Quick, who are Cynthia Cooper, Colleen Rowley and Sherron Watkins? How quickly we can forget. Theyre the three whistle-blowers from MCI, the FBI and Enron, respectively, who were Time magazines persons of the year in 2002. Sen. Joe Biden has called whistle-blowers "national assets." And Tom Devine, of the Government Accountability Project, said whistle-blowers are "the lifeblood of anti-corruption campaigns." States such as California have made laws protecting whistle-blowers. So its ironic and tragic that corporate whistle-blowers are going to be the latest victims of the law of unintended consequences. With the best intentions, corporations have moved to protect privacy for customers and partners, deploy strong document and intellectual property protections, and implement systems to monitor whos accessing what data. These actions are being taken to comply with various state and federal Laws, such as HIPAA.
Software vendors have begun to step forward with solutions to help companies meet these goals. IBMs recently announced EPAL (Enterprise Privacy Authorization Language), Microsofts NGSCB (Next-Generation Secure Computing Base) and a whole list of applications from other vendors will help companies lock down who can access what information, control how information and documents are disseminated inside and outside a company, and make it possible to track who has accessed specific information and documents.
One thing all these software systems have in common is the ability to strictly control the flow of information through a company, to control what employees can do with documents and data, and to track who has accessed that information.
Sounds great so far. But imagine a company with less-than-worthy goals—say, one with unethical or illegal business practices—installing this type of software. All of a sudden, it becomes hard to copy or view documents and data that show the companys actions. And if you do view a document, someone higher up will know you looked at it. If that person thinks you might tell the authorities, he or she may remove the offending data.
I cant help but get the feeling that these software applications, designed for worthy goals, will end up being used to protect all kinds of corporate information and stop whistle-blowers before they can get started. I have to think that even ethical companies, once theyve installed these applications to protect privacy and handle reporting, will use these systems to protect many other types of business information, especially the information they dont want outsiders to see.
Should there be laws to deter this behavior? Sarbanes-Oxley and other anti-corruption laws would seem to make this type of behavior illegal. But if corporate officials are already cooking the books and engaging in other illegal practices, theyre not going to stop when it comes to using software to hide these activities. And they can say that they put in the software to comply with the laws.
Obviously, companies shouldnt do this. But there will always be thieves, and there will always be corrupt corporate leaders, and when theres billions of dollars at stake, these crooks will work hard to hide what theyre doing.
No matter how you look at it, the work of whistle-blowers will get a whole lot harder. It will be a lot harder to get law enforcement to come into a large company based on just word of mouth rather than hard evidence, especially if, unlike at Enron, the people doing the whistle-blowing are low on the totem pole.
This is not to say that customer and patient privacy should not be protected, or that companies should not be able to protect their intellectual property, or that good monitoring shouldnt be in place to track accurate financial data. All these things are needed. And its not the job of the software makers to make sure their applications arent misused.
But sometimes in achieving one desirable goal, you can put something else in jeopardy. Its going to get awful quiet in a few years when the whistle-blowing stops. I dont know about you, but I dont want to see what some companies will do when they think they wont get caught for their wrongdoings.
Jim Rapoza can be reached at firstname.lastname@example.org.