Tag: data

Debate over Duncan’s Record in Chicago

At The Quick and the Ed, Chad Aldeman disputes my assertion that Duncan’s impact on Chicago public school achievement was near zero.  To make his case, Aldeman cites the fact that scores rose during Duncan’s tenure on 3 out of the 4 available NAEP tests. While true, this evidence actually supports my assertion rather than either Aldeman’s or Duncan’s.

Chicago’s gains on the NAEP tests ranged from 0.3 to 7.2 points on the 500 point scale, averaging out to a 1% increase in scale scores. I think 1% is pretty darn close to zero, and that’s what I said.

What’s more, as I wrote yesterday, the minuscule 1% improvement in Chicago NAEP scores was statistically identical to the improvement made by students in large central cities all over the country during the same period, so “The Duncan Effect” – his value-added over other large city superintendents – was precisely zero.

If there are other relevant data that I’m unaware of that paint a different picture, I’ll be happy to look at them. But the NAEP results flatly contradict Duncan’s own claims – routinely repeated in the media – that students made dramatic academic gains under his leadership.

Some Thinking on “Cyber”

Last week, I had the opportunity to testify before the House Science Committee’s Subcommittee on Technology and Innovation on the topic of “cybersecurity.” I have been reluctant to opine on it because of its complexity, but I did issue a short piece a few months ago arguing against government-run cybersecurity. That piece was cited prominently in the White House’s “Cyberspace Policy Review” and – blamo! – I’m a cybersecurity expert.

Not really – but I have been forming some opinions at a high level of generality that are worth making available. They can be found in my testimony, but I’ll summarize them briefly here.

First, “cybersecurity” is a term so broad as to be meaningless. Yes, we are constructing a new “space” analogous to physical space using computers, networks, sensors, and data, but we can no more secure “cyberspace” in its entirety than we can secure planet Earth and the galaxy. Instead, we secure the discrete things that are important to us – houses, cars, buildings, power lines, roads, private information, money, and so on. And we secure these things in thousands of different ways. We should secure “cyberspace” the same way – thousands of different ways.

By “we,” of course, I don’t mean the collective. I mean that each owner or controller of a prized thing should look out for its security. It’s the responsibility of designers, builders, and owners of houses, for exmple, to ensure that they properly secure the goods kept inside. It’s the responsibility of individuals to secure the information they wish to keep private and the money they wish to keep. It is the responsibility of network operators to secure their networks, data holders to secure their data, and so on.

Second, “cyber” threats are being over-hyped by a variety of players in the public policy area. Invoking “cyberterrorism” or “cyberwar” is near-boilerplate in white papers addressing government cybersecurity policy, but there is very limited strategic logic to “cyberwarfare” (aside from attacking networks during actual war-time), and “cyberterrorism” is a near-impossibility. You’re not going to panic people – and that’s rather integral to terrorism – by knocking out the ATM network or some part of the power grid for a period of time.

(We weren’t short of careless discussions about defending against “cyber attack,” but L. Gordon Crovitz provided yet another example in yesterday’s Wall Street Journal. As Ben Friedman pointed out, Evgeny Morozov has the better of it in the most recent Boston Review.)

This is not to deny the importance of securing digital infrastructure; it’s to say that it’s serious, not scary. Precipitous government cybersecurity policies – especially to address threats that don’t even have a strategic logic – would waste our wealth, confound innovation, and threaten civil liberties and privacy.

In the cacophony over cybersecurity, an important policy seems to be getting lost: keeping true critical infrastructure offline. I noted Senator Jay Rockefeller’s (D-WV) awesomely silly comments about cybersecurity a few months ago. They were animated by the premise that all the good things in our society should be connected to the Internet or managed via the Internet. This is not true. Removing true critical infrastructure from the Internet takes care of the lion’s share of the cybersecurity problem.

Since 9/11, the country has suffered significant “critical-infrastructure inflation” as companies gravitate to the special treatments and emoluments government gives owners of “critical” stuff. If “criticality” is to be a dividing line for how assets are treated, it should be tightly construed: If the loss of an asset would immediately and proximately threaten life or health, that makes it critical. If danger would materialize over time, that’s not critical infrastructure – the owners need to get good at promptly repairing their stuff. And proximity is an important limitation, too: The loss of electric power could kill people in hospitals, for example, but ensuring backup power at hospitals can intervene and relieve us of treating the entire power grid as “critical infrastructure,” with all the expense and governmental bloat that would entail.

So how do we improve the state of cybersecurity? It’s widely believed that we are behind on it. Rather than figuring out how to do cybersecurity – which is impossible – I urged the committee to consider what policies or legal mechanisms might get these problems figured out.

I talked about a hierarchy of sorts. First, contract and contract liability. The government is a substantial purchaser of technology products and services – and highly knowledgeable thanks to entities like the National Institutes of Standards and Technology. Yes, I would like it to be a smaller purchaser of just about everything, but while it is a large market actor, it can drive standards and practices (like secure settings by default) into the marketplace that redound to the benefit of the cybersecurity ecology. The government could also form contracts that rely on contract liability – when products or services fail to serve the purposes for which they’re intended, including security – sellers would lose money. That would focus them as well.

A prominent report by a working group at the Center for Strategic and International Studies – co-chaired by one of my fellow panelists before the Science Committee last week, Scott Charney of Microsoft – argued strenuously for cybersecurity regulation.

But that begs the question of what regulation would say. Regulation is poorly suited to the process of discovering how to solve new problems amid changing technology and business practices.

There is some market failure in the cybersecurity area. Insecure technology can harm networks and users of networks, and these costs don’t accrue to the people selling or buying technology products. To get them to internalize these costs, I suggested tort liability rather than regulation. While courts discover the legal doctrines that unpack the myriad complex problems with litigating about technology products and services, they will force technology sellers and buyers to figure out how to prevent cyber-harms.

Government has a role in preventing people from harming each other, of course, and the common law could develop to meet “cyber” harms if it is left to its own devices. Tort litigation has been abused, and the established corporate sector prefers regulation because it is a stable environment for them, it helps them exclude competition, and they can use it to avoid liability for causing harm, making it easier to lag on security. Litigation isn’t preferable, and we don’t want lots of it – we just want the incentive structure tort liability creates.

As the distended policy issue it is, “cybersecurity” is ripe for shenanigans. Aggressive government agencies are looking to get regulatory authority over the Internet, computers, and software. Some of them wouldn’t mind getting to watch our Internet traffic, of course. Meanwhile, the corporate sector would like to use government to avoid the hot press of market competition, while shielding itself from liability for harms it may cause.

The government must secure its own assets and resources – that’s a given. Beyond that, not much good can come from government cybersecurity policy, except the occassional good, long blog post.

Morozov vs. Cyber-Alarmism

I’m no information security expert, but you don’t have to be to realize that an outbreak of cyber-alarmism afflicts American pundits and reporters.

As Jim Harper and Tim Lee have repeatedly argued (with a little help from me), while the internet created new opportunities for crime, spying, vandalism and military attack, the evidence that the web opens a huge American national security vulnerability comes not from events but from improbable what-ifs. That idea is, in other words, still a theory. Few pundits bother to point out that hackers don’t kill, that cyberspies don’t seem to have stolen many (or any?) important American secrets, and that our most critical infrastructure is not run on the public internet and thus is relatively invulnerable to cyberwhatever. They never note that to the extent that future wars have an online component, this redounds to the U.S. advantage, given our technological prowess.  Even the Wall Street Journal and New York Times recently published breathless stories exaggerating our vulnerability to online attacks and espionage.

So it’s good to see that the July/ August Boston Review has a terrific article by Evgeny Morozov taking on the alarmists. He provides not only a sober net assessment of the various worries categorized by the vague modifier “cyber” but even offers a theory about why hype wins.

Why is there so much concern about “cyber-terrorism”? Answering a question with a question: who frames the debate? Much of the data are gathered by ultra-secretive government agencies—which need to justify their own existence—and cyber-security companies—which derive commercial benefits from popular anxiety. Journalists do not help. Gloomy scenarios and speculations about cyber-Armaggedon draw attention, even if they are relatively short on facts.

I agree.

Social Control as a Profit Center

Here’s an idea that should be killed in the crib: scanning automobiles for up-to-date insurance.

Says Gizmodo (via ars technica and the Chicago Sun-Times):

The system is anticipated to raise yearly earnings “well in excess” of $100 million (possibly even double that figure or more), with InsureNet taking a modest 30% for their services. Of course, all of this cash would be contingent on uninsured drivers actually paying their fines.

There will be thousands more reasons like this put forward for mass public surveillance. The answer should almost always be no because of the accumulations of data about law-abiding citizens such programs would collect in government (and government-contractor) databases.

Taxpayers and the Federal Diary

The Federal Diary column in the Washington Post is a curious piece of newspaper real estate. Most newspaper columns are aimed at the broad general public, but this column is aimed directly at the few hundred thousand government workers in the DC region. The result is that it takes a very government- and union-centric view of the world. The fact that the federal civilian workforce costs taxpayers an enormous $300 billion or so every year is beside the point for the column.

In a briefing with reporters yesterday, the head of the Office of Personnel Management complained about a Lou Dobbs television bit that featured this data that I assembled from the Bureau of Economic Analysis. The Federal Diary columnist called me yesterday about the data, and I explained to him the shortcomings of the OPM claims that federal workers are underpaid.

Unfortunately, the Federal Diary today simply parrots the OPM’s claims, calling the Dobbs/Edwards/BEA data “misleading.” Yet this data clearly shows that federal compensation has taken off like a rocket this decade.

Today’s column, like many of the Federal Diary columns, is about how to improve the pay, benefits, and working conditions of federal workers. What about the taxpayers who foot the bill? To provide some balance, the Post ought to at least have a side-by-side column entitled “Federal Taxpayers’ Diary.”

Euro VAT for America?

Desperate for fresh revenues to feed the giant spending appetite of President Obama, Democratic policymakers are talking up ‘tax reform’ as a way to reduce the deficit. Some are considering a European-style value-added tax (VAT), which would have a similar effect as a national sales tax, and be a large new burden on American families.

A VAT would raise hundreds of billions of dollars a year for the government, even at a 10-percent rate. The math is simple: total U.S. consumption in 2008 was $10 trillion. VATs usually tax about half of a nation’s consumption or less, say $5 trillion. That means that a 10% VAT would raise about $500 billion a year in the United States, or about $4,300 from every household. Obviously such a huge tax hit would fundamentally change the American economy and society, and for the worse.

Some fiscal experts think that a VAT would solve the government’s budget problems and reduce the deficit, as the Washington Post noted yesterday. That certainly has not happened in Europe where the average VAT rate is a huge 20 percent, and most nations face large budget deficits just as we do. The hard truth for policymakers to swallow is that the only real cure for our federal fiscal crisis is to cut spending.

Liberals like VATs because of the revenue-raising potential, but some conservatives are drawn to the idea of using VAT revenues to reduce the corporate tax rate. The Post story reflected this in noting “A 21 percent VAT has permitted Ireland to attract investment by lowering the corporate tax rate.” That implies that the Irish government lost money when it cut its corporate rate, but actually the reverse happened in the most dramatic way.

Ireland installed a 10% corporate rate for certain industries in the 1980s, but also steadily cut its regular corporate rate during the 1990s. It switched over to a 12.5% rate for all corporations in 2004. OECD data show that as the Irish corporate tax rate fell, corporate tax revenues went through the roof – from 1.6% of GDP in 1990, to 3.7% in 2000, to 3.8% in 2006.

In sum, a VAT would not solve our deficit problems because Congress would simply boost its spending even higher, as happened in Europe as VAT rates increased over time. Also, a VAT is not needed to cut the corporate income tax rate because a corporate rate cut would be self-financing over the long-term as tax avoidance fell and economic growth increased.

E-Verify: The Surveillance Solution

The federal government will keep data about every person submitted to the “E-Verify” background check system for 10 years.

At least that’s my read of the slightly unclear notice describing the “United States Citizenship Immigration Services 009 Compliance Tracking and Monitoring System” in today’s Federal Register. (A second notice exempts this data from many protections of the Privacy Act.)

To make sure that people aren’t abusing E-Verify, the United States Citizenship and Immigration Services Verification Division, Monitoring and Compliance Branch will watch how the system is used. It will look for misuse, such as when a single Social Security Number is submitted to the system many times, which suggests that it is being used fraudulently.

How do you look for this kind of misuse (and others, more clever)? You collect all the data that goes into the system and mine it for patterns consistent with misuse.

The notice purports to limit the range of people whose data will be held in the system, listing “Individuals who are the subject of E-Verify or SAVE verifications and whose employer is subject to compliance activities.” But if the Monitoring Compliance Branch is going to find what it’s looking for, it’s going to look at data about all individuals submitted to E-Verify. “Employer subject to compliance activities” is not a limitation because all employers will be subject to “compliance activities” simply for using the system.

In my paper on electronic employment eligibility verification systems like E-Verify, I wrote how such systems “would add to the data stores throughout the federal government that continually amass information about the lives, livelihoods, activities, and interests of everyone—especially law-abiding citizens.”

It’s in the DNA of E-Verify to facilitate surveillance of every American worker. Today’s Federal Register notice is confirmation of that.