The STOCK Act and Security through Obscurity

by

Today’s edition of The Hill has a deeply disappointing story about the fading fortunes of the STOCK Act. The measure, which was designed to strengthen legislative and executive financial disclosures in order to prevent insider trading, has faced repeated delays as concerns began to surface about its online filing requirements. Now a long-awaited report from the National Academy of Public Administration has arrived, and says that those concerns are well-founded. There’s a real danger that the online disclosure requirements in STOCK could be permanently neutered.

But NAPA’s case is weak, relying heavily on vague scaremongering about the dangers of the internet (the word “cyber” appears in the report 29 times). It consistently downplays the benefits of online disclosure, sometimes in frustratingly self-contradictory ways. Worst of all, it embraces a classic information security blunder.

Scaremongering

There’s no denying the difficulty of managing personal privacy in the digital age. But we’ve all had Facebook accounts for a while now–one would hope we could speak about specific benefits and harms, rather than resorting to handwaving about “the growing threat to individuals from accumulative data found on the Internet.”

But NAPA’s report avoids assessing the likelihood of specific harms (or ways to mitigate them), and instead relies on frightening talk of “clandestine ‘criminal bazaars’ where stolen identities and personal information are bought and sold,” while speculating that putting STOCK Act disclosures online will prove to be a tipping point beyond which civil servants will be hopelessly lost to the cybercrime panopticon:

establishing the searchable databases the STOCK Act envisions may equate to a “boiling the frog” scenario in that it adds to the extensive information already available about federal employees and could result in significant unintended consequences. In other words, this forthcoming increment in available data could become the fatal temperature change that goes undetected by the hapless frog.

This is less than convincing. And indeed, the report grudgingly acknowledges “the dearth of empirical data to document any harm having arisen from existing online postings of federal officials’ financial disclosures.” It goes on to note that such “expected costs, benefits and risks are largely speculative.”

Ignoring Benefits

But in truth, the benefits are not speculative — NAPA just chooses to ignore them. Here’s how they dismiss the idea that online filing might compel reports to be more accurate:

Some research suggests that posting information online leads to more honesty on the part of the person reporting the information. This may indeed prove to be true for certain types of postings. However, executive branch financial disclosures are 100% audited for potential conflicts of interest by at least two, and often more, levels of reviewers and carry potential criminal penalties if completed falsely. This lowers the likelihood that online filing, in and of itself, would promote more honesty and accuracy.

But just pages before this, the authors acknowledged that:

Insider trading violations are rare in the executive branch, but they have been found and successfully prosecuted. However, they almost never surface through ethics office reviews of EIGA financial disclosure forms. Insider trading allegations are more commonly reported to the inspector general as a tip. IG staff will often confer with the DAEO, especially to inspect financial disclosure forms for the individual under investigation. As a matter of fact, filing a false financial disclosure form to conceal the proceeds of insider trading is often one of the criminal violations that may be successfully prosecuted in an insider trading case.

In one breath: the reports are perfectly accurate thanks to thorough review. In the next: most violations are caught by people other than the reviewers, and such third-party tips often turn into prosecutions for inaccurate reporting. Which is it? (And, while we’re at it, how much faith can we put in those violations truly being “rare”?)

Security Through Obscurity

This is an example of the model for public access to information that NAPA describes and endorses:

NAPA disclosure model -- go visit an office

They note:

Although financial information on career federal executives is currently publicly available, it is available with hurdles, which limit access. These limits heretofore have provided adequate safeguards against misuse of the information and are seen by ethics officials as a good balance between transparency and the need to ensure mission safety and protect individual privacy.

This approach is known as “security through obscurity.” Essentially, the idea is that rather than fixing a system’s flaws, you can just make the system opaque or unusable or unpopular enough that those flaws never surface. It’s generally considered to be a bad way to achieve security.

In this case, it only takes a moment to see why. If NAPA is right and the data that STOCK exposes really is hugely valuable to spies, identity thieves, blackmailers, and mobsters trying to detect undercover agents, it seems implausible that requiring a visit or letter to the Ethics Office will be enough to dissuade those bad actors. At the margin, sure, more script kiddies might mess with sensitive disclosures if they’re online. But the correct approach is clearly to design a system that doesn’t leak sensitive information to the public in any form. Relying on obscurity is a dangerous gamble.

Meanwhile, consider other users of this data–the ones who value it less than criminals do–people like reporters, watchdogs and concerned citizens. Writing a news story about corruption is clearly less lucrative than blackmailing a civil servant. It’s also far more valuable to our country. If we set the price of disclosure data too high by making it difficult to access, we risk discouraging valuable public uses without actually protecting ourselves against dangerous ones.

As my colleague Lisa Rosenberg observed last October:

Congress should […] carve out minimal exceptions for those employees in sensitive job categories and, for the rest, recognize that in this day and age, public means online.

In other words: if there are problems with disclosure, let’s fix them. Ignoring them and hoping that obscurity will prevent bad things from happening is not only short-sighted, it’s dangerous.

Saving Graces

It’s not all bad. NAPA deserves credit for acknowledging the need to modernize disclosure systems in a variety of ways, including:

  • What data is collected, in order to cover new financial instruments and resolve ambiguity that leads to overreporting
  • How data is collected, by embracing electronic systems that bring efficiency and lower the reporting burden
  • How disclosures are analyzed, adopting partially automated review processes that will let officials cover more ground and spot more problems

Clearly, technology can help with these challenges. But limiting access to the collected information to those with substantial resources or profit motive is deeply unwise.

Unfortunately, this is a pattern we’re seeing more and more: the idea that a given transparency measure might be worth doing, but only if the resulting records remain safely locked away in paper files where they won’t be used.

This kind of thinking needs to stop. It’s well worth carefully considering what information should be publicly disclosed. But whether public information should be online? That’s a no-brainer. Public information should be online.