[Plura-list] Capitalism's crooked refs; Aaron Swartz, vindicated

Cory Doctorow doctorow at craphound.com
Fri Jun 4 11:40:26 EDT 2021


This morning, I'm appearing with David Dayen in the Second Life Book Club!


And next Monday, Jun 7, I'm helping Terry Miles launch his debut novel



Today's links

* Capitalism's crooked refs: Big Accounting and the bezzle.

* Aaron Swartz, vindicated: Van Buren and the CFAA.

* This day in history: 2006, 2011

* Colophon: Recent publications, upcoming/recent appearances, current
writing projects, current reading


🍨 Capitalism's crooked refs

Capitalism is weird.

Almost without exception, people who invest in businesses do so without
personally inspecting the business, overlooking its processes, seeing
its bank statements, meeting its managers and going on the road with its

Whether you're managing a giant pension fund, buying into a fund with
your 401k, or buying stocks (or STONKS) you likely have little to no
direct experience of the firm you're buying into. At best, you have
visited a retail premises or tried a product, but that's very thin.

Even if you think a business operates a tidy and efficient store, even
if you love its products, you still have no basis to assess whether it
is a sound investment. Maybe the business is selling products at a loss
and teetering on the verge of bankruptcy.

Maybe those gorgeous stores are run by creepy harassers who've created
billions in liabilities by abusing their employees. Maybe the owners
have borrowed heavily to fund a cocaine habit.

You have no way to personally verify a firm's commercial soundness prior
to investing.

Instead, you must rely on the business's own assurances about its
viability - the balance sheets it publishes, the risks it discloses, its
own profit and loss statements.

If these are competently prepared, it's impossible to tell fraudulent
statements from true ones.

Regulators aren't much help. They're mostly reactive, coming in *after*
a fraud to figure out what happened and (sometimes) punish the perps.

While the fraud is in play, they're unwitting participants, publishing
those potentially fraudulent documents blended with true ones.

The main assurance that investors get comes not from regulators, but
from auditors: those arms-length, third-party referees whose job it is
to personally verify all those bank-statements, sniff around the shop
floor, examine the P&Ls, and promise that it all adds up.

Auditors are the refs that keep the game honest. In theory, auditors are
kept from cheating by strict ethics codes, licensure and regulatory
oversight. Auditors are posed as neutral, trusted third parties who
mediate between businesses and investors.

But a funny thing happened on the way to the Great Neoliberal Decline:
world governments stopped enforcing anti-monopoly laws, allowing every
industry to shrink down to a handful of firms that are too big to audit,
let along punish for wrongdoing.

This isn't just true of the companies seeking investment - it's
*especially* true of the auditors themselves. The Big Four accounting
firms - KPMG, PWC, E&Y and Deloitte - now control virtually the entire
market for auditing, having bought all of their competitors.

But these Big Four - who audit nearly every large business - make most
of their money from "consulting" - selling companies business advice.
The Big Four claim that their auditors and consultants are separated,
but those claims are hard to credit.

Time and again, we see Big Four firms fudging the books for their best
clients - as with "zombie banks" whose reckless lending has made them
the walking dead, sure to collapse and require government bailouts.


These banks pay Big Four firms vast sums to consult for them. Between
2009-17, Big Four-audited bank financials failed 800 (!) audits (!!).

But the regulator only initiated enforcement action against the auditors
53 times (!!!).


It's not just the businesses that Big Accounting audits that are too big
to regulate. Big Accounting is *also* too big to regulate, even when it
conspires with its clients to commit vast, terrible frauds.

Accounting fraud is the norm in big business. Big Four firms have their
fingers in every one of these frauds, from Exxon lying about shale gas
to Facebook lying about video views.


It's the inevitable and foreseeable outcome of merging "consulting" and
"auditing." Auditing's job is to bring clarity to numbers. Consulting's
job is to obscure them. You can always make more money with fraud (for a
while) than you can with honesty.

The Big Four are far more likely to cook books than straighten them -
every one of the Big Four firms is deeply implicated in tax evasion, for
example, using numbers to obscure a business's financials, rather than
reveal them.


It's been nearly two decades since Arthur Andersen - part of the
then-Big-Five accounting cartel - was given the corporate death penalty
for its role in the Enron fraud. That was the last time a Big Accounting
company really suffered over a fraud.

Since then, the regulators overseeing Big Accounting have largely
ignored its crimes, or, at worst, charged the companies penalties that
were smaller than the profits they realized through fraud. A fine is
just a price.

Take KPMG.

In 2019, the SEC found that KPMG's most senior managers were helping
their auditors cheat…*on ethics exams*.

KPMG execs bribed employees at the Public Company Accounting Oversight
Board to slip them advance copies of the ethics exams.


Even better (worse): the bribe that KPMG offered to regulators was *a
job at KPMG*.

Remember, KPMG plays a vital role in the market system: to be perfectly,
scrupulously honest, so that rich people (and regular slobs) can make
sure that they're not getting ripped off.

KPMG's job is to stop cheating. And KPMG cheats.

Not surprisingly, a company whose official policy is to help its
employees cheat on ethics exams keeps getting embroiled in ethics
scandals, which end up costing regular investors and even very rich
people a *lot* of money.

Here's a good one: since 2016, investors have been suing KPMG for
signing off on the books of Miller Energy Partners, a dirty-as-fuck oil
company that turned out to be a giant scam.


Miller claimed that it could profitably extract oil from wells other
companies had abandoned as too dry to pump (energy companies routinely
incorporate standalone businesses for each field, then declare those
companies bankrupt rather than pay to shut down when they dry up).

Miller was a fraud. It inflated the value of the wells it bought by
$400m. Miller was run by serial scammers. Its CEO, Scott Boruff, stole
$6m from his father-in-law, and was a veteran of a company that went
bust after roping for Provident Asset Management, a Ponzi scheme.

Boruff brought in Provident's former National Sales Director to oversee
Gibson's sales - publicly praising the Ponzi schemer's "proven track
record in raising capital."

Miller was full of red flags and might have struggled to attract
investors, but then it paid KPMG millions to sign off on its fraudulent
books. That was the clincher than brought in millions more from
investors who lost everything.

Even after the SEC fined KPMG for helping commit fraud, the partner who
masterminded the crime kept his job at KPMG, staying on until retirement.

Now, it's possible the reason KPMG's internal watchdog missed all this
was because it was a little distracted at the time - you see, that was
around the time that David Middendorf - who ran KPMG's Department of
Professional Practices - was being sent to prison for fraud.

Meanwhile, Miller's top fraudsters got paid millions - and paid fines of
$125,000, each.

KPMG tried to weasel out of the Miller victims' class-action suiit, but
a judge in Tennessee just overruled its objections, so it's going to court:


But the days of corporate death penalties are long behind us. If KPMG
loses this suit, it will pay out a few million, but it will continue to
operate, providing assurances of probity where none exist.

Big Accounting is a rarity in late-stage capitalism: a sector that preys
on wealthy people as well as everyday people. Somehow, it gets away with
it - perhaps because there is no honor among thieves?


🍨 Aaron Swartz, vindicated

It's been eight years since Aaron Swartz took his own life. Aaron had
been charged with 13 felonies under the Computer Fraud and Abuse Act
(CFAA) for violating the terms of service on the JSTOR database of
scholarly articles.

Prosecutors Stephen Heymann and Carmen Ortiz didn't dispute that Aaron
was allowed to access the articles he retrieved. Rather, they said that
the WAY he accessed them (using a script instead of clicking on links)
was a terms-of-service violation and hence a crime.

In other words: any business could conjure a felony out of thin air by
making you click through an unreadable garbage-novella of legalese
proscribing the use of a service they granted you access to. Violate any
of those terms and you face a prison sentence.

This isn't law as we know it, it's Felony Contempt of Business Model,
and the most alarming thing was that this interpretation of the CFAA
wasn't completely ridiculous, given how badly drafted that law is.

Ronald Reagan signed CFAA into law. Fed prosecutors had been seeking
broad authority to punish "hacking" and had drawn up an absurdly broad
definition of cybercrime that would give them latitude to go after
anyone they didn't like.

They wanted to define hacking as "exceeding your authorization" on a
computer that didn't belong to you. Even in the mid-1980s, legal and
technical scholars recognized the potential dangers of a definition this
broad, but not Ronald Reagan.

Then Reagan got spooked by the movie Wargames - yes, the one with
Matthew Broderick - and urged the dimbulbs in the Congress and Senate to
send the CFAA to his desk. They obliged, he signed it, and CFAA became
law in 1986.

In the decades since, CFAA has become a major source of cybersecurity
mischief. Security researchers who audit systems and warn their users
about defects in them are silenced with CFAA threats, giving companies a
veto over who can criticize them and how.

Monopolistic online businesses threaten their competitors with CFAA
liability. Companies like Facebook have managed to prevail in court,
interpreting CFAA the same way Aaron's prosecutors did, making
terms-of-service violations into violations of the law.

But cracks have appeared in this dangerous interpretation of CFAA. The
ACLU and a group of journalists have been litigating to overturn
portions of the law since 2016:


And in 2019, the Ninth Circuit Court of Appeals produced a remarkably
good ruling on CFAA in Hiq v Linkedin, splitting with its own (terrible)
precedents in Power Ventures and Nosal II.


But the main event for CFAA-fighters has been at the Supreme Court this
year, where the Van Buren case promised to make or break the worst
elements of the CFAA for good.

The truism "hard cases make bad law" was especially true in Van Buren.
Nathan Van Buren was a crooked Georgia cop who took a bribe to look up a
sex-worker's personal information in the state law-enforcement database
in a FBI sting.

Van Buren thought he was helping a criminal determine whether the
sex-worker was an undercover cop.

Van Buren is a bad man and a bad cop.

But he isn't a hacker.

Nevertheless, prosecutors charged him under the CFAA, saying that while
he was allowed to access the database, doing so for an improper purpose
was a hacking crime, because he "exceeded his authorization."

This may sound sensible - or just expedient - to you. But if the
prosecutors were right - if accessing a computer you were authorized to
use, but in an unauthorized way - is a felony, then almost everyone is a

The DoJ's theory of the CFAA would make most terms-of-service violations
into potential jailable offenses (think "sharing Netflix passwords"). If
federal prosecutors gain the power to threaten prison for anyone -
everyone - this won't be used to rid the world of dirty cops.

Rather, it will be used against people who already bear the brunt of
prosecutorial overreach, creating leverage over the victims of dirty cops.

Thankfully, the Supremes agreed. Yesterday, they handed down a good - if
not great - ruling in Van Buren.

The best analysis - as ever - comes from my EFF colleagues Kurt Opsahl
and Aaron Mackey.


As they point out, the heart of the ruling is a ban on breaking into
computer systems - not criminalizing entering the wrong command into a
computer you're allowed to use.

This correct interpretation (far narrower than the DoJ's) safeguards
security researchers, competitors, and other researchers doing things
like gathering data from a housing site to investigate racial bias in
rental ads.

As the court pointed out, the DoJ's interpretation was so broad that it
could criminalize "embellishing an online-dating profile to using a
pseudonym on Facebook."

The ruling was good, but not perfect. A single footnote explains that
the court isn't ruling on whether the CFAA only applies when someone
bypasses a technical measure, which leaves the door open to turning
policy and contract violations into crimes.

SCOTUS got it (mostly) right here. They vindicated Aaron Swartz and all
the other victims who were bullied, silenced and terrorized by the CFAA.
They took a huge step towards undoing one of Ronald Reagan's many idiocies.

Van Buren should be punished for corruption - under anti-corruption law,
not under a definition of hacking so broad that it captures normal
activities we all engage in several times, every day.


🍨 This day in history

#15yrsago GNU Radio: the universal, software-defined radio

#10yrsago France bans “follow us on Twitter” from newscasts


🍨 Colophon

Today's top sources: Naked Capitalism (https://www.nakedcapitalism.com/).

Currently writing:

* Spill, a Little Brother short story about pipeline protests.
Yesterday's progress: 275 words (3932 words total).

* A Little Brother short story about remote invigilation.  PLANNING

* A nonfiction book about excessive buyer-power in the arts, co-written
with Rebecca Giblin, "The Shakedown."  FINAL EDITS

* A post-GND utopian novel, "The Lost Cause."  FINISHED

* A cyberpunk noir thriller novel, "Red Team Blues."  FINISHED

Currently reading: Analogia by George Dyson.

Latest podcast: How To Destroy Surveillance Capitalism (Part 06)

Upcoming appearances:

* In conversation with David Dayen (Second Life Book Club), Jun 4,

* Book launch for Terry Miles's Rabbits (Book Soup), Jun 7,

Recent appearances:

* Get Your News On With Ron/Ron Placone:

* Seize the Means of Computation, Consensus 2021

* How to Destroy Surveillance Capitalism:

Latest book:

* "Attack Surface": The third Little Brother novel, a standalone
technothriller for adults. The *Washington Post* called it "a political
cyberthriller, vigorous, bold and savvy about the limits of revolution
and resistance." Order signed, personalized copies from Dark Delicacies

* "How to Destroy Surveillance Capitalism": an anti-monopoly pamphlet
analyzing the true harms of surveillance capitalism and proposing a
(print edition:
(signed copies:

* "Little Brother/Homeland": A reissue omnibus edition with a new
introduction by Edward Snowden:
https://us.macmillan.com/books/9781250774583; personalized/signed copies

* "Poesy the Monster Slayer" a picture book about monsters, bedtime,
gender, and kicking ass. Order here:
https://us.macmillan.com/books/9781626723627. Get a personalized, signed
copy here:

Upcoming books:

* The Shakedown, with Rebecca Giblin, nonfiction/business/politics,
Beacon Press 2022

This work licensed under a Creative Commons Attribution 4.0 license.
That means you can use it any way you like, including commercially,
provided that you attribute it to me, Cory Doctorow, and include a link
to pluralistic.net.


Quotations and images are not included in this license; they are
included either under a limitation or exception to copyright, or on the
basis of a separate license. Please exercise caution.


🍨 How to get Pluralistic:

Blog (no ads, tracking, or data-collection):


Newsletter (no ads, tracking, or data-collection):


Mastodon (no ads, tracking, or data-collection):


Medium (no ads, paywalled):


Twitter (mass-scale, unrestricted, third-party surveillance and


Tumblr (mass-scale, unrestricted, third-party surveillance and advertising):


"*When life gives you SARS, you make sarsaparilla*" -Joey "Accordion
Guy" DeVilla

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: OpenPGP digital signature
URL: <http://mail.flarn.com/pipermail/plura-list/attachments/20210604/65fdf5a2/attachment.sig>

More information about the Plura-list mailing list