Pluralistic: 04 Jun 2021


Today's links



A shell-game con artist wearing a KPMG badge on his lapel, lifting a shell to reveal a pumpjack.

Capitalism's crooked refs (permalink)

Capitalism is weird.

Almost without exception, people who invest in businesses do so without personally inspecting the business, overlooking its processes, seeing its bank statements, meeting its managers and going on the road with its sales-force.

Whether you're managing a giant pension fund, buying into a fund with your 401k, or buying stocks (or STONKS) you likely have little to no direct experience of the firm you're buying into. At best, you have visited a retail premises or tried a product, but that's very thin.

Even if you think a business operates a tidy and efficient store, even if you love its products, you still have no basis to assess whether it is a sound investment. Maybe the business is selling products at a loss and teetering on the verge of bankruptcy.

Maybe those gorgeous stores are run by creepy harassers who've created billions in liabilities by abusing their employees. Maybe the owners have borrowed heavily to fund a cocaine habit.

You have no way to personally verify a firm's commercial soundness prior to investing.

Instead, you must rely on the business's own assurances about its viability – the balance sheets it publishes, the risks it discloses, its own profit and loss statements.

If these are competently prepared, it's impossible to tell fraudulent statements from true ones.

Regulators aren't much help. They're mostly reactive, coming in after a fraud to figure out what happened and (sometimes) punish the perps.

While the fraud is in play, they're unwitting participants, publishing those potentially fraudulent documents blended with true ones.

The main assurance that investors get comes not from regulators, but from auditors: those arms-length, third-party referees whose job it is to personally verify all those bank-statements, sniff around the shop floor, examine the P&Ls, and promise that it all adds up.

Auditors are the refs that keep the game honest. In theory, auditors are kept from cheating by strict ethics codes, licensure and regulatory oversight. Auditors are posed as neutral, trusted third parties who mediate between businesses and investors.

But a funny thing happened on the way to the Great Neoliberal Decline: world governments stopped enforcing anti-monopoly laws, allowing every industry to shrink down to a handful of firms that are too big to audit, let along punish for wrongdoing.

This isn't just true of the companies seeking investment – it's especially true of the auditors themselves. The Big Four accounting firms – KPMG, PWC, E&Y and Deloitte – now control virtually the entire market for auditing, having bought all of their competitors.

But these Big Four – who audit nearly every large business – make most of their money from "consulting" – selling companies business advice. The Big Four claim that their auditors and consultants are separated, but those claims are hard to credit.

Time and again, we see Big Four firms fudging the books for their best clients – as with "zombie banks" whose reckless lending has made them the walking dead, sure to collapse and require government bailouts.

https://pluralistic.net/2020/09/28/cyberwar-tactics/#aligned-incentives

These banks pay Big Four firms vast sums to consult for them. Between 2009-17, Big Four-audited bank financials failed 800 (!) audits (!!).

But the regulator only initiated enforcement action against the auditors 53 times (!!!).

https://pluralistic.net/2020/09/28/cyberwar-tactics/#aligned-incentives

It's not just the businesses that Big Accounting audits that are too big to regulate. Big Accounting is also too big to regulate, even when it conspires with its clients to commit vast, terrible frauds.

Accounting fraud is the norm in big business. Big Four firms have their fingers in every one of these frauds, from Exxon lying about shale gas to Facebook lying about video views.

https://pluralistic.net/2021/02/18/ink-stained-wretches/#countless

It's the inevitable and foreseeable outcome of merging "consulting" and "auditing." Auditing's job is to bring clarity to numbers. Consulting's job is to obscure them. You can always make more money with fraud (for a while) than you can with honesty.

The Big Four are far more likely to cook books than straighten them – every one of the Big Four firms is deeply implicated in tax evasion, for example, using numbers to obscure a business's financials, rather than reveal them.

https://pluralistic.net/2020/09/15/shorter-brother/#tax-havens

It's been nearly two decades since Arthur Andersen – part of the then-Big-Five accounting cartel – was given the corporate death penalty for its role in the Enron fraud. That was the last time a Big Accounting company really suffered over a fraud.

Since then, the regulators overseeing Big Accounting have largely ignored its crimes, or, at worst, charged the companies penalties that were smaller than the profits they realized through fraud. A fine is just a price.

Take KPMG.

In 2019, the SEC found that KPMG's most senior managers were helping their auditors cheat…on ethics exams.

KPMG execs bribed employees at the Public Company Accounting Oversight Board to slip them advance copies of the ethics exams.

https://www.nysscpa.org/news/publications/the-trusted-professional/article/sec-probe-finds-kpmg-auditors-cheating-on-training-exams-061819

Even better (worse): the bribe that KPMG offered to regulators was a job at KPMG.

Remember, KPMG plays a vital role in the market system: to be perfectly, scrupulously honest, so that rich people (and regular slobs) can make sure that they're not getting ripped off.

KPMG's job is to stop cheating. And KPMG cheats.

Not surprisingly, a company whose official policy is to help its employees cheat on ethics exams keeps getting embroiled in ethics scandals, which end up costing regular investors and even very rich people a lot of money.

Here's a good one: since 2016, investors have been suing KPMG for signing off on the books of Miller Energy Partners, a dirty-as-fuck oil company that turned out to be a giant scam.

https://www.desmog.com/2021/06/03/miller-energy-kpmg-auditors-oil-fraud/

Miller claimed that it could profitably extract oil from wells other companies had abandoned as too dry to pump (energy companies routinely incorporate standalone businesses for each field, then declare those companies bankrupt rather than pay to shut down when they dry up).

Miller was a fraud. It inflated the value of the wells it bought by $400m. Miller was run by serial scammers. Its CEO, Scott Boruff, stole $6m from his father-in-law, and was a veteran of a company that went bust after roping for Provident Asset Management, a Ponzi scheme.

Boruff brought in Provident's former National Sales Director to oversee Gibson's sales – publicly praising the Ponzi schemer's "proven track record in raising capital."

Miller was full of red flags and might have struggled to attract investors, but then it paid KPMG millions to sign off on its fraudulent books. That was the clincher than brought in millions more from investors who lost everything.

Even after the SEC fined KPMG for helping commit fraud, the partner who masterminded the crime kept his job at KPMG, staying on until retirement.

Now, it's possible the reason KPMG's internal watchdog missed all this was because it was a little distracted at the time – you see, that was around the time that David Middendorf – who ran KPMG's Department of Professional Practices – was being sent to prison for fraud.

Meanwhile, Miller's top fraudsters got paid millions – and paid fines of $125,000, each.

KPMG tried to weasel out of the Miller victims' class-action suiit, but a judge in Tennessee just overruled its objections, so it's going to court:

https://www.goingconcern.com/kpmg-class-action-suit-miller-energy-investors/

But the days of corporate death penalties are long behind us. If KPMG loses this suit, it will pay out a few million, but it will continue to operate, providing assurances of probity where none exist.

Big Accounting is a rarity in late-stage capitalism: a sector that preys on wealthy people as well as everyday people. Somehow, it gets away with it – perhaps because there is no honor among thieves?



A 2009 portrait of Aaron Swartz.

Aaron Swartz, vindicated (permalink)

It's been eight years since Aaron Swartz took his own life. Aaron had been charged with 13 felonies under the Computer Fraud and Abuse Act (CFAA) for violating the terms of service on the JSTOR database of scholarly articles.

Prosecutors Stephen Heymann and Carmen Ortiz didn't dispute that Aaron was allowed to access the articles he retrieved. Rather, they said that the WAY he accessed them (using a script instead of clicking on links) was a terms-of-service violation and hence a crime.

In other words: any business could conjure a felony out of thin air by making you click through an unreadable garbage-novella of legalese proscribing the use of a service they granted you access to. Violate any of those terms and you face a prison sentence.

This isn't law as we know it, it's Felony Contempt of Business Model, and the most alarming thing was that this interpretation of the CFAA wasn't completely ridiculous, given how badly drafted that law is.

Ronald Reagan signed CFAA into law. Fed prosecutors had been seeking broad authority to punish "hacking" and had drawn up an absurdly broad definition of cybercrime that would give them latitude to go after anyone they didn't like.

They wanted to define hacking as "exceeding your authorization" on a computer that didn't belong to you. Even in the mid-1980s, legal and technical scholars recognized the potential dangers of a definition this broad, but not Ronald Reagan.

Then Reagan got spooked by the movie Wargames – yes, the one with Matthew Broderick – and urged the dimbulbs in the Congress and Senate to send the CFAA to his desk. They obliged, he signed it, and CFAA became law in 1986.

In the decades since, CFAA has become a major source of cybersecurity mischief. Security researchers who audit systems and warn their users about defects in them are silenced with CFAA threats, giving companies a veto over who can criticize them and how.

Monopolistic online businesses threaten their competitors with CFAA liability. Companies like Facebook have managed to prevail in court, interpreting CFAA the same way Aaron's prosecutors did, making terms-of-service violations into violations of the law.

But cracks have appeared in this dangerous interpretation of CFAA. The ACLU and a group of journalists have been litigating to overturn portions of the law since 2016:

https://www.aclu.org/cases/sandvig-v-barr-challenge-cfaa-prohibition-uncovering-racial-discrimination-online

And in 2019, the Ninth Circuit Court of Appeals produced a remarkably good ruling on CFAA in Hiq v Linkedin, splitting with its own (terrible) precedents in Power Ventures and Nosal II.

https://www.eff.org/deeplinks/2019/09/victory-ruling-hiq-v-linkedin-protects-scraping-public-data

But the main event for CFAA-fighters has been at the Supreme Court this year, where the Van Buren case promised to make or break the worst elements of the CFAA for good.

The truism "hard cases make bad law" was especially true in Van Buren. Nathan Van Buren was a crooked Georgia cop who took a bribe to look up a sex-worker's personal information in the state law-enforcement database in a FBI sting.

Van Buren thought he was helping a criminal determine whether the sex-worker was an undercover cop.

Van Buren is a bad man and a bad cop.

But he isn't a hacker.

Nevertheless, prosecutors charged him under the CFAA, saying that while he was allowed to access the database, doing so for an improper purpose was a hacking crime, because he "exceeded his authorization."

This may sound sensible – or just expedient – to you. But if the prosecutors were right – if accessing a computer you were authorized to use, but in an unauthorized way – is a felony, then almost everyone is a felon.

The DoJ's theory of the CFAA would make most terms-of-service violations into potential jailable offenses (think "sharing Netflix passwords"). If federal prosecutors gain the power to threaten prison for anyone – everyone – this won't be used to rid the world of dirty cops.

Rather, it will be used against people who already bear the brunt of prosecutorial overreach, creating leverage over the victims of dirty cops.

Thankfully, the Supremes agreed. Yesterday, they handed down a good – if not great – ruling in Van Buren.

The best analysis – as ever – comes from my EFF colleagues Kurt Opsahl and Aaron Mackey.

https://www.eff.org/deeplinks/2021/06/van-buren-victory-against-overbroad-interpretations-cfaa-protects-security

As they point out, the heart of the ruling is a ban on breaking into computer systems – not criminalizing entering the wrong command into a computer you're allowed to use.

This correct interpretation (far narrower than the DoJ's) safeguards security researchers, competitors, and other researchers doing things like gathering data from a housing site to investigate racial bias in rental ads.

As the court pointed out, the DoJ's interpretation was so broad that it could criminalize "embellishing an online-dating profile to using a pseudonym on Facebook."

The ruling was good, but not perfect. A single footnote explains that the court isn't ruling on whether the CFAA only applies when someone bypasses a technical measure, which leaves the door open to turning policy and contract violations into crimes.

SCOTUS got it (mostly) right here. They vindicated Aaron Swartz and all the other victims who were bullied, silenced and terrorized by the CFAA. They took a huge step towards undoing one of Ronald Reagan's many idiocies.

Van Buren should be punished for corruption – under anti-corruption law, not under a definition of hacking so broad that it captures normal activities we all engage in several times, every day.

(Image: Sage Ross, CC BY-SA)



This day in history (permalink)

#15yrsago GNU Radio: the universal, software-defined radio https://web.archive.org/web/20060613062355/https://www.wired.com/news/technology/1,70933-0.html

#10yrsago France bans “follow us on Twitter” from newscasts https://www.zdnet.com/article/france-bans-facebook-and-twitter-from-radio-and-tv/



Colophon (permalink)

Today's top sources: Naked Capitalism (https://www.nakedcapitalism.com/).

Currently writing:

  • Spill, a Little Brother short story about pipeline protests. Yesterday's progress: 275 words (3932 words total).

  • A Little Brother short story about remote invigilation. PLANNING

  • A nonfiction book about excessive buyer-power in the arts, co-written with Rebecca Giblin, "The Shakedown." FINAL EDITS

  • A post-GND utopian novel, "The Lost Cause." FINISHED

  • A cyberpunk noir thriller novel, "Red Team Blues." FINISHED

Currently reading: Analogia by George Dyson.

Latest podcast: How To Destroy Surveillance Capitalism (Part 06) https://craphound.com/nonficbooks/destroy/2021/05/10/how-to-destroy-surveillance-capitalism-part-06/
Upcoming appearances:

Recent appearances:

Latest book:

Upcoming books:

  • The Shakedown, with Rebecca Giblin, nonfiction/business/politics, Beacon Press 2022

This work licensed under a Creative Commons Attribution 4.0 license. That means you can use it any way you like, including commercially, provided that you attribute it to me, Cory Doctorow, and include a link to pluralistic.net.

https://creativecommons.org/licenses/by/4.0/

Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution.


How to get Pluralistic:

Blog (no ads, tracking, or data-collection):

Pluralistic.net

Newsletter (no ads, tracking, or data-collection):

https://pluralistic.net/plura-list

Mastodon (no ads, tracking, or data-collection):

https://mamot.fr/web/accounts/303320

Medium (no ads, paywalled):

https://doctorow.medium.com/

Twitter (mass-scale, unrestricted, third-party surveillance and advertising):

https://twitter.com/doctorow

Tumblr (mass-scale, unrestricted, third-party surveillance and advertising):

https://mostlysignssomeportents.tumblr.com/tagged/pluralistic

"When life gives you SARS, you make sarsaparilla" -Joey "Accordion Guy" DeVilla