Thursday, June 09, 2011

Imprecise Statute versus imprecise Regulations

Justice Scalia on a key difference between Statute and Regulation in American law: "When Congress enacts an imprecise statute that it commits to the implementation of an executive agency, it has no control over that implementation (except, of course, through further, more precise, legislation). The legislative and executive functions are not combined. But when an agency promulgates an imprecise rule, it leaves to itself the implementation of that rule, and thus the initial determination of the rule’s meaning. And though the adoption of a rule is an exercise of the executive rather than the legislative power, a properly adopted rule has fully the effect of law. It seems contrary to fundamental principles of separation of powers to permit the person who promulgates a law to interpret it as well."

In software terms, I think of it this way: if you write an API, make sure somebody else implements it as well as you. Your API will be that much better for it. True meaning is the result of independent interpretation.

Monday, June 06, 2011

Digital Signing and Action at a Distance

Love the story today about President Obama and the auto-pen. Gotta love the pic of Thomas Jefferson’s Polygraph on that page too.

Both Jefferson's gadget and the auto-pen raise the question of cause and effect in the legal concept of signing/notarizing/witnessing.

In the old days a single cause (person with pen) created a single effect (signed vellum sheet). As soon as something - anything - intermediates between the cause and the effect, things get a lot more complex.

In IT, a so-called "digital signature" has little in common with its physical world analogs. For example, a single cause may generate multiple effects (one signed doc gets replicated a million times - each "copy" indistinguishable from the "original"). Moreover, the "cause" is always a computer program - not a person.

If I write the software that has the button that you press to "sign", who/what does the signing: my software or you? If I change my software so that it just signs whatever needs to be signed, every day at 12:00 o'clock, who/what is doing the signing now? Given that "signed" documents produced from the latter process are completely indistinguishable from the former, how can the courts deal with the fact that my software may have gone haywire and signed a bunch of things on your behalf that never should have been signed?
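The two triggers described above, as an added example that is not code from the original post: the same key signs the same bytes once from a button press and once from a noon job, and nothing in the result says which it was. The toy textbook-RSA key, the sample document and the names `button_pressed` and `noon_job` are assumptions made for illustration.

```python
import hashlib

# Toy RSA key constructed for this example only (two Mersenne primes).
# Far too small and unpadded for real use; it keeps the block stdlib-only.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent


def digest(doc):
    """Hash the document and reduce it into the toy modulus."""
    return int.from_bytes(hashlib.sha256(doc).digest(), "big") % N


def sign(doc):
    """All the key ever sees: bytes in, signature out. No person, no intent."""
    return pow(digest(doc), D, N)


def verify(doc, sig):
    return pow(sig, E, N) == digest(doc)


def button_pressed(doc):
    """Hypothetical UI path: a person clicked "sign" on this document."""
    return sign(doc)


def noon_job(queue):
    """Hypothetical scheduler path: sign whatever is queued, nobody looking."""
    return [sign(doc) for doc in queue]


def demo():
    doc = b"I agree to the terms."  # constructed sample document
    by_person = button_pressed(doc)
    by_timer = noon_job([doc])[0]
    copy = bytes(doc)  # a "copy" of the signed bytes
    return {
        "same_signature": by_person == by_timer,
        "both_verify": verify(doc, by_person) and verify(doc, by_timer),
        "copy_verifies": verify(copy, by_person),
        "altered_verifies": verify(doc + b" Not.", by_person),
    }


if __name__ == "__main__":
    print(demo())
```

Verification proves only that the key was applied to these exact bytes; any record of who or what triggered the signing has to live outside the signature.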

In the world of bits, the blunt truth of the matter is that an "original" bit-stream of any object is a tough, tough thing to pin down. The closest analog that I know of is tamper-evident, content-addressable storage like EMC Centera (that is what we use in the KEEP system here in Kansas).