Why digital signatures don't work

At Tuesday's town planning committee meeting we had one applicant for a parking waiver.  He made a quick presentation showing how they planned to add another office space to a warehouse and add a couple parking places for it.  This just involved putting marks on the warehouse driveway.  It doesn't require a zoning change.  It's just a change to the registered building plan.

The chair asked the consulting engineer for his report.  He listed changes A, B, C, ... and G between the plans he was given and the new plan.  Two board promptly started talking about changes B and C.  They had a bunch of doubts and questions.  The applicant answered some questions and dug through his documents.

As the two board members got going he put up another plot plan and asked:  "Why are we talking about this again?  You agreed to this back in November.  See, here are your signatures on the approved plan.  It shows those changes."

The consulting engineer said he had been given plans dated July for comparison.  A quick look and he agreed that the only change between the signed November plan and the proposed plan was the office space layout and parking places.  The two board members walked up, saw their signatures, and sat back down.

The office space and parking change was agreed to be minor and the new plans approved.

Signatures exist in large part to make board members and applicants shut up and sit down. 

This works for several reasons. 

First, there is a signing ceremony.  This ceremony involves ritual motions, ritual words, public observation, and sometimes other steps.  The ceremony is a recognized and understood end point.  It ends social acceptance your ability to make changes.  It is important that the the ritual motions be unique.  A physical signature is a ritual motion that you almost never use for any other purpose.  It is not just an emotional or intellectual difference.  The physical movements are unique, non-trivial, and not accidental.  You must use muscles and eyes to perform it properly.  It leaves behind a physical artifact that you personally recognize.

Similarly, the witnesses are physically there and can observe and confirm this ritual motion.  After a while, they also have the ability to immediately recognize the resulting physical artifact.

For plot plans there is more to the ritual.  Not only are there the signatures of the board, this is preceded by stamping the plot pages with the official stamp, the signatures are on the stamp, and after the signatures are there the paper is sealed with a press that bends, dents, and selectively tears the paper that was stamped.  All of this is something that can be recognized and confirmed by those present.

Second, the board members immediately recognized the physical results of that ceremony and recognized the social power.  They shut up.  This was not some arguable computer magic.  They were able to perform their own immediate verification.

Perhaps some day the digital signature will reach the level that these physical signatures have reached.  There will be the ceremony that ensures that all the participants recognize that they are agreeing to an endpoint.  Pushing a button on a computer is not a unique ceremony with witnesses.  It is not a unique motion used for no other purpose.  A whole ceremony process needs to be invented for the digital signature that it presently lacks.

Issues of ceremony, social witnessing, etc. are malleable.  Ceremonies change.  So the digital signature can reach general acceptance, but the endless fascination with esoteric internal implementation details is not creating a proper ceremonial process.  In fact, the current user interfaces for computers make it quite a large challenge to create a proper family of ceremonies.  Physical signature ceremonies are rather adaptable and cover the range from the quick initialling in a hurry to the formal multiparty signing ceremony with stamps and seals that is used for building plan approvals.  Digital signing ceremonies will need to provide that same spectrum of ceremony.

The validation of signatures is similarly immature.  There is no technological barrier to the quick verification of physical signatures.  Those two board members took less than a second to confirm their own signatures.  They could have argued forgery.  Forgery is unlikely because of the high cost of creating the forgery and the near certainty that it would be discovered because other duplicate copies of the plans are kept in storage at various locations.  A successful forgery would need to substitute those also.  Getting approval for an office and some parking does not justify all that expense and risk.

Digital verification might reach that same degree of universality some day, but it will take decades or centuries.  It's not just a matter of computer access.  What the board members were verifying was that the plans that they saw had been signed.  If a computer were involved you must figure out how to ensure that the photons emitted correspond to the digital signatures.  The relationship between photons and signatures is inherent in the physical processes of paper and light.  If this were a plan being projected by a computer, how do I know that the digital signature corresponds to the projection?  If I do not trust the presenter, why trust the projection.  This means that I need the document to be provided to me so that I can use a computer and projection system that I trust.  Lack of trust can go both ways, so this comparison of photons can become very difficult logistically.  Every participant must have their own trusted viewing system and verification system.  It's a rather huge investment in equipment and facilities to reach the point where everyone has this and can confirm signatures to their own satisfaction in less than a second.

For now, that piece of paper and those physical signatures are meeting the signature goal.  The investment in physical resources and new scial ceremonies will not happen just to improve signatures.  The improvement is not that valuable.  It will happen when other reasons and purposes have justified the investment in computers, etc.  Then social ceremonies can be created and digital signatures finally become practical.  (Assuming that something better has not been invented first.)

Hostility to risk analysis

I found this old quote in Nature:

The widespread hostility to the use of benefit-cost and risk assessment analysis is based on an absolutist health-only positionj that virtually no one is willing to embrace in the real world. 

Hammond, P.B., and Coppock, R. (eds) Valuing Health Risks, Costs, and Benefits for Environmental Decision Making (National Academies Press, 1990)

In this case the issue is particulate pollution, but the same hostility can be found in all sorts of health related policy discussions.  It's very hard to get any kind of rational discussion of risk, or cost-benefit, or even simple concepts like maximizing return on investment.  The polemics of win/lose and absolutist evaluations seem to dominate.

(A frustrating Thanksgiving of fruitless political arguments may be part of the inspiration to post.)

Good Hurricane Forecasts Considered Harmful

Good hurricane forecasts may have reached the point of doing more harm than good. Since 1970 the American Meterological Society has editorialized against the bad hurricane policies of the US. In particular, the coastal development planning and regulation emphasizes evacuation and encourages people to live in areas at risk. Evacuation is a brittle protection. Failures are complete, not partial. The recommended policies are mitigations that reduce risk and provide partial protection even when the hurricane overwhelms the protections.

This is a subject that simple linear text handles poorly. So I'm experimenting with a diagram of the interactions.

(My first experiment was with SVG. That doesn't work so well with Typepad. It puts in a nice link that you can follow, so if your browser supports SVG you then get to see it. This diagram does OK as an image, so it's in as an image with thumbnail.)

Repeat and Unnecessary Exam

I've heard a lot of claims recently about a high rate of repeat and unnecessary diagnostic exams. The claims range from 5% to 50% of exams are unnecessary. This is then used as justification for whatever change is being proposed. Most recently it was used as justification for implementing a RHIO.

I have a complaint with proceeding based on such vague and sketchy information. What is their definition of repeat or unecessary? How were the results obtained? What was the test environment? This information is available in the literature. For example, see this report. If you track through its references, you find that all of their reported errors were within hospital errors. None were the result of failure to convey information from one hospital to another. They did not even measure that category.

Was this one of the studies being used to get that unnecessary exam figure? I don't know. These decisions are being made on a social and emotional basis, not on the basis of measurements and observations. It's representative of the immaturity of the quality system. Some of the measurements needed are being taken and are available. The decision making process has not reached the maturity level of including those measurements accurately.

My own reaction is to focus more energy on the relatively easier task of improving the internal processes, and less on the much harder task of regional and national data networks. This is based on a) the observation that fixing the internal systems eliminates a huge source of error, and b) the delivery of reports will merely deliver them to the still broken internal system. So most of the gain from regional sharing will not be available until after the internal systems are working well.

Politically and socially, the big regional networks are more attractive. They mean lots of money, which attracts politicians, the press, and the beltway bandits. Plebian fixes like "lets show the prescribing physician contra-indications automatically" mean lots of grunt work, not much money, and no publicity.

Update: Fixed the link to point to the right report

What's wrong with medicine

Dr Rangel is looking for comments on medicine, so here is my view of the primary problems. From time to time I discuss details. This is the framework within which those details fit.

The overall problem with the medical system is that it is not meeting the goal of delivering a high level of patient health at a reasonable cost. Major contributing factors are:

1) Medicine lacks a mature quality system. There are some early efforts like evidence based medicine and early efforts at process improvement, such as those found at Mayo. But on the whole there is no widespread understanding of the processes used in a quality system.

This is not very surprising considering how recently these efforts started. It takes many decades for an industry to develop a mature quality model. The Japanese auto industry began theirs about 1950, and even now there is regular improvement visible in Japanese automobiles. The American automobile industry started their efforts in the 1960's and although improvement is visible, they still have a long way to go.

2) The quality system invented by the politicians and lawyers has proven ineffective at meeting this goal. This is hardly a surprise. They've not had success anywhere. The tort system never delivered high quality in automobiles, electronics, or anything else. The tort system is primarily effective as a means of controlling the sociopaths that are also high functioning individuals in society.

If we used the medical malpractice approach to automotive quality we would discover who worked on a lemon car, pick a selection of those workers, empty their bank accounts, and fire them. This practice of blaming the workers was tried (somewhat less dramatically) for quite a while in the auto industry. It was a complete failure and has been replaced by a more effective quality system.

3) There is a mismatch between the decision making, financial responsibility, and beneficiary. For example, the primary beneficiary of employee medical insurance is the employee. The decisions about what coverage is obtained are made by the employer. Even with the best of intentions, there will be an inefficiency due to the mismatch between employer perceptions and actual employee desires. In practice, this mismatch is severe and made worse whenever financial pressures significantly influence the decision making.

I think that the emerging concierge medicine is the leading edge of a change towards matching these back together. The HSA's may also encourage a better matching of roles and responsibilities.

4) The ignorance and naivete of the patients leads to a misunderstanding of responsibilities, made worse by external societal factors. The patients' own failures often cause substantially worse health. Some of this is ignorance. Some of this is the naive belief that "there will be a pill for that". Only a small part is patients' mental deficits, e.g., Alzheimer's. I see little indication of significant change here. There are responsible people and irresponsible people, about the same mix as when I was growing up. Before antibiotics and immunizations the diseases of irresponsibility were a minor health factor. Now they are a major health factor.

5) The expectations of patients are unrealistic. You will get old and die. There are incurable diseases. Bad things do happen. General anaesthsia is occasionally fatal. Diseases don't always respond as expected.

6) Direct providers (especially doctors) are not accustomed to working in a team, are not well trained for teamwork, and their work structures are very badly designed. Effective teamwork is more often punished than rewarded by their employers, payers, etc. Yes, everyone thinks that they are an effective team, but start looking at the reality. In a high functioning team would patient handoff and transfer be a major problem?

7) The notion that "someone is to blame" interferes substantially with all the efforts to make improvements. Blame is useful when controlling sociopaths. Blame gets in the way of improving a quality system. Dealing with this will require changes in societal attitudes.

Solutions? There are many small steps that can be taken. I'm involved in some of them. The global strategy is to restructure the system so that a modern and effective quality system can be made operational.

"No Regrets" policy

I came across this term in reading about reef maintenance policies in Tuvalu, and I like the term.  The concept is that the environmental policies be chosen so that there are "no regrets" about following the policy even if it turns out that the underlying environmental assumptions are wrong.  These are policies that make sense for other reasons as well.

The classic examples are fluorescent lighting for businesses and CFLs for homes.  At present, the commercial sector is converting from T12 to T8 lighting.  This has some significant environmental benefits:

• T8 bulbs in a T12 housing save 10-15% on lighting power (and a corresponding amount on cooling demands.)
• T8 bulbs in a T8 fixture save another 10-15%.
• T8 bulbs contain half the mercury.  (T12 bulbs were already greatly reduced mercury content.)

Since the T8 bulb costs only a little bit more, this is an obvious money saver as well.  The bulbs last longer, and they come in a variety of lighting temperatures for different kinds of office environment.  So you can justify them using operational, comfort, financial, and environmental reasons.  And when it is time to replace the fixtures, the upgrade to T8 fixtures is similarly easy to justfiy.

The CFL is a similar saver for the home market with environmental savings, labor savings, trash reduction, and cost savings.  There are issues with lighting flexibility for things like spot lights but it is easy to find many places where CFLs make sense.  As with T8, current CFLs have highly reduced mercury levels.   Assuming current US mix of fuel sources, the mercury emissions reductions from the coal burning eliminated by CFL power savings exceed the mercury contained in the CFL (per US EPA).

They both fit the "no regrets" policy description.

The other nice thing about "no regrets" is that it forces the analysis to leave the neo-religious environmentalist mindset.  You need to consider other factors, like finances, comfort, utility, etc.  This makes it necessary to start thinking "system" instead of religion.  I've found that when you start thinking "system" you find many cost effective ways to improve the world without imposing the eco-religion on the world.

No regrets is an excellent approach to much of the response to the potential of global warming.