Of Course Bank Execs Communicated Via Encrypted Messaging, But That’s Not The Fault Of Encryption
2023-08-16
from the this-is-always-going-to-happen dept
I don’t think this is a surprise to anyone, but the SEC and the CFTC combined to issue fines on a bunch of Wall Street firms for execs communicating across encrypted messaging in a manner that wasn’t recorded and preserved as required. Being in a regulated industry means having to deal with all sorts of compliance requirements, including the preservation of communications. But, of course, that freaks people out, so… they do what everyone does, and figure out ways to communicate outside of “official” channels such that it’s not recorded.
This could come in the form of… talking in person. Or over the phone. Or… by using third party messaging services that are widely available. And, if you’re going to do that, it’s no surprise that you’d use end-to-end encrypted services like Signal or WhatsApp.
The Securities and Exchange Commission today announced charges against 10 firms in their capacity as broker-dealers and one dually registered broker-dealer and investment adviser for widespread and longstanding failures by the firms and their employees to maintain and preserve electronic communications. The firms admitted the facts set forth in their respective SEC orders. They acknowledged that their conduct violated recordkeeping provisions of the federal securities laws, agreed to pay combined penalties of $289 million as outlined below, and have begun implementing improvements to their compliance policies and procedures to address these violations.
That’s from the SEC side. From the CFTC we get:
The Commodity Futures Trading Commission today issued orders simultaneously filing and settling charges against swap dealer and futures commission merchant (FCM) affiliates of four financial institutions for failing to maintain, preserve, or produce records that were required to be kept under CFTC recordkeeping requirements, and failing to diligently supervise matters related to their businesses as CFTC registrants.
The settling registrants admit the facts detailed in the orders, are ordered to cease and desist from further violations of recordkeeping and supervision requirements, and are ordered to engage in specified remedial undertakings.
There’s some overlap. Wells Fargo, BNP Paribas, and SG Americas/Société Générale get hit by both agencies.
The details are pretty much exactly what you’d expect:
The SEC’s investigation uncovered pervasive and longstanding “off-channel” communications at all 11 firms. As described in the SEC’s orders, the firms admitted that from at least 2019, their employees often communicated through various messaging platforms on their personal devices, including iMessage, WhatsApp, and Signal, about the business of their employers. The firms did not maintain or preserve the substantial majority of these off-channel communications, in violation of the federal securities laws. By failing to maintain and preserve required records, certain of the firms likely deprived the Commission of these off-channel communications in various SEC investigations. The failures involved employees at multiple levels of authority, including supervisors and senior executives.
I’ve seen some people using this as yet another opening to bash encryption, but encryption is not the problem here at all. First of all, encryption did not stop these banks from getting caught and fined. Second, as noted up top, people are always going to try to figure out ways to communicate that aren’t recorded. These messaging apps were simply convenient.
Indeed, if anything, these fines should (hopefully?) serve to get employees at these banks to be much more careful about how they communicate to avoid future fines. I still expect there to be plenty of attempts to get around the regulatory requirements to preserve communications, and it seems likely that bankers are going to get used to making phone calls or talking in person since that can’t be preserved in the same manner.
But, really, any time you have regulations requiring such archiving of so many communications, you just know that this kind of thing is likely to happen. There’s a reason why these industries are so heavily regulated… but there’s also a reason why the people in those industries really don’t want their communications preserved for future legal enquiries. There’s no perfect answer here, but these kinds of fines (which, in total, added up to over half a billion dollars) at least suggest that there are financial penalties available for the banks that basically go “off-channel” as a standard way of communicating.
Comments on “Of Course Bank Execs Communicated Via Encrypted Messaging, But That’s Not The Fault Of Encryption”
Encryption doesn’t mean the records are lost (though it sounds like it may be in this case).
If they were NOT using encryption for sensitive topics that would be like them dancing naked in the street. That is, generally speaking, a terrible idea. They should also be preserving records they are required to.
An office or a meeting room is an official channel for communication. So’s an employer-provided phone.
While I think banks might have to record phone communications in some cases, the people who pass these legal mandates continue to use that channel to bypass freedom-of-information laws.
Of course, there’s no technical reason this stuff couldn’t be recorded, and even automatically transcribed (perhaps poorly) in real time. That might make a decent basis for a science fiction story: it’s the bankers, not the police, who have to wear body cameras while on the clock—because they’re the ones with the real power.
And this just goes to show why things like the online safety bill need to pass.
Re:
No, it doesn’t, as those not keeping the records required by law had the plain text messages that they could have kept to comply with the law, or, in the case of phone conversations, could have not used their private phones for work communications.
The leaders in not complying with legal requirements are the cops and the politicians, so is it any wonder that business people follow that lead?
Re:
You’re an idiot if you think the OSB/KOSA will do anything at all to protect anyone. The encryption algorithms are, for all intents and purposes, public domain. They’re widely used. Source code to implement them is widely available in pretty much every programming language. Every operating system has them. Hell, they’re so widespread that they’re embedded into the very computer hardware you use and interact with every day. Even if the OSB/KOSA passed and a clause was explicitly added that said that nobody could use encryption, the clause would be completely toothless. Anyone can get their hands on encryption algorithms and code. Trying to ban it now is like trying to put the genie back into the bottle. People would keep using and implementing it, and there is absolutely nothing any government could possibly do about it.
Re: Re:
Governments should code their own closed source algorithm which has a key that only they can use and pass a law making it illegal to use other algorithms.
It’s not difficult.
Re: Re: Re:
lol! It’s literally impossible. Once there’s a backdoor (which is exactly what you’re proposing) then there’s nothing at all stopping anyone else from using the backdoor.
There’s already a law that they can’t use encrypted communication at all. How’s that working out, genius?
Re: Re: Re:2
“Once there’s a backdoor (which is exactly what you’re proposing) then there’s nothing at all stopping anyone else from using the backdoor.”
Not if they have a system set up where the password has to be changed every few weeks.
Re: Re: Re:2
Well, they successfully passed the law, so it was technically possible… and maybe not even difficult.
That’s not really true. A “key that only one party can use” is the basis of public key crypto. Of course, there’s a good chance the “key that only [the government] can use” becomes “the key that the government and some Chinese spies can use”, but it might not happen. As far as we know, only the NSA has the backdoor key to Dual_EC_DRBG.
Read up on the “crypto wars” of the 1990s to see a more realistic view. France did, in fact, ban all unauthorized cryptography. That didn’t stop people from using it, and the government eventually kind of gave up. The USA, by contrast, wanted people to use backdoored closed-source crypto. It turns out “closed-source” didn’t mean much; people reverse-engineered the cipher, and found a way to neuter the backdoor that would be undetectable till the government tried to use it (presumably after going to the trouble of getting a warrant). Also, people started to realize that “preventing the export of strong crypto” meant “preventing researchers from talking to each other”—which, in countries with a pretense of free speech, was starting to look like a problem to judges.
That said, requiring banks to be able to read communications sent via their own equipment is quite different than a nationwide crypto ban.
Re: Re: Re:
It’s not difficult, it’s impossible.
Just because a criminal uses it doesn't mean it's a criminal-only tool
If someone wants to argue that they used encryption to try to hide their actions, and therefore encryption is bad, then they also used speech, and I’m pretty sure they all breathe; better get to outlawing those too.
Re:
I’ve been saying we need a breathing ban.
Also: it occurs to me that most of the time when breathing is described in text, there’s a negative connotation …
Replacement for the old back-channel communication?
In the old days, “encrypted communication” occurred while doing a line of coke in the bathroom of a strip club.
In politics they now also have these document/records preserving regulations. And we all know how well that’s working out.
(Insert picture of Mar-a-Lago bathroom here!)
Answer: Fine the fuck out of them, and assume any deleted communication during the time-frame covered by a lawsuit is a sign of guilt and let it be admissible evidence of said guilt. I know, I can dream it though.
Cue the light slap on the wrist fine and a pinky swear not to do it again.
Re:
I believe that’s sort of how it works now:
“In Yarborough v. Hughes, the North Carolina Supreme Court considered destruction of evidence and held, “where a party fails to introduce in evidence documents that are relevant to the matter in question and within his control … there is a presumption or at least an inference that the evidence withheld, if forthcoming, would injure his case…This Court also addressed spoliation in McLain v. Taco Bell Corp….[w]hen the evidence indicates that a party is aware of circumstances that are likely to give rise to future litigation and yet destroys potentially relevant records without particularized inquiry, a factfinder may reasonably infer that the party probably did so because the records would harm its case.”
But I am not a lawyer, and all that.