The Specification Problem of Legal Expert Systems

Automated legal decision-making relies on computer programs called legal expert systems, that are executed on machines not capable of legal reasoning by themselves. Rather, it is up to the programmer to ensure that the behavior of the computer program faithfully captures the letter and intent of the law. This situation is merely an instance of the more general specification problem of computer science. Indeed, the way programs are written and executed requires the programmer to express her intention in a particular form of logic or statistical model imposed by the programming language or framework. On the other hand, the intended behavior of the program or specification, here communicated through the law, is usually described using natural language or domain-specific insights. Hence, every software endeavor begins with a requirement analysis, which consistsin extracting from the specification corpus a set of requirements that the computer system must obey.In the case of automated legal decision-making and legal expert systems, the members of this set of requirements are the possible legal reasoningbits that the computer program is expected to perform. Viewing the problem through this lens immediately allows for identifying the key questions forassessing the safety and correctness of legal expert systems. First, when and how is it possible to express legal reasoning as a set of requirements for a computer system? Second, how to check that these requirements are correctly translated to computer code? Third, can we ensure that the computer code does not introduced unwanted, unlawful behavior? In this article, we take a tour of the general computer science answers to these three questions and assess their efficiency in the particular situation of legal expert systems. To do so, we introduce the distinction between result-constrained and process-constrained legal specifications. From this distinction naturally stem different software solutions, ranging from machine-learning-based to algorithm-based. Finally, we conclude by a discussion about the critical software qualification for legal expert systems, and what this qualification could entail in terms of technical and organizational change

Les sciences computationnelles peuvent-elles participer à l’innovation publique ?

National audienc

Observations sur le calcul des aides au logement

À l'aide du langage de programmation dédié Catala, nous avons implémenté le calcul de l'éligibilité et du montant des aides au logement en France à partir de l'ensemble de textes législatifs et réglementaires s'y rapportant. Cette démarche correspond à la rétro-ingénierie d'une partie du système informatique CRISTAL, utilisé par l'opérateur des aides au logement et de multiples autre prestations sociales, la CNAF (Caisse Nationale des Allocations Familiales). Ce rapport présente quelques observations dont le but est d'améliorer la qualité des textes réglementaires gérés conjointement et entre autres par la direction de l'habitat, de l'urbanisme et du paysage (DHUP), la direction de la sécurité sociale (DSS) et la direction du budget (DB)

Experience report: implementing a real-world, medium-sized program derived from a legislative specification

International audienceImplementing computer programs from legislative specifications has been a longstanding academic endeavor. However, few of these experiments has so far sought to replicate a computer program that is already in production in public administration; most of them have created new programs or formalizations that cover sections of the law not previously automatically enforced by public administration. A somewhat dated but accurate state of the artof the use of legal expert systems in government agencies was compiled by Oskamp (2002). Building on the work around the Catala domain-specific language, we have chosen to engage in an exercise of replication of the existing IT system that computes the French housing benefits (and various other benefits) within the CNAF administrative agency, CRISTAL. More general context and main non-technical findings of this replication exercise can be found in a companion paper; this presentation will focus on the challenges and lessons learned about the programming act itself, in an effort of consolidation of knowledge for this line of research

Catala: A Programming Language for the Law

Law at large underpins modern society, codifying and governing many aspects of citizens' daily lives. Oftentimes, law is subject to interpretation, debate and challenges throughout various courts and jurisdictions. But in some other areas, law leaves little room for interpretation, and essentially aims to rigorously describe a computation, a decision procedure or, simply said, an algorithm. Unfortunately, prose remains a woefully inadequate tool for the job. The lack of formalism leaves room for ambiguities; the structure of legal statutes, with many paragraphs and sub-sections spread across multiple pages, makes it hard to compute the intended outcome of the algorithm underlying a given text; and, as with any other piece of poorly-specified critical software, the use of informal language leaves corner cases unaddressed. We introduce Catala, a new programming language that we specifically designed to allow a straightforward and systematic translation of statutory law into an executable implementation. Catala aims to bring together lawyers and programmers through a shared medium, which together they can understand, edit and evolve, bridging a gap that often results in dramatically incorrect implementations of the law. We have implemented a compiler for Catala, and have proven the correctness of its core compilation steps using the F* proof assistant. We evaluate Catala on several legal texts that are algorithms in disguise, notably section 121 of the US federal income tax and the byzantine French family benefits; in doing so, we uncover a bug in the official implementation. We observe as a consequence of the formalization process that using Catala enables rich interactions between lawyers and programmers, leading to a greater understanding of the original legislative intent, while producing a correct-by-construction executable specification reusable by the greater software ecosystem

Catala, un langage pour transformer la loi en code (démonstration)

National audienceLe droit codifie et régit de nombreux aspects de la vie quotidienne. Si la plupart du temps les lois sont sujettes à interprétation, dans certains domaines la loi ne permet pas d'interprétation et vise essentiellement à décrire rigoureusement un calcul ou une procédure de décision, c'est-à-dire un algorithme. Catala est un nouveau langage conçu en collaboration avec des juristes qui permet une compilation depuis une spécification proche de la loi vers un code exécutable. Contrairement aux langages traditionnels, Catala est adapté aux raisonnements cas de base/exceptions présents dans la loi ; il intègre de la programmation littéraire du droit qui facilite les mises à jour du programme. Finalement, Catala compile vers une variété de langages cibles dont OCaml. Dans cette démonstration de prototype, nous montrerons comment exprimer une partie du calcul des allocations familiales dans Catala

Rules, Computation and Politics: Scrutinizing Unnoticed Programming Choices in French Housing Benefits

The article questions the translation of a particular legal statement, a rule of calculation of personal rights, into a computer program, able to activate the rights of the concerned citizens. It does not adopt a theoretical perspective on the logic of law and computing, but focuses on contemporary welfare states, by studying the case of the calculation of housing benefit in France. Lacking access to Cristal, the source code of the calculation, we replicated the code base and met with the writers of the housing law in the ministries to conduct a critical investigation of the source code. Through these interdisciplinary methods, we identified three types of unnoticed micro-choices made by developers when translating the law: imprecision, simplification and invisibilization. Theses methods also uncover significant social understanding of the ordinary writing of law and code in the administration: the absence of a synoptic point of view on a particular domain of the law, the non-pathological character of errors in published texts, and the prevalence of a frontier of automation in the division of bureaucratic work. These results from the explicitation of programming choices, lead us to plead for a re-specification in the field of law and informatics and a reorientation of the investigations in the field of sociology of law

Turning Catala into a Proof Platform for the Law

International audienc

Étude formelle de l'implémentation du code des impôts

National audienceThe tax code, as a legislative text, defines a mathematical function that computes the income tax of a fiscal household. In order to collect taxes, this function is implemented as an algorithm by the Direction Générale des Finances Publiques (DGFiP), using a domain specific language called M (standing for "Macro-language"). We propose a formal semantics of the M language, tested thanks to data published by the DGFiP. This formalization, coupled with the public release by the DGFiP of the codebase used to compute the income tax, allowed us to produce a fully formalized artifact encoding the fragment of the tax code describing the income tax computation. We demonstrate the usefulness of such a formalization thanks to a prototype that uses an SMT solver to infer meta-properties on the income tax computation. These meta-properties could complete and refine the existing economical analysis of the redistributive effects of the income tax, as well as various social benefits. More generally, a systematic formalization of the algorithmic fragments of the law would raise the assurance level on the coherence of the French socio-fiscal system. This work has led to the development of three software artifacts: a mechanized semantics for M, an interpreter and compiler for M based on this semantics (written in OCaml), and a Python prototype of encoding the income tax computation into the Z3 SMT solver.Le code des impôts définit dans son texte législatif une fonction mathématique per-mettant de calculer l'impôt sur le revenu d'un foyer fiscal. Afin de recouvrer l'impôt, cette fonction est implémentée sous la forme d'un algorithme par la Direction Générale des Finances Publiques (DGFiP), en utilisant un langage dédié appelé M (pour macro-langage). Nous proposons une sémantique formelle du langage M, testée grâce aux données publiées par la DGFiP. Cette formalisation, couplée à la publication par la DGFiP de la base de code M calculant l'impôt, nous donne accès à une formalisation complète de la portion du code des impôts définissant l'algorithme de calcul de l'impôt sur le revenu. Nous démontrons l'utilité d'une telle formalisation grâce à un prototype à base de solveurs SMT permet-tant d'inférer des méta-propriétés sur le calcul de l'impôt. Ces méta-propriétés peuvent ensuite compléter et affiner les analyses économiques existantes sur les effets redistributifs de l'impôt sur le revenu, mais aussi de diverses allocations. Plus généralement, une for-malisation systématique des portions algorithmiques de la loi permettrait d'augmenter le niveau d'assurance sur la cohérence du système socio-fiscal français. Trois artefacts logiciels accompagnent cet article : une formalisation mécanisée de la sémantique du langage M, un compilateur pour le langage M basé sur cette sémantique, ainsi que le prototype d'encodage du code des impôts dans le solveur SMT Z3

Hacspec: succinct, executable, verifiable specifications for high-assurance cryptography embedded in Rust

Despite significant progress in the formal verification of security-critical components like cryptographic libraries and protocols, the secure integration of these components into larger unverified applications remains an open challenge. The first problem is that any memory safety bug or side-channel leak in the unverified code can nullify the security guarantees of the verified code. A second issue is that application developers may misunderstand the specification and assumptions of the verified code and so use it incorrectly. In this paper, we propose a novel verification framework that seeks to close these gaps for applications written in Rust. At the heart of this framework is hacspec, a new language for writing succinct, executable, formal specifications for cryptographic components. Syntactically, hacspec is a purely functional subset of Rust that aims to be readable by developers, cryptographers, and verification experts. An application developer can use hacspec to specify and prototype cryptographic components in Rust, and then replace this specification with a verified implementation before deployment. We present the hacspec language, its formal semantics and type system, and describe a translation from hacspec to F. We evaluate the language and its toolchain on a library of popular cryptographic algorithms. An earlier attempt in this direction by some of the same authors, was also called hacspec, and sought to embed a cryptographic specification language into Python. We now believe that the strong typing of Rust provides an essential improvement to the specification and programming workflow. This work subsumes and obsoletes that earlier attempt. Hereafter, we use hacspec-python to refer to this prior version