Monday, February 15, 2010

University of Houston Tuition Increases 2010 - 2011

I've been attending the University of Houston Law Center (UHLC) as an evening student since the Fall 2009 semester. The proposed tuition increases at the University of Houston in general and at the Law Center in particular are a big concern to me. As you can see on page 4 of these materials presented to the Finance Committee of the UH Board of Regents at their meeting on 10 February 2010, the Law Center is proposing a 40% increase in resident tuition for students who joined in Fall 2009 and Fall 2008. The increase for the class entering in Fall 2010 is even greater; for residents, the increase is 65%, and for non-residents, 132%. Yes, if I am reading it correctly, that's the increase, not the resulting tuition as a percent of the current rate.

I understand the need to increase tuition as state funding drops and expenses go up. The campus-wide rise seems to be pegged at a little less than 4%, which seems reasonable, especially as it's paired with an increase in student aid, and a rise in the maximum income a family can earn while still qualifying for the Cougar Promise of free tuition. The Regents and the administration have a duty as stewards of our tuition to spend that wisely on education: to fund research and programs to enhance learning, and to attract and retain great faculty. I wouldn't have any objection to an increase of that magnitude.

I do, however, object to the purpose stated in the Justification for the increase at the Law Center: Support for advancement to top 30 school status including faculty salaries and new facilities. Let me address each element separately:

  1. Advancement to top 30 status. The Law Center administration may argue, much as Dr. Rupp did at Rice University almost 20 years ago, that a top tier university should be charging top tier tuition rates. I won't address the merit of that decision; it seems to have worked out more or less well at Rice, and it would be possible to gather data on how that increase affected the demographics there. Assuming arguendo that raising tuition for incoming students is acceptable because they've not yet decided to turn down offers elsewhere, I submit that incorporating such a "prestige premium" for current students is unconscionable. Students currently attending UHLC relied on the Fall 2008/2009 tuition scale when they made their decisions (in many cases) to move to Houston and turn down offers from other schools. The time and money these current students have already invested in a career at UHLC were made relying, perhaps in large part, on the cost of that education. It's not enough to offer to offset the increase with expanded access to student loans; that merely pushes the problem to after graduation, when it becomes even more difficult (for example) to decide to enter a public interest position, or to go into practice for one's self (perhaps in one's small home town). And it certainly doesn't do anything for those who may be paying for their education themselves.
  2. New facilities. Heaven knows UH needs to rebuild the Law Center; just last week, during the heavy rains, we had water leaking in, and some ceiling tiles soak through and drop to the floor. This sounds dramatic, but it's not surprising for a building its age. Nevertheless, new buildings should be built with funds from a capital campaign which solicits contributions from alumni (and even current students). Even after such fund raising there will be a significant amount which will need to be financed; however, that should reasonably be added to the tuition of the students who will be enjoying the new facilities. It makes no sense to force current students to start paying for a building we'll never see or use.

    One could argue that a new Law Center campus would add to the school's reputation and prestige, and that such improvements would be to our benefit in our careers. However that benefit would also accrue to alumni and to the future students using the facilities. We current students would be in the strange position of being compelled to pay for the new facilities (unlike alumni) while never receiving the benefit of the new building (as would future students).

The Board of Regents meets on Tuesday 16 February 2010 to vote on the proposed tuition increases. Law Center alumni on the board include Jarvis V. Hollingsworth of Bracewell Giuliani; Nandita V. Berry of Locke Lord Bissell and Liddell; Nelda Luce Blair of The Blair Firm; Jacob M. Monty of Monty Partners; and Carroll Robertson Ray of Andrews and Kurth. I hope they take all these considerations into account and choose to vote against increasing tuition for current students at their alma mater.

Sunday, February 14, 2010

Being thankful

I attended a workshop this weekend (13 Feb 2010) which was focused on the parents and teachers of advanced students. There were interesting discussions, and it was impressive to see the groups of parents organized to provide or procure academic services for their children.

Most of all, I came away pretty grateful for the infrastructure Houston ISD has put in place to serve gifted and talented children. It's not perfect, and I've written before about at least one way they can improve. In general, HISD can now get better by implementing routine assessments of gifted students and supporting their curricular needs on an individual basis, especially in the middle schools. They should also consider soliciting more feedback from parents, and implementing an assessment/feedback loop to improve their programs.

That said, we as parents in HISD are starting well ahead of the pack compared to some of the other nearby school districts. We have large clusters of gifted students and at least moderately accelerated curricula. Parents from smaller districts have a harder time; their children learn with fewer peers in their group, and their districts may not have the resources or desire to provide services adequate for their advanced children. From some of the comments I heard, I feel I've had an easier time keeping my kids academically challenged because of the support I've had from our school district.

Thursday, February 11, 2010

Verified by Visa: Weak Security?

Steven J. Murdoch and Ross Anderson analyze the '3-D Secure' protocol, implemented as Verified by Visa (VbV) and MasterCard SecureCode (MCSC), in a recent article for Financial Cryptography and Data Security. The two credit card companies have implemented software and a process which attempts to make online transactions more secure by asking the card holder for a password whenever the card is used for a purchase. The idea is that someone holding a stolen card would not know the secret or pass-phrase the holder uses, and so won't be able to complete an online transaction.

In theory, this isn't a bad idea. Having a two-factor authentication scheme for purchases, if implemented correctly, can make fraud harder to perpetrate online. Because the second factor is (in theory) under the control of the card holder, it is their responsibility to make sure it's difficult to guess, and that they change it frequently or whenever it may have been compromised. Based on this theory, the card companies have changed the liability rules for such transactions; a purchase conducted pursuant to the '3-D Secure' protocol shifts the liability for fraud to the issuing bank, away from the merchant and acquiring bank. In section 2.4 on page 4 of the report, the authors identify a situation where the issuing bank then passes the responsibility to the card holder; this is a UK bank, and I'm not sure that would be possible in the US.

The article points out that there are two important areas where this protocol can fail. The first comes from the potential shift in liability to card holders, which would reduce the pressure on the banks involved to make more than token additional investments in fraud reduction, either by transaction analysis or by using effective security technology. This is in contrast to the current regime which absolves card holders of responsibility for fraud when they promptly report a lost or stolen card to the bank or issuer; when the cost of fraud lies with Visa or MasterCard, they make (and have made) significant investments in detection and prevention. Our cards have been stolen a few times; each time a large number of purchases were charged, and each time our prompt action avoided liability for the fraudulent balances. I think in most of those cases the bank called us to warn us of the unusual charges, implying that their fraud detection is pretty effective. Keep in mind that this potential responsibility shift to card holders may not be possible to effect in the US, at least under current laws.

The second area where '3-D Secure' potentially fails is in the implementation; there are a number of weaknesses exposed in some banks' software:

  1. The web page asking for your VbV or MCSC password is not obviously served by your bank or by Visa or MasterCard. The password field is implemented as an IFRAME (an embedded frame) which does not trigger the security notices that are typically present in your browser's location bar, so it's not easy to confirm that it's a safe place to type your password.
  2. A safe protocol would have you register a password or phrase at your bank's site before using the card. Unfortunately, the protocol allows something called "Activation During Shopping" (ADS) which prompts you for a password the first time you make a qualifying purchase. Well, maybe that's you, or maybe that's the person who stole your wallet. Some sites want to confirm it's really you, so they ask for your birth date - which is conveniently located on your driver's license, right next to the credit card. Or they may ask for your ATM PIN, which hopefully you haven't memorialized on another piece of paper in your wallet ...
  3. Password resets are not consistently secure. Some banks identified in the report prompted you for a new password if you entered an incorrect one three times.
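
To make item 3 concrete, here is an added example (not from the original post or the report) that models the reset behaviour described above beside a stricter policy. The class and method names are hypothetical, and the out-of-band reset channel through the bank's own site is an assumption.

```python
import hashlib
import hmac
import secrets

MAX_FAILURES = 3  # the threshold mentioned in the post

class PasswordCheck:
    """Hypothetical issuer-side password check; not any bank's real code."""

    def __init__(self, password, reset_on_lockout):
        self._salt = secrets.token_bytes(16)
        self._hash = self._derive(password)
        self.failures = 0
        self.locked = False
        # True = weak behaviour from the post: three misses, then "pick a new one".
        self.reset_on_lockout = reset_on_lockout
        self._reset_token = None

    def _derive(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def verify(self, password):
        if self.locked:
            return False
        if hmac.compare_digest(self._derive(password), self._hash):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked = True
        return False

    def issue_reset_token(self):
        # Assumed to be reachable only after logging in at the bank's own site.
        self._reset_token = secrets.token_urlsafe(16)
        return self._reset_token

    def set_new_password(self, new_password, token=None):
        if not self.locked:
            return False
        if not self.reset_on_lockout:
            # Hardened: demand the single-use token issued out of band.
            if not (token and self._reset_token
                    and hmac.compare_digest(token, self._reset_token)):
                return False
        self._hash = self._derive(new_password)
        self._reset_token = None
        self.failures, self.locked = 0, False
        return True
```

With `reset_on_lockout=True`, three wrong guesses are enough to replace the password without ever knowing it; with `False`, the card stays locked until a token from the separate channel is presented.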

Finally, there's another issue to consider. Because of the complexity, it seems a number of banks are outsourcing the implementation of '3-D Secure' to a third party such as Cyota. The potential positive effect of that decision might be that the participating banks all benefit simultaneously from increases in security as that party improves. The possible concern is that there's now yet another entity which knows about all your online credit card purchases; in fact, because transaction details are passed to the issuer to present to the card holder for verification, they now are told not only the total for the transaction but all the items in the purchase. That level of detail was not reported by the merchant to the bank previously (in the current/older SET protocol).

So what's the conclusion? Maybe you should consider this course of action when you're challenged by a site using Verified by Visa or MasterCard SecureCode: abandon the transaction, write a letter to the merchant explaining why you think '3-D Secure' is a bad idea, and write to your card issuer and let them know you'll be using another card (Discover? American Express? Paypal? Amazon Payments? Google Checkout?) for your online purchases. In the worst case, the driving consideration behind the development of this protocol is not improved security; instead, it could be the shift in liability for fraud from the banks to you. Maybe if enough card holders push back, they'll get the message, and maybe future implementations of '3-D Secure' will be better.

Saturday, February 6, 2010

Sustaining grant-funded software

As I've written before, I am impressed by the Our Courts foundation, web site, and materials. My children found the interactive games compelling, and I'm considering using the volunteer guides in their schools.

I'm disappointed by their decision to use CC-BY-ND-NC as the license for the materials, in particular the inclusion of the NC (no commercial use allowed) and ND (no derivative works allowed) restrictions. The definition of "non-commercial" appears intuitively obvious, but as the discussions at creativecommons.org have demonstrated, its full import is still unclear. When coupled with ND (no derivatives), it's almost unnecessary; since no one can make a derivative work, anyone trying to commercialize the unchanged content would have to compete with Our Courts, which is providing the same work at no cost. The economics apparently wouldn't encourage such an attempt. There's also a compelling argument that restricting commercial use is unnecessary to protect the freedom of works and is incompatible with the principles of free software and free culture.

However, the use of ND is a bit more of a concern to me; it means that adopters can't adapt the materials if appropriate: altering vocabulary to address a different grade level, translating to another language, adding fact patterns or rights to the card hand-outs in the volunteer guide. Each potential improvement is a derivative work prevented by the license. Further, it means the games can only be re-distributed intact; downstream recipients, programmers and content developers, cannot add a new fact pattern to "Supreme Decision", or add/alter fact patterns to "Do I have a Right?" (DIHAR), add/change lawyers, add/change law firm upgrades, add rights, translate, etc.

I will guess that their team has plans to create more and different resources (games, materials, etc.); I look forward to them as they arrive. However, as they move forward, older resources will tend to ossify. By removing the no-derivative (ND) restriction (and perhaps by replacing it with SA) they may in fact improve the chance that these materials stay relevant and become more widely adopted, as they are adapted to new statutory environments, and are translated into Spanish, Chinese, and other languages. I recommend they use the CC-BY-SA to make it possible for Our Courts to foster an ecosystem around the content, and leverage their investment in those impressive materials by taking advantage of the enthusiasm and efforts of a wider, engaged community.

No grant-funded project wants to think about what happens when the soft money runs out - but funding doesn't last forever. Until Our Courts figures out an economic model that's self-sustaining, they run the risk that when they can no longer afford to publish and improve their materials, that investment and hard work disappears. They might take a look at the Connexions repository as an example of a project which uses the CC-BY license, thereby ensuring that their materials will continue to be updated by, and useful to, the community even if their own funding should run out.

Friday, February 5, 2010

Seems obvious

When network operators (phone and internet) implement wiretap back doors to allow governments to monitor your data, it should be expected that the wiretap channels can also be accessed by other entities. This includes other governments, employees at your service provider, and random third parties. The fact that these wiretap facilities have no audit trail means you don't even know when your data has been compromised.