Information Escrows to Combat Code Fraud

November 5, 2015

Code fraud is the implementation of software that induces illegal, unethical, or otherwise malicious outcomes. Difficult to detect, code fraud is a growing concern across industries. Detecting it is a challenge that vastly outpaces our current regulatory apparatus. In the case of Volkswagen, a small non-profit (the International Council on Clean Transportation), not regulators or internal whistleblowers, pieced the complex chain of dependencies together and came forward. Earlier this year, a report written by Forensiq, a small firm, gave notice to Google that apps available through their app store contained malicious code designed to defraud advertisers. Eric Scott Hunsader, a developer for the Nanex exchange is still wondering why regulators have not forced the New York Stock Exchange to investigate—and close—specific loopholes being exploited by high-frequency trading firms. It could be, as he notes, because “Code fraud is *integral* to how high frequency trading works."

The code fraud committed by Volkswagen is unique not because it went on for years, not because it outwitted regulators, not because it generated collateral damage for unwitting bystanders, not because it is worth hundreds of millions of dollars, but because it was detected at all. Most code fraud is written into software with no detectable change to hardware, making it nearly impossible to track down and eliminate. As early as 1984, Turing award winner Ken Thompson warned the computer industry that, “[you] can't trust code that you did not totally create yourself. No amount of source-level verification or scrutiny will protect you . . . these bugs will be harder and harder to detect.” Remarkably, Thompson sounded the alarm about maliciously opaque code 10 years before the first web browser.

Thompson’s lecture—and much of the discourse in the intervening two decades—has focused on “hackers” or small groups of nefarious people, often imagined to be young, a bit desperate, and living in a country that does not border the Atlantic Ocean. The Volkswagen case sends an alarm that code fraud can be perpetrated by middle class office workers in a well-reputed company that has been around for decades.

Our reliance on these men and women of our corporations to do the right thing is deeper than we may like to admit. Regulatory regimes are designed to detect “lying, cheating, and stealing,” and the FBI currently has a good handle on internet auction fraud and Nigerian letter scams. The narrowness of those areas of enforcement expertise would be heartening if the list were longer. In addition to law enforcement, fraudsters in certain industries face a credible threat from forensic software investigators and other private sector anti-fraud squads. Banks, major retailers, and ad tech companies dominate fraud-squashing. One weakness of this model is that private companies naturally focus on fraud that impacts them directly. They do not have a broad mandate to protect everyone from malfeasance the way that government does.

Like all fraud, code fraud increases the cost of doing business by acting as a tax. Where there are direct monetary costs to identifiable consumers, we are likely to see private sector enforcement arise to stem losses. This is the current state of affairs in advertising technology, banking, retailing, and—to a lesser degree—high-frequency trading. Regulators are largely absent from detection, but detection can be purchased or developed in the private market. Google and Apple try to keep ahead of fraudsters in their app stores. However, even when transaction platforms like app stores implement code review, a team at Georgia Tech has proven that is possible to write “Jeckyll apps” that operate benignly until they have passed inspection, after which they become malicious. This is much like the Volkswagen emissions code fraud, though without the hardware component that may have made Volkswagen’s misbehavior easier to detect.

As the Volkswagen emissions cheating case illustrates, code fraud can result in damage that may not have direct costs to consumers. The Volkswagen inspection “defeaters” increased air pollution. Malicious apps drain battery life in infected phones and eat bandwidth on mobile networks. As political, manufacturing, and social systems increasingly run on software, the consequences of code fraud will proliferate and diversify.

If reviewing code is at best a partial solution and then only in industries with muscular gatekeepers, what else can be done to combat code fraud? Whistleblowers within corporations need to be able to report potential fraud to capable law enforcement agencies.

Information Escrow for Potential Whistleblowers

One proposal for reducing the risk associated with whistleblowing is adapted from an information escrow platform developed to allow victims of sexual harassment to store reports of their attacks "in escrow" on a third-party platform called Callisto. Reporting code fraud, or any other kind of fraud, is clearly different than reporting sexual assault. One quality these situations share is that making a report is risky for the claimant, especially if that person is the only one making the accusation. If two or more employees come forward to report the same fraud or two women report the same assailant, not only are their cases stronger, but they will not bear the burden of reporting alone.

In the case of code fraud, when an employee suspects that the code he or she is writing could be used to perpetrate or otherwise enable fraud, the employee could log into a third-party information escrow platform and follow prompts that would guide him or her to write a clear fraud documentation report. If the fraud continued, whistleblowers could log in and add additional documentation.They would not be able to alter previous submissions. The information escrow is a secure storage facility for fraud claims. It only automatically reports the existence of a claim about a specific fraud case to another person who has reported a similar claim. The contents of the claims are not shared with co-claimants. The only information shared with co-claimants is their self-reported likelihood of coming forward if one or more people who have detected what is likely the same fraud exist in the system.

An information escrow allows potential whistleblowers to know they are not alone in detecting code fraud. They can also get a rough estimate of how likely some other person is to come forward. An information escrow does not report the fraud to authorities or to the company where it allegedly took place. It may offer to provide guidance about coming forward in some cases, but it need not. It does not put claimants in touch with one another, a matching procedure that could lead to perceived or actual collusion.

In the case of Volkswagen, investigation into the origin and development of their code fraud over a period of six to seven years continues. It is difficult to know if insiders realized they were writing code designed to outwit regulations. An information escrow solution may have allowed some within the company to report fraud, but they would have had to recognize the fraudulent code amongst the million or so lines of code necessary to engineer a car. Information escrows for code fraud reporting lower the threshold for reporting, but they do not make detection of fraudulent code any easier.

Professional Societies

Lowering the barrier to code fraud reporting with information escrows is an important first step. It empowers programmers and other men and women of the corporation to step forward in stages and in ways that could moderate the negative consequences of being the sole whistleblower trying to halt an organizational inertia aiming to play on.

Professional organizations like the Association for Computing Machinery (ACM) to which many programmers belong are key players for establishing trusted third-party information escrow platforms and establishing guidelines for identifying and reporting code fraud. Building information escrows for code fraud reporting will not prevent code fraud or quickly bring it to a halt, but it will offer a mechanism for lowering the risks associated with whistleblowing. I invite leadership within the ACM to consider establishing information escrows for fraud reporting.