In a result that I find to be both groundbreaking and inevitable (based on my earlier musings about law and technology), a panel of Florida judges has ruled that the source code behind a device used to create criminal evidence must be disclosed to the defense team.

A three-judge panel in Sarasota County said that a defense expert must have access to the source code--the secret step-by-step software instructions--used by the Intoxilyzer 5000. It's a simple computer with 168KB of RAM (random access memory) that's manufactured by CMI of Owensboro, Ky.

"Unless the defense can see how the breathalyzer works," the judges wrote, the device amounts to "nothing more than a 'mystical machine' used to establish an accused's guilt."

This is completely rational, since there's no other way to prove that the device hasn't been tampered with by police and that it's working as was intended when it was certified for use as evidence. Similar reasoning requires that the internals of any hardware/software system should be made available to the defendant in any criminal case in which such a system plays an evidentiary role. For example, if a person is put on trial for embezzlement and an accounting balance sheet is used as evidence, the defendant should insist on access to the source code of the accounting software in question to ensure that it hasn't been modified to falsely incriminate him.

The right to examine source code used to generate evidence is necessary to remove reasonable doubt from criminal cases -- and the more technology involved in the case the more inherent doubt it creates. Such a right will make it harder to prosecute information-based crimes, and will also further endanger the (already doomed) protections enjoyed by intellectual property, but I don't see any alternative since any properly positioned defendant can otherwise so easily claim to have been framed by malicious software.

(HT: Eugene Volokh.)

3 Comments

Well, actually, there is another way -- a better one.

Perusing source code would be of little value in determining the accuracy of the device it purports to control. There are too many links in the chain to operation, and too many ways to suborn that chain.

But the law could instead recognize that a diagnostic device such as a breathalyzer is part of the chain of evidence for a crime. The device would be sequestered in the same fashion as other evidence, and the prosecution compelled to surrender it for independent testing at the defense's request.

Testing intended to subvert a device's "reputation" as a "reliable witness" would have to be conducted according to rules, of course. The central idea is scientific: can it demonstrably distinguish between control cases and "the real thing"? What is its rate of "false positives," and under what conditions? As these were the criteria applied to the acceptance of such evidence as fingerprints and DNA, they ought to apply equally well to other sorts of assay techniques.

Yes, that would impose an additional burden on law enforcement and on prosecutors. But your core contention seems strong to me, while the ability to infer reasonably that the provided source code is what really governed a particular device on the date of its use in a particular case seems incredibly easy to attack.

Eric said:

Did O.J.'s knife have source code? Thankfully, he is still looking for the real killer.

FWP: But there's no way to demonstrate through testing that the particular application of the device that led to the evidence in question wasn't a special case that will never come up again... particularly if the defense is arguing that the device was purposefully corrupted.
