% fortune -ae paul murphy

What port security, patents, and out-sourcing have in common

In March of 2000 "Patently Absurd", an article by James Gleick, appeared in the New York Times Magazine. Here's part of his description of the original rationale for the patent system:

Patents long served as a fundamental cog in the American machine, cherished in our national soul. We are the land of Thomas Edison and the Wright Brothers and Alexander Graham Bell, where Congress is empowered by the Constitution to promote the Progress of Science and useful Arts, by securing for limited Times to Authors and Inventors the exclusive Right to their respective Writings and Discoveries. Hence the patent office, charged with the enforcement of a Faustian bargain: inventors give up their secrets, publishing them for all to see and absorb, and in exchange they get 20-year government-sanctioned monopolies on their technologies. This arrangement fuelled industrial progress in the early United States by encouraging investment in research and rewarding inventors who published their work rather than cloaking it in trade secrets.

Today's reality delivers the opposite of this: patents protect big companies, both patent filing and patent protection are beyond the financial resources of most individuals, and the complexities surrounding the patent system defeat its primary purpose as a kind of clearing house safely and cheaply matching the people who create new technologies to the people who can exploit those ideas commercially.

Basically, if we wanted to re-invent the Patent Office to meet those original objectives we'd set up an idea exchange as a website with free access for both the inventors of ideas and the companies or individuals who want to do something with those ideas. Think of open source exchanges like SourceForge as prototypes focused on software, and you can see that the technology needed for this pretty much exists - and so do the business methods needed to protect both sides of such an exchange.

As a side effect, of course, doing this would wipe out a large federal bureaucracy, put thousands of lawyers out of business, and leave companies like Microsoft and IBM looking at some future end of life for their existing patent portfolios and legal support teams. On the positive side, however, it would give tens of thousands of people with great ideas, in hundreds of specialised fields from metallurgy to software, the opportunity to pursue those ideas and thereby contribute significantly to the likelihood and success of a future American renaissance in manufacturing.

So what's the key to this? In a generic sense it's openness: the willingness to trust in the goodwill and honesty of a majority of the people and organizations simply because most or all of their activities are transparent.

The US ports controversy has made a lot of headlines lately. Fundamentally what's going on there is that the U.S. has no reason to declare Dubai an enemy state and it's therefore perfectly legal for a company based there to buy control of an organization which indirectly controls the quality of some port security services at a number of major U.S. ports.

In an essay written for wired.com, cryptology expert Bruce Schneier puts this controversy in the broader context of social and democratic proxies - people or organizations we put in place and then trust to act on our behalf. Here's a small part of what he says:

We don't know what kind of security there is in the UAE, Dubai Ports World or the subsidiary that is actually doing the work. We have no choice but to rely on these proxies, yet we have no basis by which to trust them.

Pull aside the rhetoric, and this is everyone's point. There are those who don't trust the Bush administration and believe its motivations are political. There are those who don't trust the UAE because of its terrorist ties -- two of the 9/11 terrorists and some of the funding for the attack came out of that country -- and those who don't trust it because of racial prejudices. There are those who don't trust security at our nation's ports generally and see this as just another example of the problem.

The solution is openness. The Bush administration needs to better explain how port security works, and the decision process by which the sale of P&O was approved. If this deal doesn't compromise security, voters -- at least the particular lawmakers we trust -- need to understand that.

Regardless of the outcome of the Dubai deal, we need more transparency in how our government approaches counter-terrorism in general. Secrecy simply isn't serving our nation well in this case. It's not making us safer, and it's properly reducing faith in our government.

Although I personally think that the people pushing this issue are hoping their audience will be as simple-minded as they are, Schneier's prescription for increased openness as the generic answer on trust resonates with what I, and I think most of the open source movement, believe in. Not everyone understands how port security works or would be affected by this change of ownership, but if all of the processes and data were openly discussed and widely documented, the fact that a lot of non-participants who do understand could look at it would suffice to reestablish, at least for most of us, the trust that proxy relationships like those we have with government depend on.

The out-sourcing relationship is another such proxy relationship that depends on mutual trust.

Suppose, for example, that your organization outsources receivables processing and the related call center to a well known company's local office which, despite having a state or national incorporation, actually delivers the service through a contract its international arm has with a subcontractor in India.

When things go well, this structure should not cause a problem: the outsourcer files its SAS 70 or similar paperwork, and the internal auditors quietly sign off. What happens, however, when someone, somewhere, alleges that a problem exists and trust therefore fails is that all the walls go up, hard. Your CFO/CEO have signed off on the Sarbanes-Oxley 404a/b requirements, and are not going to want to know they're headed for jail. Your external auditor can deploy your contractual access to the outsourcer, but that may not pass through to the real contractor. Worse, few audit firms have either the stomach or the resources needed to send American auditors to really follow the controls trail through multiple foreign jurisdictions. What they do, instead, is rely on their people in those jurisdictions.

Unfortunately, neither the foreign auditor nor the people they talk to, whatever their individual commitment to ethical behavior and openness, have the whistleblower protections built into Sarbanes-Oxley. Basically, a whistleblower in an American processing center will be protected; one in the out-sourcer's Barbados office - or the real contractor's Bangalore call center - will not.

The bottom line on this is simple: the realistic answer to the question described in Public Company Accounting Oversight Board Auditing Standard No. 2, viz. "did the company in fact maintain, in all material respects, effective internal control over financial reporting?", is always no in this kind of outsourced services situation.

What's missing from the process is openness: if your data processing operation is out of your physical and jurisdictional reach, the paranoid bet is that you will not be notified when it goes wrong. Indeed the one key difference between having IT under internal control and doing it via an offshore out-sourcer lies in a failure of commonality: if you can't walk down a hall somewhere in your own language and legal jurisdiction to look a receivables clerk in the eye, the trust relationship that organizational integrity ultimately depends on can't be protected and will, inevitably, fail.


Paul Murphy wrote and published The Unix Guide to Defenestration. Murphy is a 25-year veteran of the I.T. consulting industry, specializing in Unix and Unix-related management issues.