Using Closed-source Software To Catch Criminals?

[skap35]

There was a recent Slashdot article here that talks about how DUI cases are being thrown out left and right in a Florida county. The reason is that defendants have been asking for information about how the breathalizer works (in other words asking for the source code). The company that makes this particular breathalizer is unwilling to release the code. And since the state has basically failed to produce that key evidence, these cases are dismissed.

The logic behind these decisions applies to many other aspects of the government such as radar guns, and in particular, voting machines.

So when it comes to the government, should they be forced to use only open source software? Keep in mind, I'm not talking about banning Windows from government computers or anything like that. I'm specifically talking about when it comes to proving someone's guilt or innocence or dealing with counting votes.

[DavidOdden]

So when it comes to the government, should they be forced to use only open source software? Keep in mind, I'm not talking about banning Windows from government computers or anything like that. I'm specifically talking about when it comes to proving someone's guilt or innocence or dealing with counting votes.

The forensic / trial question has to be separated from the voting question. There is no reason at all why the government should have to use open-source softward in all of its dealings, and many reasons why it should not use it at all in military matters. Trials are a different matter. A person's rights are put at great risk, and establishing the validity of evidence given in court is of paramount importance. The fact is that the state does make unsupported assertions of fact which in a number of cases cannot be independently assessed. Voiceprints, for example, are of negligible probative value in establishing identity and yet they were used, and what is most problematic is that there is no objectively defined and validated procedure for interpreting voiceprints. "Qualification" usually amounts (amounted) to saying that X is an FBI agent who works in such and such lab and has boon doing this for 10 years. Under the Daubert standard a lot of the problems have gone away (I don't know if voiceprinting has been totally discredited in court). In principle, what is required is that the technique be testable and subject to independent review. This could be accomplished without revealing source code in open court.

[skap35]

In principle, what is required is that the technique be testable and subject to independent review. This could be accomplished without revealing source code in open court.

I have a problem with relying on this solution. Granted, "black box" testing like this would probably work in most situations. However, you can never prove conclusively that there are no bugs in the software without actually seeing the code.

More importantly however, is that just as a matter of principle, I think the accused has a right to review the method used to prove his guilt. Take forensic science for example. Every action taken by a forensic scientist is rigorously reviewed by the defense team to find any flaws in his method. Relying on a black box independent review of a breathalizer is no different from simply taking the forensic scientist's word for it in a trial. The defense team needs to be able to review the method (source code) used to prove the defendant's guilt.

Edited October 25, 2005 by skap35

[softwareNerd]

Most software is black-box tested. As long as the testing is good, and there is no reason to think that some factor was not considered, any claim that the software contains a bug that affected the particular case would be arbitrary. If one did not do a black-box test with samples and instead looked at source code, it would be very unconvincing. One is testing the performance of the device as a whole.

The testing method is open to review. In the case of a breathalizer, if know samples across a relavant are tested with a breathalizer and the breathalizer confirms the know values in the samples, what more does one need.

I wouldn't rule out that there could be case where looking at the algorithm is an important part of the proof. A judge would need to decide when to allow that, and with what restrictions. I think judges decide things like this all the time. For instance, one side asks that certain information be brought into the trial. The other side questions its relevance. A judge decides.

[DavidOdden]

I have a problem with relying on this solution. Granted, "black box" testing like this would probably work in most situations. However, you can never prove conclusively that there are no bugs in the software without actually seeing the code.

And furthermore, you can't prove conclusively that there are no bugs in the software even if you see the code. Though of course, seeing the code might make it more obvious that there is a bug. But note, I am not precluding inspection of code, I'm simply saying that you can validate the procedure without revealing the code in open court. I would say that the code should not be a matter that the jury deliberates over in such a case and the code specifics don't end up in the record; rather, you have the testimony of software experts on both sides who have been allowed to see the code (penalty of death or huge fine and all), who can say certain things that are directly relevant to the reliability of the gizmo. There are already these safeguards where you can go into closed session in case some matter of uncertain relevance comes us which is possibly prejudicial (to the company's interest, in this case). This would satisfy the defendant's right to challenge the evidence, without compromising the company's right to keep a trade secret. I argue that the attorney and certainly the defendant has no need or competence to review the source code (except of course if the defendant can serve as his own expert witness). The point is not that the evidence isn't subject to review, but that it's subject to controlled review.

[skap35]

This would satisfy the defendant's right to challenge the evidence, without compromising the company's right to keep a trade secret.

That would be fine in any other case. But in dealing with the cases in the link I provided, the problem is that the company is unwilling to turn over the source code to anyone. So the closed session safeguard you mentioned can't even take place because the company has refused to cooperate.

So your two arguments to justify not revealing code in open court were 1. an expert witness evaluation of the code or 2. a closed session evaluation of the code. The problem is that the company isn't even allowing either of those two options to be exercised. If the company was cooperating at least with one of those two options, I wouldn't see a problem. But this case is a different situation.

[DavidOdden]

So the closed session safeguard you mentioned can't even take place because the company has refused to cooperate.

Right, and that should be a bad choice from the market point of view. It is the right of the manufacturer to refuse to divulge crucial details of the workings of their product. The consequence should be (though only if there were a challenge in court as to the validity of the evidence) that the evidence may be inadmissible. That's the strongest outcome possible -- the question would be whether the device is provably reliable even without knowledge of the software. Given two manufacturers of a gadget, one who is willing to let the reveal the details of the device under closed session safeguards, and one who will not, then all other things being equal, the company that makes a machine whose evidence isn't admissible in court will have rather limited sales.

The ultimate consideration is whether the device or technique is reliable, and not whether a company decides against revealing source code. I don't know how breathalyzers work, but it should not be difficult to independently test them to see if there is a flaw that results in misreadings, whether it is a software problem or a hardware problem. IMO it ought to be standard that the device is calibrated before any use -- that is standard in any science. In this particular case, I think just judges are just being obstreperous, since there is no allegation (at least reported in the article) that the device is unreliable. I do think the courts have been unconscionably lax in applying the Daubert standard, but those Seminole County guys have gone overboard in the other direction, and I just don't see any merit to the claimed need to inspect the source code.