Public Disclosure Defuses Scandal
Publish FOIA Response?
Technology motivates any publicly accountable organization (nonprofit, corporation, government) to adopt a radically open style of governance.
Owing to email, data logs, text messages and the like, the quantity of official business records ascends skyward, while the granularity of those records grows ever more fine. Detailed within these innumerable records are the secrets of the organization.
Stored this way, secrets are dangerous.
Keeping secrets –- or just withholding information -- is becoming harder and harder. Secrets and records can leak out by way of FOIA, spies, gossip, hackers, mistakes, e-discovery, whistleblowers, external surveillance, or just the natural course of events (sousveillance). In finance, a "trusted" banker will leak to a friend secrets about exotic instruments like credit default swaps, which are so new that the law has yet to establish "insider trading" rules applicable to them. Kara Scannell, "Trader's 'Nice Little Kiss' Tests Reach of Regulations," Wall Street Journal, March 31, 2010.
A leak is dangerous.
The leak is an invitation for an adversary to allege malfeasance. When a secret leaks, the adversary's storyline becomes (a) the organization possessed information that the public needed, (b) the organization wrongfully withheld the information and (c) the public now knows the information only because a righteous force external to the organization brought it to light.
For a smart organization, the best posture is to preempt the leaking. Before the leak happens, it should embrace transparency and publish (most all of) its records and activities onto the public Internet. It should expose its information to independent review and debate. Authors Tapscott and Ticoll admiringly call such an organization the naked corporation.
Take for example the story of the small, grassroots political action committee named “Take Back Your City,” which is promoting a vote by citizens against red light cameras in the municipality of College Station, Texas. Through freedom of information act, the PAC obtained extensive email records regarding the city government’s use of the cameras. In this trove of information, the PAC found what it believes is smoking gun evidence that the city is engaged in false, illegal political advertising about the effectiveness of the cameras. The city claims – in a flyer to be inserted in monthly utility bills -- that the cameras have reduced traffic accidents, but the PAC says an internal city email contradicts that claim. The PAC attached the email as evidence to a formal complaint it filed with the Texas Ethics Commission.
Whether this complaint will result in ethics sanctions against the city (or more particularly the city manager cited in the complaint), I don’t know. But the city’s defense would be easier had it been more open and transparent with its records. When it gave the email records to the PAC, it could have also posted them all on its web page as well. (Why not? The city had already gone to the trouble to compile them.) Then, when it prepared its flyer for the utility bills, it could have made its point about accident reductions while also saying, “Each citizen can draw his or her own conclusions. The city has posted on its web page exhaustive records regarding traffic cameras.”
Such openness takes the punch out of allegations that the city lied. Effectively, it enables the city to say, “We drew a conclusion from the data and told citizens our conclusion, but our statements to citizens were more than just that. We also made all the data available to the citizens and told them they could read it themselves and draw their own conclusions. We've opened the data to third party review.”
Another lesson in transparency derives from the contrast in styles between the board of directors at Hewlett-Packard Company and the town council at Watertown, Massachusetts.
When HP saw that someone on its board was leaking company secrets, it assumed cloak-and-dagger mode. It didn’t talk about the problem. It secretly hired private investigators to spy on members of its board as well as reporters in the media. The private eyes violated the privacy of the directors by hijacking their telephone calling records. AT&T discovered the hijacking and reported it to its customer, Tom Perkins, one of the directors targeted by the spying. The result was an embarrassing, debilitating scandal, with lawsuits, criminal complaints, an SEC investigation, a congressional investigation, and the end of career for two of the company’s top lawyers.
HP followed the old-fashioned, closed approach to resolving a crisis. But in this Internet age -- where clandestine activities are hard to keep clandestine -- that approach led to disaster.
Compare the youtube video below. It shows the town council dealing with the same problem as the HP board – insider leaks. The leaks pertained to closed-door deliberations about contracts. But rather than spying on its members in the dark of night, the Watertown council brought the issue into the open. It discussed the topic in public, video-broadcast session!
Notice that Watertown’s transparency immediately deters future leaks. The leaker has to be thinking, “My leaks are attracting negative attention. Now all the citizens are on alert, and some knowledgeable witness watching out there may come forward with embarrassing information that reveals me as the leaker. I’d best stop leaking.”
By being transparent, the council uses the Internet as its enforcer, and it avoids the risk of a HP-style scandal. Legal compliance meets modern public communications.
At the SANS Institute, Mr. Wright stresses that, in the wake of a data security incident, the delivery of a effective public message is as important as the technical and legal response.