Regulation, legitimation, neutralization
A thing that bankers and spies have in common is protestations about how elaborately they are monitored. Every financial product or arrangement requires elaborate legal vetting, is touched by innumerable regulations, must run a gamut of refusals and reworkings in the name of “compliance”. In the current scandal over government surveillance, we hear repeated assurances that the programs are legal, that they are reviewed, that despite potentially vast loopholes in the documents thus far leaked, our security services have procedures in place to ensure that there is no abuse.
A cynic might dismiss these protestations as mere cant, but that’s a mistake. I think the insiders who offer us these assurances are perfectly, almost desperately, sincere. From their perspective, I suspect regulatory precaution seems absurdly overdone, even Kafka-esque, interfering with the good work they are trying to do. And they are trying to do good work! Most bankers are nice people working hard jobs. Most people who work for the ominous-sounding “surveillance state” genuinely strive to contribute to the security of the country without dishonoring its ideals. Large organizations are peopled by, well, people, most of whom are not so different than you and me. When organizations misbehave, it is important to understand that they do so in spite of being filled for the most part by people of good will. We should try to understand how they manage this.
One way that they manage this is by virtue of the regulation that exists ostensibly to control the misbehavior. Regulation sprouts in broad thickets, often in response to idiosyncratic events and concerns and constituencies. Pushback by the regulated trims those thickets, but not universally or uniformly. Organizations assent to and even embrace regulation that doesn’t challenge their core imperatives. They aggressively resist those that do. We end up with organizations that are, in fact, extensively and intrusively regulated, but have blind spots, weaknesses and loopholes that are not at all random.
“Core imperatives” are objectives that enable organizations to survive and thrive, and importantly to defend themselves from various sorts of challenge. Core objectives may be related to formal missions, but they are distinct, and may sometimes be in conflict. There are tensions between banks’ formal role as high-information allocators of credit to the real economy and the scale that renders failure politically intolerable. Where those tradeoffs exist, successful banks pursue the core imperative, not the formal mission. The organizational form that maximizes the quality of credit allocation would be one that keeps the organization and its stakeholders forever at risk. That form does not thrive in competition with others who gain funding advantages by insulating themselves from those risks. Like it or not, maximalist acquisition of information is a core imperative of organizations in the intelligence community. For reasons good and obvious but also for some ugly reasons, access to information is crucial to defending and expanding the intelligence ecosystem.
We should not be surprised, although we should certainly be angry, that “the toughest financial regulation in a half century” was a thousand pages long and failed to address the core problem of immunities and funding advantages that derive from scale and interconnectedness. We should not be surprised, though we should certainly be angry, that as technology has rendered surreptitious, ubiquitous surveillance easier, weak spots and loopholes have appeared that make it colorable, although still shameful, for the President of the United States to come on television and call this stuff “lawful“.
But it’s important to note, both among bankers and spies, we do not end up with an absence of regulation. Instead we end up with a festival of regulation undermined by a few strategic lacunae. And that festival of regulation is a critical part of the problem we’ve circuitously set out to address. How do organizations persuade the well-meaning humans that comprise them to work hard and feel proud of doing stuff that is ultimately not so good? Why is it that people in banking or intelligence so often effuse, with complete sincerity and no small measure of frustration, about how regulated they are, about how much care they take to comply with the regulations they face, in letter and in spirit. Because they do!
Regulation and compliance serves a straightforward human function. It substitutes for and absolves participants of the duty they would feel, as human beings, to exercise independent judgment about the nature of the work they are doing. There is nothing odd or conspiratorial about saying this. Organizations wouldn’t function if every organizational action were subject to idiosyncratic review and veto by each participant. When people claim that Edward Snowden had no right to do what he did, they do not mean to say everyone in any organization must always “just follow orders”. Their argument is based on the notion that Snowden’s organization was well-regulated, and an ethical participant in an organization ought to let the regulations of the organization stand-in for individual moral views. As we see each time one of our shameful politicians or one of our shameful bankers goes on television, lawfulness and regulation are used to legitimate organizational behavior externally. But they are used to legitimate behavior internally as well, and so may enable groups of people to do what perhaps they ought not do.
The moral choice faced in practice by members of a large organization isn’t whether some activity they participate in is ethical, but whether it is so unethical that they are compelled to substitute their own judgment for the organization’s controls and resist in some fashion. The perceived quality of the controls plays a role in those decisions. When effective participation is significantly voluntary — that is when talented people might choose to quit, or slack off, or in extremis enlist external allies to address their concerns — controls that appear to be high quality are an important organizational asset. Elaborate regulation and burdensome compliance can serve as “accountability theater” even when it is less than effective. In large organizations that do prima facie icky things, whether those things are ultimately justifiable or not, you’d expect to find a mix of very visible controls and strong economic incentives. Which, I think, you typically do. Obviously, in military and intelligence organizations, controls and incentives are supplemented by a sense of serving a larger interest that may sometimes override more ordinary qualms. But feelings of patriotism don’t eliminate participants’ need for legitimating regulation.
The most dangerous organizations are those whose participants are subject to internally credible controls that are nevertheless ineffective at constraining organizational behavior, whether because the controls are inadequate or because some groups within the organization are able to circumvent them. Unfortunately, that’s exactly the combination that serves organizations best in amoral, functional terms. We should be careful of starting with a kitchen-sink of potential regulations, then letting organizations choose their battles, as happened with banking reform. Obviously, we should be careful of letting regulated entities drive and manage the regulatory process from the start, as happened with the security state. When insiders tell us that prima facie bad things are justified by the regulations or controls under which they are produced, we should understand those accounts to be both sincere and usually mistaken. We should remember that mistargeted regulation may be worse than useless. It may provide, to use a term I learned from Bill Black, a means of neutralization that perversely enables the very misbehavior it ostensibly exists to prevent. I think that is very obviously what has happened in the US and elsewhere with state surveillance.