Wednesday, December 22, 2010

Wikileaks: Freedom of information versus information privacy

Article reposted from original posting on ComputerWorldUK

The commotion over Wikileaks and Julian Assange is incredible. Even more incredible is the polarisation of opinions you find on the internet. It ranges from “Assange for president” to “Assange the digital Osama Bin Laden”.
Stepping away from the opportunistic rhetoric we should realise that this discussion involves fundamental issues concerning information ownership, information privacy, freedom of information and the way we handle information on the Internet.

I believe that the law should just be the written representation of what we as society believe is right and wrong. So this article is not intended to discuss if Wikileaks and Assange are acting unlawfully and should be persecuted but our beliefs, as a society, of what is right and wrong. In itself the lawfulness is already an interesting discussion since the Internet supersedes any geographical boundaries. So which country law should govern the Internet?

Monday, December 20, 2010

Bonuses and sanctions


In Holland there is a saying: you catch more flies with honey than with vinegar. Indeed, if we look at the causes of the financial crisis, in a number of cases the drive to achieve the incredible bonuses that are customary in the financial sector seems to have outweighed whatever sanctions the enterprise risk department might or might not have imposed for excessively risky behaviour.

First of all this shows an underlying feeling regarding enterprise risk and control: enterprise risk and control limit the possibilities of "the fast and the furious" to reach for the sky. This feeling that enterprise risk and control only limit the possibilities of the organization to maximize growth and profit potential is surprisingly common, even among people who should know better. Some time ago I had a conversation with an account manager of the management consulting firm I was working for at the time. The customer we were discussing was a supplier of high-tech production tools for the computer industry with a world-wide customer base. The company is a world-wide market leader in its field of business. We were discussing whether they might be interested in my particular expertise (IT Governance, Risk, Security and Compliance). I will not soon forget one of the statements my discussion partner made: "This is a fast moving company with a young, entrepreneurial, can-do culture. They have no interest in the control resulting from IT GRSC since it would limit their possibilities to maximise growth and profit." Not his exact words by the way, but close enough. Such convictions are amazing, however, for an account manager of a management consulting firm. What made it worse was that he was also the company director overseeing the consulting business for customers in the production sector. In response I have a question: why does a Formula 1 race car need brakes? Answer: to be able to drive faster. Explanation: no Formula 1 driver in his right mind will drive his car at full speed unless he is convinced he will be able to slow down in time to make the next corner!

These days we look at the causes of the financial crisis and the actions to be taken to ensure it does not happen again. There seems to be consensus that governance and risk mechanisms have failed in the financial sector. Regarding the solutions, the discussion often turns towards the (according to some, excessively) high bonuses customary in the financial sector and the need to limit these. It is interesting to note that the amounts of employee remuneration are not a primary focus point of any of the governance and risk models and regulations I checked (amongst others COSO ERM, the OECD Principles of Corporate Governance, Basel II and ISO 38500). The Cadbury report does address the issue but comes with the following statement: "The Committee has received proposals for giving shareholders the opportunity to determine matters such as directors' pay at general meetings, but does not see how these suggestions could be made workable." Do the models and regulations have a blind spot on the issue? One could argue that (IT) governance and risk models and regulations do target organizational objectives and, since bonuses (in general) are connected to achieving objectives, there is a causal connection between the two. However, this would not explain why the discussion only focuses on the size of the bonuses. One would expect the discussion to focus on the circumstances under which bonuses are awarded, not primarily on the amounts.


It is understandable that the high financial bonuses are at the core of the public discussion, since they speak to the imagination of the public and are sure to create public outrage: "Make so much money for yourself and lose so much money for the rest of the world". To focus exclusively on the amounts keeps it simple and understandable for the general public. For opportunistic politicians and press the opportunity is just too good to pass up. Though I do not want to defend the bad apples, we should not forget that it was the financial sector that made the economic boom of the last decades possible by creating new financial products that made more investment capital available to a wider audience. It is the CDOs that made mortgages more widely available and made home-ownership possible for a bigger percentage of the population. These and other financial instruments that were eventually misused, and are partially the cause of the disaster, did initially do very good things. As long as the financial sector supported and fuelled the economic boom nobody seemed to care that they made a "good living" for their effort.


There is one reason to discuss the size of the bonuses, and this is a basic law of security and control: the higher the possible benefits, the bigger the temptation to break the rules to achieve them. As a result a bank is normally better protected against robbery than, let's say, a poor man's home. One response is to try and limit the possible benefits of misbehaviour (lower the bonuses). But it is a fact that the financial whiz kids who earn these incredible bonuses make even more money for their employers, and they are in short supply. So unless you want to rethink the fundamental concept of capitalism, any solution that might get implemented will go directly against the basic supply-and-demand law of economics (high demand for items in short supply will drive the price up).


There is, however, another approach. As we noted in the beginning, currently risk management is seen as a limiting factor on maximising growth and profit. The basic attitude seems to be: don't do it because it is too risky. An alternative approach would be to correct targets based on inherent risk. We all know this attitude: the better your financial situation and past history, the better terms you are offered on new credit (getting a loan or a new credit card is much more expensive for a person who went bankrupt in the past). In the stock market we expect a better return on investment for venture capital when compared to an investment in a blue-chip fund. As the Greek government learned the hard way in recent days, a triple-A rated government bond does not have to offer as much interest as a bond of a less reputable (and thus lower rated) government to attract investors.


Could we use that principle elsewhere? If we look at the investment portfolio for (IT enabled) organizational investments, for instance, we could look at introducing a risk-rating system for each of the proposed investments. The (financial) goals, for instance the expected return on investment, could be adjusted based on the project risk rating. If we came up with a rating system that factored in the past performance of the key project personnel, such as project and programme managers, we could use that as the basis to steer the risk-aware behaviour of these people. Risk-aware attitudes would translate into better (financial) goals and targets. Since these targets in general form the basis for the bonuses earned, this would mean bonuses are inherently connected to risk attitude. This is just one example. A risk-aware culture that better aligns benefit and sanction, instead of perceiving these as two separate worlds, can be achieved in multiple ways.


Too often I encounter organizations with, on the one side, a focus on performance management, goal setting, monitoring, etc., which includes the remuneration for good performance. On the other side (in complete isolation) there is the governance, risk and compliance (GRC) function. They are trying to limit the risk exposure and ensure organizational compliance. Operating in isolation from performance management, they do not have the "weapon" of remuneration (and bonuses) to stimulate desired behaviour. All GRC is left with is sanctions to stop unwanted risky behaviour. If these sanctions are perceived to stand in the way of achieving the bonus benefits, one can clearly recognise the basis for a possible future disaster.


Bottom line: there is so much to align, in this case performance and risk management.

Tuesday, December 7, 2010

So you think you are compliant

Article originally posted on: Computerworld UK

Remember, risk management does not necessarily mean risk elimination.

Organisational compliance is not a “black and white”, “yes or no” status but a “more or less”, “better or worse” continuous scale. Organisations that are 100% certain of organisational compliance should verify their belief by considering the questions in this article.

First the article title: you might have recognised the reference to a television show called “So you think you can dance?”. I am not a big fan of the show but I love the title. For me it holds both a challenge for the contenders to show “their stuff” combined with a high level of “who do you think you are to think you are good enough to appear before us?” arrogance. And indeed, as expected, self-appointed experts and has-been celebrities in the jury will cut overconfident no-talent participants down to size.
Too often I have to think about this image when I see (IT) auditors fresh out of school present their audit findings, passing judgement over the organisational compliance effort. Please do not misunderstand me, there is nothing wrong with the auditing profession as such, but at times we seem to forget that the audit report describes the auditors’ opinion, not the absolute truth.
I have no respect for auditors that think they can pass final (and absolute) judgement on the workings of an organisation based on a two week (or even shorter) audit period. Yes, they might be able to find examples of what went wrong in the operations. And a good auditor will be able to form an opinion about the mentality and culture of the organisation in such a time frame.
However, a great auditor will be the first to admit that his report is just an opinion. He will discuss his findings with the organisation he investigated and, more importantly, will have an open mind for arguments that might change his opinion.
Too often the equality between auditor and audited department is gone. It is the same with these talent shows: if the performance is ridiculously bad it might be warranted to put somebody “out of his misery”. However, when it comes to judging those that clearly show promise and commitment, judges should discuss “opportunities for improvement” instead of passing a “final verdict”.
Granted, where the purpose of the audit is to assure compliance with an individual regulation or to issue certification to a standard, the end result will be a pass or fail “bottom-line” statement. My comment is related to the relationship and attitudes during the assurance process that delivers that verdict.

So when assessing the compliance status of your organisation there are a number of questions you should consider. By answering them truthfully you will probably find that 100% certainty of organisational compliance is both impossible and, if possible, undesirable.
Compliance is a requirement; somebody wants your organisation or department to comply with a set of rules and/or regulations. For instance, the financial administration of an organisation that handles credit card transactions has to comply with the rules set by the credit card companies (PCI-DSS). In turn the administration will have to articulate the security requirements for their relevant IT services to the IT department. In the same manner the finance department will react to the SOX regulations (if applicable). The HR and Marketing/Sales departments might require compliance with data privacy regulations. The logistics department may have requirements based on import/export regulations.
Of course IT itself has to comply with software and hardware license requirements. We have the requirements originating from fire, health and (personal) security. Industry specific regulations, for instance Basel II for finance or HIPAA for US health care organisations, might be an issue. There are local regulations regarding building, parking, signage, etc., etc. Just to name a few.
The list of organisational stakeholders with rules and regulations to comply with is endless. So how sure are you that you know all the compliance requirements you are supposed to meet as an organisation or department? When answering this question it is important to realise: to be 100% certain you know all applicable rules and regulations, you would need infinite resources to keep checking with every possible stakeholder.

This is the first compliance risk: not knowing of the existence of the requirement.

So 100% certainty is both impossible and undesirable, since one has or would want to spend infinite resources. The real question then becomes: what is your organisational risk posture? How much risk are you willing to accept? And how much are you willing to invest to mitigate the risk of non-compliance due to unawareness?

Most rules and regulations are created with the best intentions. That is, to try and limit the chance that an undesirable event or situation occurs. But there are places where rules and regulations are created to support corruption.
The basic idea is that the requirements of these regulations are purposely impossible to meet, and the only way not to get punished for non-compliance is to bribe those who create and enforce those rules. I have experienced these situations in the past, and basically non-compliance and bribery are an accepted part of doing business in these places. Trying to achieve your goals in a fully compliant manner is a very expensive, inefficient, if not impossible task. Even more so in some cases, where it might put the organisation at an undesirable competitive disadvantage.
These days I see non-bribery policies with more and more (multi-national) organisations, some of them active in these kinds of places. In a number of instances I believe the policy is more about “don’t ask, don’t tell” than anything else. It is not my intention to advocate bribery, but we do live in the real world and an ostrich should not claim 100% certainty of compliance.

Assuming the intentions behind the regulations are good, that does not mean the actual requirements are clear. Many laws and regulations are supposed to last over a longer period of time and cover a wide area. It would be impractical to describe the do’s and don’ts for each individual situation and even impossible to predict how the situation will evolve over time. As a result, numerous rules and regulations are purposely written with room for interpretation. It is left to the individual judges and juries to fine-tune the rules by creating jurisprudence. But until jurisprudence has been created there is no way to be 100% certain what the exact requirements are.

This is the second risk of compliance: the risk of misinterpretation of the requirements.

It is always good to get the assistance of a regulations expert when assessing the requirements of individual regulations. Expert involvement will reduce the risk of misinterpretation. However, in a number of cases all an expert can offer is an expert opinion, which is not the same as the absolute truth.
Again, risk management offers additional means to manage this risk. The risk avoidance response would suggest you adopt a “worst case” interpretation of the rules and act accordingly. In this case the chances that the judge and jury rule the organisation broke the rules are clearly lower than when the organisation “lives close to the edge”. However, rules and regulations, by nature, limit the organisational flexibility and agility. They limit the number of possible responses to a given situation. So again, the organisational risk appetite for non-compliance due to misinterpretation is important. In turn this will tell “how close to the edge” the organisation is willing to operate.

Once we know what the applicable rules and subsequent requirements are, the daily compliance of the operational organisation is ensured by creating policies, processes, controls and procedures. These tell individual employees how to conduct their tasks and duties so they do not (inadvertently) break the rules. Everybody knows, however, that people can show unexpected behaviour that deviates from the described actions. In this context it is important to realise that such a deviation is often for the best of reasons and not always because of ignorance, fault or malice.

So the third risk of compliance is deviation from the designed/expected actions, resulting in breaking the rules.

By training, testing, coaching, etc. we can mitigate the risk of unexpected/undesirable actions by man or machine. But again this is a risk: how much uncertainty is the organisation willing to accept? How many resources will the organisation make available to mitigate the risk? With people there is another consideration.
We value the creativity of people; in this context I mean their ability to think of actions and solutions for unexpected situations. But if the situation is unplanned for, the reaction resulting from human creativity is clearly unplanned for as well. So the creativity we value so much might easily be at odds with organisational compliance.
The only way to ensure that actions resulting from on-the-spot creativity align with the compliance requirements is to make sure people not only understand what they should or should not do, but also why.
What are the underpinning regulations and requirements? Based on that knowledge, those on the spot can then decide on creative solutions that fit within the regulatory requirements. Empowering people with that kind of knowledge means you can enhance the flexibility and agility of your organisation while ensuring a higher certainty of organisational compliance. But again, this empowerment can be resource intensive, so once more the organisation needs to strike a balance between empowerment (lowering the risk of non-compliance) and the cost involved.

What is the consequence of non-compliance?
The moral of this article is that compliance is a requirement and non-compliance is a risk, and it should be treated accordingly. In the same way that we cannot exclude all risk from the organisation, 100% certainty of organisational compliance is an illusion. Any organisation will have to think about the level of non-compliance risk it is willing to accept.
A popular way to categorise risk is to look at both likelihood and impact. Identifying the sources of uncertainty is the first step to assess likelihood. I have seen strategic statements and policies that claim “the organisation will comply with all applicable regulation” or something to the same effect.
What this statement does not say, but what it does imply, is “at all cost”. In practice, however, most organisations will assess the impact of public non-compliance. They will look at possible fines, reputational damage and other possible negative consequences. Even though very few organisations will come out and say it, they will look at the negative consequences of non-compliance before they decide how many resources are committed to ensure compliance (and thus mitigate the risk of non-compliance).
At one time I came across a courier that made speed of delivery their unique selling point. They worked for broadcast companies, for example. They ensured the fastest possible transfer of physical news footage arriving at the airport to the television studios. Before the digital age, with breaking news, this transfer time was a valuable commodity. So valuable, even, that the drivers were instructed (never in writing, of course) to break traffic regulations in favour of speed, and the company would cover the possible fines.
There are very few people that live by the credo that “anything goes as long as you do not get caught”. On the other hand, there are very few people that will ensure compliance at all cost. For organisations, the risk (of non-compliance) is just another risk that they should manage, but risk management does not necessarily mean risk elimination.