Category: economics

It's a Lie: Seattle Taxpayers Will Pay for a Staduim

The Seattle Times carries a press release: “Arena plan as solid as it looks?

The intricate plan offered for an NBA and NHL arena in Sodo hinges on the untested strategy of building a city-owned, self-supporting arena, without the aid of new taxes, and with team owners — not taxpayers — obligated to absorb any losses.

This not only a lie, it is a blatant lie, contradicted by statements later in the article:

…Seattle and King County would finance $200 million — likely in bonds — to cover construction costs. The city would recoup its money through lease payments and the taxes on everything from tickets to concessions from the arena.

Let me translate that into plain English. The taxpayers of Seattle and King County would sign a bond. We’d be obligated to pay it back if or when the Supersonics new team leaves town. Also, let me comment that the use of “would” is inaccurate. The word that the writers sought and were unable to come up with is “might”, as in: “the city might recoup its money…”

One more quote:

It’s hard to argue against the idea of an arena that pays for itself.

It’s even harder to guarantee it, though.

Actually, it’s easy to guarantee that the arena pays for itself, or at least that the taxpayers don’t pay for it. The builders finance the arena. See how easy that is? They issue the bonds, they reap the profits. Then the people of Seattle and King county are guaranteed to not be on the hook.

Pretty simple, if the Seattle Times would stop relaying lies about who’s on the hook for bonds issued by Seattle or King County.

Look, while I’m opposed to having to sit in traffic for yet more sporting events, I shouldn’t have a say in how these folks spend their money. The arena backers should feel free to spend their money, plus as much as anyone will loan them, to build a stadium, buy a team, or hold a parade. That’s what freedom is about. But the people of Seattle should not carry any of the risk. The money should be entirely private.

Maybe the plan can’t work without Seattle bearing some of the risk. If that’s the case, that’s because this isn’t the sure thing that its backers want us to think. It means that the bankers see this as a risky thing, and want to transfer that risk to some sucker. I don’t want to be the sucker who’s paying for a failed deal. Do you?

Threat Modeling and Risk Assessment

Yesterday, I got into a bit of a back and forth with Wendy Nather on threat modeling and the role of risk management, and I wanted to respond more fully.

So first, what was said:

(Wendy) As much as I love Elevation of Privilege, I don’t think any threat modeling is complete without considering probability too.
(me) Thanks! I’m not advocating against risk, but asking when. Do you evaluate bugs 2x? Once in threat model & once in bug triage?
(Wendy) Yes, because I see TM as being important in design, when the bugs haven’t been written in yet. 🙂

I think Wendy and I are in agreement that threat modeling should happen early, and that probability is important. My issue is that I think issues discovered by threat modeling are, in reality, dealt with by only a few of Gunnar’s top 5 influencers.

I think there are two good reasons to consider threat modeling as an activity that produces a bug list, rather than a prioritized list. First is that bugs are a great exit point for the activity, and second, bugs are going to get triaged again anyway.

First, bugs are a great end point. An important part of my perspective on threat modeling is that it works best when there’s a clear entry and exit point, that is, when developers know when the threat modeling activity is done. (Window Snyder, who knows a thing or two about threat modeling, raised this as the first thing that needed fixing when I took my job at Microsoft to improve threat modeling.) Developers are familiar with bugs. If you end a strange activity, such as threat modeling, with a familiar one, such as filing bugs, developers feel empowered to take a next step. They know what they need to do next.

And that’s my second point: developers and development organizations triage bugs. Any good development organization has a way to deal with bugs. The only two real outputs I’ve ever seen from threat modeling are bugs and threat model documents. I’ve seen bugs work far better than documents in almost every case.

So if you expect that bugs will work better then you’re left with the important question that Wendy is raising: when do you consider probability? That’s going to happen in bug triage anyway, so why bother including it in threat modeling? You might prune the list and avoid entering silly bugs. That’s a win. But if you capture your risk assessment process and expertise within threat modeling, then what happens in bug triage? Will the security expert be in the room? Do you have a process for comparing security priority to other priorities? (At Microsoft, we use security bug bars for this, and a sample is here.)

My concern, and the reason I got into a back and forth, is I suspect that putting risk assessment into threat modeling keeps organizations from ensuring that expertise is in bug triage, and that’s risky.

(As usual, these opinions are mine, and may differ from those of my employer.)

[Updated to correct editing issues.]

"Pirate my books, please"

Science fiction author Walter John Williams wants to get his out of print work online so you can read it:

To this end, I embarked upon a Cunning Plan. I discovered that my work had been pirated, and was available for free on BitTorrent sites located in the many outlaw server dens of former Marxist countries. So I downloaded my own work from thence with the intention of saving the work of scanning my books— I figured I’d let the pirates do the work, and steal from them. While this seemed karmically sound, there proved a couple problems.

Read more in “Crowdsource, Please.”

I'd like some of that advertising action

Several weeks back, I was listening to the Technometria podcast on “Personal Data Ecosystems,” and they talked a lot about putting the consumer in the center of various markets. I wrote this post then, and held off posting it in light of the tragic events in Japan.

One element of this is the “VRM” or “vendor relationship management” space, where we let people proxy for ads to us.

As I was listening, I realized, I’m in the market for another nice camera. And rather than doing more research, I would like to sell the right to advertise to me. There’s a huge ($59B?) advertising market. I am ready to buy, and if Fuji had shipped their #$^&%^ X100, I was about ready to buy it. But even before the earthquake, they were behind in production, and I’m ready to buy. So I could go do research, or the advertisers could advertise to me. But before they do, I want a piece of that $59B action.

I don’t want to start a blog. (Sorry, Nick!). I don’t want to sell personal information about me. I want another nice camera. How do I go about accepting ads into this market?

I’m willing, by the way, to share additional information about my criteria, but I figure that those have value to advertisers. Please send in your bids for the answers to specific questions. Please specify if your bids are for exclusive, private, or public answers. (Public answers prevent others from gathering exclusive market intelligence, and are thus a great strategic investment.)

So, dear readers, how do I get a piece of the action? How do I cash in on this micro-market?

If I get a highly actionable answer, I’ll share 25% of the proceeds of the advertising with whomever points me the right way.

Copyrighted Science

In “Shaking Down Science,” Matt Blaze takes issue with academic copyright policies. This is something I’ve been meaning to write about since Elsevier, a “reputable scientific publisher,” was caught publishing a full line of fake journals.

Matt concludes:

So from now on, I’m adopting my own copyright policies. In a perfect world, I’d simply refuse to publish in IEEE or ACM venues, but that stance is complicated by my obligations to my student co-authors, who need a wide range of publishing options if they are to succeed in their budding careers. So instead, I will no longer serve as a program chair, program committee member, editorial board member, referee or reviewer for any conference or journal that does not make its papers freely available on the web or at least allow authors to do so themselves.

Please join me. If enough scholars refuse their services as volunteer organizers and reviewers, the quality and prestige of these closed publications will diminish and with it their coercive copyright power over the authors of new and innovative research. Or, better yet, they will adapt and once again promote, rather than inhibit, progress.

I already consider copyright as a factor when selecting a venue for my (sparse) academic work. However, there’s always other factors involved in that choice, and I don’t expect them to go away. Like Matt, my world is not perfect, and in particular, I’m on the steering committee of the Privacy Enhancing Technologies Symposium, and we publish with Springer-Verlag. I regularly raise the copyright question with the board, which has decided to stay with Springer for now [and Springer does allow authors to post final papers].

There’s obviously a need for a business model for the folks who archive and make available the work, but when many webmail providers give away nearly infinite storage and support it with ads, $30 per 200K PDF is way too high for work that was most likely done on a government grant to improve public knowledge.

I’m not sure what the right balance will be for me, but I’d like to raise one issue which I don’t usually see raised. That is, what to do about citing to these journals? I sometimes do security research on my own, or with friends outside the academic establishment. As a non-academic, I don’t have easy access to ACM or IEEE papers. Sometimes, I’ll pick up copies at work, but that’s perhaps not an appropriate use of corporate resources. Other times, I’ll ask the authors or friends for copies. We need to understand what’s been done to avoid re-inventing the wheel.

If our goal is to ensure that scientific work paid for by the public is not handed over to someone who puts it behind a paywall, perhaps the next step is to apply pressure by only reviewing open access journals and conferences? When I first thought about that, I recoiled from the idea. But the process of looking for previous and related work is a process which must be bounded. There’s simply too many published papers out there for anyone to really be aware of all of it, and so everyone limits what they search. In fact, there are already computer security journals, including Phrack and Uninformed, which are high quality work but rarely cited by academics.

So I’m interested. Does being behind a paywall suffice as a reason to not cite work? If you answer, “no, it’s not sufficient,” how much time or money do you think you or I should reasonably spend investigating possibly related work?

Unmeddle Housing More

Last month, I wrote:

But after 50 years of meddling in the market, reducing the support for housing is going to be exceptionally complex and chaotic. And the chaos isn’t going to be evenly distributed. It’s going to be a matter of long, complex laws whose outcomes are carefully and secretly influenced. Groups who aren’t photogenic or sympathetic will lose out. (I’m thinking “DINKs” in gentrified urban areas.) Groups who aren’t already well-organized with good lobbyists will lose out. (See previous parenthetical.) Those who believed that the government housing subsidy would go on forever will lose. (“Unmeddling Housing,” January )

Now, the New York Times reports on the administration’s plan, calling it “audacious:”

The Obama administration’s much-anticipated report on redesigning the government’s role in housing finance, published Friday, is not solely a proposal to dissolve the unpopular finance companies Fannie Mae and Freddie Mac. It is also a more audacious call for the federal government to cut back its broadly popular, long-running campaign to help Americans own homes. The three ideas that the report outlines for replacing Fannie and Freddie all would raise the cost of mortgage loans and push homeownership beyond the reach of some families. (“Administration Calls for Cutting Aid to Home Buyers,” New York Times)

Audacious would be to put the mortgage interest deductions on the table. This is a move in the right direction, but it’s not going to let people express their real preferences in a market. It will continue to distort the market, reducing people’s flexibility to move, and encouraging them to make their major asset a non-liquid one which is likely to decrease in value as the US population ages.

Unmeddling Housing

For a great many years, US taxpayers have been able to deduct interest paid on a home mortgage from their taxes. That made owning property cost roughly 20% less than it otherwise would have (estimating a 25% tax rate on interest on 80% of a property). So everyone could afford 20% “more” house, which meant that property values inflated until things were in balance again.

It was a good deal for those who were in at the start. But we should also ask, who lost out? First, anyone renting who couldn’t take the deduction. Second, anyone who assumed that this state of affairs would go on forever. Because this week, the chair of the FDIC called for a re-examination of that policy.

Now, this week, Goldman Sachs predicted a 20% drop in Seattle home prices over the next two years, so as a renter, I get to feel a little schadenfreude. But more important, I think, is the chaos of unwinding 50 years of distortion in the housing market.

A great many people have taken the rise in home prices as a bankable truism. Conflating the rise in prices has been a massive increase in the size of houses and lots, underwritten by cheap oil and large highways, but I’m going to mostly set that aside, and focus on the impact of social policy.

Homeownership has a number of downsides. It locks up a tremendous amount of capital in an illiquid investment. It conflates investment and emotional concepts of home. It makes it hard to move when you need a new job.

Now, a government policy to encourage homeownership (uber alles) encourages homeownership. The trouble is, it does so in an unnatural way, and in a way which it now seems appears unsustainable to our bank regulators. That it’s unnatural and unsustainable was always obvious. It’s inherent in the fact that it’s being encouraged. At the margin, there are either people who buy because it’s encouraged, or the policy is an utter failure. So there are people who, without such a policy, would not be homeowners. And homes cost more than they otherwise would.

But after 50 years of meddling in the market, reducing the support for housing is going to be exceptionally complex and chaotic. And the chaos isn’t going to be evenly distributed. It’s going to be a matter of long, complex laws whose outcomes are carefully and secretly influenced. Groups who aren’t photogenic or sympathetic will lose out. (I’m thinking “DINKs” in gentrified urban areas.) Groups who aren’t already well-organized with good lobbyists will lose out. (See previous parenthetical.) Those who believed that the government housing subsidy would go on forever will lose.

Most of all, those of us who lived within our means are going to lose out as the taxpayer “helps cushion” the “unpredictable” changes.

The worst part is, government never needed to get involved.

[This was written in June, I forgot to hit post, so the dates are a little off.]

Israeli Draft, Facebook and Privacy

A senior officer said they had found examples of young women who had declared themselves exempt posting photographs of themselves on Facebook in immodest clothing, or eating in non-kosher restaurants.

Others were caught by responding to party invitations on Friday nights – the Jewish Sabbath. (“Israeli army uses Facebook to expose draft dodgers,” Wyre Davies, BBC)

What’s interesting to me about this story is that it illustrates how part of the cost of using Facebook is the occluded future. If you’d asked me if Facebook impacted on military draft, I’d have said no. Predictions are hard, especially about the future. And the young women in question probably didn’t think that their use of a social networking site would cause them to be drafted.

A second interesting aspect to this is that it indicates that one’s Facebook profile, in aggregate, is a religious identifier. That’s interesting because religious information is categorized specially under the Canadian privacy act (PIPED) and possibly also under European data protection laws. I haven’t seen this aspect covered in the analyses that I’ve read from those regulators. (Admittedly, I have not read all of those analyses.)

It's not TSA's fault

October 18th’s bad news for the TSA includes a pilot declining the choice between aggressive frisking and a nudatron. He blogs about it in “Well, today was the day:”

On the other side I was stopped by another agent and informed that because I had “opted out” of AIT screening, I would have to go through secondary screening. I asked for clarification to be sure he was talking about frisking me, which he confirmed, and I declined. At this point he and another agent explained the TSA’s latest decree, saying I would not be permitted to pass without showing them my naked body, and how my refusal to do so had now given them cause to put their hands on me as I evidently posed a threat to air transportation security (this, of course, is my nutshell synopsis of the exchange). I asked whether they did in fact suspect I was concealing something after I had passed through the metal detector, or whether they believed that I had made any threats or given other indications of malicious designs to warrant treating me, a law-abiding fellow citizen, so rudely. None of that was relevant, I was told. They were just doing their job.

It’s true. TSA employees are just doing their job, which is to secure transportation systems. The trouble is, their job is impossible. We all know that it’s possible to smuggle things past the nudatrons and the frisking. Unfortunately, TSA’s job is defined narrowly as a secure transportation system, and every failure leads to them getting blamed. All their hard work is ignored. And so they impose measures that a great many American citizens find unacceptable. They’re going to keep doing this because their mission and jobs are defined wrong. It’s not the fault of TSA, it’s the fault of Congress, who defined that mission.

It’s bad enough that the chairman of British Airways has come out and said “Britain has to stop ‘kowtowing’ to US demands on airport checks.”

The fix has to come from the same place the problem comes from. We need a travel security system which is integrated as part of national transportation policy which encourages travel. As long as we have a Presidential appointee whose job is transportation security, we’ll have these problems.

Let’s stop complaining about TSA and start working for a proper fix.

So how do we get there? Normally, a change of this magnitude in Washington requires a crisis. Unfortunately, we don’t have a crisis crisis right now, we have more of a slow burning destruction of the privacy and dignity of the traveling public. We have massive contraction of the air travel industry. We have the public withdrawing from using regional air travel because of the bother. We may be able to use international pressure, we may be able to use the upcoming elections and a large number of lame-duck legislators who feared doing the right thing.

TSA is bleeding and bleeding us because of structural pressures. We should fix those if we want to restore dignity, privacy and liberty to our travel system.

Money is information coined

In the general case, you are not anonymous on the interweb, but economically-anonymous, which I propose to label “enonymous”, and that’s not the same thing at all. If you threaten to kill the President, you will be tracked down, and the state will spend the money it takes on it. But if you call Lily Allen a a hereditary celebrity and copyright hypocrite (not my own views, naturally) then it’s not worth the state’s money to track you down. If Lily wants to spend her own money on tracking you down and taking a civil action for libel, then fair enough, that’s the English way of limiting free speech. If the newspapers want to spend their own money on it, fine.

I think this is an interesting approach, bringing friction into the definition. It resonates as related to an information-centric definition of anonymity. If we say that money is information coined, then we bring in Hayek. Which is always good fun.

The explicit introduction of money as a way to measure (a subset of) privacy invasions allows us to think about the erosion of privacy by the addition of technology. We know that the internet makes it easier, and perhaps money is that yardstick. What does it take to track down your property taxes? It’s gone from sending someone to the county records office to having someone with a browser. So Alice’s privacy with respect to Bob is not only lower, it’s no longer related to the cost of travel. We’ve zero’d out a term in the cost equation, and that leads to all sorts of chaos.

Anyone engaged in the NSTIC discussion should read and ponder the line of reasoning that Dave extracts over a long and chaotic set of sources. His post advances the discussion around NSTIC, and raises questions that must be answered if that work is to lead anywhere.

The NSTIC proposal places no value on anonymity; indeed, it evinces an apparent lack of understanding of what anonymity really means. It takes for granted the need for authentication (if we pay in cash, why does a merchant, much less a common carrier or government agency, need to know about us other than that our money isn’t counterfeit?) and confuses a policy that purportedly restricts disclosure of our identity with actual non-knowledge of our identity.
[From Papers, Please! » Blog Archive » Public says “No” to national cyberspace ID proposal]

If we in Europe decide to develop our own kind of European Strategy on Trusted Identites in Cyberspace (ESTIC) then I think it should not only include both conditional and unconditional anonymity but should strive to make it clear that, like pseudonymity, these types of online persona will be the norm, not the exception.