Framing Effects & Law Reviews

Framing effects is the term academics across several disciplines use for the way context shapes perception. For example, six months ago this laptop went for $4,800, and now it’s just $3,500! Similarly, law reviews, where lawyers write for each other, are usually exceptionally long, from my perspective. And so we get Orin Kerr saying:

Fun, Entertaining, Clever, and Short: Believe it or not, that’s a description of a forthcoming law review article. Yes, a law review article. Check out The Perfect Crime, by law prof Brian C. Kalt, forthcoming in the Georgetown Law Journal. It clocks in at 22 amusing double-spaced pages…

Yes, in law-review world, that’s short. In my world, this is slightly fun, mildly entertaining, clever in a sort of self-referentially post-modern fashion, and short, at slightly over 22 words.

Small Bits: Long tunnels, Marburg virus, Cyber Cons

  • Iraqi prisoners have dug a 200m tunnel out of one of the US-run prisons in Iraq. The BBC has pictures.
  • Marburg virus is spreading in Angola. Marburg is an Ebola-like haemorrhagic agent. Some analysis.
  • Charles Cooper has a column at CNET ranting about the state of the information security industry:

    It’s tempting to become cynical about so sensitive a subject, but the blunt truth is that Americans care more about the ultimate outcome of “American Idol” than they do about repairing the nation’s IT infrastructure. Outside of the confines of the security nerds who live and breathe this stuff, most folks are bored silly by the subject.

  • If you’re not bored silly by this stuff, Not Bad for a Cubicle has a nice post on The Costs of Keeping Data. If you’re responsible for security programs, you should read what he says about your costs and risks.

Lying to Congress, Murdering Prisoners Now Legal

Ryan Singel reports that lying to Congress is now legal, at least according to TSA spokeswoman Amy Von Walter. “Von Walter also indicated the agency is working to make sure that the public and Congress are better informed about the agency’s actions.”

In other news, the Pentagon will ignore the recommendation of the Army Criminal Investigation Command to try the soldiers responsible for the deaths of detainees. Michael Froomkin has commentary.

Next up, sending prisoners to Egypt, and then seven or eight other things.

Choicepoint, March 24/25

  • The Federal Reserve has joined the FDIC in ordering banks to notify customers of breaches.
  • Forbes reports that Choicepoint director Thomas Coughlin has resigned his day job at Wal-Mart:
    “A senior board member of Wal-Mart Stores Inc. resigned Friday following an internal investigation related to personal reimbursements, billing and company gift cards.”

  • [Choicepoint CEO] Derek Smith has apparently received threats via fax, according to TV station WXIA Atlanta. Here’s a cheat sheet for you:
    • Denying his job application because of a Texas criminal record: Entertaining.
    • Sending him Nigerian spam from a Kinko’s in LA: Self-referentially ironically cool.
    • Sending threats: Not cool.
  • Scott Berinato has a column at CSO Magazine calling this the Waterloo of information security. (Is there a permalink to that column?)
  • The Christian Science Monitor has an editorial entitled “Locking Out Identity Thieves.” The subtitle is “Why are data collectors blocking efforts to require notice of a security breach?”

    One problem that critics point out: Consumers might also limit their own ability to obtain credit. But that’s a small price to pay for privacy and a more secure online identity.

The best way to see all my Choicepoint posts is probably the category archive for Choicepoint. [Update: added Berinato column, 2: Identified Smith]

Security In a Changing Nation

Screendiscussion responds to my comments about “Three Privacy Breaches” in Security In a Changing Nation. He sums up his argument as “Why? The reason is that we, as a nation, have become extremely security conscious in the past few years.” I think this is only partially correct. I suspect that this is part of it. Perhaps that consciousness also entails an understanding that no one is perfect? That the attacker only needs to win once? That a cover-up is a worse sin than a mistake?

I suspect it’s the last bit: we’re coming to see security mistakes as mistakes that will happen. I think we need to start designing systems with that in mind.

Discretionary Disclosure

A man who pleaded guilty to hacking into an Arkansas data company’s computer system and stealing personal identification files was sentenced Wednesday to nearly four years in federal prison.

Daniel J. Baas, 26, of suburban Milford, entered his plea in December 2003, after being indicted that August.

Baas was a systems administrator for Market Intelligence Group, which had an agreement to analyze data for Acxiom Corp., of Little Rock, Ark., when he exceeded his authorized access and downloaded encrypted password files, prosecutors said.

In a plea agreement, Baas admitted that he stole the data between January 2001 and January 2003 and stored it on computer disks at his home, prosecutors said. On Wednesday, U.S. District Judge Susan Dlott sentenced Baas to 45 months in prison.

Acxiom’s clients include credit card issuers, banks, auto manufacturers, telecommunications companies and retailers. Baas bragged to other hackers that he had the files, but didn’t share them with anyone, prosecutors said.

According to Robert O’Harrow’s “No Place to Hide,” p. 72, the company chose not to notify: “A company official said that the information was simply not that sensitive and ‘did not meet a threshold that would require customer notification.’” (Update: Try this Google Print link.)

Acxiom’s data would be covered under California law and the new laws that a number of states are putting in place after Choicepoint, but not under the FDIC, FRB, or OCC regulations that have been put forth.

Disclosure Laws & Regulations

Declan McCullagh writes about new rules requiring banks to disclose breaches, as promulgated by an alphabet soup of federal regulators.

A brief digression: The new guidelines seem to make sense, but it’s difficult to figure out whether they go too far or not far enough. Normally consumers can shop around and choose products based on a whole range of different options.

For instance, a hypothetical BankSuperSecure might employ only bonded employees with government security clearances and hire armed guards to watch these employees all the time. Those security measures would probably reduce the chance of insider shenanigans — but would come at a substantial cost that would be passed on to consumers in the form of lower interest rates on savings accounts and higher interest rates on loans and credit cards.

Its hypothetical competitor CheapDiscountBank might take less rigorous security mechanisms but offer far better terms on savings accounts and loans. In this scenario (let’s assume that the banks were required to disclose their respective approaches to security), consumers could choose what risks they’re willing to take and companies could experiment. Because that process doesn’t exist today, we end up with a one-size-fits-all rule that sets both a security floor and also a de facto ceiling that banks seem unwilling to exceed. It’s difficult to know whether that security “level” is the best one for consumers.

I’ll suggest that the new rules don’t go far enough. As the Washington Post story (archived here) explains: “If the organization determines that misuse is unlikely, it need not report the breach to its customers.” So CheapDiscountBank might have one criterion for that determination, while BankSuperSecure has another. But consumers won’t be able to compare those. As the regulation says, “It also should generally describe what the institution has done to protect the customers’ information from further unauthorized access.” Generally describe? How can I assess a general description? (A non-expert consumer might have difficulty, but could turn to Consumer Reports, or other trusted sources, for advice.)

Also, federally mandated “know thy customer” regulations require banks to gather, authenticate, and store everything an ID thief needs to go about their business. BankSuperSecure might promise to throw away all the non-essential data, so that they can’t have a breach of it. BankSuperSecure could thus lower their costs and increase their security. It’s too bad that a mere $50 billion in annual losses doesn’t prompt a review of how we’ve organized the regulatory regime.

“A Unified Theory of VC Suckage”

Brad Feld pointed to an essay by Paul Graham, entitled “A Unified Theory of VC Suckage.” (VC is short for venture capitalist, the folks who invest in certain types of startup companies.)

I used to take it for granted that VCs were like this. Complaining that VCs were jerks used to seem as naive to me as complaining that users didn’t read the reference manual. Of course VCs were jerks. How could it be otherwise?

But I realize now that they’re not intrinsically jerks. VCs are like car salesmen or petty bureaucrats: the nature of their work turns them into jerks.

What I really like about Paul’s essay is that it talks about some of the economic pressures on VC funds, and how those pressures get pushed to startups.

This is a strange thing for a startup guy to say, but I have a lot of sympathy for venture capitalists. In some ways, a VC fund is like a startup. You have some guys who know something about business. They go out looking for money. If they get the money, they have 10 years to make good on it. I might get pilloried for this next sentence by people who skim past why I’m saying it: unlike a startup, most VCs have relatively little in the way of compelling advantages. That’s not to say that investors are indistinguishable, only that it’s even harder for a VC firm to create, maintain, and communicate a compelling advantage over the other firms.

Most investors don’t get to build disruptive technology. They get slight first-mover advantages. Most VCs are in cutthroat competition with other VCs for the ability to put cash into a few good companies, and a lot of ‘maybes.’ A good investor brings good strategic advice, a big rolodex, and a willingness to work for you. Well, so does that other fund. Compare that to a startup, which can get a strong first-mover advantage by building, say, a database that’s 10 times faster, or by signing six customers in the Fortune 500.

So I think, to extend Paul’s economic analysis of why investors and startups clash, it goes back to the limited partners who invest in venture capital funds, and the way they need to behave.

As a side comment, Rick Segal asks:

And what is this issue with a liquidity event? Why is that evil? What’s wrong with making some coin, selling companies, IPOs, mergers, whatever. I’ve yet to see anybody, Paul included, give me a compelling reason why this aspect of venture capital means we all suck.

Let me start by reiterating that I don’t buy the suckage claim. At the same time, there are businesses which may look like VC-fundable businesses and, to everyone’s surprise, turn out to be organic-growth sorts of businesses. For these companies, which need to contort to give their investors an exit, the liquidity requirement can suck. If the investors and CFO are good, I think there are usually options, such as a management-led leveraged buyout, or converting equity to debt and giving the cash to the investors. But, really, the issue is that VC firms are on a ten-year schedule, and that creates pressure on the startups to be on (at most) a 5-6 year schedule. If you don’t know this going in — if you’re starting a startup to build a great business like your grandparents did — then you can find yourself in a world of hurt.

“What Would Gandhi do?”

“What would Gandhi do?” is the title of a soul-searching post by Joi Ito about positioning. It reminded me of a passage in William Shirer’s memoir of his time with Gandhi. I’d like to quote the passage, which ends chapter 11, and then add some comments. The context is Gandhi’s visit to England, and in particular his visit to the Lancashire mills, which were suffering from an Indian boycott of English cloth. Gandhi visited the mills to find allies and support for his goal of Indian independence.

Gandhi was too tactful to mention–to the workers or the employers–a strong impression he had gained after three days in Lancashire. It would have amazed them, I think. But he remarked on it to me the last day in Manchester. He was taken aback, he said, by the backwardness of Lancashire’s cotton industries.

“I’m no mechanic,” he smiled, “but I’ve seen enough up here in three days to show me that the English are using antiquated machinery. It probably explains their inability to compete with other countries. The machinery in the Bombay and Ahmedabad mills is one hundred percent more efficient.”

So, when it came to searching for allies, Gandhi did not feel compelled to say everything he thought. He was truthful, and had someone thought to ask, he probably would have answered honestly. So I think pulling back from offending your audience so much that they close their ears is a fine thing.

At the same time, sometimes you may not be able to be diplomatic. I think we agree that over the next decade, copyright is likely to change dramatically. Innovative publishers like Baen books and O’Reilly are experimenting with new models. If a publisher wishes to call Baen and O’Reilly’s experiments ‘disgusting,’ they’re free to do so. (Well, they may have a fiduciary duty to their shareholders to figure out how likely a change in copyright law is, and how they’d handle it if it happens, but they can still call it disgusting.)

Earlier in the chapter, Shirer discusses how, at the London conference on India, Gandhi ignored the wishes of the rest of the delegation and announced that Britain should take on India’s national debt. He did this because he thought it was right, and important. I suppose, to sum up my reading of Gandhi: consider whether what you’re saying needs to be said. If something needs to be said, don’t be afraid to speak the truth.