Followers

Thursday, September 18, 2008

Source code requests force breathalyzer maker to sober up

By Nate Anderson

The Intoxilyzer 5000EN, a breathalyzer machine used by Minnesota law enforcement, runs on a pair of Z80 processors and uses 50,000 lines of assembly code. The accuracy of that code base is now under nationwide scrutiny as defense attorneys around the country now frequently claim that the source code must be made available to them during DUI cases. Numerous courts have agreed, but vendor CMI of Owensboro, Kentucky, puts up Herculean resistance to every such request, leading to hundreds of cases being tossed by the courts.

It's gotten so bad in Minnesota that the state has gone to federal court this year, charging CMI with a host of contractual failures and asking for more than $75,000 in compensation. With police departments now losing confidence that an Intoxilyzer reading will lead to a conviction, many have switched to blood and urine testing. Such testing puts a "heightened burden" on the state's laboratory budget.

Even worse, with confidence in the devices plummeting, the state says that it may need to "replace its entire fleet of breath testing instruments" and retrain every officer who uses them.

And all this for a peek at some assembly language.

But it's a dry heat

Courts around the country have split their rulings on this issue, but a substantial minority have agreed that source code should be provided so that defendants can verify the accuracy of the tests. Minnesota, like many states, has done its own testing, keeps detailed maintenance logs for each device, and has an actual Intoxilyzer available for anyone to examine (with payment of appropriate bond, of course; these things aren't cheap!).

But defendants want more, in part to examine stories of odd or "jumpy" readings on the devices. The Pima County Superior Court last week ruled on a motion brought by 20 DUI defendants, giving them access to Intoxilyzer 8000 source code. This request was opposed by Deputy Pima County Attorney Robin Schwartz, who compared the devices to a light switch.

"No one... needs to see a schematic of wiring to know that when he flips the switch on the wall, the light will come on," Schwartz said, according to the Arizona Daily Star. What this has to do with an Intoxilyzer, where the result isn't known or observable in the direct way that a light bulb is, remains unclear; for Schwartz's sake, we'll assume that the statement was ripped grossly out of context and that, heard in court, it was a cogent remark worthy of the judge's time.

In any event, no one involved in the case seems to believe that CMI will turn over the source code, which means that all of the defendants will likely be exonerated due to lack of evidence. Sweet victory?

Turn it over

Similar cases have played themselves out around the country with similar results, and states have had enough. The Minnesota case is instructive, because it shows just how concerned about secrecy CMI can be. In CMI's own response, the company says that the source code is absolutely, positively, we-can't-stress-this-enough vital to its business interests, and not even the company president has direct access to it. A competitor—assuming that he or she can locate the cutting-edge Z80 chips used in the device—could take advantage of the company's decades of hard work, believes CMI.

Minnesota calls hogwash on the whole idea. The state believed that all these issues were addressed when CMI agreed to a state contract and submitted a half-page confidentiality agreement for its materials. But when it came to source code, CMI said the agreement wasn't good enough and instead produced "ten pages of single-spaced text" so draconian that most district court judges in the state have refused to allow its use.

One defendant in the state did get access to the code after signing the document, but CMI then billed him $1,600 to produce it. The state calls this "arbitrary and unreasonable, pointing out that slapping the code on a CD-ROM should be "little expense or inconvenience. (It appears CMI actually printed and bound the source code before turning it over).

CMI certainly can't risk losing contracts in state after state, the inevitable result of this kind of continued stonewalling, so one would expect the company to do something to work more closely with courts and law enforcement in resolving the issue. It appears that this is now happening. In the Minnesota federal case, both parties have recently agreed to some sort of consent decree that a judge will look at in December, at which time we will have more details about how the standoff may be resolved.

But the current national situation, with defendants being released en masse, with CMI losing money as states stop using their products, and with states spending time and energy litigating these cases, is clearly not sustainable. Hopefully everyone involved sobers up soon.

Original here

No comments: