're also being used to track American citizens that are either too noisy about their beliefs or are sticking their noses into places various administrations don't want them to.

After haranguing Snowden for his careless exposure of the NSA's internal workings, Liepman continues to believe the real issue is the government's inability to control the narrative, although he phrases it a bit differently.

[T]he intelligence community — always a less sympathetic protagonist than a self-styled whistle-blower — actually has a good story to tell about how seriously the government takes privacy issues. We should tell it.

Go ahead. Tell it. But stop leaving out all the parts that undercut your narrative of good, honest spies protecting the nation and respecting the privacy of Americans. Frankly, the government doesn't care about privacy issues until it's forced to, and even then, it can barely work up the energy to address the concerns, much less right the wrongs.

Filed Under: andrew liepman, cia, ed snowden, privacy, trust

Obama's Response To NSA Was To Appease The Public, Not Reduce The Spying

from the total-failure dept

We've spent much of the afternoon detailing some of President Obama's statements concerning his response to the NSA surveillance revelations, combined with some of the documents released by the administration. But a key point in all of this is highlighted in the Associated Press's coverage of the press conference: President Obama flat out admitted that this was about appeasing a public that doesn't trust the administration, not about reducing the surveillance.

President Barack Obama made it clear Friday he has no intention of stopping the daily collection of American phone records. And while he offered "appropriate reforms," he blamed government leaks for creating distrust of his domestic spying program.

In an afternoon news conference, the president acknowledged the domestic spying has troubled Americans and hurt the country's image abroad. But he called it a critical counterterrorism tool.

Even more to the point, his comments represent a fundamental misunderstanding of why the public doesn't trust the government. That's because he keeps insisting that the program isn't being abused and that all of this collection is legal. But, really, that's not what the concern is about. Even though we actually know that the NSA has a history of abuse (and other parts of the intelligence community before that), a major concern is that scooping up so much data is considered legal in the first place. So, when President Obama says that we should blindly trust the government not to abuse the data, that's missing the point:

"Understandably, people would be concerned," the president said. "I would be, too, if I weren't inside the government."

That's not particularly comforting.

Filed Under: barack obama, bulk collection, concerns, ed snowden, nsa, nsa surveillance, public, trust

Now That The Intelligence Community Got Away With Lying, How Can You Trust Anything They Say?

from the there's-no-punishment dept

We've already discussed how Director of National Intelligence James Clapper flat out lied to Congress (and the American public) and gets away with it completely. While the Obama administration and other surveillance defenders have been almost universal in support for Clapper, despite his lying to Congress and the American public, this seems like a really bad strategy. As has been discussed, at the Black Hat conference, NSA director General Keith Alexander was heckled by someone who accused him of lying to Congress as well, perhaps confusing Alexander for Clapper or perhaps assuming that Alexander told lies another time.

But here's the thing: given Clapper's admitted lying combined with the complete lack of any direct consequences for doing so, there's simply no reason at all to take anything that Clapper or Alexander says at face value. Alexander, especially, has been trying to go on a charm offensive to convince people that the press reports are exaggerated. He even "cursed" during his speech at Black Hat, and then pretended that it was by accident, and asked that it not be mentioned, trying to show how "honest" he was being. But all the charm in the world can't overcome the simple fact that everyone knows that there appear to be no direct consequences for lying. Even if we want to believe him, it's pretty difficult.

If the administration really wants to convince us that the surveillance programs are above board, it seems that keeping on an admitted liar to both Congress and the American public as the "face" of such programs isn't a particularly intelligent idea. It just makes people that much less likely to believe anything that Clapper, Alexander or others say about the program in their attempts to defend it.

Filed Under: james clapper, keith alexander, lies, nsa, nsa surveillance, trust

The NSA's Overreach And Lack Of Transparency Is Hurting American Businesses

from the the-economy-has-been-drafted-into-the-War-of-Terror dept

One major negative side effect of the NSA leaks is the problem it's causing for US-based tech companies. Not only have they been forbidden to discuss the details and scope of their interactions with American intelligence agencies, they've also been put in the worst possible light by some of the revelations.

Very simply put, the actions of the NSA harm American businesses. The NSA's control of the narrative only makes it worse as existing and potential customers have no way of knowing the full extent of the protection (or lack thereof) surrounding their data. Under the current law, companies can't even acknowledge they've received FISA court orders, much less provide statistics on frequency and compliance. With these restrictions in place, the government becomes the mouthpiece for American tech companies, and that mouth isn't saying much.

Pointing to the potential fallout from the disclosures about the scale of NSA operations in Europe, [Neelie] Kroes, the European commissioner for digital matters, predicted that US internet providers of cloud services could suffer major business losses.

"If businesses or governments think they might be spied on, they will have less reason to trust cloud, and it will be cloud providers who ultimately miss out. Why would you pay someone else to hold your commercial or other secrets if you suspect or know they are being shared against your wishes?" she said.

"It is often American providers that will miss out, because they are often the leaders in cloud services. If European cloud customers cannot trust the United States government, then maybe they won't trust US cloud providers either. If I am right, there are multibillion-euro consequences for American companies. If I were an American cloud provider, I would be quite frustrated with my government right now."

As it stands right now, hardly anyone trusts the American government. Those who are loudest in their defense of these programs also stand to gain the most by their continued existence. And while a lot of the discussion centers around the constitutional issues of harvesting of data on American citizens, the rest of the world isn't exactly thrilled either, especially considering these rights (even if ignored domestically) aren't extended to foreigners.

As far as anyone can tell, it's open season on foreign data and hardly anyone is showing any interest in rolling that back. If a foreign company suspects the NSA might want to sift through its data, why would it make it easier by using US-based companies to store its info or handle its traffic?

For foreigners who don't regularly read American surveillance statutes, this all came as an unpleasant surprise. And the details of how the NSA administers the mass surveillance programs do not make the surprise any more palatable. Individuals subject to NSA surveillance are almost never notified. The proceedings authorizing the surveillance are secret. The orders and directives are classified. The Internet companies that respond to the U.S. government's information demands are under gag order, or otherwise obligated not to disclose. And from a foreigner's perspective, all this happens at the request of a government they can't hold to account and is approved by a secret foreign court they can't petition.

In addition to its broad legal authority to spy on foreigners, the U.S. now has a distinct technological advantage in doing so. In the past, the nature of the telecommunications infrastructure meant that NSA commonly had to operate abroad to intercept in real-time phone calls between non-Americans. But today, most communications flow over the Internet and a very large percentage of key Internet infrastructure is in the United States. Thus, foreigners' communications are much more likely to pass through U.S. facilities even when no U.S. person is a party to a particular message. Think about a foreigner using Gmail, or Facebook, or Twitter -- billions of these communications originate elsewhere in the world but pass through, and are stored on, servers located in the U.S.

Because of this, US companies are now viewed as "security risks." The lack of any avenue for recourse makes the use of US services even less palatable. American companies wishing to do business with foreign companies may find themselves having to set up local servers in other countries, or risk losing that business altogether. The surveillance net cast by the NSA (and others) shows no sign of being pulled back soon, if ever. If attempts at transparency on government requests continue to be rebuffed by the administration, the deleterious side effects of these spy programs will be permanent.

So the first unintended consequence of mass NSA surveillance may be to diminish the power and profitability of the U.S. Internet economy. America invented the Internet, and our Internet companies are dominant around the world. The U.S. government, in its rush to spy on everybody, may end up killing our most productive golden goose.

A recent survey by the Cloud Computing Alliance bears this out. When asked if the "Snowden incident" would make them less likely to use a US-based cloud service, 56% of respondents said, "yes," with an additional 10% indicating that they had already cancelled a project to use a US cloud service. 36% of respondents from American companies said the Snowden incident made it harder to do business outside of the US.

Also noted in the CSA's report is that a little transparency would go a long ways towards mitigating the fallout. When asked to rate their government's data harvesting processes (for security and law enforcement purposes), only 10% rated theirs as "excellent" in terms of understanding the process and having clear documentation. Nearly half (47%) rated theirs at the lowest rung: "Poor, there is no transparency in the process and I have no idea how often the government accesses my information."

Transparency would help, but so far, the administration and the agencies themselves have shown a reluctance (if not complete antagonism) towards revealing any of the inner workings, much less allowing affected companies to separate FISA requests from normal law enforcement activity. There's been some pushback from tech companies and rights groups, but for the most part, the NSA seems comfortable with conjuring up the specter of terrorism in order to fight off any requests for transparency.

With no openness and no effective limits on US surveillance efforts, US companies are going to continue paying the price for the government's lack of credibility.

Kroes warned that US firms could be the biggest losers from the US government's voracious appetite for information.

"Concerns about cloud security can easily push European policy-makers into putting security guarantees ahead of open markets, with consequences for American companies. Cloud has a lot of potential. But potential doesn't count for much in an atmosphere of distrust."

Filed Under: harm, nsa, nsa surveillance, trust, us businesses

Why The Tech Industry Should Be Furious About NSA's Over Surveillance

from the it'll-hit-their-bottom-lines dept

We've already pointed out how some tech companies, including Yahoo!, Google and Twitter have fought back against overly intrusive attempts at government surveillance (though, they often lose), and there's been some discussion about how these companies are fighting to protect their users' privacy. There's a further reason why all of the tech industry should be speaking out against NSA surveillance. Beyond just being the right thing to do to protect your users' privacy, it's likely that it also improves their bottom line. We're already starting to see the fallout from the revelations of the NSA being able to scoop up data from various tech companies, and it's going to be harmful to their revenue.

Right after the initial NSA leaks came out, David Kirkpatrick quickly wrote about how the Obama administration appeared to be sacrificing the US internet industry in a weak attempt at trying to increase security (despite no evidence that it's actually done that). The global implications of the NSA spying aren't hard to figure out -- especially when looking at how many people around the globe use these services:

It's quite possible that Obama has undermined the effectiveness and attractiveness for political speech and protest of what have been the most potent communications tools for activism in history. Political and commercial opponents of the U.S. in every country as well as governments themselves will likely alert citizens to the potential that U.S. companies could pass their info back to US authorities. This will seriously conflict with these companies' aim to maintain their platforms as neutral global environments. It could dramatically slow their global growth.

[....] Do we really want to impair such powerful tools for spreading dialogue, political discourse, and U.S. values? Is it worthwhile to impair the extraordinary financial and commercial success of these great flagships for the American economy? Does Obama want Facebook et al just to be seen as tools of American power? That is certainly not the way the average user in Bolivia sees it. They see it as a tool of their own personal power, and they don't want governments interfering with that.

Further, he points out, this will likely drive users to foreign corporations, rather than American ones, as they strive to protect their privacy:

Don't believe there are not alternatives to the U.S. Net collossi. Companies worldwide are already relentlessly working on alternatives. The second largest search service worldwide is China's Baidu, with more than 8% of searches globally at the end of last year according to ComScore. Russia's Yandex is at close to 3%, more than Microsoft's own search product. In social networking, China's Tencent has had a stunning recent success with its WeChat product, which by some counts has over 450 million users worldwide, including many tens of millions outside China. Most major Chinese Internet companies have global ambitions.

Kirkpatrick was focusing more on the consumer side, and the importance of using these tools for open and free communication. But the same issues clearly impact the business side as well. As CFO.com recently, noted, companies are gong to be a lot less trusting of US-based cloud computing companies because of these leaks. Exposing the key info to governments is a real risk:

At the end of the day, if you have mission critical data and information in the possession of a third party service provider - Cloud or otherwise – the assumption that your provider will be in full control over their environments may be drawn unto doubt. As a CFO, it is prudent to consider your next steps very carefully to ensure that your intellectual property and trade secrets do not become the assets of others.

Given the suggestions that the US government has used this surveillance as a form of economic espionage, these fears seem quite well grounded. Foreign companies are now going to be a lot less interested in using the services of American companies.

And this isn't a theoretical problem either. Sweden just issued a ruling that bars the public sector from using Google's cloud services. Meanwhile, India is already telling companies that they need to setup local servers rather than make use of US servers if they want to do business in India.

This issue is important on a number of levels, but technology companies, who rely on a global audience, should be standing up and loudly protesting the NSA's broad surveillance, because it's going to hit their bottom lines hard. The administration and the NSA are directly making it difficult for US internet companies to be global enterprises, at a time when that's exactly what we need. Is it really worth sacrificing one of the few growing and dynamic industries that the US has these days, based on some vague and unproven claims that the government "needs" all of this info? It seems like a massive cost for almost no benefit.

Filed Under: business, cloud computing, espionage, free speech, global business, india, nsa, nsa surveillance, privacy, silicon valley, sweden, trust
Companies: google, yahoo

Is Anybody Shocked That Americans Trust TV Judges More Than Supreme Court Justices?

from the time-to-televise-the-hearings dept

I suppose that’s a rhetorical question. When you live in a nation that’s been reduced to an army of mindless reality-TV-watching drones, it’s not exactly surprising that the average citizen is more inclined to trust a television judge than a jurist who’s been appointed to the highest court in the land.

We care more about the matching camouflage wedding couture Honey Boo Boo’s parents, Mama June and Sugar Bear, wore when they tied the knot this past weekend than the next round of controversial decisions that will be soon be handed down by the Supreme Court. We care more about the Kimye baby bump than the very existence of the Supreme Court, much less the names of the justices sitting on its esteemed bench.

No one who’s been paying any attention is taken aback by the fact that Americans care more about the people they see on television on a daily basis than names they once read in a textbook. That’s why the results of the latest Reader’s Digest Trust Poll as to this country’s judges are expected, and sad, and not at all surprising….

Before we start discussing the names of the judges who ranked the highest in the trust poll, we’ll break down the magazine’s methodology for you. Reader’s Digest rounded up the names of 200 “opinion shapers, leaders and headline makers” across 15 professions and showed the list to more than 1,000 Americans, who then ranked each name based on how trustworthy they thought they were. Here, trustworthiness was defined as “integrity and character, exceptional talent, drive to personal excellence, internal moral compass, message, honesty and leadership.”

All that being said, famous actors — Tom Hanks, Sandra Bullock, and Denzel Washington — were the most trusted people in America. Our own president was in the bottom half of the list, behind people like Tim Tebow and Adam Sandler. Again, this isn’t at all surprising, because we bring these people into our homes on DVD and pay exorbitant fees to see them in theaters while we eat our overpriced popcorn.

So when it comes to American’s most trusted judges, it’s no surprise that we all love Judge Judy. She was #28 on the Reader’s Digest list. She’s snarky and laypeople love it when she lays down the law in little sound bytes that actually make sense. Plus, her show is only half an hour long, which is about the amount of time it would take for the average citizen with an Adderall prescription to put aside the Supreme Court’s 193-page Obamacare opinion before deciding to use it to papercut their eyeballs.

But how do the Supreme Court justices stack up against our nation’s preeminent television jurist?

• No. 36: Ruth Bader Ginsburg
• No. 43: Stephen Breyer
• No. 44: John Roberts
• No. 49: Anthony Kennedy
• No. 53: Sonia Sotomayor
• No. 62: Elena Kagan
• No. 60: Samuel Alito
• No. 66: Antonin Scalia
• No. 88: Clarence Thomas

So again, I’m going to implore the Supreme Court to start televising its arguments — or better yet, give them all their own television shows, reality or otherwise. Seriously, give us a reason to watch C-SPAN.

Perhaps if something like “Keeping Up With Klarence” existed, the only black member of our country’s high court wouldn’t have been beaten out by Judge Joe Brown, who was ranked as the 39th most trustworthy person according to the Reader’s Digest poll. How about a talk show with Sonia Sotomayor? “It’s Her Beloved World (And We’re Just Living in It)” — she could be the next Oprah!

You want a comedy? “Kagan and Scalia: The Really Odd Couple”. If you’re into shows about buying other people’s expensive old things, you can watch “Antiques Roadshow with Ruth Bader Ginsburg,” where she’d star as a host and as an antique. If you want a late night talk show, you could watch “The John Roberts Show,” with Sam Alito standing in as the witty sidekick. Last, but not least, for some action, why not watch “I Survived” with Stephen Breyer? His calamities could fill out an entire season.

Just think about the ratings, network execs. Please help make American less… stupid.

Reader’s Digest Trust Poll: The 100 Most Trusted People in America [Reader's Digest]
Reader’s Digest Trust Poll: Here’s What Shocked Us the Most [Reader's Digest]
Justice Ginsburg is close behind Judge Judy on most trusted list [ABA Journal]

More stories from Above The Law

• The High Price of the Federal Bench
• It’s Her Beloved World, And We’re Just Living In It: Justice Sotomayor Speaks on Free Speech
• You Stay Classy, Mississippi Supreme Court Justice Mike Randolph

Filed Under: supreme court, supreme court justices, trust, tv judges

Who Would You Rather Trust: Bankers Or Regulators?

from the do-we-have-to-pick-one? dept

A simple model of banking regulation and, like, counter-regulation goes something like this:

• Regulators are conservative and dumb, and want to safeguard banks from bad risks even at the cost of preventing good risks,
• Bankers are aggressive and smart, and want to take lots of good risks even at the cost of taking some bad risks, and
• Sometimes bankers can find people to put up with their shit and sometimes they can’t.

“Put up with their shit” is meant in the broadest sense – Can banks defeat Dodd-Frank? Brown-Vitter? Is Lloyd Blankfein a hero or a villain? Jamie Dimon? Etc. – but one particularly interesting question is, if you’re trying to do trades that evade or bend or optimize or whatever regulation, will someone do those trades with you? You could write a history of recent finance with the answer to that question: in 2007 you could chuck all of your mortgage risk off-balance sheet via securitizations, in 2008 you … could not, and in 2013 if you’re looking for someone to provide regulatory capital relief all you have to do is call a Regulatory Capital Relief Fund. Six years peak-to-peak, same as the S&P.

You could probably use words like “bubble” in characterizing that cycle but I prefer the approach taken in this new NBER paper by Guillermo Ordoñez of Penn (free version here), both because it mathematically formalizes that basic model of regulation and counter-regulation in an interesting way, and because it is congenially cynical. As he puts it, “banks can always find ways around regulation when self-regulation becomes feasible, and it is indeed efficient for them to do so.” Bankers, of course, always think that it would be efficient for them to find ways around regulation. They only do so when they can find someone to trade with them.

The gist of the formalization is that banks can invest in “safe,” regulator-approved assets; in “superior risky” assets, which have a higher return than the safe assets for the same risk but which are not blessed by regulators¹; or in “inferior risky” assets which have a higher upside but more risk than risky assets and are mainly a way for banks to implement moral hazard. Good banks want to invest optimally and care about the future, bad banks don’t care about the future and sort of maximize moral hazard. How they invest depends on economic fundamentals: if things are good then they invest optimally because there’s no need to take excessive risks; if things are terrible then they want to take excessive risks.²

Banks are constrained by two things. One is reputation: investors will trust a bank with a good reputation – that is, an observed history of taking good risks – and will fund it using unregulated shadow banking. The other is economic fundamentals, which investors can observe too: if fundamentals are bad and everyone knows banks will take excessive risks, then everyone demands the safety of deposit insurance (and regulation):

Why do investors agree on participating in shadow banking if they understand that banks are trying to avoid regulation that provides a safety net against excessive risk-taking? A potential answer is that indeed regulation and capital requirements are useless. However, if this were true, why would investors run from shadow to traditional banking when they become concerned about the quality of collateral?

I argue that reputation concerns lie at the heart of both the growth and the fragility of shadow banking. Shadow banking spurs as long as outside investors believe that capital requirements are not critical to guarantee the quality of banks’ assets, since reputation concerns self-discipline banks’ behavior. When bad news about the future arise, reputation concerns collapse because reputation becomes less valuable, and investors stop believing in the self-discipline of banks, moving their funds to a less efficient, but safer, traditional banking.

Like I said I find this paper very congenial but that’s in part because I feel like some people won’t. It rests in part on the assumption that bankers can observe superior-versus-inferior risky assets, and that regulators can’t. This is pretty intuitive – bankers are paid (more!) to make optimal investing decisions, regulators are paid (less!) to prevent risky investing decisions – and perhaps empirically supported – but, y’know, bankers are wrong sometimes too.

Also fun is Ordoñez’s proposal for a solution that steers between the dangers of unregulated banking and the inefficiency of blunt-instrument regulation:

Another, ideal but unfeasible solution, is to just give a high subsidy to all banks, regardless of their reputation φ, conditional on their repayment of the loans [i.e. conditional on their not defaulting] …. This naturally increases the cost of default for all banks and then allows for more self-regulation. This solution has the same effects as an exogenous increase of μ [i.e. expected economic conditions], but how does one finance these widely available subsidies?

Hahaha that’s “the best way to make banks safer is to give them such huge subsidies that surviving and getting the subsidies is more appealing than taking the risk of failing and losing the subsidies.” That seems … politically challenging,³ and so Ordoñez has some other proposals.⁴

I don’t know, I stopped there. Today’s bank lobbying – against increased regulation, higher capital requirements, and reduced too-big-to-fail subsidies – seems pretty uninspiring after that, doesn’t it? The real challenge would be convincing regulators that what’s needed are bigger and better subsidies for banks. I’m sure somebody’s working on that.

Sustainable Shadow Banking [NBER, ungated February version]

1. This is the condition “bankers are smarter than regulators.”

2. That is:

For all fundamentals [below some minimum threshold] banks take excessive risk, even if … reputation suffers a lot from taking risks. Intuitively, future prospects are so poor that reputation concerns are irrelevant. Similarly, for all fundamentals [above some maximum threshold] banks invest optimally, even if … reputation does not improve from investing optimally. Here, future prospects are so good that firms are afraid of defaulting and getting a zero continuation value.

3. Though also, like, true? Cf. Gary Gorton on how banks historically accepted regulation in exchange for a “franchise value” coming from their monopoly on banking activity, and how shadow banking erodes that franchise value, as in this summary:

The second insight of Gorton’s on which this paper builds is the importance of statutory franchise value for the business model viability of at least some kinds of regulated financial entities. Where competition from unregulated entities is permitted, whether explicitly or de facto, capital and other requirements imposed on regulated firms may shrink margins enough to make them unattractive to investors. The result, as in the past, will be some combination of regulatory arbitrage, assumption of higher risk in permitted activities, and exit from the industry. Each of these outcomes at least potentially undermines the original motivation for the regulation.

4. Viz. to have bad-reputation banks pay for the subsidy (since they can’t shadow-bank anyway) and give it to the good-reputation banks (who do shadow-bank), which I don’t really understand (how does the regulator measure reputation?) but whatever that’s a minor quibble.

Other posts from Dealbreaker:

• Banks Not Especially Eager To Start Handing Out Mortgages To People With Credit Scores In The Low 400s Yet
• Ringleader Of Insider-Trading “Fight Club” Didn’t Want Any Sarcastic Comments With His Inside Information
• Expert: You Can Only Fire As Many Employees As You Have, And If You Do, You Will Have To Hire Others

Filed Under: banking, regulators, trust, wall street

Harvard Searched Email Subject Lines Of Faculty To Sniff Out Leak

from the why-people-keep-private-emails dept

We've written a few times about employers snooping through the emails of employees, and for the most part, courts have found this to be legal. There are a few exceptions -- such as for attorney/client communications -- but for the most part, if you're using work provided email, they can spy on it. Of course, just because they can doesn't mean they should. As we've been pointing out for over a decade, doing so probably fosters an environment of paranoia, which may not be the most productive. Still, it's a bit surprising to see that Harvard University chose to snoop through the emails of staff members in trying to hunt down the source of a leak. Specifically, the university searched the emails of 16 deans, telling them about the search a few days later. Again, even though this is likely legal, it seems odd that a university like Harvard would do it, as it inevitably creates distrust with some of its most important staffers. Indeed, the news apparently has faculty and staff up in arms.

Havard has defended the search by arguing it was very limited -- just to specific accounts and just to subject lines:

Consequently, with the approval of the Dean of FAS and the University General Counsel, and the support of the Dean of Harvard College, a very narrow, careful, and precise subject-line search was conducted by the University's IT Department. It was limited to the Administrative accounts for the Resident Deans — in other words, the accounts through which their official university business is conducted, as distinct from their individual Harvard email accounts. The search did not involve a review of email content; it was limited to a search of the subject line of the email that had been inappropriately forwarded. To be clear: No one's emails were opened and the contents of no one's emails were searched by human or machine. The subject-line search turned up two emails with the queried phrase, both from one sender. Even then, the emails were not opened, nor were they forwarded or otherwise shared with anyone in IT, the administration, or the board. Only a partial log of the 'metadata' — the name of the sender and the time the emails were sent — was returned.

"The Resident Dean whose account had been identified was asked about the incident and voluntarily reviewed his/her own sent items and confirmed that she/he had indeed forwarded the message to two students. Although the Resident Dean's actions violated the expectations of confidentiality surrounding the Administrative Board process, those involved in the review and the conversation with the individual were sufficiently convinced that it was an inadvertent error and not an intentional breach. The judgment was made not to take further action.

The issue, though, is the expectation of privacy and the level of trust built up between staffers and the university -- and actions like this, even when done narrowly and carefully, can break down that trust in significant ways.

Filed Under: email, harvard, privacy, searches, trust
Companies: harvard