June 01, 2006

Dodgy practices - and how to defend against them with Audits

One of the things that we as society do to protect us against dodgy practices is to employ specialists to prepare considered reports. Often known as audits, these reports solve a particular economic problem for us - it is too expensive for all or even any of us to gain the knowledge, travel to the site and review all the requirements. So we elect a specialist who can do it for all of us, thus saving our scarce resources.

(I stress this economic equation so that those familiar with open governance can compare & contrast.)

The downside of the auditing approach is that we are now beholden to the quality of the audit. How do we ensure that the process is good? In principle, we let institutions such as auditor's associations provide principles, standards of quality, and ethics. In practice, we hope they are followed, but practice often lags principle because of the dramatic costs of audits, and the less than transparent information provided. In effect, the problem is shifted from the company to the audit, resulting in what amounts to being two points of failure.

For CAs, a widely used standard is the WebTrust criteria, which have been written by bodies in the US and Canada. This backs into various other documents and standards of those bodies, but tries to narrow down the essentials for CA practice and policy.

It is perhaps interesting to view the WebTrust against yesterday's news of VeriSign being sued on alleged misrepresentation of security levels. Here is one snippet from their "WebTrust Program for Certification Authorities:"

Client/Engagement Acceptance
The practitioner [auditor] should not accept an engagement where the awarding of a WebTrust seal would be misleading.
The WebTrust seal implies that the entity is a reputable site that has reasonable disclosures and controls in a broad range of areas. Accordingly, the practitioner would avoid accepting a WebTrust engagement when the entityís disclosures outside the scope of the engagement are known by the practitioner to be misleading, when there are known major problems with controls not directly affecting the scope of the engagement, or when the entity is a known violator of laws or regulations.

(My emphasis.) Some have found WebTrust controversial because it is (allegedly) permissive of any procedures, as long as you document them. By way of example, it has been commented (alleged) that you can get a WebTrust for spying on your customers, as long as that is what you say you do in your CPS.

(Whether that is true or not I have no idea.)

But, above, it says there in black and white that misleading disclosures are not acceptable. What's more, it states it broadly - even including disclosures _outside the scope of engagement_ which is likely to be a problem for a company as large and spread as VeriSign, as there are a lot of other areas they get into.

If the court case does find that there is misleading selling going on, there are going to be some questions to be asked. Indeed, maybe the auditor should be asking those questions now, or even in the past. Here's some of the questions that spring to my mind.

Should an auditor necessarily be aware of those sorts of disclosures? WebTrust says that the practitioner has to get into the business model of the CA, which necessarily involves understanding the pricing and product models to at least some extent. So it's a definate maybe. I know in my work, I would need to know the different pricing arrangments to form an assessment, but that's just me. Also, as the two products are apparently discriminated in terms of higher security, that would appear to be something the auditor would look at, as the public is relying on the security if nothing else.

Should this effect the current situation? WebTrust is determined on this issue - it is supposed to a more or less continuous engagement, with updates no more than every 12 months. Further:

During the period between updates, the CA undertakes to inform the practitioner of any significant changes in its business policies, practices, processes, and controls, particularly if such changes might affect the CAís ability to continue meeting the WebTrust Principles and Criteria for Certification Authorities, or the manner in which they are met. Such changes may trigger the need for an assurance update or, in some cases, removal of the seal until an update examination by the practitioner can be made. If the practitioner becomes aware of such a change in circumstances, he or she determines whether the seal needs to be removed until an update examination is completed and the updated auditorís report is issued.

In an actual engagement, an auditor can instruct the CA to pull the switch. "Now!" It is unlikely that the auditor will go that for, nor are they likely to pull the Seal. No auditor ever wields the stick that is written into the arrangements, they find other ways to deal with the issue, because any auditor that ever actually did that would not get another engagement. (This of course is part of the reality of auditing, something that is more evident from the Arthur Andersen experience.)

What's more there are plenty of arguments in favour of the practice. E.g., airline seats are quite happily sold at different prices, and the old game with computers is to sell the same machine for different prices but with internal switches set at different speeds. (In the really good old days, you could pay for an engineer to come out and turn the speed doubling switch.) So there are at least some bona fide arguments why this practice is beneficial, leaving aside the fair representation question.

What then should the Auditor do? Initiate a re-engagement? That is one plausible action. Another is simply drop the client, quietly or otherwise. A company that has to search for a new Auditors is sufficiently warned not to do it so many times that it runs out of potential suppliers. Alternatively, the auditor could simply put pressure on the company to sort out its misleading practices and also to settle any case forthwith.

What should relying parties do? Well, purchasers will think twice, but they do anyway, and this is only likely to add to the rumble of discontent with CAs, not change anything.

What about browser manufacturers? I think that depends on the Auditor's actions. Software manufacturers have already passed much of their reliance (but not their liability) onto the auditor by specifying the WebTrust. So they will now need to sit back and wait for the auditor to do the job, which is what the auditor wanted in the first place.

As long as something is done. If the auditor does nothing, or equally uncompellingly, does not inform the relying parties of any actions taken, a browser manufacturer might now wonder if the auditor can be relied upon for the very role they were selected. "Just exactly what would cause the auditor to respond, if not misleading practices towards the users, the very users that we the software suppliers serve and protect?"

Or, a software supplier might have to re-evaluate its own wider sense of duty of care. As the browsers sit in the front row of any liability for the use of SSL (by dint of embedding and hiding the certs and CAs), we could speculate how this case could spread wider. Could this be pinned on the software suppliers? Again, I can't quite see it, although if there is a rash of cases, including to do with phishing, then it is more plausible as the traditional relationship is not exactly an arms-length one.

Finally, what about the buyout of GeoTrust? Well, GeoTrust owners are likely to want to grab their cash and run faster rather than slower, and such events might conceivably destroy the buyout - although I can't see why it would have a material effect. More importantly, if the anti-trust grumbling took root, the law suit might have more an impact.

Of course, such musings are definately above our paygrade. But it is certainly one to watch.

Posted by iang at June 1, 2006 05:21 AM | TrackBack
Post a comment

Remember personal info?

Hit preview to see your comment as it would be displayed.