The Social Construction of Crime and Tort on the Internet

11 04 2012

Can things that look like hard facts and indeed are hard facts be socially constructed? Sure. But many people, indeed quite a few scientists, think not. I remember being quite surprised a decade and a half ago when I realized how many facts were indeed socially constructed. It is more obvious that social facts such as crimes and torts are socially constructed. Certain behavior is deemed to constitute a crime, and that is a construction; we (or rather, our lawmakers) do it all the time. But facts about existing types of crime can also be socially constructed, and I find that much more problematic. What particularly concerns me here is the casual interpretation of existing categories of crime or tort on internet behavior.

I remember first realising how true it is that hard facts can be socially constructed by reading John Searle’s brilliant book The Construction of Social Reality. There are lots of facts about money. Money is just as real as my house. But it is purely a social construction. That doesn’t mean that “all truths are relative to the truthsayer”, as people such as the late Richard Rorty notoriously claimed. Many psychologists one encounters like to speak of what is “true for you” or “true for him”, but many of them still intuitively know they can be flattened by the bus they hadn’t seen when they try to cross the road and don’t look first, whatever they might think their truth consists in. Still, there is real meat, not just relative meat, in the debate between “realists” and “relativists”. Robert Nozick wrote a fine book, Invariances, on it in 2002, in which he argues truth is relative and tries to show to what. A decade ago, even I made my own minor contribution to the debate around the Sokal hoax and the Bricmont-Sokal review of some sociological thinking about science. But all that is not really my point here.

Before I get to that point, let me make a relevant plug. I recently read Harry Collins’ latest book, Gravity’s Ghost, which has a brilliant example of a social construction in science. Collins is notorious among some scientists (and some philosophers of science, I think) for claiming that much of science is a social construction. No, say the scientists, it is about reality and fact (whatever those are, add the philosophers). Harry has studied the gravitational-wave community, the people trying to detect gravitational waves, for many years, and far from playing one of those “truth-is-what-you-want-it-to-be” sociologists, he looks to have gone native. And he tells a great story. The book reads like a novel, and is quite short. If you want to know how “big science” is done, it is hard to think of a more entertaining introduction. The book also has one of the finest introductions I have read to the difficulties of statistical reasoning as a guide to reality, with insights I cannot recall having read elsewhere. I probably don’t agree with all of it, but I enjoyed reading it and wasn’t in critical mode as I did so.

One of the major problems, perhaps the major problem after that of money, in gravity-wave science, is knowing when you have seen something. Collins has a wonderful account of how a phenomenon was reified by vote. And the vote wasn’t unanimous! (Buy the book! Read it! End of Plug!)

I talk here about a social construction which worries me. Crimes and torts are being constructed out of Internet activity. I don’t mean here crimes and torts as traditionally conceived, which may be committed in ways enabled by internet technology. The Economist once argued (in the 1990s; I am sorry that I no longer have the reference) against constructing specific internet crimes out of activities which are already proscribed, but which are enabled in different ways by new technology. As a classical liberal in my political thinking, I am very wary of the invention of new crimes specific to the internet, or of reinterpreting old categories of proscribed behavior in inventive new ways to cover internet activity.

When working in California in the 1980s, I felt the consequences of the Morris Internet Worm. Robert Tappan Morris Jr. was widely vilified for having released the worm, and eventually convicted of a crime. I felt at the time that that was desperately all wrong. There is no doubt that it was a watershed moment. Companies and organisations were installing and selling artefacts that I felt were not completely fit for purpose. Specifically, large public companies were selling proprietary versions of the Unix operating system, with the Sendmail program compiled with the debug flag set, thus allowing a back door into root privilege on their customers’ computers. I felt that was simply negligent. That was just one example of people being unwise, arguably negligent, and enabling possible damage to innocent others. I was concerned that such things were becoming a major problem on the internet in those days (I have long considered this to have been decisively proved!).

What is one going to do about it? Since such habits constitute force majeure, any action must be political – you must bring it inconveniently to people’s attention, because they will ignore you, as they had been doing for years, if you just say “I don’t think this is a good idea” and leave it at that. But inconvenience too many people, and some of them are likely to try to criminalise your activity; force majeure again. It’s a dilemma; there is a fine line.

We now know well the competing philosophies. One (mine) says that Morris was performing what was, at that time, for that act, a legitimate public service. The public needs to be shown how bad things are, once, to start serious public debate and hopefully rectify the situation. That did not turn out to be the majority view. The majority view adds up the collective resources spent on combating the worm (stupidly or intelligently, all of it counted equally), puts it in dollar terms (or equivalent measure) and says to Morris “that is the damage you have caused“. And that is the view that prevails nowadays. That is the view proposed by the U.S. Department of Defense, which has added up all the resources it claimed were compromised by Gary McKinnon’s hack into and through their WWW sites. The fact that they were apparently using insecure software for a site that, by their own arguments, was essential to US national security is apparently no longer considered a significant and culpable act of negligence. I feel strongly that such unfortunate events as the McKinnon hacking episode and attempted extradition would not be happening had we collectively chosen the other reaction to Morris’s escapade some twenty-odd years ago: holding the owners of frangible systems more responsible for the effects of that frangibility.

Which is why I am exercised by what I take to be the invention of a tort. An article by Lauren Weinstein in today’s Risks 26.78 points to an interesting article by a Business-School computer scientist, Panos Ipeirotis, written a year ago, on a scheme for making money from internet advertising.

Someone set up a bunch of domains with benign names to host invisible ads which were then automatically clicked. The ads were of the pay-per-click variety, and the assessment was only made on the “host” site. However, as far as I understand it, the money went elsewhere.

What puzzles me, indeed slightly disturbs me, is that Ipeirotis and Weinstein describe this as “fraud”, and I presume the WSJ, which picked up on the story, does too. Yes, things that are happening and actions that are being taken are not what they seem, for example, an ad on a 0×0 frame cannot be “seen” by any human, the “click” on it is automatic, and a frame that is loaded is not necessarily the same frame that a cursory scan of the source code might lead you to think it was. But all of these things are commonplace in Internet commerce as it is currently practiced.
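Whatever one chooses to call the scheme, anyone auditing a publisher’s pages for an ad network would want a way to find frames of the kind described. The following is an added example written for this post; it is not code from the original page, from Ipeirotis’s article or from any ad network. It scans HTML for iframes declared at zero size, hidden with the HTML “hidden” attribute, or hidden by inline CSS, and sorts them from the frames a reader could actually see. The sample page, and the ads.example hostname in it, are constructed for the example.

```python
"""Find the iframes on a page that no human reader could see.

Added example for this post; not code from the original page, from
Ipeirotis's article or from any ad network. It scans HTML for <iframe>
elements declared at zero size or hidden by an attribute or inline CSS,
the kind of frame the post describes as carrying an ad that nobody
"sees". The sample page at the bottom is constructed for the example.
"""
from html.parser import HTMLParser
import re

# A CSS length or HTML size attribute that is zero: "0", "00", "0px", "0.0em", "0%".
_ZERO_LEN = re.compile(r"^\s*0+(?:\.0+)?(?:px|pt|em|rem|vw|vh|%)?\s*$", re.IGNORECASE)


def _is_zero(value):
    """True if a width/height value is effectively zero (None or '' is not)."""
    return value is not None and _ZERO_LEN.match(value) is not None


def _parse_style(style):
    """Turn 'width:0;height: 0px' into {'width': '0', 'height': '0px'}."""
    props = {}
    for decl in (style or "").split(";"):
        if ":" in decl:
            name, val = decl.split(":", 1)
            props[name.strip().lower()] = val.strip().lower()
    return props


def _css_hidden(style):
    """True if an inline style hides the box or collapses it to 0x0."""
    props = _parse_style(style)
    if props.get("display") == "none" or props.get("visibility") == "hidden":
        return True
    return _is_zero(props.get("width")) and _is_zero(props.get("height"))


class InvisibleFrameFinder(HTMLParser):
    """Sorts every <iframe> src into 'invisible' or 'visible' by its declared geometry."""

    def __init__(self):
        super().__init__()
        self.invisible = []
        self.visible = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        zero_attrs = _is_zero(a.get("width")) and _is_zero(a.get("height"))
        if zero_attrs or "hidden" in a or _css_hidden(a.get("style")):
            self.invisible.append(src)
        else:
            self.visible.append(src)


def find_invisible_iframes(html):
    """Return (invisible_srcs, visible_srcs) for the iframes in an HTML document."""
    finder = InvisibleFrameFinder()
    finder.feed(html)
    finder.close()
    return finder.invisible, finder.visible


# Constructed sample page: one ordinary banner and four frames no reader can see.
SAMPLE_PAGE = """
<html><body>
<h1>Gardening tips</h1>
<iframe src="https://ads.example/banner" width="728" height="90"></iframe>
<iframe src="https://ads.example/slot1" width="0" height="0"></iframe>
<iframe src="https://ads.example/slot2" style="width:0px; height:0px; border:0"></iframe>
<iframe src="https://ads.example/slot3" style="display:none"></iframe>
<iframe src="https://ads.example/slot4" hidden></iframe>
</body></html>
"""

if __name__ == "__main__":
    hidden, shown = find_invisible_iframes(SAMPLE_PAGE)
    print("invisible:", hidden)  # the four slot frames
    print("visible:", shown)     # the banner
```

The check is deliberately static: it reports only what the markup declares. A frame collapsed by a stylesheet rule, resized by script after the page loads, or, as the post notes, not the frame a cursory reading of the source would suggest, is only caught by inspecting the rendered DOM in a browser, and the automated “click” is not visible in the markup at all.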

I wrote down what I think fraud is. Readers might like to try it for themselves before reading, below, what I wrote and what the reference book says. I wrote:

Fraud is a category of human behavior in which one party is led to believe something which is untrue or misleading by a second party, and is thereby led to engage in a valuable-goods or financial transaction whose nature is not in fact what the first party believes it to be; and where the second party benefits and the first party suffers deprivation.

I then looked it up in James’ Introduction to English Law, which is a standard short reference. It is part of the law of contract. There is something called a “representation”, which is a statement, in this case about goods or material involved in a potential transaction. An untrue representation is called a “misrepresentation”. The tort of “fraud” (or “deceit”) is committed when

a person makes a false representation of fact, knowing it to be false, or without believing it to be true, or recklessly, careless whether it be true or false. The false representation must, further, be made with the intention that it is to be acted upon by the party deceived, and if his claim is to succeed this person must prove that he actually did act upon it to his detriment. (Italics in original omitted)

So I got it more or less right, except that the second party does not need to benefit. A few moments’ thought shows why.

Now, I am sure that the notion of fraud has been extended to electronic actions, such as those made by automated trading devices, in various ways. But it seems to me that a notion of “misrepresentation” would be key to characterising something as fraud. Advertising is rife with misleading representation, but that misrepresentation has to do with perceived content, and there is a lot of law based around that. According to the definition in James’, above, a null representation, such as that shown in a 0×0 frame, would not count as a misrepresentation, for it is not untrue; and it is not untrue for it simply is not!

If something is commonplace, such as pop-under windows and suchlike, or dummy frames such as those with size 0×0, then it is surely not clear in what way there is a misrepresentation (in this technical sense). Saying nothing (or putting an ad in a 0×0 frame) even when you know something, does not constitute fraud: caveat emptor. And whether you are paid for “clicks” surely depends on what the contract says it pays for, and I doubt it says that only clicks are paid for which are made by a bona fide human sitting at a keyboard or tapping on his or her iPhone with intent to view. And in a world in which people pay real money for virtual artefacts on games such as Second Life, it is hard to rely on one’s moral intuition to determine when paying money for something or nothing is “OK” and when it is “not OK”.

If we don’t like what this person is doing, and we collectively decide to proscribe it, then let’s approach our lawmakers and persuade them to do so. Let us not put new whines in old torts.



Solar Storms (Coronal Mass Ejections) and Nuclear Power Plants

28 03 2012

The British Royal Academy of Engineering, an institution whose membership is nominated and elected only, is conducting a study on the engineering and societal impacts of space weather and has issued a call for evidence. I sent the following note on Sunday 25th March to policyAT[theRoyalAcademyOfEngineering] with a copy to the Office of Nuclear Regulation.


Dear Sirs and Mesdames,

You are performing a study of the effects of solar storms on UK infrastructure and asked for evidence to be submitted to this e-mail address by mid-April. I am hereby responding to that call.

Many nuclear power plants are dependent upon continuing supplies of electricity to support not only normal but emergency operations. Cooling systems, including emergency cooling systems, in most plants are dependent on continual (and continually reliable) supplies of electricity for control, and in some cases also operation.

The station blackout at the Fukushima Daiichi plant a year ago focused some attention (ours as well) on the vulnerability of such plants to design and operational assumptions which, in my view, a thorough hazard analysis of the modern variety would and should have made apparent.

Electricity supply to essential functions at nuclear power plants is provided “in depth”, that is, by redundant systems. The BWRs with Mark 1 containment at Fukushima Daiichi obtained power first self-generated, then from external grid supply, then from on-site diesel generators, finally from batteries. The self-generated power was lost upon shutdown, a response to the Tohoku earthquake, which also took out the external grid supply. Nearly an hour later, the diesel generators were flooded by the tsunami and the only electricity supply available became the batteries, which were scoped to supply for 8 hours. The physical requirement in that situation, though, was for far longer than that and the result (of that as well as other damage) was meltdown. I observe that, until recently, the requirement for battery power supply in “station blackout” conditions in some US power stations was only 4 hours. The US Nuclear Regulatory Commission has recently reconsidered that requirement.

One salient engineering phenomenon is that the satisfactory operation of many of these systems was predicated on independent failure of systems. For example severe ground movement and flooding seem to have been taken as independent events by the designers and builders, as far as we know. Whereas at Fukushima Daiichi those events had a common cause, namely the Tohoku earthquake. We see this phenomenon, an assumption of independence vitiated by common-cause events, time and again in engineering.

I understand that a recent solar storm in 1989 took out the grid power supply in Quebec for about nine hours http://en.wikipedia.org/wiki/March_1989_geomagnetic_storm . So it is possible for the consequences of a solar storm to exceed the “design basis” requirement for emergency-system operation at many nuclear power plants of the BWR design (I understand well that the UK has no plants of similar design; I use this simply as an example of how design assumptions and physical reality may not always connect well).

However, I know of no current public study of the effect of a solar storm (coronal mass ejection, CME) on US nuclear power plants, although recent articles in the New York Times by journalist Matthew Wald have detailed some current thinking and practical exercises to install emergency power generators: http://green.blogs.nytimes.com/2012/03/19/a-speed-record-on-the-power-grid/

A Fellow of your institution, Martyn Thomas, has given talks recently on the possible consequences of solar storms on some engineered systems. I am in regular contact with Martyn. He gave a talk at the Workshop I organised last August on the Fukushima Daiichi accident, and has recently given a talk at the Safety-Critical Systems Symposium in Bristol in February 2012, which was filmed by the IET at http://scpro.streamuk.com/uk/player/Default.aspx?wid=12667&ptid=32&t=0 When Martyn asked during his talk who explicitly considered Carrington-type events in their hazard analyses, I was apparently the only person to respond positively. (I chair a standardisation committee in Germany which is performing a hazard analysis of charging electric road vehicles; we explicitly consider solar storms.) That suggests to me that awareness of the consequences of severe solar storms on UK infrastructure is not very high amongst even safety engineers. I would hope that your study could help remedy that.

The issues with hazard analysis and mitigation concerning complex safety-critical systems such as nuclear power plants are not trivial, and this is not the place to list them. But the most salient characteristic which came to light in our work is that the assumptions about what can happen which constitute what the US calls the “design basis” for these plants can be obscure, sometimes outmoded, and, as at Fukushima Daiichi, inappropriate. (It is particularly noteworthy that the vulnerability of the diesel emergency generation to flooding had been pointed out explicitly, most notably by the sociologist Charles Perrow in his 2007 book “The Next Catastrophe”. The possibility of station blackout of BWR designs due to flooding was not exactly an obscure phenomenon. How did the engineers miss that? We don’t know yet, although we have some hints. The answer will be given in my view by sociologists, not by the engineers themselves.)

I looked in the material on the WWW site of the Office of Nuclear Regulation for mention and consideration of solar storms, and found just one document from the Cabot Institute at Bristol University: http://www.hse.gov.uk/nuclear/fukushima/submissions/226920.pdf So the ONR is aware of the potential for such storms, but consequences of such storms are not considered at all in the vulnerability analysis which ONR performed at the request of the government in 2011: http://www.hse.gov.uk/nuclear/fukushima/final-report.pdf

I do think it essential that a careful analysis of the effect of severe solar storms on the safety and emergency infrastructure of nuclear power plants be performed. I think special attention should be paid to the general engineering problem of considering the issue of common-cause failures of kit whose design assumptions include independent failure.

I am moderately sure that you (and the ONR) will be aware of many of these issues already. I hope you understand, though, my desire to ensure that they are considered and hence this note.

Sincerely,

PBL

For those interested in analyses of the Fukushima Daiichi accident, I have a paper on it with clickable links (unlike the version in the Proceedings). I gratefully acknowledge the agreement of the Proceedings publisher, Springer-Verlag, for me to include the paper on our WWW site and note that the final publication from Springer is available at www.springerlink.com in the book Achieving Systems Safety, edited by Chris Dale and Tom Anderson. A video of the accompanying talk is also on IET.tv
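The point in the e-mail about independence assumptions being vitiated by a common cause can be put in numbers. What follows is an added example written for this post; it is not from the original e-mail, from the Academy’s study, or from any plant’s safety case, and every probability in it is an illustrative assumption, not plant data. The four supply stages and the hazards follow the e-mail’s narrative: the earthquake causes shutdown and takes the grid, a solar storm takes the grid, flooding takes the diesels, and the batteries are defeated only by their own limits. The model enumerates which hazards occur and asks whether each stage that survives them still fails on its own; the designer’s model treats the flood as independent of the earthquake, the second model makes it the earthquake’s tsunami while keeping the same marginal probabilities.

```python
"""Loss of all electrical supply: independent hazards versus a common cause.

Added example for the e-mail above; not from the original post, from the
Academy's study or from any plant's safety case. Stages and hazards follow
the e-mail's narrative; every probability is an illustrative assumption.
"""
from itertools import product

# Per-demand probability that a stage fails for its own internal reasons
# (illustrative).
STAGES = {
    "self-generated": 0.05,
    "grid": 0.02,
    "diesel": 0.01,
    "batteries": 0.01,
}

# Which external hazard defeats which stage outright (illustrative, after the
# e-mail's account of Fukushima Daiichi and of the 1989 Quebec grid loss).
DEFEATED_BY = {
    "self-generated": {"earthquake"},
    "grid": {"earthquake", "solar storm"},
    "diesel": {"flood"},
    "batteries": set(),
}

# Illustrative marginal probabilities of each hazard in the analysis period.
P_QUAKE, P_FLOOD, P_STORM = 1e-3, 1e-3, 1e-4

# The designer's model: three hazards that occur independently of one another.
INDEPENDENT = [
    ("earthquake", lambda so_far: P_QUAKE),
    ("flood", lambda so_far: P_FLOOD),
    ("solar storm", lambda so_far: P_STORM),
]

# Same marginal probabilities, but the flood is the earthquake's tsunami: it
# happens only when the earthquake does. P(flood | earthquake) is chosen so
# that P(flood) is unchanged (this needs P_FLOOD <= P_QUAKE).
COMMON_CAUSE = [
    ("earthquake", lambda so_far: P_QUAKE),
    ("flood", lambda so_far: P_FLOOD / P_QUAKE if so_far["earthquake"] else 0.0),
    ("solar storm", lambda so_far: P_STORM),
]


def enumerate_outcomes(hazards):
    """Yield (outcome, probability) for every combination of hazards.

    hazards is an ordered list of (name, cond_prob); cond_prob(so_far) returns
    P(this hazard occurs | the outcomes of the earlier hazards), which is how
    dependence between hazards is expressed. Zero-probability outcomes are skipped.
    """
    for bits in product((False, True), repeat=len(hazards)):
        outcome, prob = {}, 1.0
        for (name, cond_prob), occurs in zip(hazards, bits):
            p = cond_prob(outcome)
            prob *= p if occurs else 1.0 - p
            outcome[name] = occurs
        if prob > 0.0:
            yield outcome, prob


def p_station_blackout(hazards, stages=STAGES, defeated_by=DEFEATED_BY):
    """P(every supply stage fails): sum over hazard outcomes of P(outcome) times
    the product of the own-failure probabilities of the stages that outcome
    did not already defeat."""
    total = 0.0
    for outcome, prob in enumerate_outcomes(hazards):
        occurred = {h for h, yes in outcome.items() if yes}
        p_remaining = 1.0
        for stage, p_own in stages.items():
            if not (defeated_by[stage] & occurred):
                p_remaining *= p_own
        total += prob * p_remaining
    return total


def underestimate_factor():
    """How far the independence assumption understates the blackout probability."""
    return p_station_blackout(COMMON_CAUSE) / p_station_blackout(INDEPENDENT)


if __name__ == "__main__":
    print(f"independent hazards:   {p_station_blackout(INDEPENDENT):.3e}")
    print(f"flood caused by quake: {p_station_blackout(COMMON_CAUSE):.3e}")
    print(f"underestimated by a factor of about {underestimate_factor():.0f}")
```

With these illustrative figures the two models agree on how often each hazard happens, yet the common-cause model gives a station blackout roughly forty-five times more probable than the independent one, because the earthquake now removes three of the four stages in a single event and leaves only the batteries. Battery endurance, the other half of the e-mail’s point, is not modelled here: the batteries “fail” only with their own per-demand probability, whereas in practice they fail whenever the outage outlasts them.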



Drones in Civil Airspace Again – Bringing Gifts of Tacos!

24 03 2012

I don’t have time to write any blog posts or anything else for that matter at the moment. But it seemed to me that an e-mail I wrote today might be converted to a post. Herewith.

Steven Tockey pointed to an article in the Huffington Post about delivering tacos by robotic helicopter. Apparently there is a Silicon Valley company of three people called Tacocopter (why not Tacopter?) which wants to use small robotic helicopters to deliver tacos ordered by your smartphone before they get cold. Huffington Post spoke with Star Simpson, one of the founders. She is reported to have had something to do with the MIT Media Lab Personal Robots Group, but she doesn’t turn up on the list of people, including alumni, on their WWW site.

The FAA says, of course, “you can’t fly drones in civil airspace”. Ms. Simpson’s characterisation of the “obstacles” to getting started is telling:

It’s really the legal obstacles in the U.S. that seem insurmountable at this time.

To which the journalist comments:

So, there you have it: The U.S. government is single-handedly preventing you from ordering a taco and having it delivered to you by a totally sweet pilot-less helicopter. So get out your pitchforks, sign those petitions, start calling your local congressmen, and let them know: We want our tacos hurled at us by giant buzzing robotic helicopters, and we want them now.

... which does rather give me the impression that he doesn’t take it all quite as seriously as the founder.

Let’s see. Is it just “legal obstacles”? Well, as the journalist points out, there are plenty of real ones in the way of flying helicopters in urban areas, so one should surely also think of safety and liability insurance.

When it comes to buying liability insurance, Ms. Simpson might well find that companies won’t do it and she has to ask Lloyd’s. The price of insurance is bound to include the almost-certainty that there will be at least one accident. What is one accident likely to cost? The cost of the aircraft (almost all that seriously crash are written off), plus the cost of repairs to or replacement of any infrastructure and personal goods that are damaged along with it, not to speak of the cost of people possibly being hurt. So take that, add the insurer’s administrative costs, as well as a bit of profit on top. That’s just for one accident. How many might there be? The first accident might well shut the company down, because that’s what happens to very small airlines which have an accident. (Airline, you say? She will in fact be running a cargo airline. I am not sure how good an idea it is to let the FAA know in advance that you think the Federal Aviation Regulations stand in the way of your business. The FAA is likely to point out that the FARs do a very good job of assuring safety in what used to be the very risky business of flying – and they are right!) So Tacocopter would either have to self-insure, if they are rich enough, or have to interest someone in the idea who is rich enough to self-insure, and most of those people are very interested in the business model, for that is how they got rich in the first place.

So let’s look at the business model. How many people are going to be willing to pay more than double the usual price for a taco so delivered? (I am thinking here that the cost of a new private airplane in the US is still over 50% liability insurance for the manufacturer.) It might indeed be a nice party trick. Then again, those wealthy enough to pay double the price for food might well care a lot about the quality of that food, so turning up in a van with a cooker in the back and preparing tacos on the spot might generate far more business, and is obviously an easy way to ensure the freshness of the delivered product. As well as not requiring the FAA to change the Federal Aviation Regulations.

Ms. Simpson has surely also taken the five minutes to think about such things. It would be nice to have read her answers.

But there is a more general phenomenon here worth remarking. There appears to me to be a blind spot amongst mobile-robot enthusiasts and researchers concerning safety, and this seems to occur in this article also.

This issue is “close to home” in the following sense. Until the end of October I am running a research group in Interactive Safety at the “Cognitive Interaction Technology” research lab in Bielefeld, CITEC. As Germans like to express it, our interests in safety have not “resonated” in CITEC. People are building small mobile robots of various sorts, even having them run around in public areas and interacting with ordinary people. I have had many conversations about safety, what the issues are, why it is important, and what you can do about it (Hazard Analysis, Hazard Mitigation or Avoidance Measures, Residual Risk Analysis; it’s helpful to have a set of principles which help you avoid the most well-known major hazards). Indeed, I gave a Keynote Talk on exactly this topic at the IET System Safety conference in London in 2009, along with a paper. But I haven’t met anyone at CITEC who has read the paper or who knows what is in it (it’s only about 3000 words long, so length can’t be a factor). When I have talked to CITEC people about safety, the reaction is typically “that’s nice. How interesting, I hadn’t thought about that” and they turn back to what they were doing before.

I remember a long conversation I had in November 2010 at an evening reception with a CITEC researcher who was part of a team building a mobile robot which interacted with people. They were aiming to exhibit it in a local gallery as a robotic guide, along with the human guides. I suggested to her that the insurance company would likely want assurance against accidents, and the way to do that is Hazard Analysis, etc (as above), that we were expert at that and could help. I said that the classic mitigation for robots with moving parts (indeed, defined in a draft international standard which was in review) was defining a space of motion and installing interlocks to prevent people entering that space when the robot was in operation. I suggested that was likely to be what will happen if one doesn’t think about the issues more creatively, and it was probably not what she wanted. Indeed not, she said, it’s not really what we’d like.

I didn’t hear from her again, despite trying e-mail contact. (Remember, this is in the very institute in which I work! That “resonance” thing.) But a few months ago there was a picture in the local newspaper of the robot doing its guidance job – in an area roped off in the corner of the gallery, well away from exhibits and with gallery personnel on hand to ensure people stayed the other side of the rope. The classic measure, as I predicted.

A robotic helicopter has fast-moving parts which are open to the atmosphere – if it didn’t, it wouldn’t fly. Quite apart from damage caused by physical collision with the drone body, these fast-moving rotating parts are going to be moving in environments which have not been built with that in mind. Children get very curious and like to touch things, for example, so you have to keep it away from them. If operation was in an industrial plant, interlocks would be required to prevent any people from approaching the device when it was operating. And that is with presumed-trained, professional personnel. You don’t have three-year-old kids running here and there on the factory floor. That is the legal situation with human interaction with such devices currently, and it’s not just the FAA. In the US it’s OSHA and 150 years of experience with dangerous workplaces, such as 19th century and early 20th century railroads. Are people just going to throw all that out so that some company can deliver tacos? I doubt it. It took decades to get that level of protection, and I suspect that a lot of that was driven ultimately by consideration of the costs of accidents. So you probably can’t let the Tacocopter land (the journalist’s idea about getting tacos thrown at you is not that far-fetched!). So what about when it has to, for some reason – a fault, for example? Which aircraft doesn’t have those occasionally? How do you assure that it is kept well away from kids during such an event? However you do it, that subsystem had better not be the faulty one!

Here is an article from this week’s Economist which does say something about liability. Someone at MIT is trying to devise algorithms to interpret hand-signalled movement instructions, as used on aircraft carriers, reliably and accurately. I used to know one of the authors, Randall Davis, from conferences. He is a well-known and well-respected AI guru. The final question that occurs to the journalist is who would be prepared to trust “the fate of a multi-million-dollar drone to such a system” (it is only about 75% reliable at the moment).

But, says the Economist:

But it is a good start. If Mr Song can push the accuracy up to that displayed by a human pilot, then the task of controlling activity on deck should become a lot easier.

Another point of view is that experience shows that 75% is the easy part. When you’re at 90% and you want to get it up to 95%, that’s when the hard work starts. And from 95% to 99% may well take orders of magnitude more. For example, staying with AI, raw Circumscription is not the way to handle Blocks-World planning. This has been agreed for a couple of decades. But it does handle 90% or more of Blocks-World planning very effectively, as do many of the other methods from that era that “don’t work”.

But that’s SW engineering and “Symbolic AI”. Curiously, people who work in “neural informatics” (as it’s called in Germany) and approximation techniques seem often to have a different view, that when they can do 75%, or 80%, or 85%, they are “nearly there”. How can such different views of success prevail in one and the same subject, informatics?



Another Glitch, Same Old Moral

23 02 2012

Martyn Thomas chaired a committee convened by the UK Royal Academy of Engineering on infrastructure vulnerabilities to GPS disturbances. The committee reported in March 2011 and Martyn was briefly on the front page of UK news media on March 10, 2011 until the Tohoku event happened the day after.

What Martyn’s committee found was astonishing. For example, critical infrastructure functions whose builders and operators were convinced had no connection with any GPS functionality – and which stopped working when a GPS jammer was activated. The Committee’s report is well worth reading all the way through. Its remit includes all SatNav systems, not just GPS.

Martyn gave a Keynote talk at the 20th Safety-Critical Systems Symposium in Bristol a couple of weeks ago. A Google preview of Martyn’s paper is available, as well as an IET.tv film of his talk. (The Institution of Engineering and Technology, IET, filmed many of the presentations. You can check out my Keynote on the Fukushima Daiichi accident as well if you like :-) )

It is amazing to me that anyone wouldn’t take Martyn’s observations very seriously indeed.

However, we do appear to have a few journalists who pooh-pooh it, for example Lewis Page again recently in The Register after his commentary a year ago upon the report’s release, just as we had an astonishing number of journalists who made public their opinion that Y2K was never a big deal. A very silly point of view. As Martyn points out in his talk, the reason Y2K was not a big deal is that people such as himself worked very hard to eliminate as many as possible of the Y2K vulnerabilities discovered in our critical infrastructure, and were obviously quite successful. He knows what they were, since he was the senior technical advisor for some of that work (for example, UK air traffic services provision), and knows what would have happened had they not been taken care of.

The main social point here is, I think, people who worry versus people who don’t. If we didn’t have people who worried, then we wouldn’t be able to operate because things would be continually going wrong, such as possibly UK air traffic services at the turn of the millennium had NATS not worked very hard to eliminate those vulnerabilities. And on the back of such successful effort there are journalists who say “everything’s OK, isn’t it? Why worry?”. Yes, things are OK. Why worry? Because if some of us didn’t, they wouldn’t be.

Here is an example of a daily vulnerability that bit. It’s also old hat. But it happened to me two days ago, and most of those involved are professional computer scientists with a PhD (or about to obtain one) and decades of experience of such matters.

I have used my e-mail system as a memo system very effectively for the last few decades. I am based on IMAP, so it’s what people now call “in the cloud” but used to be called “stored on a server“. Over the years, when a subject or task occurs to me, I have got pretty good at remembering the context in which it occurred and indexing into e-mail (I send quite a few messages just to myself). It works for me very well. For decades.

Until Tuesday. I was writing an email, and the longish memo I was writing started losing characters backwards from where I had been typing, at a repetitive rate similar to that of, say, a stuck delete key. It took a few seconds to realise what was happening. Then I went into the menu-strip at the top of the screen (I use the Apple OS+environment) and tried to quit my mail client (Thunderbird – Apple Mail apparently does not work well with IMAP. I lost all my mail for about a year at one point a few years ago and it took a couple of days to generate a solution from backup. The second time it happened, I switched to Thunderbird). The menu would come down, but disappeared again as I moved the mouse onto it. This happened repeatedly. I tried the same on the Apple main menu (so I could “Force Quit” the mail client) but the same happened there. I tried a hardware shutdown – the OS refused because Thunderbird would not quit and it advised me to quit Thunderbird and then try again. I have never actually tried to log in as root and am not sure I remember the root password, so trying that, and if successful getting the process number and performing “kill -9”, didn’t seem like a good option given the urgency.

So, hardware kill: press the “off” switch and hold until the machine powers down. Good news for me: this worked.

When it came back up and I fired up the mail client, it showed me that all the messages from Wednesday 15 February at 16:35 (15:35 UTC) until that Tuesday morning, 21 February, were no longer there. A number of important interventions were among those that had disappeared.

So I asked the faculty computer services to restore the mails from backup. One of the two officers is Jan Sanders, with whom I have worked closely for over a decade; he also works with Causalis (people from SSS2012 may remember him from the booth) and will shortly finish his Ph.D. with me. And he installed and maintains this blogging system. These two people, along with 50-75% more help from assistants, manage the Technology Faculty’s (TechFak) computer systems, which account for over half the data volume per day of the entire university. A couple of years ago, we purchased backup hardware for some €30,000 because the university computer center proved to be unable to provide backup services as needed by some high-data-volume colleagues. The university is trying to centralise as many “routine” computing services as possible, and this situation was and is a major negotiating point over the future organisation of research computing services in the university.

Well, our backup HW+SW didn’t work. Jan and colleagues were unable to extract my e-mail Inbox directory alone. They ended up rebuilding the entire TechFak mail-server IMAP file system on a restore disk, some seven hundred gigabytes or so to be restored from main+incremental backup tapes. The estimate on Tuesday lunchtime was Wednesday morning. But on Wednesday morning, when they came in to work, the job had terminated with an error, and only the data up to 6 February had been cleanly restored.

Moral: the cloud is vulnerable in the ways that people concerned with the provision of computing services have known about for a long time. This is not the first time this has happened to me (indeed, it is the third time I have lost amounts of mail in five years). There are obvious ways to avoid specific problems, but there is mostly neither time nor resources to implement and manage all those solutions perfectly all the time. In this case, there were (at least) two failures, and it is clearly impractical for the faculty computing services to check continuously whether they can effectively restore data through two such failures, as well as all the other possible failures that could occur. Restore is a resource-intensive on-demand function, and it is combinatorially impossible to check regularly the execution of all such functions in even a moderately complex system such as e-mail backup.

When someone comes up with easy ways to solve any digital-computational vulnerabilities, say to GPS interference, that is less than half the tale. The rest of the tale concerns whether those solutions are implemented, and also continuously and effectively maintained.
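One cheap check that can be run continuously, and that the story above motivates, is shown here as an added example; it is not part of the original post and not the TechFak team’s tooling. The idea: record a manifest (Message-ID, Date header, SHA-256 of the raw message) at backup time, and after any restore, full or partial, compare what came back against it. A restore that stopped at 6 February then shows up at once as a “horizon” of 6 February with a listed gap, rather than being discovered by someone looking for their missing messages. The manifest format, the function names and the sample February messages are all constructed for the example.

```python
"""Restore-coverage check for a mail backup (added example, not the post's code).

Assumes a manifest recorded at backup time, one entry per message:
Message-ID, the RFC 5322 Date header, and the SHA-256 of the raw message.
After a restore the same fields are read back from what was restored.
The sample messages and the truncated restore below are constructed.
"""
import hashlib
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime


def fingerprint(raw: bytes) -> str:
    return hashlib.sha256(raw).hexdigest()


def build_manifest(messages):
    """messages: iterable of (message_id, date_header, raw_bytes)."""
    return {mid: (parsedate_to_datetime(date_hdr), fingerprint(raw))
            for mid, date_hdr, raw in messages}


def verify_restore(manifest, restored):
    """Compare a restore (iterable of (message_id, raw_bytes)) with the manifest.

    Returns a dict:
      missing   - ids in the manifest that did not come back
      corrupted - ids that came back with a different SHA-256
      horizon   - latest Date among intact restored messages (None if none)
      gap       - (earliest, latest) Date of the missing messages, or None
    """
    restored_fp = {mid: fingerprint(raw) for mid, raw in restored}
    missing, corrupted, intact_dates = [], [], []
    for mid, (date, fp) in manifest.items():
        if mid not in restored_fp:
            missing.append(mid)
        elif restored_fp[mid] != fp:
            corrupted.append(mid)
        else:
            intact_dates.append(date)
    missing_dates = sorted(manifest[m][0] for m in missing)
    return {
        "missing": sorted(missing),
        "corrupted": sorted(corrupted),
        "horizon": max(intact_dates) if intact_dates else None,
        "gap": (missing_dates[0], missing_dates[-1]) if missing_dates else None,
    }


def restore_truncated(report, manifest, max_lag=timedelta(hours=24)):
    """True when the restore stops more than max_lag short of the newest
    message in the manifest: a cut-off restore rather than scattered loss."""
    newest = max(date for date, _ in manifest.values())
    return report["horizon"] is None or newest - report["horizon"] > max_lag


def sample_messages():
    """Constructed sample: one memo per day, 1 to 21 February 2012, 15:35 UTC."""
    msgs = []
    for day in range(1, 22):
        dt = datetime(2012, 2, day, 15, 35, tzinfo=timezone.utc)
        mid = f"<memo-{day:02d}@example.invalid>"
        date_hdr = format_datetime(dt)
        raw = (f"Message-ID: {mid}\r\nDate: {date_hdr}\r\n\r\n"
               f"memo for day {day}\r\n").encode()
        msgs.append((mid, date_hdr, raw))
    return msgs


def sample_restore(messages, last_good_day=6):
    """Constructed restore that stops cleanly after last_good_day, as in the
    post, with one earlier message damaged on the way back from tape."""
    out = []
    for day, (mid, _, raw) in enumerate(messages, start=1):
        if day <= last_good_day:
            out.append((mid, raw + b"junk" if day == 3 else raw))
    return out


if __name__ == "__main__":
    msgs = sample_messages()
    manifest = build_manifest(msgs)
    report = verify_restore(manifest, sample_restore(msgs))
    print("restore horizon:", report["horizon"])
    print("missing:", len(report["missing"]), "corrupted:", report["corrupted"])
    print("lost window:", report["gap"])
    print("truncated restore:", restore_truncated(report, manifest))
```

The manifest is small compared with the mailbox, so it can be kept off the mail server and checked after every restore drill without restoring seven hundred gigabytes first; the point is not to test every failure combination, which the text rightly calls impossible, but to make a failed or partial restore announce itself.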

There is a lot of superb computer science behind this nowadays. Versions of Leslie Lamport’s Paxos algorithms are enabling Google’s servers to provide us with our daily informational bread (Paxos lets a set of replicas agree on a value, or on a totally ordered sequence of values, even when some of them fail; that agreed order is what lets a replicated database behave as if its transactions ran serially on one machine).

Most journalists and digital-services marketing people have not heard of, let alone understood, the combinatorial impossibility of checking and maintaining all your on-demand functions, or even the more routine matter of how the various Paxos variants work and why three-phase commit doesn’t (it is not safe when the network partitions). To find out what is possible and what is not, in other words, you still have to talk to computer scientists with authoritative knowledge. Such as Martyn and his GPS-vulnerability team from the Royal Academy of Engineering. And be wary of what is said in thoughtful articles about “cloud computing” in news media unless it comes from such people.
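For readers who want to see what “how Paxos works” amounts to, here is one round of single-decree Paxos simulated in a single process, as an added example that is not from the original post and not Google’s or Lamport’s code. It assumes three acceptors and models lost messages and partitions by giving each proposer only a subset of them to talk to; the names Acceptor, propose, chosen_value, the ballot numbers and the values "x", "y", "z" are this example’s own. What it demonstrates is the safety rule the two paragraphs above allude to: once a majority has accepted a value, any later proposer that obtains a majority of promises is forced to adopt that value, so two proposers with different values cannot both succeed, and a proposer whose ballot has been overtaken is refused.

```python
"""Single-decree Paxos in one process (added example, not the post's code).

Each acceptor remembers the highest ballot it has promised and the last
(ballot, value) it accepted.  A proposer needs a majority of promises
(phase 1), must propose the value carried by the highest-ballot promise if
there is one (otherwise its own), and then needs a majority of accepts
(phase 2).  "reachable" lists the acceptors whose messages get through,
which is how lost messages and partitions are modelled here.  Ballot
numbers are assumed unique per proposer, as Paxos requires.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Acceptor:
    promised: int = 0                 # highest ballot promised; 0 means none yet
    accepted_n: int = 0               # ballot of the last accepted proposal
    accepted_v: Optional[str] = None  # value of the last accepted proposal

    def prepare(self, n):
        """Phase 1b: promise to ignore ballots below n; report any prior accept."""
        if n > self.promised:
            self.promised = n
            return (self.accepted_n, self.accepted_v)
        return None  # refused: already promised an equal or higher ballot

    def accept(self, n, v):
        """Phase 2b: accept unless a higher ballot has been promised since."""
        if n >= self.promised:
            self.promised = n
            self.accepted_n, self.accepted_v = n, v
            return True
        return False


def propose(acceptors, reachable, ballot, value):
    """Run one proposer with the given ballot against the acceptors it can reach.

    Returns (accepted_by, proposed): how many acceptors accepted this ballot,
    and the value actually proposed.  proposed is the proposer's own value only
    if no promise reported an earlier accepted value; (0, None) means the
    proposer did not even get a majority of promises.
    """
    quorum = len(acceptors) // 2 + 1
    promises = [p for p in (acceptors[i].prepare(ballot) for i in reachable)
                if p is not None]
    if len(promises) < quorum:
        return 0, None
    prior_n, prior_v = max(promises, key=lambda p: p[0])
    proposed = prior_v if prior_v is not None else value
    accepted_by = sum(acceptors[i].accept(ballot, proposed) for i in reachable)
    return accepted_by, proposed


def chosen_value(acceptors):
    """A value is chosen once a majority has accepted it under the same ballot."""
    quorum = len(acceptors) // 2 + 1
    counts = {}
    for a in acceptors:
        if a.accepted_v is not None:
            key = (a.accepted_n, a.accepted_v)
            counts[key] = counts.get(key, 0) + 1
    for (_, v), c in counts.items():
        if c >= quorum:
            return v
    return None


def demo():
    """Constructed run with three acceptors.

    Proposer A (ballot 10, value "x") reaches acceptors 0 and 1 and gets "x"
    chosen.  Proposer B (ballot 20, value "y") reaches 1 and 2; acceptor 1's
    promise carries (10, "x"), so B must propose "x", not "y".  Proposer C
    (ballot 15, value "z") reaches everyone but only acceptor 0 will still
    promise to it, so it fails to get a quorum and proposes nothing.
    """
    acceptors = [Acceptor() for _ in range(3)]
    a = propose(acceptors, reachable=[0, 1], ballot=10, value="x")
    b = propose(acceptors, reachable=[1, 2], ballot=20, value="y")
    stale = propose(acceptors, reachable=[0, 1, 2], ballot=15, value="z")
    return {"a": a, "b": b, "stale": stale, "chosen": chosen_value(acceptors)}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Multi-Paxos, which is what replicated logs in production actually run, repeats this decree once per log slot and lets a stable leader skip phase 1; the safety argument is the same one this single round shows.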

What actually happened to me? I don’t know. The “stuck delete key” hypothesis seems to me to be implausible (it has worked fine since). And a software glitch in my mail client alone would not explain why the windowing system pull-down menus failed to operate as expected. I am not unfamiliar with forensic analysis of this sort (indeed we do it for major accidents) but this is not the first time an explanation has eluded me and I doubt it will be the last.



Tertiary Education – A Comparison over Countries

15 01 2012

Not mine this time (the one I wrote in 1997 is still being referenced, but is out of date because the German degree system has changed) but the OECD’s from October 2011, based on 2009 data, which I have just discovered. The Washington Post published in September 2011 a startling graphic accompanying an article on the report, which was linked from an essay today by Nicholas Kristof of the NYT. (Kristof is a member of my college. In his journalistic wanderings around some of the poorest, most disadvantaged parts of the world, he sometimes seems to me like a modern Wilfred Thesiger, a former member.)

I should note, first, in reference to the Washington Post article that the US term “college” refers to all higher-education which leads to a qualification called a degree. This includes “community colleges”, tax-supported institutions which provide the equivalent of the first two years of a four-year university education and which grant degrees called “associate degrees” to successful students, as well as universities, which may be four-year or six-year institutions, as for example the California State University system is, granting Bachelor’s and Master’s degrees, or “research universities” such as the University of California which also grant Ph.D. degrees.

I recall British Prime Minister Blair saying in 1997 (do I?) that the Labour government intended to push degree achievement rates up to 35% of the population, up from the 15-18% or so which it was when I graduated in 1973. I didn’t realise until I looked at the WP graphic, based on the 2009 data, that this had been achieved. I herald it as a major national accomplishment.

(I get the figure of 15-18% as follows. This 2000 report by David Greenaway and Michelle Haynes says that about 400,000 young people were in tertiary education then. If one takes the average lifetime, a little under 80 years, considers that 3 years is a twenty-fifth of that, and that the population of Britain is about 60 million, one would expect 2.4 million people of university age. 400,000 is thus one in six, about 17%. I should perhaps mention that Laura Spence, who was rejected by “Oxford” but given a scholarship at Harvard, had in fact applied to my college. Not the greatest marketing moment in history).

Similarly, I had, until today, oft quoted the rate of young people in the US entering higher education as a sign of what I thought was desirable, and used the figure of 55% of school leavers. I doubt if this has changed significantly. But I am disturbed to find out that apparently only 41%, about three-quarters of those, complete to some sort of degree. Considering that this includes associate degrees, which are only two-year courses of study, that does not bode well for the US, if you believe, as I do, that the more people learn skills in a short time which they otherwise would not have acquired, the greater the productivity of their society, in the richness of hobbies and other pursuits in life and not just in what standard economic measures capture.

I am intrigued by the Box on p18 of the OECD report entitled “Germany rethinks its assumptions about education and social equity”. Yes, indeed! People here were quite convinced about the “quality” of the education system, despite the obvious inequities and inadequacies apparent to those of us with wider experience, until the PISA reports on comparative achievement in secondary education started appearing from 2000 on, which showed German school achievement in a poor light compared with Germany’s economic peers. Then it couldn’t be ignored any more, and it wasn’t.

PISA was to do with secondary education. I am still somewhat disturbed by the relatively poor showing of Germany in tertiary education, at 26%. Some comments on that, some of which I have made before.

We currently have huge building projects going on around our Bielefeld University campus, which is itself huge (put “Bielefeld University, Universitätsstrasse 25, Bielefeld, Germany” into Google Maps). The main university building, in which almost everything goes on, is some third of a kilometer long, as you can see. Two new campuses are being constructed, one adjacent to the old building on a parking lot just to the north of the main building, between the two branches of what is labelled “Universitätsstrasse”, some two hundred meters long and the better part of a hundred meters wide, and one “over the road”, almost a kilometer away, in (Google Maps again) “Lange Lage, Bielefeld, Germany”, which is also large, and will house the University of Applied Sciences (what the Brits used to call a “Polytechnic” and Germans a “Fachhochschule”), a teaching university which does not grant research degrees, and which is now largely scattered in old and often unsuitable buildings around town. This all amounts to a huge public works project (which Google Street View does not yet show). And, if the above figure is to be believed, this will only be usable by a quarter of the young adults in the city and surrounding areas.

Do we have a town-and-gown problem? Less so than we did, I think, but more so than we might. The university does some outreach, including a science fair each year called Geniale (some pictures of GENIALE 2011 – the German for “pictures” is “Bilder”), spread over selected spots in the Old Town. But why aren’t most of the young people in this area passing through some part of this enormous spreading campus to take part in something? After all, they and their parents pay the taxes that create all these large buildings and pay their occupants. Future auto mechanics and hairdressers could surely benefit personally from participating in a course on 1960s popular music, couldn’t they? Germany has no equivalents to Brian Patten, Roger McGough, Adrian Henri or Carol Ann Duffy, but we have plenty of slam poetry (link only in German, unfortunately), indeed a local slam poet who has turned into a valued writer and raconteur, Mischa-Sarim Verollet (also only German). Here is the announcement for the next one in April 2012.

Such educational offerings are available through the Volkshochschule Bielefeld, the Community Further Education Center, but this is largely less formal – courses are not assessed, the qualifications of course-offerers fulfil no standards (either experiential or formal), one doesn’t obtain a transcript of courses completed, and, importantly, it does not constitute the kind of accomplishment which a prospective employer expects to see on an applicant’s résumé. I am thinking that all these things should happen. I am also thinking about the impoverished financing of the Volkshochschule compared with the heroic building works around the university campus.

I cannot see that expensive tertiary education can thrive unless it includes way more than the elite. We are well past the days when people said “well, that’s for them rich and clever kids” and turned their backs. Nowadays, people say “I pay taxes too; why can’t I come in here?” and I think that question is very well founded. Especially when the expenditure is so massively visible, as it is in Bielefeld.

German university education has changed, though, massively in the last decade. The previous system has been more or less junked, and every university now offers Bachelor’s and Master’s degrees, instead of the old Vordiplom/Diplom, which were not recognised outside Germany for what they were (a Vordiplom was like a US associate degree, and a Diplom like a Master’s, but with nothing in between). It is astonishing how everyone just threw the old tradition away in the early 2000s and went with what, for most here, was a completely foreign system with which they had little or no experience. I did find out why from a colleague in Sociology, though. They had over a 90% drop-out rate in their Diplom course. And this in one of the most well-reputed Sociology faculties in the country that invented it.

I think student contact with the rest of Europe was also slowly bringing a new perspective. German university students were finding themselves relatively immobile compared with their peers in other European countries, because the organisation of their degrees did not easily translate. For example, in the late 1990s, students studying for degrees in my faculty returning from studying abroad for a year in the ERASMUS program still had to take an oral degree examination in the studies they had completed abroad to have it count for our degree, even though they had already been assessed by the foreign institution for that work and the EU ERASMUS agreement requires that we honor that assessment. Those who came to me I asked for the transcript, or equivalent document showing successful completion, asked them to tell me about what interested them in the work, and passed them. In other words, the exam was purely formal, and the result identical to what they had already achieved. That is the best way I could see to fulfil the EU requirement, which our internal faculty procedures at that time still contradicted.

Besides that, successful graduates (the Sociologists’ 10%; our proportion in Informatics was much, much higher!) were leaving tertiary education with a degree equivalent to a Master’s at the age of 26-28 (and some even older), whereas their British and US peers were obtaining such qualifications at the ages of 22-24. People on the ERASMUS exchange were noticing they were somewhat older than their local peers, and those starting Ph.D. programs in other countries noticed it even more.

Now, we have Bachelor’s and Master’s degrees, credit points for each course, and credit points are transferable between all European tertiary-educational establishments.

I cannot necessarily say that the quality of education has improved, however. With the more extensive evaluation requirements (per course, now), much of this is being farmed out to tutors and other helpers, and the quality of that education and assessment does not seem to be monitored as I feel it should be. I monitor the courses in my group, which are all based on lab work, or seminars which consist largely of student contributions with commentary from the lecturer, and my group has considerable continuity in our student tutors, who were picked for (or, better said, who picked themselves by) their enthusiasm and capabilities. But some of our larger courses appear to have problems (one of my bright people, who has coauthored an important chapter in our system safety text, is on his third attempt at one of the required practical courses, for what appear to me to be spurious reasons).

The throughput has, however, improved. One reason in the past was the introduction of modest fees, some few hundred euros per semester. Suddenly, all our 6-year and 7-year students (of which we had plenty) wanted to finish – and most did. And the fee money was directly given to the Faculty, in which a largely student committee, which did include the Dean, decided what to do with the money to finance improved teaching. More tutors for some courses. Lab equipment – my lab was built with this money. The faculty also hired a highly motivated and very successful lecturer whose courses are loved by students and who does lots of lab work, indeed he uses the lab which we built.

The other reason is that students in our Bachelor’s and Master’s programs are spending much of the day in courses, and most of the rest of their time doing the homework. Their time is filled with study-related work. This is very different from ten years ago. But I think it is a benefit, more on a par with what their peers do in other countries with a higher percentage of college graduates.