Topic: Regulatory Studies

Schumer’s Epiphany?

I had to do a double take at the byline of an unabashedly pro-capitalism op-ed (subscription required) in today’s Wall Street Journal. Yes, indeed, that was Sen. Chuck Schumer (D-NY) who co-authored a piece with New York City mayor Michael Bloomberg on the need to rethink stifling regulation of America’s financial services industries, and to consider tort reform.

Lamenting the relative decline of NYC as the world’s financial capital, Schumer and Bloomberg identify stifling regulation and frivolous lawsuits in the United States as major factors contributing to London’s and Hong Kong’s relative ascent as premier locations for initial public offerings in recent years. Among the facts they cite is that in 2005, only one out of the top 24 IPOs was registered in the United States, while four were registered in London. Moreover, “next year more money will be raised through IPOs in Hong Kong than in either London or New York.”

Schumer and Bloomberg cite regulatory costs that are 15 times higher in the United States than in Britain, an adversarial relationship between “tough cop” regulators and business in the United States, and the surging costs of securities-related class action suits as key factors driving business away from New York’s financial houses. The auditing expenses associated with the requirements of Sarbanes-Oxley are deemed to have grown “beyond anything Congress had anticipated.”

These are indeed serious problems, but it’s hard not to laugh about the irony. Schumer’s never met a regulation he didn’t like. He’s never been a friend of business. Of course he voted for Sarbanes-Oxley, along with all of his colleagues in the Senate, but he also led the charge against Kellogg’s, General Mills, and the other cereal companies in the 1990s, when the price of Lucky Charms became unacceptably high to him. Just last summer, Schumer urged federal regulators to examine the behavior of oil companies to make sure they weren’t holding back production. And Schumer has been quick to ascend the podium to decry America’s growing trade deficit, urging, at times, government intervention to “correct” that growing problem.

That Schumer is suddenly opposed to stifling regulation and is saying things that are sure to upset the trial lawyers is welcome news. But it is likely just a fleeting flirtation with enlightenment. Let’s see what happens when someone points out to the Senator that New York’s capacity to attract IPOs, and the foreign investment that follows, is more a cause of the U.S. trade deficit than any “unfair trade” practices he assails. Which cause will he champion then?

Kahn on ‘Net Neutrality

Venerated deregulator Alfred Kahn weighs in on “ ‘net neutrality” - the proposal to have Congress and the Federal Communications Commission decide the terms on which ISPs could provide service, and whom they could charge for what. Net neutrality regulation is advanced primarily by the political left. Here’s Kahn on his bona fides:

I consider myself a good liberal Democrat. I played a leading role under President Carter in the deregulation of the airlines (as Chairman of the Civil Aeronautics Board) and trucking (as Advisor to the President on Inflation), against the almost unanimous opposition of the major airlines and trucking companies and–let’s be frank about it–their strongest unions. Among our strongest allies were Senator Ted Kennedy, Stephen (now Supreme Court Justice) Breyer, and such organizations as Common Cause, Public Citizen, the Consumer Federation of America and Southwest Airlines.

On telecommunications competition:

In telecommunications, cable and telephone companies compete increasingly with one another, and while the two largest wireless companies, Cingular and Verizon, are affiliated with AT&T and Verizon, respectively, some 97 percent of the population has at least a third one competing for their business as well; and Sprint and Intel have recently announced their plan to spend 3 billion dollars on mobile Wi-Max facilities nationwide. Scores of municipalities led by Philadelphia and San Francisco, are building their own Wi-Fi networks. And on the horizon are the electric companies, already beginning to use their ubiquitous power lines to offer broadband–to providers of content, on the one side, and consumers, on the other.

His conclusion: “There is nothing ‘liberal’ about the government rushing in to regulate these wonderfully promising turbulent developments.”

Lovely Hospital, Doc — Be a Shame if Anything Were to Happen to It…

I recently came across a transcript of National Economic Council director Al Hubbard’s remarks to a hospital trade group back in March.  In it, Hubbard discusses Bush administration policy regarding price transparency in health care.  That policy was later fleshed out in an executive order, which mandated that federal health programs furnish beneficiaries with information on prices, etc.  The administration stopped short of imposing a similar mandate on the private sector.

But Hubbard’s comments to the hospitals let us know where the president is headed.  And it was Hubbard’s…shall we say…rhetorical agility that I find priceless:

The president’s approach has been…that through persuasion we can get the [health care] providers of this country to start providing accurate, easy-to-use information and we don’t have to go to legislation, because, you know, legislation is a very crude tool to accomplish things and we would much rather let the free market, and you all individually, com[e] up with the best way of approaching transparency as opposed to Congress and the federal government telling you how to do it. But the president has also made it clear that if the provider community is not receptive to providing transparency that we will turn to Congress and ask them to support transparency.

When is persuasion not persuasion?  When it’s a threat.  Later, in an answer to a question, Hubbard dispensed with the subtleties:

And by the way – and I hate to use this blunt club as a threat – if you don’t, it’s going to be imposed upon you. It is going to be imposed upon you.

In other words, Pres. Bush thinks that the market should do whatever it wants, so long as it’s exactly what he wants.

Which is exactly the same as not being for a free market at all.

Fake Boarding Pass Generator Underscores ID Woes

Yesterday, the blogosphere crackled with news that ‘net surfers could use a website to generate fake boarding passes that would enable them to slip past airport security and gain access to airport concourses. The news provides a good opportunity to illustrate a credentialing (and identity) system, how it works, and how it fails.

It’s very complicated, so I’m going to try to take it slowly and walk through every step.

The Computer Assisted Passenger Prescreening System (CAPPS) separates commercial air passengers into two categories: those deemed to require additional security scrutiny — termed “selectees” — and those who are not. When a passenger checks in at the airport, the air carrier’s reservation system uses certain information from the passenger’s itinerary for analysis in CAPPS. This analysis checks the passenger’s information against the CAPPS rules and also against a government-supplied “watch list” that contains the names of known or suspected terrorists.

Flaws in the design and theory of the CAPPS system make it relatively easy to defeat. A group with any sophistication and motivation can test the system to see which of its members are flagged, or what behaviors cause them to be flagged, then adjust their plans accordingly.

A variety of flaws and weaknesses inhabit the practice of watch-listing. Simple name-matching causes many false positives, as so many Robert Johnsons will attest. But the foremost weakness is that a person who is not known to be a threat will not be listed. Watch-listing does nothing about people or groups acting for the first time.

In addition, a person who is known and listed can elude the system by using an alias. The use of a false or synthetic identity (and thus an inaccurate boarding card) could assist in this. But the simplest wrongful use of this fake boarding card generator would be to make a boarding card that allows a known bad person to receive no more security scrutiny than all the good people.

When CAPPS finds that a passenger should be given selectee status, this is transmitted to the check-in counter where a code is printed on the passenger’s boarding pass. At the checkpoint, the boarding pass serves as a credential indicating that the person is entitled to enter the concourse, and also indicating what kind of treatment the person should get — selectee or non-selectee. The credential is tied to the person bearing it by also checking a government-issued ID.

In a previous post, I included a schematic showing how identification cards work (from my book Identity Crisis). This might be helpful to review now because credentials like the boarding pass work according to the same three-step process: First, an issuer (the airline) collects information, including what status the traveler has. Next, the issuer puts it onto a credential (the boarding pass). Finally, the verifier or relying party (the checkpoint agent) checks the credential and accords the traveler the treatment that the credential indicates.

Checking the credential bearer’s identification, a repeat of this three-step process, and comparing the names on both documents, ties the boarding pass to the person (and in the process imports all the weaknesses of identification cards).

Each of these steps is a point of weakness. If the information is bad, such as when a malefactor is not known, the first step fails and the system does not work. If the malefactor is using someone else’s ticket and successfully presents a fake ID, the third step has failed and the system does not work.

The simple example we’re using here breaks the second step. A person traveling under his own name may present a boarding pass for the flight for which he has bought a ticket — but the false boarding pass he presents does not indicate selectee status. He has eluded the CAPPS system and the watch list.
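A toy model of the issuer, credential and verifier steps described above, added here as an illustration and not taken from the post or from any airline or checkpoint system; the names, the watch-list entry, the key and the HMAC tag are all assumptions made for the example. It shows that a checkpoint which trusts the printed status accepts a pass whose status field no longer matches what the issuer recorded, that an issuer-computed tag catches that mismatch, and that neither version helps when the traveler was never listed.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace

ISSUER_KEY = b"constructed-demo-key"   # hypothetical secret shared by issuer and checkpoint
WATCH_LIST = {"LISTED TRAVELER"}       # constructed sample entry


@dataclass(frozen=True)
class BoardingPass:
    name: str
    flight: str
    selectee: bool
    tag: str = ""                      # absent on the passes the post describes


def mac_for(name, flight, selectee):
    """Issuer's tag over every field the checkpoint relies on."""
    msg = f"{name}|{flight}|{int(selectee)}".encode()
    return hmac.new(ISSUER_KEY, msg, hashlib.sha256).hexdigest()


def issue(name, flight):
    """Steps 1 and 2: collect the traveler's status, put it on the credential."""
    selectee = name in WATCH_LIST
    return BoardingPass(name, flight, selectee, mac_for(name, flight, selectee))


def checkpoint_as_described(bp, id_name):
    """Step 3 as in the post: match the ID name, then trust the printed status."""
    if bp.name != id_name:
        return "refuse"
    return "selectee screening" if bp.selectee else "standard screening"


def checkpoint_authenticated(bp, id_name):
    """Step 3 with one extra check: did the issuer produce these exact fields?"""
    expected = mac_for(bp.name, bp.flight, bp.selectee)
    if not hmac.compare_digest(bp.tag, expected):
        return "refuse"
    return checkpoint_as_described(bp, id_name)


def demo():
    genuine = issue("LISTED TRAVELER", "XX100")
    altered = replace(genuine, selectee=False)    # step 2 broken: status changed
    unlisted = issue("FIRST TIMER", "XX100")      # step 1 broken: never on the list
    return {
        "altered, as described": checkpoint_as_described(altered, "LISTED TRAVELER"),
        "altered, authenticated": checkpoint_authenticated(altered, "LISTED TRAVELER"),
        "genuine, authenticated": checkpoint_authenticated(genuine, "LISTED TRAVELER"),
        "unlisted, authenticated": checkpoint_authenticated(unlisted, "FIRST TIMER"),
    }
```

Authenticating the credential closes only the second step; the last result shows the first-step weakness is untouched.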

The fake boarding pass generator does not create a new security weakness. It reveals an existing one. Though some people may want to, it’s important not to kill the messenger (who, in this case, is a Ph.D. student in security informatics at Indiana University who created the pass generator to call attention to the problem). As I’ve said before, identity-based security is terribly weak. Its costs — in dollars, inconvenience, economic loss, and lost privacy — are greater than its security benefit.

Hopefully, the revelation that people can use fake boarding passes to elude CAPPS and watch-lists is another step in the long, slow process of moving away from security systems that don’t work well, toward security systems that do. Good security systems address tools and methods of attack directly. They make sure all passengers on an airplane lack the capacity to do significant harm.

The FDA’s Record on Folic Acid

However the kerfuffle over the Food and Drug Administration’s handling of Vegemite pans out, my passionate Australian colleague Sallie James is right to be suspicious. The FDA’s record regarding folic acid has been anything but sensible – or humane. As I wrote in 1998:

[I]n 1992, the federal Public Health Service (PHS) recommended [that] all women of childbearing age consume 0.4mg of folic acid daily. The PHS estimated this could lead to a reduction in spina bifida, a crippling birth defect that partially exposes the infant’s spinal cord through a hole in the backbone, of about 50 percent (i.e., about 1,250 cases per year).

However, the FDA would not let producers of foods rich in folic acid (oranges, leafy green vegetables, etc.) inform expectant mothers of this preventive medicine until 1996. From PHS estimates, it may be reasonably postulated that the FDA’s four-year suppression of this health claim caused as many as 5,000 infants to be unnecessarily stricken with spina bifida.

The federal government itself recommended that women of childbearing age consume more folic acid, yet the FDA refused to let food manufacturers get the word out for four years. As if to shine a beacon on its prior stupidity, in 1998 the FDA required manufacturers to fortify enriched cereal grain products with folic acid.

If the FDA can tolerate 5,000 preventable cases of spina bifida, it’s reasonable to conclude that the agency wouldn’t bat an eye over severing one’s emotionally crucial link to the motherland.

That is, unless Australians have a more powerful lobby than newborns do.

Google Office vs. Government “Request”

TechCrunch is a terrific blog covering new Internet products and companies.  Edited by Michael Arrington, it’s a clearinghouse of information on “Web 2.0” - the agglomeration of innovations that could take online life and business through their next leaps forward.

In this recent post, TechCrunch briefly assessed some concerns with Google’s office strategy.  Google has online offerings in the works that could substitute for the word processing and spreadsheet software on your computer - just like Gmail did with e-mail.

And just like Gmail, documents and information would remain on Google’s servers so they can be accessed anywhere.  This is a great convenience, but brings with it several problems, namely: 

The fact that unauthorized document access is a simple password guess or government “request” away already works against them. But the steady stream of minor security incidents we’ve seen (many very recently) can also hurt Google in the long run.

Arrington’s post goes on to highlight a series of small but significant security lapses at Google.  If Google wants companies and individuals to store sensitive data on their servers, they have to be pretty near perfect - or better than perfect.

Then there is government “request.” Arrington makes appropriate use of quotation marks to indicate irony.  Governments rarely “request” data in the true sense of that term.  Rather, they require its disclosure in various ways - by warrant or subpoena, for example, by issuing “national security letters,” or by making a technical “request” that is backed by the implicit threat of more direct action or regulatory sanctions.

On resisting government demands for data, Google has been better than most - an awfully low hurdle.  It opposed a subpoena for data about users’ searches earlier this year.  But Google has a long way to go if it wants people to believe that leaving data in their hands does not provide easy (and secret) access to the government.  Indeed, thanks to the recently passed cybercrime treaty, doing so may well provide access to foreign governments, opening the door to corporate espionage and any number of other threats.

At a meeting of the Department of Homeland Security’s Data Privacy and Integrity Advisory Committee in San Francisco last July, I asked Google Associate General Counsel Nicole Wong what the company is doing about its ability to protect information from government “request,” given the sorry state of Fourth Amendment law with respect to personal information held by third parties.  Her answer, which I must summarize because the transcript is not yet online, amounted to “not much.”  (Eventually, the transcript should be linked from here.)

Google has issued a “me too” about an effort to invite regulation of itself.  That project is going nowhere, but if it did get off the ground, it would do nothing about government access to the information that Google holds for its customers. 

Government access to data is a big flaw in Google’s nascent effort to move into online productivity services.