Julia Horwitz Archives


April 17, 2014

White Hat, Black Hat, Bleeding Heart

Let's start with the Heartbleed bug.

Since the announcement of Heartbleed last week, everyone has been paying attention to security vulnerabilities - a typically niche technical subject. Most internet users are, rightfully, concerned. What can they do to protect themselves in the short term? What can Internet providers and government agencies do to help protect them in the long run? In a series of posts, I will identify and discuss the technology and policy issues involved in this important question: how can we keep the Internet secure and protect user privacy?

Last week, we found out that there is a vulnerability in the encryption code that enables about 70% of the Internet's secure connections. This story gained some traction in popular news reporting, but there wasn't much to tell without delving into a decade-long series of legal and technical conversations between lawyers, policymakers, technologists, cryptographers, engineers, and politicians. In a brief interview for Reuters, I was asked to advise consumers on how best to protect themselves from loopholes in crypto. But that's an impossible question to answer right now. Not only because there is almost nothing that individuals can do to guard against OpenSSL vulnerabilities (although that is true), but also because I could not propose a solution to a problem that no one has diagnosed.

The Heartbleed bug is a flaw in OpenSSL encryption that allows hackers to steal data silently and without a trace. This is obviously a problem unto itself, and it was diagnosed brilliantly by Antti Karjalainen, Riku Hietamäki, and Matti Kamunen of Codenomicon, as well as Neel Mehta of Google. But it is also a symptom of a much larger problem: a failure of both private sector companies and government agencies to protect some of our most important critical infrastructure - core Internet security protocols. This is a complex issue that relates to recent debates over cyber warfare and the role of the U.S. defense agencies in information assurance, national security, the market for security vulnerabilities, and encryption standards.

Recent debates about "cybersecurity" circle endlessly around these themes. Who is responsible for protecting Internet security? Can it be the NSA, an agency that notoriously devotes copious resources to cracking code and breaking crypto? Can the U.S. regulate so-called "bug bounties," in which the government pays independent coders to locate zero-day vulnerabilities? Is the private sector obligated to inform the government if "zero-day" security vulnerabilities are found? And, if so, which agency is responsible for informing the public - the NSA, tasked with "information assurance," or DHS, tasked with protecting "critical infrastructure?" The brightest minds have so far been talking around and past each other in an effort to unify all these conversations into the legal and technical panacea that would prevent future Heartbleeds. The questions are too weighty to tackle all at once, but too interconnected to answer individually.

My goal in this series of blog posts is to pull apart the threads of these interconnected conversations. I would like to examine each issue in turn, in the hopes that by looking at each element of the precipitate, we may find the key to the solution. In my next post, I plan to discuss "critical infrastructure:" what we mean when we say it, who is tasked with protecting it, whether (and if so, how) it includes the Internet, and whether in the context of critical infrastructure, "the Internet" includes the protection of cryptographic protocols.

Stay tuned.

March 10, 2014

Sometimes In Class Action Settlements Plaintiffs Gain Nothing, But Risk Everything

When I refer to the Constitution's "Double Jeopardy Clause," people know what I mean. You can't be tried twice for the same crime. Many have seen the Ashley Judd movie, where her character is wrongly convicted of a murder and therefore free to kill with impunity when she is released from prison. But there is a counterpoint to the Double Jeopardy Clause, and it kind of works the other way. You can't relitigate an issue you've already brought to court. That concept is called res judicata, and it creates an interesting problem when applied to consumer class action lawsuits, like the recent Facebook privacy suit.

Res judicata is a much-discussed topic of conversation among class action lawyers. The idea behind class action litigation is that, when there are too many people who have been injured in the same way, it is more efficient for the defendants, plaintiffs, and courts to resolve the case all at once. So a couple of plaintiffs put a case together and ask the court to allow them to represent all similar plaintiffs. Class certification - the process by which the court makes sure that the class action lawsuit fairly represents the rights of all the people it claims to represent - tests whether class action is the appropriate form for the lawsuit. Next, everyone who qualifies as a member of the class must be informed that the lawsuit is taking place. If a person qualifies as a class member, he or she is automatically added. Qualifying people who do not want to be in a class have to opt out.

And here is the gamble for a potential class member: the outcome of the case binds the class members permanently. If you are a member of a class and the case is litigated, you win or lose right along with everyone else in the class. That means that, if you don't like the outcome of the case, and you think your own lawyer could have done a better job, you can't go back to court unless you can show that the lawyer representing your class truly did not represent your interests. You have already had your day. It also means, of course, that if you can't afford a lawyer, you didn't understand that you could be compensated for an injury that you suffered, or you don't know how to get litigation started, the class action lawsuit takes care of it for you. You don't have to do anything - just elect not to opt out of the class. This principle - that you are precluded from litigating the same case twice - is res judicata.

But it's unclear whether that principle applies to settlement agreements at the end of class action lawsuits as well. That is to say: what if you are a member of a class that wins a case, but your lawyer works out a settlement agreement with the losing defendant that doesn't allow you to recover anything? Can a settlement agreement be so unfair that it reaches back in time and makes the original class certification and opt-out notice invalid?

In a 2003 case called Dow Chemical v. Stephenson, the Supreme Court decided that a settlement agreement could be so unfair that it retroactively excused otherwise qualifying class members from opting out. Stephenson and Isaacson, the two plaintiffs, had been injured by exposure to Agent Orange during the Vietnam War. When they sued the chemical manufacturer, the lower court threw out their case on the grounds that a previous class action settlement barred their claims. However, the settlement agreement only provided money to pay class members for 10 years following the lawsuit. By the time Stephenson and Isaacson discovered that they had been injured, the settlement fund had already expired. The chemical manufacturer had been punished in the form of having to establish a ten-year settlement fund. But Stephenson and Isaacson had not been compensated. This, the Supreme Court decided, meant that the two veterans had not been adequately represented in the class action. Their inability to recover settlement funds reached back in time and "opted them out" of class membership.

I wondered about the role of res judicata in the context of Fraley v. Facebook, a class action lawsuit in which EPIC recently submitted an amicus brief. In Fraley, the defendant Facebook had used the images of Facebook users (including minor children) to advertise products. A group of parents filed a class action lawsuit against Facebook to vindicate the rights of children who had been subject to this advertising scheme. As a result of the lawsuit, Facebook and the parents agreed to a settlement, wherein Facebook would pay money to organizations that advocate for children's privacy. But the settlement agreement did not prevent Facebook from continuing to use children's images in advertisements, and the organizations selected to receive funds were not the groups that have objected to Facebook's use of images in advertising since the scheme began. The settlement agreement was so bad that one of the groups who had been selected to receive funds chose to turn the money down. The settlement agreement, said the group, left the class members worse off than they would have been without any settlement at all.

If the settlement agreement was that bad (and, personally, I think it was), is it possible that none of the plaintiffs' rights were vindicated as a result of the lawsuit? Is there an argument to be made that the settlement agreement both allowed Facebook to continue its injurious behavior and also prevented the plaintiffs from ever challenging that behavior again? Are the organizations whose interests actually do align with those of the class members (for example, the group who refused the funds) barred from litigating the same issue? Or did the deficient settlement agreement reach back in time and opt everyone out of a class that would not reap the benefits of a settlement agreement?

Maybe a class member will speak up, and then we'll find out.

January 28, 2014

Barthes on FOIA

I recently revisited "The Death of the Author," an essay about narrative voice by the poststructuralist critic Roland Barthes. In it, Barthes rejects the phenomenon often labeled "authorial intent," essentially concluding that a text speaks for itself, and that its author, without prior history or consciousness, only comes into being upon transcribing the text. Much of this theory - like much of semiotics - is a thought experiment, designed to distance the reader from the text and create a tension between the authenticity of a narrative and the limits of textual interpretation. But part of the theory, it occurred to me, might be instructional in the legal context. Perhaps "The Death of the Author" describes a process that is analogous to - or even an instantiation of - a legal canon of construction.

The EPIC Open Government Project has been wrestling with a particular issue of statutory interpretation for the last few months. The Freedom of Information Act describes the timeline by which the requester must receive the requested records. The first, located at 5 U.S.C. §552(a)(6)(A)(i), provides that an agency, upon receipt of a FOIA request, shall "determine within 20 days (excepting Saturdays, Sundays, and legal public holidays) after the receipt of any such request whether to comply with such request and shall immediately notify the person making such request of such determination and the reasons therefor." The second, located at 5 U.S.C. §552(a)(6)(E), provides that an agency shall provide "for expedited processing of requests for records (I) in cases in which the person requesting the records demonstrates a compelling need; and (II) in other cases determined by the agency."

These provisions, to our mind, were to be read along the same timeline. Upon receiving a request, an agency has 20 days in which to make a determination and respond to the requester. An agency must also provide for requests that are particularly deserving of immediate attention and create a system for expediting those requests. Where an ordinary request would result in a determination after 20 days, an expedited request would result in a determination more quickly than that. Twenty days is the outer boundary of the timeline, and some requests are treated with more urgency within that timeline.

To our bafflement, we started to encounter agencies in the course of litigation that denied that these provisions related to each other. According to their reading, § 552(a)(6)(A)(i) circumscribed an absolute timeline: 20 days in which to issue a determination. Section 552(a)(6)(E), however, described a relative timeline: an expedited request was moved to the front of the queue of FOIA requests. Once an agency had granted expedited treatment, the logic went, the request was governed by § 552(a)(6)(E), and not by § 552(a)(6)(A)(i). As long as the agency had truly moved the request to the head of the line, the agency was satisfying its legal obligation under the FOIA.

We are still struggling to understand this interpretation of the statute. How could a grant of expedited processing permit an agency to exceed the 20-day timeline prescribed for non-expedited requests? Under that theory, an agency could evade an absolute timeline altogether by granting every request for expedited processing. Surely that would eviscerate the significance of having a provision for "expedited" treatment. Congress could not have meant for the most urgent requests to become unmoored from any timeframe.

But what does "Congress" mean? If we wanted to determine Congress' intent in drafting these two provisions, whom could we ask? Does one member of Congress have the authority to speak to "Congress'" intent in drafting the FOIA? Two members? A quorum of those who contributed to the original Freedom of Information Act debates on the floor and those who participated in any of the FOIA's many amendments?

Or does, in reading a law like the FOIA, "Congress" become a separate, discrete entity? Perhaps "Congress" is something like Barthes' conception of "the Author": a narrative force generated solely by - and wholly contingent on - the text it produces. Perhaps there is no "Congress" with respect to the FOIA outside of the text of the FOIA. But if this is the case, how is either party to determine what "Congress" intended?

It occurred to me that the voice of Congressional intent might be the Court. It is, after all, "emphatically the province of the court to say what the law is." The D.C. Circuit Court of Appeals recently ruled on the significance of the word "determination" in the context of the FOIA. The requester understood "determination" to mean that the agency was required, in 20 days, to complete processing of the entire request. The agency understood "determination" to mean an acknowledgement, or a communication to the requester that the processing was underway. The Court ruled that a "determination" meant something in between: a preliminary assessment of the number of documents located, any exemptions that the agency planned to assert, and an approximate timeline for document production. This ruling ends the obscurity of that word in the text. The Court has provided a definitive exegesis, and the problem of the FOIA-Congress' intent is now a moot point.

But this illustration signals the collapse of the "Death of the Author" metaphor with respect to the American legal system. For Barthes, an author cannot be generated from a text alone; there must also be a reader who, in engaging with the text, creates the "Author." He writes, "The reader is the space on which all the quotations that make up a writing are inscribed without any of them being lost; a text's unity lies not in its origin but in its destination." Whether or not this proposition is true of law generally (Holmes and Dworkin would likely have some choice words on the subject), it cannot be true of statutory interpretation. Were the proposition true, EPIC's understanding of Congress' intended FOIA timeline would be as valid an authentic, self-generated truth as the government's understanding would be. There would be two "Authors" - two "Congresses" - and the Court would generate a third. Instead, the Court has ruled on the text; we know now, legally, what the text says.

I'm still persuaded by the idea that "Congress" must be understood as something other than the Representatives and Senators who sponsor the bills that become the text of our laws. But in the universe of statutory interpretation, it cannot be true that the "Author" is dead. On the contrary, in a legal dispute like the FOIA dispute between EPIC and the government, the entire source of the conflict is the disconnect between reader and author. Whether law exists in the absolute or whether it only comes into being when enacted by the people it governs, the practice of law is contingent on both its origin and its destination - its author and its reader. Barthes writes, "Once the Author is removed, the claim to decipher a text becomes quite futile. To give a text an Author is to impose a limit on that text, to furnish it with a final signified, to close the writing. Such a conception suits criticism very well, the latter then allotting itself the important task of discovering the Author (or its hypostases: society, history, psyche, liberty) beneath the work: when the Author has been found, the text is 'explained' - victory to the critic."

And that derisive parenthetical describes the substance of statutory interpretation, and effectively ends the analogy.

About this Archive

This page is an archive of recent entries written by Julia Horwitz.
