The Council is able to publish the law better and faster than ever before. With the District’s previous codification contractor, updates to the DC Code were published three times a year, and there could be a five-to-seven month delay in seeing the latest laws. But the Open Law Library has shortened the publication process to about a week after a law is enacted.
It also means we’re all getting to see more of the actual law that governs us—not the law as it was months ago.
This is pretty common in government agencies from what I've seen. Many contractors take forever to do even the most basic of changes because of how contracting works in order to milk as much money as possible.
But agencies that move towards open source initiatives, non-profits etc end up being a lot more responsive and overall end up a lot better off. Unfortunately there's a lot of entrenched commercial entities (ex Oracle) that want things to remain the same so it's going to be hard to rout them. Initiatives like this give me a bit of hope though.
I saw that as the core message justifying the headline. He as a civic hacker has interest in modern methods arriving in administrative circles and bringing a spotlight to it - inspiring others to do as well.
I was surprised I knew the author - he maintains mail-in-a-box, a popular mail selfhosting package.
> My edit wasn’t substantive. This sort of “technical correction,” as lawyers would call it, didn’t need to be passed by the Council and signed by the Mayor.
Okay, so they didn't "change the law." It's a cool story but not a fan of clickbait titles either.
As with most things in the law, it is complicated. The District legislative process shares many similarities to the federal government's. They pass laws, which are the official representation of the will of the Council. These laws are kinda like hand-crafted change sets. Change sets that can change other change sets.
These change sets are almost impossible to use as they are, so the Council creates an official compilation of all the change sets as applied and organized by subject. This is the Code of the District of Columbia. Usually, when people think about "the law" they are thinking about the code, because that is how people interact with it.
The laws as passed by the Council cannot (and should not) be changed via pull request. Here, the useful representation of those laws, the representation used by everybody who actually interacts with the law, has been updated via PR to more perfectly reflect the underlying laws.
It would probably go over better if the phrase about changing the law were in quotations marks to indicate it is kind of being tongue in cheek. It's not entirely inaccurate, more like a smidgen of double entendre.
I mean, I'm sympathetic to your complaint. It implies something more substantive than it really means. But I also appreciate word play. (shrug)
Hi all, I'm a co-founder of Open Law Library, the non-profit that built the platform DC uses to codify and publish their laws. We were so excited when we saw a member of the public make a PR. I'm happy to answer any questions.
This is really awesome and I hope to see something like this come to my country.
One thing I was wondering is how you would deal with more tricky issues/pull requests. Obviously we probably won't see people writing whole new laws in the pull requests editor but what if it was something like a sentience was written in an unclear way and someone opened an issue asking for it to be clarified or maybe they made a PR rewriting it to make more sense while still keeping the intent the same?
We are in talks with several international governments. We would be delighted to help your country!
The system does not in any way change the legislative process, so you cannot use a pull request to make any substantive change to the law. That would include rewording, changing punctuation, fixing numbering, etc. If such a pull request were made, it would be immediately closed. As throughout history, the only way to make a substantive change to the law is to petition your representative to sponsor a bill and then convince the legislature to pass it.
So, essentially, the pull request process is useless. In fact, even changing a typo could be seen as a substantive change since it may not always be 100% clear what the correct change is. For example, in the Colored Object Restrictions Act 2018, Section 12.3.7 it might say "It is not permitted to have purple colored caqs within the city limits." could be talking about 'cats', 'cars' or maybe 'caps', and although it's obvious a typo has slipped through, these possible fixes all have very different meanings. And in the cases where the typo is obvious, and there is only one possible interpretation of the text, it doesn't actually matter and the change wouldn't have any impact...
Ah fair enough. I guess this limits the PR system to just fixing typos. Still it seems almost all of the value is in providing really easy and up to date info to everyone. Awesome work.
Kind of out there, but what prevents modification of the law from bad actors? Git history plays a part but is it possible for someone to edit a change and play all the subsequent changes on top of it, with the hope that nobody notices the sha change?
We have internal systems that allow us to audit/authenticate the repository. We will be deploying a cryptographic authentication framework based on TUF in Q1 2019 that will make it possible for _anybody_ to audit/authenticate the repository.
This is such a great way of making access to the law more open and welcoming, which is a great thing to me!
I haven't been able to check yet, but does anyone know if you are allowed to use this process to propose new laws or clarifications of laws more substantial than simple typo fixes?
Sure, you aren't going to have non-lawyers crafting legislation, but could this be used to bring up clarifications that could impact rulings or increase/decrease scope of current laws or something similar? (I'm not a lawyer, so I don't know what are big and what are small changes here)
Imagine if proposed laws could be commented on, have changes offered, debated, and ultimately decided on in an open fashion like this! With a public "audit trail" of sorts showing the history of changes the law went through.
I know this is optimistic, but I wholeheartedly believe that more openness and more people involved will ultimately lead to better laws.
I haven't been able to check yet, but does anyone know if you are allowed to use this process to propose new laws or clarifications of laws more substantial than simple typo fixes?
"You" as in you, a citizen off the street proposing a new law? Unlikely. You could use it to form the basis for a ballot initiative, I would think?
On one side it makes sense to have a public repository like git used for this, but having a private company being responsible for this it's bit strange.
The fact that a pull request was accepted was now that strange because it could have been done by the council representative.
For this kind of use case it would make more sense to me some sort of block chain, not controlled by a single company.
"This isn’t a copy of the DC law. It is an authoritative source. It is where the DC Council stores the digital versions of enacted laws, and this source feeds directly into the Council’s DC Code website at https://code.dccouncil.us/dc/council/code/."
I'm willing to bet GH is being mirrored internally as you suggest otherwise you'd be exposing the only current digital copy to hackers. That just seems a reasonable expectation to me.
So the activity is likely happening on the larger and more exposed GH service, while internally there is a daily copy bring backed up that isn't (as) exposed to hackers.
Something life that would be a great way to displace risk.
But thats not how git works. Everyone who uses the repo has a copy of it. Even if you hack GH the worst possible outcome is a hard reset of the repo, which would break pulls anyway. Unless a literal city council thinks its a good idea to not have local copies of their own law source code they are modifying regularly or something.
Seriously, I'd imagine they treat it as “someone else's problem” — like backups.
If GitHub gets hacked, I imagine their plan is “be affronted, and sue”. When GitHub's lawyers point out that the terms of service don't guarantee anything, the plan says “be even more publicly affronted that GitHub refuses to take responsibility, while taking no responsibility”.
There are cases in history where records offices were held in rebellion for political purposes. A blockchain would change means of control of records from violence to compute power.
For these purposes, the blockchain is just a fancy way to maintain accessible backups. It doesn't give anyone but the government "control". The law is always what the government in power says it is, pretty much by definition.
To be fair, I don't think anyone believes that this is the one and only source of the law in all forms. As in if GitHub suddenly started changing it on their own, we wouldn't all throw up our arms and resign to our new GitHub overlords.
It would be treated no differently than someone else trying to tamper with the written law in any form.
Paper -> Git. I don't think anyone has any problem with using Git as a medium.
The only bookstore chain where you can find the trusted, canonical copy of the book -> GitHub.
The government should host the canonical copy itself. Then, and only then, it can be replicated to any other commercial service willing to host a mirror. Be it GitHub, BitBucket, GitLab, sr.ht or anything else. Git architecture is so well suited for it that it's particularly striking to not see it done there.
Even if the canonical copy were hosted on the Council's website, you would still be trusting the hosting provider, the DNS system, and the certificate authority - all private entities.
What is needed is cryptographic authentication so that the git servers can be completely untrusted. This is also necessary to comply with the Uniform Electronic Legal Material Act (adopted by DC here: https://code.dccouncil.us/dc/council/code/titles/2/chapters/...). We will be rolling out such a system based on TUF in Q1 2019.
Although it's important matter, it's not only about the trust. I wonder what, for instance, GitLab could have done in order to get this kind of advertisement coming right from the Council.
Regardless, I would expect hosting, authoritative DNS and certificate to all be handled by the government itself. It's not a startup that's getting free vouchers for AWS to burn, public infrastructure should be either handled internally, or via some public auction on government's terms.
I do not know why it matters. Why bother adding expenseses to a government department when they can simply pay someone to do the work. Github is a private company. It is subject to the government, not the other way around...
It is really common for the government to outsource this kind of thing, and most times it results in users paying fees to the private company for access. With GitHub, no fees are necessary. So win win.
This is great, I would also love to see laws have applicable test cases created. For a practical example, in NJ they recently changed gun laws, and they forgot to include an exemption for police officers, so they ended up being restricted by the new laws the same way civilians are. (I really bit my tongue on this, not going to get political, here).
The law should have had a test case created, which would have the equivalent of ensuring that police officers are not in violation of the law, when they are serving active duty, or going home. NJ’s assembly had to rush in some middle of the night legislation to fix this “bug” in the law, that nobody caught.
I would love to see this applied to all laws. As the article states, software and law have a lot in common. Testing should be one of them.
A few years ago, while the French parliament was discussing the modifications in law to allow gay marriage, many people were scrutinizing amendments and proposed amendment, and a developer presented all the MPs work in a git repository. It really felt like the future of democracy:
It's great that DC is making their latest laws available to everyone, however it's a little scary that the commits aren't signed, meaning that anyone who gained access to the github repo could forge them (and do more than fixing typos).
Hopefully DC (and others) will look at doing GPG signatures[0,1] so that they don't have to trust github's authentication as much. Github has a nice GUI that reflects signatures with the "Verified" tag, which you can see at[2].
There are a number of technical limitations to gpg signatures. Your hypothetical attacker who has access to github can simply add his/her key and show up as a verified committer. gpg signatures have many other issues including metadata corruption, not to mention the nearly insurmountable issues around key management. As mentioned below, we have internal systems that allow us to audit/authenticate the repository. We will be rolling out a UELMA-compliant authentication scheme based on TUF in the next several months that will allow the public to authenticate the repository.
> meaning that anyone who gained access to the github repo could forge them (and do more than fixing typos).
… which would immediately be noticed by everyone using the repo. How many scenarios are there where a compromise wouldn’t include GPG keys or the attacker simply uploading their own key?
I hope you would be correct, that lots of people would notice a compromise, though I'm not convinced that this would be the case since the attacker could pretend to be the single committer.
> How many scenarios are there where a compromise wouldn’t include GPG keys or the attacker simply uploading their own key?
If the user's github credentials were compromised (lots of ways for that to happen which don't involve their system/keys being compromised, like using the same password across sites), then using GPG signatures would still allow cloners to check/detect problems since they wouldn't have the maliciously-updated github GPG key (or they might be one of the few folks still using the Web of Trust).
Furthermore, it's possible to have a local system compromise that doesn't give access to GPG keys, as keys could either be password protected or kept on a separate system that's primarily used for signatures (not extreme for a system that distributes law).
Also, signatures not only protect the latest commit, they also sign the previous commit hash(es), protecting previous commits and preventing a history rewrite. Without them, a history rewrite that left recent commits unchanged but modified some text could have the chance to go unnoticed.
> If the user's github credentials were compromised (lots of ways for that to happen which don't involve their system/keys being compromised, like using the same password across sites), then using GPG signatures would still allow cloners to check/detect problems since they wouldn't have the maliciously-updated github GPG key (or they might be one of the few folks still using the Web of Trust).
This assumes that the attacker wouldn't simply upload their own key to public keyservers with the same email address. I would be shocked if more people would notice the use of an additional key than would notice, say, Git's warning when history changes between different repos.
The big win is having multiple copies with independent access control. I'm not opposed to using GPG but in practice the benefits are fairly minimal and there's a massive usability hit for anything involving GPG. In the case of a legal code that's probably justified but it's probably well into diminishing returns.
Considering GPG is the primary protection for the Linux distros that run most of the services we're discussing* , at some point our trust falls down to it anyhow :)
* : Last I checked, the two most popular Linux distros I'm familiar with (CentOS and Ubuntu) only make their iso hashes available via http-only served files that are GPG signed
Those distributions use GPG but they also use pre-deployed signing keys rather than, say, trusting any @debian.org key on a public keyserver. When you're centralizing trust like that anyway, the differences between that and a canonical Git repo don't seem to be especially significant from a practical standpoint.
This is neat as long as DC sticks to a policy of open source laws and free access. Github has always done this, but I fear that 50 years from now we could be in a situation like access to case law where you have to pay a third party to read.
Yeah it makes me slightly uncomfortable to put the law in the hands of a private company. Github is allowed to block me for whatever reason they want, does that now mean I get locked out of this?
Would much rather see this on a self hosted GitLab but this is a good start for sure.
I have been thinking of running for local office (one seat in particular is always uncontested), and my platform would basically be: I'll set up a method for constituents to voice their opinion in a transparent way. I'm thinking something like change.org, but with some way to verify residency.
I think citizens don't get as involved as they want to because the barrier to entry is too high and the results are too opaque (don't know how many called, emailed, etc). I would love to start a movement for more open government, but I'm just not sure the demand is there.
I wonder how well code-style line-oriented diffs work for laws. If you word wrap then your single-line changes can cascade and effect many lines. If you don’t word wrap seems like you need a better way to see diffs within long lines. Seems totally solvable, but that what github does for code might not be right.
But this is so awesome, pull requesting a typo. Go DC really forward thinking.
Wikipedia seems to handle this just fine, as does most markdowns. Manual word wrapping seems like more of an issue for code than plaintext. I don't manually wrap readme's anymore, that's what window-width-aware editors are for.
My side gig, like most sites these days, publishes a privacy policy and terms of service. From the start, I published those documents in a public Git repository - it provides a clear source of what version was in force at the time of any given argument. When you might later be discussing the content of those documents in court, that can be essential.
Of course, it could also work against you, but either way, it's one less thing that's open for discussion.
While this is a great development, hosting AUTHORITATIVE text of the law at a private service (GitHub, owned by Microsoft) doesn't sound like a good idea.
Consider what would happen if Microsoft decided to delete the repo. There will still be copies of the law at different places, but there would no authoritative version. Imagine a lawsuit where each party is arguing that their copy of the law is the "correct" one.
That's because Git already provides the same solutions for problems which exist in reality (immutability, trustless, distributed). All that's left out is the opportunity for some grifter to [if we're lucky] match it at substantially greater cost.
Surely there was an open procurement process, where they considered the available options for web-based version control, and came to the conclusion that GitHub was justifiably better than its competitors.
They wouldn't just have picked someone's favourite service without thinking, because fair competition is a fundamental ingredient of a well-functioning capitalist market economy.
Here is an example of a platform like what you describe if not exactly, for the Delaware legislature.
I am linking to a particular law I followed from inception to passage, an amendment to the Delaware limited liability company Act allowing company records to be kept on Blockchain.
My main problem is that many laws are written as:
“Hereby strikes section b of USC1788(1)(iii) and replaced the word or with and”
And with this kind of system it would be standardized already on how to see what the modifications look like, or at least jump to that old version of the law easily
When the final laws are all merged together after a passed bill makes simple instructions instead of the plain text law, it would be easy to see the version history of that section of the law, or act
Yep. Like in the Delaware URL posted by GP, in the first few lines we see, "This section amends Section 18-101..." which is not linked. I don't know if this platform allows one to link to a specific version of a law, but it would seem like a logical next step to help it happen one way or another. A lot of it is probably automatable.
Thanks! All the other comments have been “hey the system you described has been around for many years, with all the problems you described but I didnt notice those just going to make a rebuttal to your idea for rebuttal’s sake”
I wonder how much this could be genericized to all (or most, or even some) states, let alone the US Code, regulations, etc. Actually, state formats and whatnot could be plugins or compilation switches.
I've actually thought about this for some years, but idly, and I haven't found the time yet to get started. It just seems like an excellent and obvious-to-me use for HTML.
The California legislature has this feature - the default landing page gives you that legal diff format, but if you hit the "Today's Law as Amended" tab you get a handy word-oriented diff: https://leginfo.legislature.ca.gov/faces/billCompareClient.x...
So the bill I linked to includes a link to a PDF of the original bill which passed, if on the other hand there were changes you would see a pdf for each version of the bill.
Florida has a search function for their statutes that allows you to then select the year/version of the law. If the Law was amended in a given year in the annotations there are “redline versions” of the law pre amendment, with changes and final.
So again similar to what you describe but as you say...limitations to existing systems. Obviously standardization is also another problem, it would be hard enough to work with federal code and 50 states but the reality is each county and city/municipality can have their own bodies of laws, rules, regulations and ordinances...so thousands of bodies of law, in the US alone.
I'm very much in favor of leveraging the advantages of version control software for legal text. Git seems perfect for this, but GitHub is a terrible choice to host it. Surely we don't want a large corporation owning the platform on which our laws are enshrined. It seems like it would be much better for this to be self-hosted.
Github does not own git, it only owns the UI that they've built on top of it. You can simply clone the repo and take it somewhere else and you can find an open source UI replacement to put on top too (e.g. Gitlab).
Github is free to use for open source projects, self-hosting by the government would only make it more expensive for the tax payer.
> Github ... owns the UI that they've built on top of it
That's the problem though. In principal, if they only use pure-git operations in the process, it would be easy to move at any point. But if they leverage the entire Github platform, i.e. PR discussion, issue tracking etc, then important parts of the legal history will be bound to the github platform.
And that's not great. Github is free for public projects for now, but as with any publicly traded tech company, they're able to change the terms of use of their product at any time to suit the needs of the company.
When we're talking about enshrining the laws of society, we're talking about a very long-term proposition. Technology companies pivot and or kill products all the time. What if we decided to record legislative history on Google Flow?
We take long-term access to the law very seriously. For the reasons you give, we rely only on native git operations. PRs are a convenient interface, nothing more.
There are technical solutions that could be used here. You can JSON dump the PR contents and Issue contents, for example, into another repository (or a branch in the same repository). It wouldn't be hard to automate that process with the GitHub API.
That doesn't solve the interop problem that would exist in trying to implement secondary UI systems that can redisplay that information usefully, but ETL of that sort is full of options and developers with experience.
JSON dumps of GitHub information would be useful to more open source projects beyond legislative history. I think a good automated solution could be generally useful, if someone wanted to invest in it.
Git is decentralized so it doesn't really matter where it's hosted. Github works since it's free, but everyone who checks out the source will have the full git history and so also becomes another repository. Easy to move a git repo to somewhere else.
While this can be argued to be true of git in a technical sense, virtually all git projects in practice have a central source of truth repository. GitHub’s entire business model is largely predicated on the fact projects will use it as their primary repository.
If we are talking about accepting PRs for drafting legislation in git, where it is hosted and who hosts it becomes extremely important. Sure anyone can clone/fork, but only the appointed central repo could become law. A clone that you or I make will likely never have this ability.
Yes, need to agree on a central place to push/pull and create PRs from. But my point is that right now people are using GitHub but if any point they want to change, or GitHub go down (or change licensing etc), they aren't beholden to them. Just push the git repository to somewhere else and agree to that. Other developers would confirm the git repo is the same.
They have what you describe, and moreover such a thing has existed in paper form since th this country was formed.
Real time access to laws as they are drafted is a Really Bad Idea. Good ideas need time to incubate. The system you want would lead to the sound byte version of legislating.
I actually really like the idea of a set of code branches like the Linux kernel has. Different groups would have their own branches and when they reach something worthy of actually considering 'outside of comity' (their still published but clearly development branch) submit a patch to a staging (discussion) branch which will then hammer things out and get feedback / analysis that leads to a version that is actually voted on.
C-SPAN already exists for “sound byte legislating.”
Plus, fine-grained version control doesn’t imply real time updates. It’s fully possible to only release the version history to the public after the law is approved.
Then the first draft can go out when it would have been normally published. Then, the main value add would be commenting and suggesting changes as well as a centralized place to see comments and suggestions as well as their reactions.
> Real time access to laws as they are drafted is a Really Bad Idea. Good ideas need time to incubate.
Good point, but if they used a distributed version control system, lawmakers could have any number of private repositories on which to craft laws before they're merged to the public master repo.
(I wouldn't expect lawmakers themselves to use git, of course; their staff would do this for them.)
I agree but politicians shouldn't be the contributors. Representatives don't actually write the laws. I'd like to see the name of the staffer or lobbyist who wrote the text. Also, it should be a federal crime to falsify the name of the author or make changes for someone else.
I’m personally not OK with a system that enables a single individual (the "lawyer" in the article) to declare modification to a law as insubstantial, then modify the law.
Some review process needs to be there, and frankly, even a typo correction IMO needs to be run by the Mayor because she/he signed one thing into law and this process changes what they signed. We cannot ever assume we know the intent of the Chief Executive, even when “obviously” in error.
OTOH, a diff system for law is awesome. California uses a similar system but it is cumbersome to do things like “show me how this section evolved over time”.
The author clearly indicates the website did not accurately reflect the act as enacted at the very beginning of the article: "Comparing the DC Code to the act that made the change, I noticed that something was amiss..."
If you want to abuse the law doing so in a public ledger that anyone accessing has a copy of (such that just reverting commits on github doesn't remove from them everyones histories) seems like a really unwise way of going about it.
Whats important is having eyes on what changes are made, and if you want to track changes and revisions to something... github (and gitlab, phabricator, etc) is pretty close to the optimization of that problem humanity has developed up to this point.
Yes, in this case, no harm done. But the process of checks and balances that are the backbone of our system of government were circumvented. Those checks and balances exist to create a hope of detecting abuse when it happens.
The Council is able to publish the law better and faster than ever before. With the District’s previous codification contractor, updates to the DC Code were published three times a year, and there could be a five-to-seven month delay in seeing the latest laws. But the Open Law Library has shortened the publication process to about a week after a law is enacted.
It also means we’re all getting to see more of the actual law that governs us—not the law as it was months ago.