Florida Court Orders Disclosure of Breathalyzer Source Code:

Declan McCullagh (news.com) reports on this decision by a three-trial-judge panel in Florida. Note that the decision relies heavily on Florida statutes -- it's not clear whether courts in other states would take the same view, though one can certainly argue for the same result using a more general right-to-discovery-of-relevant-evidence argument that isn't limited to Florida law.

Tim Howland:
As a software engineer, I was most interested in the specifics of the system - there were multiple versions of the software burned into the EPROMs. This means that some of the breathalyzers were running different versions of the software than was originally certified by the state - meaning that there was no guarantee that the software that determined whether someone lost their car, their job, and probably went to prison, had ever been tested...

There is an interesting parallel in the adoption of Microsoft Windows overseas - many governments prefer to use open-source software, as it can be examined for back doors. Microsoft has had an "NSA_KEY" embedded in its crypto systems for years (and a track record of borderline illegal behavior). In all likelihood, this key doesn't do anything in particular - but if you are the Chinese or Venezuelan government, which would you choose?

When important stuff is on the line, most engineers will prefer to use open source tools for these reasons - you can tell what the system will do. Open Source software and algorithms have come to completely dominate the cryptography field - security through obscurity is just too risky.
11.4.2005 10:29pm
Bruce Hayden:
I agree with Tim, having worked in software for 15 years before I went into law. The defendant here showed that there is a likelihood that the software in the subject machine differed from that certified, because it showed different rev numbers - and that is what revision numbers typically mean in the software world. Good lawyering.

I am not surprised at the prosecution's position here, but am totally unsympathetic. As Declan points out from the decision:
"Unless the defense can see how the breathalyzer works," the judges wrote, the device amounts to "nothing more than a 'mystical machine' used to establish an accused's guilt."

I also am totally unsympathetic with the manufacturer of the machines. Transparency is the cost of being in this type of business.

Despite its dependence on Florida law, the decision makes enough logical sense that I would expect that it will be persuasive precedent in other jurisdictions. After all, they all face the same problems - whether courts should be able to depend on machines with unknown workings.
11.5.2005 10:01am
Beerslurpy:
I'm sure certain police would love a machine that they could just point at people and convict them of crimes.

I have heard from a number of local attorneys that beating a DUI or a speeding ticket is harder than beating a murder charge and at least as expensive.
11.5.2005 2:53pm
Larry Faria:
As Tim Howland and the decision pointed out, none of the jurisdiction's breathalyzers was alike. I can't see any court in any state not considering that material, regardless of the statute specifics.
11.6.2005 6:27pm
Mike S.:

It certainly is an interesting decision, but now I wonder: did this open Pandora's box?

If the source code was written in 'C', a high-level computer language, then a compiler must be used to turn the code into assembler or low-level source code. Is the next step requiring to see the source code of this compiler?

Perfectly reasonable 'C' source code could produce erroneous results using a flawed compiler. The same should apply for the other tools used in creating the binary EEPROM memory image and downloading this to the EEPROM.

Mike
11.7.2005 2:15pm