Evidence from a Black Box

A recent court case in Minnesota poses an interesting question. In summary, a man accused of impaired driving says he should be able to review the source code of the breathalyzer used to gather the evidence against him.

On the surface, the man’s request seems reasonable. As I understand it, the primary evidence against him is that he exhaled into a box and it displayed a number. And that number was too big. In fact, everyone who drives, impaired or not, presumably has an interest in the accuracy of the device.

But the manufacturer, CMI, Inc., and the State of Minnesota apparently disagree, and they have convinced both the trial and appeal judges that handing over the source code would be “unreasonably burdensome.” So unless the defendant launches another appeal — or perhaps buys one and sends it to a lab for analysis — he appears to be out of luck.

I’m inclined to believe that the accused is simply looking for any possible way to have the evidence against him excluded. But that’s the way the system works. To be convicted, the accused must be proven guilty beyond a reasonable doubt. He has the right to cross examine human witnesses, so it simply doesn’t make sense that he’s not allowed to examine the functioning of the machine that says he was over the legal limit.

What could go wrong

There are a number of things that could go wrong with an electronic breathalyzer. Presumably, aging or failing components that change the readings would be picked up during calibrations, so there are likely some procedural safeguards. But what if the developer made a mistake or took shortcuts? Converting the output of an optical sensor into a breath alcohol concentration, and from there into a blood alcohol level, must involve some math. What if there is a bug in the math libraries that hasn’t been discovered?

Then there are issues such as version control. Did the right software get loaded onto the device? Has it been upgraded? Can the vendor reproduce the exact code loaded onto devices sold several years ago? Has it been modified?

The last question should send shivers down a judge’s spine. The device is in the custody of the same party that laid the charges and, therefore, has an interest in seeing a conviction. While the vast majority of police officers play by the rules, we are obliged to ask the question: What checks and balances are in place to stop that one bad apple from tampering with the device? Without appropriate safeguards, you too could be just one firmware mod away from a criminal conviction.
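The two questions above, whether the code on a seized device is the code the vendor actually shipped and whether a single constant has been quietly changed, are the kind of thing an independent examiner can check mechanically if the vendor publishes a build manifest. The following is an added example written for this post; it is not code from CMI or from any real breathalyzer. The firmware layout (a 4-byte magic, an 8-byte version string, one calibration slope stored as a double, then opaque code bytes), the reference build, the manifest and the sensor numbers are all constructed here so the script runs offline. The point it makes is that a one-constant patch leaves the version string intact, changes the reported number, and is caught only because the whole image is hashed against a reference the custodian does not control.

```python
import hashlib
import struct

# Toy firmware layout (an assumption for this example, not any vendor's
# real format): 4-byte magic, 8-byte NUL-padded version, IEEE-754 double
# calibration slope, then opaque code bytes.
HEADER = struct.Struct("<4s8sd")
MAGIC = b"BRTH"


def build_image(version: str, slope: float, code: bytes) -> bytes:
    """Assemble a firmware image in the toy layout above."""
    return HEADER.pack(MAGIC, version.encode().ljust(8, b"\0"), slope) + code


def parse_header(image: bytes):
    """Return (version, slope) from an image, rejecting anything unfamiliar."""
    magic, version, slope = HEADER.unpack_from(image, 0)
    if magic != MAGIC:
        raise ValueError("not a firmware image in the expected layout")
    return version.rstrip(b"\0").decode(), slope


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed reference build standing in for the vendor's release. In
# practice the manifest (version -> SHA-256 of the exact image) would be
# signed by the vendor and published out-of-band, so the agency holding the
# device cannot rewrite it; here it is derived from the reference build.
REFERENCE_CODE = bytes(range(256)) * 4
REFERENCE_IMAGE = build_image("1.2.3", 0.20, REFERENCE_CODE)
MANIFEST = {"1.2.3": sha256_hex(REFERENCE_IMAGE)}


def verify_dump(image: bytes, manifest: dict) -> dict:
    """Compare a firmware dump taken from a seized device with the manifest.

    The version string is read from the image only to look up the expected
    digest; it is never trusted on its own, because a tampered image keeps it.
    """
    version, slope = parse_header(image)
    digest = sha256_hex(image)
    expected = manifest.get(version)
    if expected is None:
        status = "unknown version"
    elif digest != expected:
        status = "modified"
    else:
        status = "matches reference build"
    return {"version": version, "slope": slope, "digest": digest, "status": status}


def reading(image: bytes, raw_sensor: float) -> float:
    """Toy conversion of a raw sensor value into a breath-alcohol number,
    using whatever slope the image carries (the 'math' the post worries about)."""
    _, slope = parse_header(image)
    return round(raw_sensor * slope, 3)


def tamper_slope(image: bytes, new_slope: float) -> bytes:
    """Patch only the calibration constant; version and code are untouched."""
    version, _ = parse_header(image)
    return build_image(version, new_slope, image[HEADER.size:])


if __name__ == "__main__":
    seized = tamper_slope(REFERENCE_IMAGE, 0.25)
    for label, img in (("reference", REFERENCE_IMAGE), ("seized", seized)):
        print(label, verify_dump(img, MANIFEST)["status"],
              "reading for raw 0.36 ->", reading(img, 0.36))
```

With the constructed numbers the reference image turns a raw sensor value of 0.36 into 0.072, while the patched image, still reporting version 1.2.3, turns the same value into 0.09. Only the hash comparison exposes the difference, which is why the reference digest has to come from a party other than the one holding the device.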

What should be done

An objective third party can examine all aspects of the software development life cycle, the software, the hardware, field maintenance and related security controls. If the manufacturer has done its job, the third party report will depict a reliable and trustworthy device. In fact, if the manufacturer has done its job, it should welcome the notion of an objective third party doing just that. On the other hand, if the manufacturer hasn’t done its job, we’ll all know that, as well.

According to Bill Collins, sales manager at CMI, the product was thoroughly tested by the National Highway Traffic Safety Administration, part of the United States Department of Transportation, prior to sale to law enforcement agencies. Individual states also test the device and it has been subject to other third party examinations prior to being generally accepted by the courts. He made another very good point: source code is only one part of the device and, to draw a meaningful conclusion, one would have to examine the entire device, including both hardware and software.

Preserving defendant rights

While I sympathize with the company and understand its desire to keep the proprietary source code confidential, impaired driving is a crime and a conviction can have major implications, including restrictions on employment and travel. Criminal defendants must be allowed to examine the evidence against them. Intellectual property concerns are a red herring – courts have long had procedures in place to allow the examination of sensitive information in a controlled manner.

If a defendant wants to retain an expert to conduct such an analysis, he or she must be allowed to do so. If the product is solid, defendants will quickly find out that they are simply throwing their money away. Some American states including Florida agree and have upheld the defendant’s right to examine the code.

In the words of English jurist William Blackstone, “Better that ten guilty persons escape than that one innocent suffer.” Allowing any black box to produce evidence is a slippery slope that we can’t afford, and product vendors should take note. It won’t be long until other devices like digital recorders are subject to the same scrutiny. Until we illuminate inside, outside and around the box there is no justice.

Facebook safely

Facebook (along with other social networking sites) has been around for a few years, and a lot has been written about the security issues involved. Googling “facebook security” yields about 20,500 hits. But what do users really need to know?

Information about Facebook users can be broken down into several categories:

  • Personal information: Facebook allows users to enter personal information such as their date of birth, home town, relationship status, sexual orientation, religious views, email address, telephone number, educational background, and employer.
  • Friends: The point of social networking is to connect with “friends”. Facebook users send requests to add friends, and if the potential friend agrees, they are connected on Facebook. Any user who can view either friend’s profile can see that they are connected. Some people allow anyone to see who their “friends” are, so social networks can be mapped.
  • Photos: Facebook users can upload photos and tag people in them. For example, if a friend uploads a photo that you are in, they can tag you in the photo. Another user viewing the photo can see your name associated with the photo.
  • Facebook Applications: Facebook applications allow users to post information on their profile, other users’ profiles, etc. Whether other users can see the information depends on your privacy settings (more on that later).
  • Third Party Applications: Facebook and third party applications that you enable have access to information in your profile. While there are some privacy restrictions in place, you should assume that all your personal information is available to any application you add.

So how do you stay safe on Facebook? The various applications and privacy settings may be overwhelming, but the answer is simple:

  1. Don’t enter unnecessary personal information into Facebook in the first place. While they require that you provide your date of birth (although they have no way to verify that you are providing correct information), virtually all the other personal information is optional. If you wouldn’t be comfortable answering the same question posed by a stranger or at a job interview, don’t type it into Facebook.
  2. Do not supply information about your school or employer. While you might not consider your employment details particularly sensitive, doing so may give your employer a legitimate reason to object to what you have written since it may reflect on them. Unless you use Facebook for business purposes, keep your employer out of it.
  3. Configure all privacy settings for your profile (Settings > Privacy Settings > Profile) to ‘Only Friends’. This makes it more difficult for people who don’t know you to obtain personal information about you. You can always change this later if there is specific information you wish to share with a wider audience.
  4. Don’t blindly accept friend requests. Identity thieves and unscrupulous marketers may send large numbers of friend requests. If you’re not comfortable simply ignoring requests from people you don’t recognize, you can always send them a message back politely asking, “Can you remind me where I know you from?” Just remember that sending someone a message on Facebook gives them access to some information in your profile.
  5. Think before you post. As a general rule, don’t post anything on Facebook that you wouldn’t want posted on the Internet. You may think that only your ‘friends’ can read it, and today you might be right. However, your words may hang around Facebook for a long time. Also, you have no way to prevent a ‘friend’ from copying, printing or creating a PDF and sharing it with others.

Facebook is a great way to keep in touch with friends. By following a few basic rules and considering the potential consequences before giving Facebook information, you can keep it safe.

Privacy on Social Networks

Use MySpace, Facebook, or LinkedIn?

The Privacy Commissioner of Canada has a brief yet thought-provoking presentation on social networking that’s worth a few minutes of your time.


Children’s Privacy Online

The Office of the Privacy Commissioner of Canada has posted Professor Valerie Steeves’s presentation deck and speech on Children’s Privacy Online on their blog. Professor Steeves, from the Department of Criminology at the University of Ottawa, provides a thought-provoking and somewhat alarming insight into how companies are turning online children’s playgrounds into research and marketing tools. Every parent should watch this video.

Why Privacy Matters

As an information security (infosec) guy I don’t blog about work. To put it mildly, customers would not appreciate it. So when I do blog about security, it’s about more general issues and events.

Here’s a good one on privacy. You might think it seems far-fetched, but allow companies to combine information from the right databases, and it’s actually quite easy. It also could be profitable…

http://www.aclu.org/pizza/images/screen.swf
