Book Review: Pleading Out

I was only a few pages in when Pleading Out: How Plea Bargaining Creates a Permanent Criminal Class made me angry. It wasn’t because of how Dan Canon wrote. It was because of what he wrote. In Bordenkircher v. Hayes, the Supreme Court held that prosecutors could, in effect, punish a defendant for asserting their right to a trial. Potter Stewart wrote that this was part of “any legitimate system which tolerates and encourages the negotiation of pleas.”

While legal systems in the United States do tolerate and encourage plea deals, a reasonable person can question the legitimacy of the system. That Paul Hayes received a life sentence for forging an $88.30 check calls the legitimacy of the system into question.

Canon spends the rest of the book making the case that the plea bargain system as practiced in the United States is not legitimate. It does not serve the interests of justice, but of power. “The American legal system,” he writes, “was designed by people in power as a tool to keep them in power whatever the cost.”

American exceptionalism

Plea bargains are rare in other countries. In the United States, 97% of convictions come from guilty pleas. Most of those are bargained. Why is that? Prior to the 1830s, plea bargains were rare in America. Attitudes started shifting when labor solidarity developed in the early industrial factories. Plea bargaining hid prosecution from the public eye, preventing scrutiny and revolt.

The expansion of federal crimes after Prohibition led to a need to process cases more efficiently. “What we have inherited is an amoral system of criminal proceedings; it cannot be called criminal justice. Expediency, not fairness, is the principal concern.”

It’s no coincidence that the United States has the highest incarceration rate and also the highest plea bargain rate. As Michelle Alexander explores in greater depth in The New Jim Crow, the legal system creates a permanent criminal underclass that has long-lasting effects.

Liberty and justice for some

The high volume of cases means that lawyers can’t keep up. Prosecutors can’t screen cases to drop the obviously bad ones. Worse, defense attorneys can’t mount vigorous defenses. Canon notes that in 15% of exonerations, the defendant gave a false confession. Thousands of innocent people are sitting in jail today because the police or prosecutors railroaded them into confessing to a crime they didn’t commit.

Because plea bargains are secretive, there’s no accountability. Wealthy defendants can work themselves into a sweet deal. Poor and middle-class defendants have to take what the prosecution offers. If they dare insist on a trial, they face persecution, not prosecution. Ask Paul Hayes. This does not benefit society.

So what do we do?

It doesn’t have to be this way. Canon writes about the decade when Alaska eliminated plea bargaining. The system adjusted. Prosecutors dropped cases they couldn’t—or shouldn’t—prove. Police got more careful with their investigations, knowing they’d actually be accountable. It wasn’t perfect, but it was an improvement.

Our current system doesn’t have to be our system forever. But it won’t change on its own. The first step is an informed populace. That’s why I’d recommend Pleading Out to anyone who cares about justice.

Open source is still not a business model

If you thought 2021 was going to be the year without big drama in the world of open source licensing, you didn’t have to wait long to be disappointed. Two stories have already sprung up in the first few weeks of the year. They’re independent, but related. Both of them remind us that open source is a development model, not a business model.

Elasticsearch and Kibana

A few years ago, it seemed like I couldn’t go to any sysadmin/DevOps conference or meetup without hearing about the “ELK stack”. ELK stands for the three pieces of software involved: Elasticsearch, Logstash, and Kibana. Because it provided powerful aggregation, search, and visualization of arbitrary log files, it became very popular. This also meant that Amazon Web Services (AWS) saw value in providing an Elasticsearch service.

As companies moved more workloads to AWS it made sense to pay AWS for Amazon Elasticsearch Service instead of paying Elastic. This represented what you might call a revenue problem for Elastic. So they decided to follow MongoDB’s lead and change their license to the Server Side Public License (SSPL).

The SSPL is essentially a “you can’t use it, AWS” license. This makes it decidedly not open source. Insultingly, Elastic’s announcement and follow-up messaging include phrases like “doubling down on open”, implying that the SSPL is an open source license. It is not. It is a source-available license. And, as open source business expert VM Brasseur writes, it creates business risk for companies that use Elasticsearch and Kibana.

Elastic is, of course, free to use whatever license it wants for the software it develops. And it’s free to want to make money. But it’s not reasonable to get mad at companies using the software under the license you chose to use for it. Picking a license is a business decision.

Shortly before I sat down to write this post, I saw that Amazon has forked Elasticsearch and Kibana. They will take the last-released versions and continue to develop them as open source projects under the Apache License v2. This is entirely permissible and to be expected when a project makes a significant licensing change. So now Elastic is in danger of a sizable portion of the community moving to the fork and away from their projects. If that pans out, it may end up being more harmful than Amazon Elasticsearch Service ever was.

Nmap Public Source License

The second story actually started in the fall of 2020, but didn’t seem to get much notice until after the new year. The developers of nmap, the widely-used security scanner, began using a new license. Prior to the release of version 7.90, nmap was under a modified version of the GNU General Public License version 2 (GPLv2). This license had some additional “gloss”, but was generally accepted by Linux distributions to be a valid free/open source software license.

With version 7.90, nmap is now under the Nmap Public Source License (NPSL). Version 0.92 of this license contained some phrasing that seemed objectionable. The Gentoo licenses team brought their concerns to the developers in a GitHub issue. Some of their concerns seemed like non-issues to me (and to the lawyers at work I consulted with on this), but one part in particular stood out.

Proprietary software companies wishing to use or incorporate Covered Software within their programs must contact Licensor to purchase a separate license

It seemed clear that the intent was to restrict proprietary software, not otherwise-compliant projects from companies that produce proprietary software. Nonetheless, as it was written, it constituted a violation of the Open Source Definition, and we rejected it for use in Fedora.

To their credit, the developers took the feedback well and quickly released an updated version of the license. They even retroactively licensed affected releases under the updated license. Unfortunately, version 0.93 still contains some problems. In particular, the annotations still express field of endeavor restrictions.

While the license text is the most important part, the annotations still matter. They indicate the intent of the license and guide the interpretation by lawyers and judges. So newer versions of nmap remain unsuitable for some distributions.

Licenses are not for you to be clever

Like with Elastic, I’m sympathetic to the nmap developers’ position. If someone is going to use their project to make money, they’d like to get paid, too. That’s an entirely reasonable position to take. But the way they went about it isn’t right. As noted in the GitHub issue, they’re not copyright attorneys. If they were, the license would be much better.

It seems like the developers are fine with people free-riding profit off of nmap so long as the software used to generate the profit is also open source. In that case, why not just use a professionally-drafted and vetted license like the AGPL? The NPSL is already using the GPLv2 and adding more stuff on top of it, and it’s the more stuff on top of it that’s causing problems.

Trying to write your business model into a software license that purports to be open source is a losing proposition.

Book review: Habeas Data

What does modern technology say about you? What can the police or other government agencies learn? What checks on their power exist? These questions are the subject of a new book from technology reporter Cyrus Farivar.

Habeas Data explores the jurisprudence that has come to define modern privacy law, with interviews with lawyers, police officers, professors, and others who have shaped the precedent. What makes this such an interesting subject is the very nature of American privacy law. Almost nothing is explicitly defined by legislation. Instead, legal notions of privacy come from how courts interpret the Fourth Amendment to the United States Constitution. This gives government officials the incentive to push as far as they can in the hopes that no court cases arise to challenge their methods.

For the first two centuries or so, this served the republic fairly well. Search and seizure were constrained to the physical realm. Technological advances did little to improve the efficiency of law enforcement. This started to change with the advent of the telegraph and then the telephone, but it’s the rapid advances in computing and mobility that have rendered this unworkable.

As slow as legislatures can be to react to technological advances, courts are even slower. And while higher court rulings have generally been more favorable to a privacy-oriented view, not everyone agrees. The broad question that courts must grapple with is which matters more: the practical effects of the technology changes or the philosophical underpinnings?

To his credit, Farivar does not claim to have an answer. Ultimately, it’s a matter of what society determines is the appropriate balance between individual rights and the needs of the society at large. Farivar has his opinions, to be sure, but Habeas Data does not read like an advocacy piece. It is written by a seasoned reporter looking to inform the populace. Only by understanding the issues can the citizenry make an informed decision.

With that in mind, Habeas Data is an excellent book. Someone looking for fiery advocacy will likely be disappointed, but for anyone looking to understand the issue, it’s a great fit. Technology law and ethics courses would be well-advised to use this book as part of the curriculum. It is deep and well-researched while still remaining readable.

It has its faults, too. The flow of chapters seems a little haphazard at times. On the other hand, they can largely be treated as standalone studies on particular issues. And the book needed one more copy editing pass. I saw a few typographic errors, which is bound to happen in any first-run book, but was jarred by a phrase that appeared to have been accidentally copy/pasted in the middle of a word.

None of this should be used as a reason to pass on this book. I strongly recommend Habeas Data to anyone interested in the law and policy of technology, and even more strongly to those who aren’t interested. The shape that privacy law takes in the next few years will have impacts for decades to come.

left-pad exposed the real problems

During halftime of Super Bowl 49, “Left Shark” became an instant pop culture phenomenon. Last week, an 11-line software package called “left-pad” became an instant tech culture phenomenon.

If you’re not familiar with what happened, here is a basic summary as I understand it: the social network/chat company Kik approached a developer and threatened him with lawyering if he didn’t remove or rename his “kik” NPM package (the package was in no way related to Kik the company). When the developer refused, Kik went to NPM, who acquiesced and reassigned ownership. As a result, the developer pulled all of his packages, including left-pad, from NPM.

Normally, this wouldn’t get much attention. However, the Node.js ecosystem apparently favors many small packages, such that you end up with single-function packages like left-pad. Many NPM packages either depend on left-pad or depend on packages that in turn depend on left-pad. This led to, as some people hyperbolically said, the Internet breaking.

Much of the discussion has focused on the technical matters. The NPM ecosystem is the subject of a great deal of ridicule. The opinion isn’t unanimous, but ridicule is the prevailing sentiment. And rightfully so, but not for the reason being discussed.

The real problem with NPM isn’t the numerous tiny packages. The problem is with how the ecosystem is apparently managed. Breaking dependencies by “unpublishing” packages is not something a mature ecosystem allows. Removing a package without consent because another developer wants to use the name is a terrible way to build and maintain a community.

The other bad part is how Kik’s lawyers were able to make all of this happen. Trademarks are not universal. Just because Kik has trademarked the term in the context of a messaging platform, that doesn’t mean the term can’t be used in another context. Maybe in this specific case, there’s infringement here. I’m not a lawyer or a judge. But the way it was handled was not at all suitable. As Ben Thompson said, “lawyers overreaching on trademark were the Mentos to an open source absolutist’s cola.”

It’s a bit unfair to pin this on “an open source absolutist”. Azer Koçulu may or may not be an open source absolutist; that’s irrelevant. Lawyers tossing threat grenades and ecosystem managers not protecting the ecosystem are more important than the number of packages or having trivially-small packages.

American Broadcasting Companies v. Aereo

The Internet is abuzz with discussion in the wake of today’s ruling in American Broadcasting Companies v. Aereo, but I can’t let it go by without offering my own opinion. As a “cord cutter” who lives an hour away from most of the over-the-air broadcasters, I have a personal interest in an Aereo-like service. I’d much rather pay $8/month to receive local television broadcasts over the Internet than to pay to install and maintain an aerial antenna. So it was with much dismay (but little surprise) that I read that the Supreme Court ruled 6-3 against Aereo.

I won’t presume to say that I know the law better than six justices of the nation’s highest court. Indeed, I’m not convinced that the ruling is incorrect from a legal standpoint. It’s certainly true, as the majority held, that Congress acted in 1976 to prevent the retransmission of broadcasts by community antenna TV (CATV) systems. Aereo, according to the majority, is similar to the old CATV systems. The fact that the underlying technology is substantially different from CATV (particularly in that there’s a 1:1 correspondence between receiver and customer as opposed to the one-to-many of CATV) is irrelevant; only the customer-facing experience matters.

As Justice Scalia noted in his dissent, that’s a lousy argument. I’ll grant that Aereo was slavishly devoted to the strict letter of the law (a less generous description is “exploiting the hell out of loopholes”), but the technical implementation matters. Aereo subscribers have their own antenna (ephemerally-assigned, as I understand it) and their recordings are stored in their own account. It’s not much of a leap (except in the cost) to provide an antenna and run a coaxial cable directly from the antenna to the customer’s television. At that point, it would be very difficult to argue that the service provider is “performing”, even by the ludicrously broad definition in the 1976 update to the Copyright Act.

Even if the Court’s ruling today is technically correct for this specific case, I worry about the impact it will have on technological advances in general. While the majority took care to say that “those who act as owners or possessors of the relevant product”, you have to imagine that some enterprising entertainment lawyer is looking to step up the attack on services like Slingbox. Just as rulings against Napster, Grokster, and others have failed to end file sharing, consumers will still be able to find content they want online. It’s just a matter of whether or not the creators and distributors get paid for it. The content industry has shown itself to be remarkably out of tune with the consumer, and the Aereo ruling only delays the inevitable.

Of course, Aereo isn’t exactly being forced to shutter. They can stay in business by paying retransmission fees to the broadcasters (assuming such an option is economically viable for them). This is probably the outcome that would make the broadcasters happiest. The real money these days is in retransmission fees, not advertising, so broadening the viewer base without broadening the pool of people paying for content they’re entitled to (by virtue of living within the broadcast range of the station) isn’t nearly as lucrative. Alternately, if Aereo provided a specific antenna to each user (such that the user owned the antenna and Aereo just housed it), that might be sufficient to meet the conditions established in today’s ruling.

It’s unlikely that Aereo will do anything but shut down. Aereo’s CEO has said “there is no plan B”. While the Court’s ruling today may have been correct, it is wrong.

Liable for sending texts to drivers?

On episode 225 of This Week in Law, the panel discussed a recent appeals court ruling in New Jersey. According to a summary by Jeremy Byellin, the court left open the possibility that someone sending a text message to a driver might be held liable for civil damages if the driver is distracted and gets into an accident. I haven’t been able to find the actual text of the decision, so all I have to go on is Byellin’s summary. Given that disclaimer, this seems like a questionable thing to put into a ruling. To be clear, the defendant in this case was not held liable. The court appears to be saying “but if you know someone is driving and will immediately look at your text, you may be partially liable for any damages they cause.”

From a theoretical perspective, it makes sense. If you know you’ll be distracting someone operating a four-wheeled killing machine, there’s a compelling interest to disincentivize such behavior. In the real world, this is tough to prove. The easiest defense is ignorance, since the court required active knowledge to hold a person liable. Unless the driver explicitly said “I’m driving and immediately viewing all messages I receive,” there’s little to prove that the sender had sufficient knowledge to be liable.

Even if the driver did send such a message, it might never see a court room. Because the parties to the conversation would likely delete incriminating messages and most carriers limit the amount of time they store messages, Byellin says “only a very narrow percentage of cases will the content actually be discoverable.”

TWiL panelist Gordon Firemark brought up an interesting point as well. Is the government responsible for distracting drivers with Wireless Emergency Alert (WEA) messages? From the New Jersey ruling, the government would not be liable because it could not know if a particular recipient is driving. Still, it’s easy to see how this opens the door for additional litigation. Even if every defendant wins, there’s a real cost to having to defend against a suit.

The slippery slope that I find particularly interesting is the non-SMS case. Indiana’s texting-and-driving law was wisely written to cover more than just SMS messages. However, a pedantic reading could apply it to any method of data transfer. GPS-enabled applications, such as Google Maps or Waze, can reasonably determine if a phone is mobile or not. By design, they distract drivers from the road. Could Google be sued for not disabling Maps while the car is in motion?

Probably not. Really, this is all just an academic exercise. To my knowledge, no one has ever been held liable for texting a driver, in part because it’s so monumentally difficult to prove the plaintiff’s case. But the fact that a court would basically invite unwinnable suits strikes me as little more than a stimulus program for the Bar Association.

Student speech rights

To continue the legal theme from a few days ago (with the addition of some “old news is so exciting!”), a high school in Kansas suspended the senior class president for comments he made on Twitter. What did he say? “‘Heights U’ is equivalent to WSU’s football team”. WSU’s football team doesn’t exist. That’s it. For that, the school deemed his initial tweet and responses were disruptive to the school.

It’s not clear to me if the Heights High School is acting in accordance with legal precedent (their decision is certainly unjust, but that’s another matter). The Supreme Court has affirmed and re-affirmed restrictions on the free speech rights of students. Bethel School District v. Fraser, Hazelwood v. Kuhlmeier, and Morse v. Frederick have all served to limit what students can say.

In Tinker v. Des Moines, the Court protected non-disruptive political speech, with the disruption being the critical factor. In Bethel, Hazelwood, and Morse the speech in question was part of a school-sanctioned activity even if the activity was not on school grounds (as in Morse). It would be a great stretch to consider Mr. Teague’s Twitter account to be a school-sanctioned activity, as it appears to be his personal account. To my knowledge, no Supreme Court ruling has ever addressed a school’s ability to restrict speech that occurs outside of school events.

Arguably, the concept of in loco parentis could be used to support the ability of schools to respond to behavior that happens outside the school. I don’t agree with this, but it would be interesting to see how this argument played out in the courts. In the meantime, I expect that this may end up being discussed in court rooms for years to come. If no suit is filed, it should at least be used as an exercise in high school government classes across the country.

Facebook’s post policing

Casey Johnston had an article on Ars Technica today about Facebook’s announcement that they would step up monitoring and removal of what they deem to be hate speech. Because this appears to be driven by complaints from women’s advocacy groups, the commentary has been largely political. I’d like to set aside the specifics of this and focus on the general case. It’s an interesting move on Facebook’s part because it sets a precedent.

Long, long ago, when telephones were still a thing, there was a legal idea of a “common carrier” (it still exists, of course, I’m just employing some blogtistic license). Common carriers offered services to the general public and were generally prohibited from doing anything about the content. For example, AT&T could not cut off your phone service if you did nothing but swear and say profane things when you were on the phone.

Although phone providers are still considered common carriers, internet service providers (ISPs) generally are not. ISPs, while protected from liability under various laws (e.g. Comcast can’t be shut down because a customer used a Comcast connection to transmit child pornography), can [in my understanding] theoretically terminate service if they don’t like what you’re “saying” on your connection.

Moving up the stack, websites such as Facebook or Funnel Fiasco are neither ISPs nor are they telecommunications common carriers. The general consensus, though untested in court as far as I know, is that sites are privately owned and can allow or disallow whatever content they like. This seems to be a pretty reasonable position, but there’s a difference between Facebook and Funnel Fiasco.

Apart from having a smarter and better-looking founder, Funnel Fiasco doesn’t allow just anyone to have a presence on the site. Facebook, especially for businesses/organizations, is more than just a blog or a message board, it’s a key part of digital presence. While that doesn’t make it an ISP, it does move it away from being just a website. Perhaps some additional category (e.g. “hosting provider”) needs to enter the understanding in this context.

What makes Facebook’s policy interesting to me from my perch as an armchair lawyer is the selective enforcement. While they are well within their legal rights, does it set a dangerous precedent for them? By choosing to police some content, are they liable (legally or otherwise) for not policing other content? Can they be held liable for policing content when other substantially similar content was not policed? Can the publicness of Facebook make it a common carrier?

Eventually this will become better defined, whether it be by legislation, regulation, or litigation.

Protecting rights in the American legal system

[Ed. note: I normally avoid politics on this blog (and frankly, just about anywhere else. It’s no longer enjoyable for me to engage in political debate), so I hope this post doesn’t violate that too much. I’ve tried to avoid making too many references to contemporary events or persons, because that’s not what this is about. I’m talking about the philosophy of the American legal system, which is not always related to the implementation.]

A friend of mine recently shared an article on The Agitator about the death of Rodney King and people’s reactions to his life and death. One line toward the end of the article particularly resonated with me:

Part of protecting rights is committing to protect them without caring too much whether the rights are held by people who are awful or wonderful.

This sounds like something Atticus Finch might have said to his children to explain why he was defending a convicted felon. To me, it seems to be the heart of the American legal system. Our notion of presumed innocence, and the fourth through eighth amendments to the Constitution are all intended to be applied to everyone, whether we’d invite them into our homes or not. The mob mentality sometimes forgets these ideals, and for that we have the cold, impersonal justice system.

It can be difficult when a high-profile case doesn’t go the way you expect, or even an episode of “Law and Order”, which generally has several procedural rulings in addition to the verdict. Even in the cases where the system fails to convict a guilty person, I’m glad our system is set up the way it is. The older I get, the more appreciation I have for the philosophical foundings of American government and law. I look forward to explaining them to my daughter when she’s old enough.

Privacy in the 21st century (or at least this week)

Digital privacy has been in the news this week. The first story involves a judge ordering a woman to decrypt her laptop. There has been a lot of uninformed commentary surrounding this story, and I thought I’d add my own to the pile. My initial reaction was that it was a pretty blatant violation of the Fifth Amendment, but after further reflection, I’m not so sure. I still struggle to find the right parallel to the physical world.

I don’t believe that decrypting the data is self-incrimination, in and of itself. A person can’t avoid a search warrant by simply locking the door. On the other hand, the police already have the data (in some form) in their possession. There’s no requirement that the data be in a form that the state finds convenient.

Overall, I’m not that concerned with this decision. A valid warrant should be sufficient to require a person to turn over documents in an unencrypted form. Failure to comply is rightly contempt of court. The only problem is when a person legitimately forgets the key, because it is nearly impossible to determine if they have legitimately forgotten. Still, I’m not at all convinced that this ruling is a death knell for the Fifth Amendment.

The other story in the news came from Google, who announced that they are changing their privacy policy for accounts (this does not include search, Wallet, and Chrome). This story has caused no end of hand-wringing, but it seems to me like a severe overreaction. From what I can tell, interactions with third party sites haven’t changed. The changes mostly make it easier for Google services to share data internally.

To me, that’s part of the appeal of using the variety of services Google offers. What’s the point of a single account if the services aren’t tightly integrated? The lack of an opt-out isn’t a compelling argument to me. Anyone who doesn’t like the privacy policy doesn’t have to use the service (though I’ll admit that if you just bought an Android phone, the cost for leaving (assuming an early termination fee with the carrier) can be prohibitive). There’s an adage that states if you’re not paying, you’re the product. I’m fine with my data being more available across my Google services and hope the promised cool things come to pass. If it ever becomes unacceptable to use Google services, I’ll take my ball and go home.