The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 3 Issue 80

Wednesday, 15 October 1986


o US Navy reactors
Henry Spencer
o Data Protection Act Risks
Lindsay F. Marshall
o Is Bours(e)in on the Menu?
Martin Minow
o Re: Software Wears Out
o Info on RISKS (comp.risks)

US Navy reactors

Henry Spencer <decvax!utzoo!henry@ucbvax.Berkeley.EDU>
Tue, 14 Oct 86 17:56:36 edt
  >     A co-worker of mine who has worked in both the Navy and civilian
  > nuclear programs tells me that Navy reactor systems are designed to keep
  > humans in the loop. The only thing the automated systems can do without
  > a person is 'scram' or shut down the reactor...  Thus, the
  > system can't very easily spring surprises on the operators.

A probable contributing factor here is that the US Navy's submarine people
do not trust automation at all in crucial roles.  For example, US subs have
no autopilots, even though they spend most of their time at constant speed
and depth.  They are "flown" manually at all times.  This is not so much a
matter of keeping the operators alert and informed as it is a matter of
complete distrust of complexity and automation in submarines.  This is a
significant constraint on submarine design, in fact.  Modern subs generally
have a fairly symmetrical set of vertical and horizontal fins at the tail.
Looked at from behind, it's a cross shape.  There would be advantages to
using an X shape instead, just shifting the whole cluster 45 degrees:  this
would permit grounding the sub on the bottom without damage to the bottom
fin, and would permit docking against a straight dock without worries about
banging one of the horizontal fins against the dock.  The US Navy does not
think highly of the idea, because it would require a mixing box of some kind
(which could be purely mechanical!) to turn the horizontal and vertical
control inputs into rudder/elevator motion.  That's how deep the distrust of
complexity runs.  I'm not surprised that they have manually-controlled

The USN also has an outstanding reactor safety record — no big accidents,
no serious radiation releases — with a stable of reactors comparable in
numbers (although not in output) to the entire US nuclear-power industry.
They are very fussy about materials, assembly, and operator training.

                Henry Spencer @ U of Toronto Zoology

   [Intriguing.  I have frequently heard it said — by Nancy Leveson and
    others — that the nuclear power technology is so sensitive that they
    feel they cannot afford to use computers!  PGN]

Data Protection Act Risks

"Lindsay F. Marshall" <>
Wed, 15 Oct 86 14:36:27 gmt
Police find a Catch 22 for data victim - From The Guardian

The police are ready to challenge the new right to compensation guaranteed
by the Data Protection Act to people injured through the passing of
inaccurate information.  Hertfordshire Police, which wrongly suggested to
Tayside Regional Council that a woman it was considering appointing had a
criminal record, has denied that the woman has any claim to compensation.
Under the Data Protection Act, all agencies - including the police - which
hold information electronically are liable to damage claims for any harm
which inaccuracies create for people on their records.  But Hertfordshire
Police has produced a Catch 22 defence.  In a letter to the woman's
solicitor, the force suggests that the woman has no claim to compensation.
The police now concede that the woman does not have a criminal record but
go on to argue that she is therefore not on their records.  As she is not a
"data subject" she cannot be eligible for compensation.

Mr.  Eric Howe, the Data Registrar, said yesterday that he would resist such
an interpretation of the act.  One problem for the woman, Mrs Anne Trotter,
of Kirriemuir, Tayside, would be the cost of the court action.  There is no
legal aid in such cases.  The Data Registrar can initiate criminal
prosecutions but cannot sponsor civil actions.  The case would cost over
1,000 pounds.

The mistake happened earlier this year.  Tayside Regional Council social
work department, which was considering appointing Mrs.  Trotter to a special
fostering programme for delinquent teenagers, followed the recommended
procedure of checking the criminal records of its applicants.  The authority
wrote to the police in Hertfordshire, where Mrs Trotter had lived for a
period, and was informed that two separate sets of "convictions are recorded
against Anne Trotter, who appears identical with the applicant." They
involved thefts in Newcastle upon Tyne in 1942 and theft and false pretences
in Newcastle in 1947.

Anne Trotter's maiden name was Lawson until she married in 1954.  In 1942
she was 15 years old and was still at school in Arbroath.  The police were
given her maiden name.  Mrs Trotter was so upset by the incident that she
decided to drop her application and take up a temporary teaching post.  She
asked the social services department for a copy of the police letter and,
unusually, was given one.  The right of access to such letters does not come
into force until November next year.  

Later, after hearing about the Data Protection Act, she took it to a
solicitor in Dundee.  He wrote to the Hertfordshire Police on July 3 asking
for compensation.  The police replied on July 8, denying responsibility.
The force said its letter had only said the Newcastle offender "appears
identical with the applicant."  The letter went on to claim: "The fact of
the matter is that your client is not a data subject within the terms of the
Data Protection Act as it is now clear ...  that no records are held in
respect of your client."

Mr Kevin Veal, the solicitor, sent a second letter which said: "It seems
to us that insufficient care was given to the issue.  For example, it
must have been obvious to anyone compiling the report that a young girl
born in 1927 under the name of Lawson could not have been convicted
under the name of Trotter in 1942."

The case is made more complicated by the fact that the police supplied
the information on April 21 but the compensation provisions of the act
only came into force on May 11.  There was no retraction, however, until
July 8 and no attempt by the police in the letters to use the May 11
date as the reason for not providing compensation. 

Is Bours(e)in on the Menu?

15-Oct-1986 1530
                  (Martin Minow, DECtalk Engineering ML3-1/U47 223-9922)

                          By Paul Lewis

    (reprinted without permission from the New York Times News Service)

PARIS - The two hungry diners sat down, turned expectantly to a flickering
computer screen on a nearby stand and began studying the latest quotations.
The news seemed ominous.  Making money would not be easy in today's luncheon

The scene was La Connivence, a small new bistro-style restaurant at 6 Rue
Feydeau, a stone's throw from the Paris Bourse, or stock exchange.  As with
stocks on the exchange, the laws of supply and demand determine the price
diners at La Connivence pay for a meal.  (The name, La Connivence, means
complicity, with the slightly shady overtones appropriate for a gambling den
of sorts.)

As patrons place their orders in the austere ground-floor dining room, one
of the owners, Jean-Claude Trastour, enters them into a computer which
promptly adjusts the menu prices to reflect demand.  Popular dishes, like
popular stocks, go up in price while less popular ones decline.

Timorous diners may choose to pay the quoted price for a dish at the
moment they order it.  That is called eating on the marché comptant, or
cash market.  If the price rises while these diners are tucking in, they
have done very well for themselves.  If the price falls, they get
indigestion.  It is the safe way to eat - safe and dull.

More adventurous folks play the futures market, the marché à terme,
agreeing to pay the price quoted when they call for the check at the end
of their meal.  Naturally, they hope the price will have fallen by that
fateful moment.  But hopes may be dashed by a flurry of buying, and the
price may easily shoot up.  Worse indigestion.

The newly seated diners began preparing their gambling strategy by reading
the trends.  They saw that the prices of several dishes had already fallen
by close to 6 francs--the limit for price changes up or down in any one
eating-trading session.  (A dollar is worth about 7 francs.)  That left
little room for further decline.  There would be no point in ordering any of
those dishes, no matter how delectable--unless, of course, the diner was
more interested in eating than in successful speculation.

The computer screen flashed chute du filet mignon, indicating that the price
of that choice steak had already fallen 5 francs, to 50 francs a serving.  A
veal casserole with herbs had slipped 4 francs, to 48 francs.
A rack of lamb chops for two, down 10 francs, was priced to sell for
110 francs a serving.  As for the haddock, the computer reported a
"sharp fall" of 5 francs a portion, to 57 francs.

Other dishes were doing better.  The screen showed that a "stampede" of
orders for lotte had pushed the price of that pleasant Mediterranean
fish up 4 francs to 62 francs a portion, making it an interesting
speculation.  If diners played the forward market, the price might be
substantially lower when the time came to pay; of course, it could still
rise another 2 francs before reaching the 6 francs ceiling.

Occasionally, a diner's greed is outweighed by the thought of what he would
have to eat to turn a profit.  An example: "Victorious advance of the
stuffed pigs' trotter," the computer flashed, marking it up 5 francs, to 43
francs.  Surely it could only fall.  But a lunch of pigs' feet?

In the end, the diners chose a conservative strategy, ordering the special
of the day, saddle of lamb, on the marché à terme.  The lamb was trading at
39 francs a portion; up a modest 2 francs for the day thus far.

The check arrived for the conservative diners: 228 francs for two, which is
pretty good by Paris standards since it included a bottle of Beaujolais, a
cheese-filled ravioli from the French Alps for a starter, homemade apple
tart, and coffee.  But the roast saddle of lamb stood at 38 francs, only a
meager 1 franc cheaper than when it was ordered.  Down the street, the
Bourse was having one of its best days ever.

      [Inside tip: Sell-SHORT-Ribs, Buy-LONGustine.  Bon appetit!  Pierre]

Re: Software Wears Out

Anonymous <[...]>
Mon, 13 Oct 86 08:15:06 [...]
       [I have been rejecting almost all messages on this subject, in that
       (1) the topic was not converging, and (2) the discussion might better
       belong in SOFT-ENG@MIT-XX.  But this somewhat historical note seems
       worth including — along with this note explaining that I have been
       throttling other contributions.  PGN]

I have to remain anonymous because my management lives in fear that someone
who works for them may post something dumb.  Herewith, I justify their most
morbid fears.

The comments on software "wearing out" vs. becoming obsolete seem to me to
be dancing around the issue.  L.A. Belady and M.M. Lehman addressed this
matter in a seminal paper: "Programming System Dynamics, or the Meta-dynamics 
of Systems in Maintenance and Growth" (IBM Research, RC 3546, Sept 17, 1971).

The authors maintain that systems do have a "lifetime," and so in that
sense, they may be supposed to wear out, although they do not use that term;
nor do they say that software becomes obsolete.  Instead, their measure is
entropy.  When the programming system's entropy is low, its ability to do
"work" on its environment is high, and vice-versa.

A system at release, or shortly thereafter, possesses low entropy.
Maintenance and enhancement over time increase the entropy until the
marginal cost of the next required set of fixes and/or enhancements
approaches, say, the amounts expended on the system up to that point.
Entropy is then high, and the system may be said to be "worn out."

This is at best a poor precis of a very elegant paper; the gentle reader is
referred to the original for a deeper insight into the reasons why software
wears out.

   [Among all the complaints that software is static and — in never changing 
    — should not be said to "wear out", we note that it is often NOT static,
    which is of course a large part of the problem.  On the other hand one 
    might say that the INTERFACE wears out rather than the software.  But
    let us not quibble on this one any more.  PGN]
