Separating Hyperplanes
Thomas Sowell strongly implies that there's "mountains of evidence" that a 40 percent income tax rate is on the right tail of the Laffer curve, so that raising the tax to that level would actually result in less revenue.
"This ignores mountains of evidence, going back for generations, showing that raising tax rates does not automatically mean raising tax revenues — and has often actually led to falling tax revenues. A fantasy expressed in numbers is still a fantasy."
He softens the remark in the usual weasel words ("does not automatically mean") but gives away the game by asserting flat out that raising revenues by raising the tax to 40 percent is "still a fantasy." Sowell claims that the Laffer curve peaks at less than 40 percent. And he's wrong.

I think the idea of 40 percent taxes makes a lot of people nervous because they implicitly think that there's some dangerous threshold at 50 percent, as if that's the threshold at which people will drop out of the labor force. But the reality is that nothing special happens if you tax more than 50 percent. First, it's important to remember that that's a 50 percent marginal rate--most people in this bracket won't pay anywhere near 50 percent of their income because most of their income is in a lower tax bracket. And as for the incentive effects, the poor are actually likely to work more if you tax them at a higher rate because they simply need the money--the wealth effect simply dominates. Now think about the rich. The top income bracket threshold corresponds to roughly $1,000 an hour. Take half of that and they'd still get $500 for an extra hour's worth of work per week--that incentive is still huge. For the rich, the substitution effect does dominate, just as the Laffer curve predicts, but at 50 percent that substitution effect is still pretty strongly weighted towards labor.

That's why, if you actually examine the "mountains of evidence" Sowell refers to, you'll find that economists generally estimate that the peak is somewhere in the 70 percent to 80 percent range. It's hard to know for sure, because it has been a very long time since we had tax rates anywhere near that high, and there are a lot of other taxes and wedges that affect it. But that remains the best estimate we have.

Nevertheless, out of curiosity, let's do the math. Let [$]L[$] be the number of hours per week that you work, which is a decreasing function of the tax rate [$]\tau[$]. You work for an hourly wage [$]w[$] so that [$]wL[$] is your weekly pay. Thus the taxes [$]y[$] you pay is given by [$$]y=\tau wL.[$$] In order for it to be the case that raising taxes reduces the total taxes you pay (and therefore government revenue), the derivative with respect to the tax rate, [$]\frac{\partial y}{\partial \tau}[$] must be negative:[$$]0\gt \frac{\partial y}{\partial \tau} = wL+\tau w \frac{\partial L}{\partial \tau}[$$] which implies that we must have [$$]\frac{\partial L}{\partial \tau}\lt -\frac{L}{\tau}.[$$]

Let's plug in some numbers, shall we? With a 40 hour work week and a 40 percent tax rate, that means for Sowell's claim to apply to our example, [$$]\frac{\partial L}{\partial \tau}\lt -\frac{40}{0.4}=-100[$$] That in turn means that a 1 percentage point increase in tax must cause you to reduce your weekly hours by at least 1 hour per week. At the median wage of $22 an hour, that's a tax hike of $8.80 per week causing you to reduce your weekly income by $22 per week in exchange for an extra hour of leisure a week.

Whether that sounds reasonable to you is opinion, I suppose. But the data does not find many people making that choice.
Sidenote: there are also state and local taxes to consider, as well as other types of taxes. In addition to income tax, sales taxes also have a labor disincentive effect, albeit of different magnitude, so we need to consider those. All told though, the rest of these taxes add up to about 15 percent for a typical city in a typical state, and these tend to be regressive rather than progressive. 55 percent is still way below the peak of the Laffer curve.

It's also worth noting that revenue is not necessarily the only way taxes redistribute.
10/22/2015 01:35:00 PM
Jim Tankersley has some numbers from online prediction markets on the 2016 presidential election, suggesting that Hillary Clinton has roughly 50-50 odds of winning the presidency.

Do the prediction market numbers make sense? A little probability analysis:
Let [$]A[$] denote the event where Clinton wins the nomination, and [$]B[$] denote that a democratic nominee wins the presidency. Tankersley then provides the following probabilities from the prediction markets:
\begin{align} p \left( A \right) &=0.77 \\ p \left( B \right) &=0.55 \\ p \left( A \cap B \right) &=0.47 \end{align} Thus prediction markets think that if Clinton is nominated, there's a [$$]p \left( B \vert A \right)=\frac{p \left( A \cap B \right)}{p \left( A \right)}=\frac{0.47}{0.77}=0.61[$$] chance of her beating the GOP candidate.

Note that [$$]p \left( A \right) p \left( B \right)=0.42 \lt p \left( A \cap B \right) =0.47 [$$] so market participants do think that who gets nominated matters for which party wins the White House, and they think Clinton has a better shot than all the other democrats combined. By what margin though?

It helps me to write it out. So let [$]\bar{A}[$] be the complement of [$]A[$], that is, the event that someone other than Clinton wins the nomination. The two are mutually exclusive complements so [$$]p \left( \left( A \cap B \right) \cup \left(\bar{A} \cap B \right)\right)=p\left( A \cap B \right) + p \left(\bar{A} \cap B \right)=p \left( B \right)=0.55[$$] which tells us that the entire row of Ptolemies¹ together have a probability of just [$]p \left(\bar{A} \cap B \right)=0.08[$] of winning the presidency, despite the 0.23 probability that one of them will be nominated. So based on prediction market figures, if the democrats nominate a Ptolemy, he'll have a [$$]p \left( B \vert \bar{A} \right)=\frac{p \left( \bar{A} \cap B \right)}{p \left( \bar{A} \right)}=\frac{0.08}{0.23}=0.35[$$] chance of winning the presidency.

So Clinton, according to the people who bet on this stuff, is not-quite twice as likely to win the general election if nominated.
1. Based on the democratic debate, I've started referring to all of the non-Clinton candidates collectively as the Ptolemies. This explains the reference.
10/20/2015 12:17:00 PM
One of the most important and least talked about web security issues is cross-site request forgery (CSRF). For some reason, it seems like web security experts and commentators spend a lot more time talking about things like cross-site scripting (XSS), which are actually a lot harder to pull off than CSRF. So here's my attempt to understand CSRF.

Like a lot of web security issues, the story begins with the same-origin policy. All browsers enforce a policy whereby they will block http requests from a site with one domain name to a site with a different domain name, unless the response from that outside domain says to honor the request. An important caveat, though, is that the browser only blocks the origin site from reading the response from the second domain if the second site does not allow cross-domain requests. Since the browser cannot know ahead of time what the second domain's cross-domain policy will be, it can't block the first site from making the request.

So consider the following scenario: you sign into facebook, the site places an authentication cookie in your browser which your browser then sends with all requests to facebook.com to verify to facebook.com that you are in fact you, and that you have authorization to view and control the account. Browsers automatically send all cookies that belong to the domain that an http request is going to. This means that when an interesting-looking news article comes up in your facebook feed and you open it up in another tab, the javascript in that site can actually make an http request to facebook.com, and your browser will actually send your real, valid authentication cookie along with this forged request! Facebook.com, unable to tell what domain the request was made from, will actually reply with the real corresponding information from your facebook profile. Fortunately though, the browser will read the reply and see that facebook is not authorizing this third party domain to read it, and will block the other site from reading any of your private facebook information.

Unfortunately, that same-origin policy comes too late in the process for other types of requests. Suppose that third-party website you clicked on instead sends a POST request containing a new facebook status update. Facebook.com would receive that request, see that it has a valid authentication cookie, think you made it from their website, and post the status under your name. That's very bad. It's easy to see how this can be an immensely profitable vulnerability when it comes to, for example, POSTing shopping orders on amazon.com or editing administrative records in a corporate web system.

How do we block this type of attack? The puzzle is we need a way to verify that the request was made from a web page under our control. Here's a way to do that: require that the request content contain a randomized key that matches a key in the request cookies. As mentioned earlier, browsers send cookies along with each request based on the domain the request is going to. So facebook.com can set such a key in the user's cookie collection for facebook.com, and its pages can then send this key back in the request body whenever they make a POST request. The third-party website, however, is unable to read the key from the cookie collection for facebook.com, because the browser blocks it from reading such cross-domain responses. But the browser does send this key back as part of the cookie collection for any requests to facebook.com. Thus by checking to see that the request body has a key that matches the one sent in the cookie collection, we can confirm that--provided the browser properly implements the same-origin policy--the request came from the same domain. In asp.net, these keys are known as anti-forgery tokens. They are part of the asp.net MVC assembly. Click here for more on how to use anti-forgery tokens to prevent CSRF.

To sum up, you should be using anti-forgery tokens for every POST, PUT, and DELETE http request. Even for things like logins, since a CSRF could potentially log users into the wrong account--a variant of phishing that could lead a user to accidentally expose sensitive information to a different user. Every time, for everything other than GET. And you should make sure your GETs are true GETs--they should have zero effect at all on the state of your data on the server.
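To make the cookie-versus-body check concrete, here is an added example (not code from the original post, and not the asp.net implementation it mentions) that models the server side of the scenario above in plain Python. The `Request` class, the session store, the `/status` path and the cookie names are constructed for the demonstration. It puts a handler that trusts the session cookie alone next to one that additionally requires the anti-forgery token in the request body to match the one in the cookie jar, and exempts only safe methods, as the post recommends.

```python
import hmac
import secrets
from dataclasses import dataclass, field


# Constructed model of what the server sees for one HTTP request. The browser
# attaches every cookie scoped to the target domain no matter which page
# initiated the request; that is the property CSRF abuses.
@dataclass
class Request:
    method: str
    path: str
    cookies: dict = field(default_factory=dict)  # sent by the browser
    form: dict = field(default_factory=dict)     # body written by the page


SESSIONS = {"sess-abc123": "alice"}              # constructed session store
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}        # must have no side effects


def issue_anti_forgery_token() -> str:
    """Random, unguessable token the server sets as a cookie for its own domain."""
    return secrets.token_urlsafe(32)


def current_user(req: Request):
    return SESSIONS.get(req.cookies.get("session"))


def post_status(user: str, text: str) -> dict:
    """The state-changing action both handlers guard."""
    return {"status": 200, "posted_by": user, "text": text}


def handle_vulnerable(req: Request) -> dict:
    """Accepts any state-changing request that carries a valid session cookie."""
    user = current_user(req)
    if user is None:
        return {"status": 401}
    if req.method == "POST" and req.path == "/status":
        return post_status(user, req.form.get("text", ""))
    return {"status": 404}


def csrf_token_valid(req: Request) -> bool:
    """Double-submit check: the token in the body must equal the token in the cookie.

    A page on another origin cannot read our cookies, so it cannot copy the value
    into the body; the browser only ever sends it back as a cookie."""
    cookie_token = req.cookies.get("anti_forgery")
    form_token = req.form.get("anti_forgery")
    if not cookie_token or not form_token:
        return False
    # Constant-time comparison so the check itself leaks nothing about the token.
    return hmac.compare_digest(cookie_token, form_token)


def handle_protected(req: Request) -> dict:
    """Same as handle_vulnerable, but every non-safe method needs a matching token."""
    user = current_user(req)
    if user is None:
        return {"status": 401}
    if req.method not in SAFE_METHODS and not csrf_token_valid(req):
        return {"status": 403, "error": "anti-forgery token mismatch"}
    if req.method == "POST" and req.path == "/status":
        return post_status(user, req.form.get("text", ""))
    return {"status": 404}


def demo() -> dict:
    token = issue_anti_forgery_token()
    # What the user's browser holds for our domain after login.
    browser_cookies = {"session": "sess-abc123", "anti_forgery": token}
    # Genuine request: our own page read the token and echoed it in the form.
    genuine = Request("POST", "/status", dict(browser_cookies),
                      {"text": "hello", "anti_forgery": token})
    # Forged request: a third-party page triggered the POST. The browser still
    # attached our cookies, but that page could not read the token, so the body
    # either lacks it or carries a guess.
    forged = Request("POST", "/status", dict(browser_cookies), {"text": "not alice"})
    guessed = Request("POST", "/status", dict(browser_cookies),
                      {"text": "not alice", "anti_forgery": secrets.token_urlsafe(32)})
    return {
        "vulnerable_genuine": handle_vulnerable(genuine)["status"],
        "vulnerable_forged": handle_vulnerable(forged)["status"],
        "protected_genuine": handle_protected(genuine)["status"],
        "protected_forged": handle_protected(forged)["status"],
        "protected_guessed": handle_protected(guessed)["status"],
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the vulnerable handler posting the forged status just as readily as the genuine one (both 200), while the protected handler accepts only the request whose body token matches the cookie and answers 403 to the forged and guessed ones. Two points worth keeping in mind when doing this for real: the token cookie must be set by your own domain and the check must cover PUT and DELETE as well as POST, and the whole scheme rests on GET handlers being side-effect free, since safe methods are exempt from the check.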
10/17/2015 05:26:00 PM
A common trope in politics is the "broken promises" theme. Everyone thinks that politicians breaking promises are a ubiquitous feature of the political landscape. It's the theme of CNN's "keeping them honest" segment. Politifact devoted an entire -ometer to just Obama's promises. Underlying the trope is a basic, assumed narrative: a politician, angling to win cheap votes, promises stuff he doesn't have any intention of delivering, and then once in office turns his back on the voters and ignores those commitments.

The thing is, politicians actually don't do this.

Ok, sure, politicians say stuff like "As president, I will ___" and then, as president, that thing never actually happens. But then, that's just democracy--no individual is capable of delivering all, or even most, of what they want to do because others want to do different things. When a politician says "As president, I will ___" they don't mean they will seize the military and compel the nation at gunpoint to accept that thing. They mean that they will try to do that thing within the political constraints of the democratic system.

Take Obama's promise to close Guantanamo. You can't claim he didn't actually support this policy or try to implement it. He drastically reduced the number of prisoners there, and did in fact implement a plan to move the remaining prisoners to the mainland US, and then close the base. But then in the face of strong political opposition Congress passed a law explicitly prohibiting him from carrying out the rest of that plan. In fact, rumor is that Obama is still working on an alternative solution to close Guantanamo in the face of this altered circumstance. This isn't what it looks like when someone breaks a promise; it's what it looks like when a politician goes about implementing the policies he advertised in his campaign.

You can also come up with lots of examples from President Bush. He "promised" to privatize social security but failed to marshal that policy into effect due to the fact it was massively unpopular. But to say that he broke his promise to privatize social security is simply incorrect: it was a policy he earnestly supported and tried to enact.

My point here is that the central plank of the "broken promises" trope--that politicians cynically make promises they don't intend to honor just to win cheap votes--is not a very accurate description of US politics. For the most part, politicians earnestly believe what they're saying. For the most part, politicians actually do try to honor their promises. It is also true that in the US the vast majority of all policy efforts end in defeat. Our system has a lot of veto-points where policy ideas go to die: sub-committees, committees, the house, 100 filibustering Senators, the president's pen, the Supreme Court. Blaming a politician for breaking promises that he earnestly tried to keep only magnifies the power of those who actually killed the promise by penalizing those who propose ideas.

By ensnaring politicians who propose new ideas, the "broken promises" trope causes the very thing it chastises.
10/16/2015 12:00:00 PM