This blog is now hosted at consciou.us

Friday, October 26, 2007

More troubling breathalyzer news

I have written previously about the Minnesota case where the company that manufactures breathalyzers is being required to produce the source code for the device in a drunk driving case (here and here).

By way of disclaimer, I do not condone the practice of drunk driving, and believe that current penalties are at least 1-2 orders of magnitude too light. Additionally, I'm focused on US law.

An article in the Seattle Post Intelligencer has, in my mind, clarified quite succinctly why we should require open availability of specifications, design documents, and source code for any software or hardware device that is used as evidence in a court of law. From the article:

In a widely anticipated decision, the Skagit County District Court judges found examples of careless or potentially flawed work done by state scientists and evidence that three people -- including state toxicologist Barry Logan -- committed misconduct.
Here's why we should have access to the designs, specifications, and implementation information:

In all criminal prosecutions, the accused shall enjoy the right to a speedy and public trial, by an impartial jury of the State and district wherein the crime shall have been committed, which district shall have been previously ascertained by law, and to be informed of the nature and cause of the accusation; to be confronted with the witnesses against him; to have compulsory process for obtaining witnesses in his favor, and to have the Assistance of Counsel for his defense. (emphasis mine)

That's the sixth amendment to the U.S. Constitution.

How do you cross-examine a device? How do you confront this "witness"?

You look at three things:
  1. Its design. The design may be flawed, intentionally or unintentionally.
  2. Its implementation. This is where the hardware and software (firmware) can be tested to verify correct function.
  3. The device itself. Is the device used for the test operating correctly?
Now, before you accuse me of being paranoid, read this article from the DUIBlog. The source code would not pass muster for any public safety requirement, yet it can be used to reliably convict you of a crime.

Imagine that there's this magical box that can decide your innocence or guilt. Whether you go to prison or not. Whether you are branded a criminal.

It is truly amazing to me that we are willing to trust a device without truly verifying it. As though it has some magical power to discern. Maybe we're just too willing to trust that a commercial entity is going to produce a perfect device, or that they are "experts".

The reality of the industry is that there are a lot of mediocre developers, managers, testers and processes. The reality is that deadline pressures cause inadequate testing. The reality is that the "expert" implementer may have taken 6 weeks of Java training before starting work on the software in question.

I know that seems harsh, but it is a reality in the software industry.

Hence the need for openness.
