A few years ago I was at a meeting where a salesman was trying to pitch his terribly expensive closed-source software to our company. Since security of our data was very important, this topic was raised a few times. I asked about how they encrypted their data. The salesman replied that since security was so important, the company created a proprietary encryption algorithm which was secure because no one knew how it was implemented. He seemed a bit flustered when I burst out laughing.1
If you’re reading this blog, you probably have a technical bent and know that the vast majority of software out there has bugs. The larger the project, the more bugs. In fact, I’ve never worked on any significant (you know, large) piece of corporate software without known bugs. I’m constantly talking to friends who complain bitterly about long-standing problems with their systems. So why is closed-source software allowed to take a witness stand and accuse you of crimes when you’re not allowed to cross-examine it?
The tech Web site “ars technica” recently reported about a Minnesota man who won the right to examine a breathalyzer’s source code. The manufacturer of the breathalyzer does not wish this code to be released, nor does the state of Minnesota (why the latter is objecting is anyone’s guess). Defendants in Florida have also have won the right to analyze the source code used in breathalyzers.2 This is welcome news.
In the United States, the Sixth Amendment to the U.S. Constitution reads as follows (emphasis mine, obviously):
In all criminal prosecutions, the accused shall enjoy the right to a speedy and public trial, by an impartial jury of the State and district wherein the crime shall have been committed, which district shall have been previously ascertained by law, and to be informed of the nature and cause of the accusation; to be confronted with the witnesses against him; to have compulsory process for obtaining witnesses in his favor, and to have the Assistance of Counsel for his defense.
But what do you do when your accuser is a series of ones and zeros? This is, of course, becoming more and more common. Here in the UK, officials in Cumbria have been caught lying about faulty speed cameras. London was forced to refund over £300,000 due to faulty speed cameras. A man in Dorset luckily managed to prove he was only driving 13 miles an hour despite the camera claiming he was driving at 51 miles per hour.
It’s not just criminal cases where this is a concern. Many people assume that if you’re accused, you must be guilty and it’s tough to work up sympathy for drunken and reckless drivers. Then how about sympathy for your right to vote? We’ve had more fantastic news about California effectively banning touch screen voting. Why? Because of poor security and many software bugs. The California Secretary of State also wants the attorney general to bring criminal and civil charges against Diebold for fraud. While criminal cases are important, the voting machine fiasco is even more important. Take away your right to vote and nothing else matters.
The problem here is not an open source versus closed source debate. I have no problem with companies producing or adopting closed source software. That’s their choice. Instead, this is a human rights issue. After all, not only are we being erroneously convicted by buggy software, we’re being killed by it, too. While I understand official’s desire for the labor saving benefits of software, we cannot continue to pursue this while ignoring the human side.
This is why I firmly believe that any software with substantial risk to harm your life or liberty must be open source. I’m not saying that it should be free or that manufacturers should not be allowed protections, but the protection of the people must come first. Certainly we could come up with schemes for various systems which might purport to thoroughly test them without opening up the code, but there are too many systems and too many parameters for us to do this safely on a case-by-case basis.
How this would work in practice is anyone’s guess. I’ve done a fair amount of human rights advocacy work, but I’m hardly a lawyer. As the RIAA has done an excellent job of demonstrating, we frequently don’t know how to handle the changes being wrought by technology. Forbidding certain categories of code from being closed source will likely cause serious financial issues with many companies. Even if releasing their code as open source wouldn’t significantly impact them, their investors may well panic and cause their stock to suffer. Also, software flaws thus revealed may well open the companies up to litigation and I’m quite certain that many politicians would rush to their defense. Somehow the rights of the people keep getting ignored.
2. Perversely, the Florida state legislature felt that the rights of a private corporation were more important than the rights of Floridians and passed a bill making breathalyzer source code unavailable to the defense.
Imagine if you were accused of a crime but the state would not reveal which law you had broken. Code is law indeed.
@chromatic: Quite so - as imagined to nightmarish effect in "The Trial" by Franz Kafka.
Great article. But you missed the most important case-in-point. any software with substantial risk to harm your life or liberty must be open source. The software that most regularly has the ability to harm a given person is the electronic health record (EHR) software. The vast majority of EHR software is dangerously proprietary. gplmedicine.org is my site focused on this issue.