A Minnesota man accused of drunk driving has sued to see the source code of the Intoxilyzer 5000EN machine that busted him, and the state Supreme Court is allowing the request to go forward.
The St. Paul Pioneer Press is reporting that Dale Lee Underdahl has challenged the effectiveness of the breath analyzer used by police to arrest him for drunk driving, and he's demanding to see the source code in order to make sure the machine works as advertised.
His attorney told the paper, "The problem is, the manufacturer of the thing thinks they can hold it back and not tell anybody how it works. For all we know, it's a random number generator."
That seems... unlikely, but it is interesting that the state does not want to reveal the information that would show whether its law enforcement tools are truly accurate. The company that makes the Intoxilyzer, CMI Inc. of Owensboro, Kentucky, also has no desire to turn over the code. The state isn't sure that it has the rights to the source code, though the agreement between CMI and the state does appear to give the state the necessary control of the source code. A succession of Minnesota courts have now ruled that the defendant has a legitimate right to make sure the device is accurate, and with the recent Supreme Court decision, the matter appears to be settled.
The "source code defense" has become more popular in recent years and has occasionally resulted in the code being disclosed. In 2005, a group of Florida defendants also won the right to examine the source code of a machine.
It only seems legitimate for the accused to know if the tests are accurate and if the software in the machines works as advertised. Security researcher Ed Felten made this point back in 2005 after the Florida case hit the headlines. The issue, he said, is about "fairness for the accused. If they’re going to be accused based on what some machine says, then they ought to be allowed to challenge the accuracy of the machine. And they can't do that unless they’re allowed to know how the machine works."
As a bonus, if a company proves unwilling to turn over the code, the case is often thrown out without any need to prove that the source code is in fact flawed.
One of the common criticisms (which is also made of voting machines) of breath devices is that the "state-certified" models are updated even after they are certified. The companies that manufacture the machines make tweaks, bug fixes, and even add new features, but the machines are not generally recertified after every single source code change. This means that any given machine could potentially be running non-certified code, code which may or may not have errors. And as voting machine software has shown, assuming that such source code is rigorously locked down and tested can be a a bad idea.
Further reading:
- CNet has good coverage of the Minnesota case
- In 2005, hundreds of Florida DUI cases were thrown out after source code wasn't revealed, and Bruce Schneier thinks that's fine
- Breath analysis isn't just for cops; last year's launch of the iBreathe brought allegedly-accurate alcohol testing to the iPod, though it does not prevent intoxicated twenty-somethings from listening to '80s hair metal ballads.
reader comments