by DannyBee 3617 days ago
"The 1400 page travel regulations is a result of trying to prevent fraud - every single issue that comes up results in a new rule."

This seems like a serious inability to understand that no process designed to prevent future things you can't foresee is 100% effective (by definition). At some point, you have to declare "good enough", and live with it until the error rate becomes unacceptable overall again, then modify it.

I.e. it's likely 50 pages of those regulations gave them a 99.9%+ rate of avoiding fraud. They then added 1350 pages to get to probably 99.99%.

This is unlikely to be worth it.

(And yes, before someone points it out, I'm likely being generous with the numbers.)

7 comments

Some of it comes down to agencies needing to protect themselves from congressional witch-hunts. Consider a congressman or political party that has ideological objections to an agency even existing and wishes to neuter or eliminate it. A stellar way of achieving this is by making the target seem wasteful and fraudulent [1]. If there is actual fraud, no matter how small or how much of a corner case, this task becomes even easier.

1. A good example of this is how Republicans periodically attempt to defund science agencies by mocking research projects that sound frivolous.

A Democrat, the late Senator William Proxmire of Wisconsin, was well known for mocking frivolous-sounding research projects. From the Wikipedia article[0]:

"In 1987, Stewart Brand accused Proxmire of recklessly attacking legitimate research for the crass purpose of furthering his own political career, with gross indifference as to whether his assertions were true or false as well as the long-term effects on American science and technology policy."

[0] https://en.wikipedia.org/wiki/William_Proxmire#Golden_Fleece...

It's good to see examples from both sides. That being said, what the above mentions is Republican doctrine, as opposed to isolated cases of politicians (on either side) simply blindly furthering their political careers.

Unfortunately there are a lot of people who believe government shouldn't do anything unless it is fraud-proof. The narratives around welfare and food stamp abuse make headlines for exactly this reason :(.

I think their intentions are a little more nefarious. It's not that they want e.g. a fraud-free welfare system; they fundamentally disagree with the idea of welfare and so use fraud, whether it's a legitimate issue or not, as a basis for trying to stymie or dismantle the institution.

The problem is, once the government chooses to not close a known loophole, the number of people who exploit it may increase by orders of magnitude. Without a willingness to add the other 1350 pages, you may end up with something like 70% fraud prevention, not 99.9%.

What's needed is more refactoring. This would benefit from more capacity to try different sets of regulations in parallel.

This is a generally true statement about any process. The solution to that is to enforce well enough that people don't think that's a good idea. I also did say you do have to refactor over time as compliance rate decreases. Past that, I don't think we actually disagree :)

If you have a speed limit sign, and it says "speed limit, 50 mph, enforced by satellite observation", most people will probably ignore it. Those that don't and get caught, yeah, they go looking for excuses for why they ignored it to post-justify it. Changing the regulation wording will not change this. You can make the sign much larger and say "speed limit 50 mph, even if you are really late for an appointment, etc" but honestly, it still will not help that. People ignore it because the enforcement mechanism makes them feel like it won't happen to them (and because it's not socially abhorrent, etc), not because of ignorance of the law.

On the other hand, if you have a sign that says "speed limit 50mph, enforced by this guy, right here", and there is a smiling cop with a radar gun sitting next to the sign, enforcing it, most people will not ignore it. In fact, I'd bet you could write everything before "enforced by this guy" in small print people had to slow down to read, and most people would slow down and read it, because they believe the risk of enforcement is greater to them.

Will you get everyone to stop speeding there? Nope.

Even if you add spike strips, laser beams, whatever, someone is going to do it, and in fact, enforcing harder sometimes increases the rate (depending how low the rate is) based on the thrill some people get. 100% compliance is just pretty much impossible, no matter what words you use.

You cannot fix a loophole with better enforcement. By definition, the behaviors involved are allowed.

I'm not convinced about that.

Some organizations do startlingly well with good enforcement and a rule against circumventing the rules. Yes, that's subjective and messy, but it can actually work quite nicely.

Hell, it's basically what financial structuring laws are: a rule saying "no using loopholes if you find them". With that in place, it becomes surprisingly easy to address loopholes by punishing everyone who employs them.

A common approach is to set a fixed amount per day for expenses based on cost levels in the country in question, and be extremely strict with extras, coupled with approved supplier lists and price ranges for the actual travel.

It "rewards" those who are prudent with extra cash, and so it certainly won't be perfectly efficient, but in return it makes it harder for those who would otherwise try to abuse the system who often will go far overboard, because any extra expensive claims can be given a lot more attention (and often will require advance approval), and it drastically cuts down on paperwork.

Amazingly, the government does that already! http://www.gsa.gov/portal/content/104877

Still they create mountains of rules....

This is analogous to adding code to cover security issues. 99.9% isn't good enough when people are actively looking to exploit the 0.1%.

But unlike security issues a single failure doesn't compromise 100% of the rest of the system. This is also why analogies between software/security/cryptography/privacy and the tangible world are so awkward.

Fraud prevention actually is a security issue. Not an Internet security issue, so mistakes aren't punished that quickly, but the analogy is still sound.

Someone buying a new watch with their expense account doesn't suddenly give them access to the whole treasury -- that's the difference between physical and digital realms I am trying to emphasize.

Most security breaches don't allow the malicious user to root the entire server farm either.

I just spent a week fixing permission validation done in JS on the browser. Users could have potentially allowed themselves to see parts of documents outside their role. This didn't give them access to our payroll system, credit card processor, or the backend infrastructure.

This is a big part of the answer. Congressional hearings and reporting often act like "fraud is fraud", but allowing 1% fraud to save 20% overhead is entirely reasonable.

Improper resource usage is a better metaphor than security failures for this topic.

People are pretty sensitive about government financial workers committing fraud, similar to how they are rather sensitive to government police committing murder.

Sadly, in neither case will you ever have 100% compliance. Pretending it's achievable, and trying to achieve it, is, IMHO, silly.

Remember the regulations do not prevent fraud, enforcement prevents fraud. There already exist plenty of things saying it's not okay, etc. Saying "and also, don't do that" is probably not actually necessary most of the time, in the same way saying "don't shoot people" is sufficient. Saying "and also don't shoot them while they are handcuffed" isn't necessary. Crappy post-justification does mean the regulation was written wrong, and changing the regulation to account for the post-justification will not actually improve the process most of the time.

I don't think we can take this much further without knowing what's actually in the regulations, but I imagine they consist more of "officer's dash cam will be run 24/7 and backed up in triplicate", "officer will learn proper gun handling techniques X, Y, & Z", etc rather than "don't shoot people", "don't shoot handcuffed people", "don't shoot clowns", "don't shoot children".

Or, in the fraud case, "books will be audited at frequency X", "Y behavior makes it too easy to hide fraud and is not allowed". Rather than "fraud is illegal on Monday", "fraud is also illegal on Tuesday", "fraud is even illegal on holidays"...

Of course we can never achieve 100% with more regulation, but we make it more of a priority to make abuse harder to get away with than elsewhere, presumably increasing overhead in exchange for lowering abuse (yes, this is probably not a strictly linear curve).

In the travel regulations case, we can see, and horrifyingly it's more of a "fraud is illegal on Monday" situation: https://www.defensetravel.dod.mil/Docs/perdiem/JTR.pdf

There are some sensible regulations there, like having someone approve travel requests, but there are also a lot of very narrow restrictions obviously added by someone who wanted to prevent Fraud X, but lacked the authority to change what was already written. The result is that you get more overhead with depressingly little payoff.

In principle you're right about the trade-off, but that's only the case when rule-writers have the authority to sensibly restructure what already exists.

This is a good summary. At a certain point, you honestly can just have a rule against stupid or malicious behavior. The trick is to enforce it carefully and sensibly, rather than to pursue comprehensive objective rules.

Anyone who's played rules-lawyering games like Nomic will be aware that banning all misbehavior explicitly is impossible. You're basically limited to whitelisting approved behaviors, or implementing a general rule against malfeasance. Unless the consequences of misbehavior are enormous, the second option tends to be more efficient.

I don't think that necessarily has to be the case. The public conversation could conceivably shift to a cost/benefit analysis of varying levels of enforcement vs. fraud, if only the media would cooperate.

This is definitely the case, because we already see different analyses for different topics.

When it comes to NSF, people worry about overhead and waste. When it's welfare or food stamps, people worry about fraud instead. Some of this is moral - people care about the 'undeserving poor' more than 'undeserving scientists' - because we tend to hate abuse of charity. But it clearly shows that there are different categories of concern, and that the public is capable of examining both topics.

This is exactly the problem. When you have a system that completely ignores inefficiency/overhead but goes berserk over fraud, you get totally absurd incentives. Those 1350 pages probably kept some managers from getting fired, but realistically have been a serious waste of time and money.

At a certain point, you either accept a low level of fraud or just make a rule saying "don't do bad, wasteful stuff." Then you fire anyone who breaks that rule and let things work themselves out. (This has other problems, but they can be addressed.)

Most of bureaucratic stupidity is ultimately moral hazard. Someone pays for one failure case but not another, so they spend absurd amounts minimizing what they're responsible for.