when open source is the only fair way to go

If your code can result in people being sent to jail for decades, if not death row, that code should be open source and subject to review. The courts don't seem to understand that yet.

math is logical

When you live in a world filled with technology, you’re living with the products of millions of lines of code, both low, and high level. There’s code in your car’s digital controls, all your appliances, and sprawling software, with which yours truly has more than just a passing familiarity, are way more often than not behind virtually every decision made about you by banks, potential bosses, hospitals, and even law enforcement. And it’s that last decision maker that warrants the highest scrutiny and the most worry because proprietary code is making decisions that can very literally end your life without actually being audited and examined for potential flaws. Buggy software in forensic labs means that actual criminals may go free while innocent bystanders are sentenced to decades, if not life in jail or death row for their actions, so criminal defense attorneys are now arguing that putting evidence in a black box to get a result is absurd, and want a real audit of at least one company’s software. Sadly, their requests have so far been denied by the courts for a really terrible reason: that the company is allowed to protect its code from the competition.

Instead of opening up its source code, the company in question, Cybergenetics, simply says its methods are mathematically sound and peer reviewed, so that should be the end of discussion as far as justice is concerned. So far, the courts seem to agree, arguing that revealing code will force the company to reveal its trade secrets despite the fact that its entitled to keep them. And while its unlikely that Cybergenetics is doing anything willfully malicious or avoiding an audit for some sort of sinister reason, the logic of saying that because their methodology seems sound, the code implementing it should be beyond reproach is fatally flawed. Just because you know a great deal about how something should be done doesn’t mean that you won’t make a mistake, one that may completely undermine your entire operation. Just consider the Heartbleed bug in the open source OpenSSL. Even when anyone could’ve reviewed the code, a bug undermining security the software was supposed to offer was missed for years, despite all the methodology behind OpenSSL’s approach to security for the package was quite mathematically sound.

So what could Cybergenetics not want to share with the world? Well, knowing what I’ve had the chance to learn about code meant to process DNA sequences, I can provide several educated guesses. One of the most problematic things with processing genetic data is quantity. It simply takes a lot of time and processing power to accurately read and compare DNA sequences and that means a lot of money goes solely to let your computers crunch data. The faster you could read and compare genetic data, the lower your customers’ costs, the more orders you can take and fulfill on time, and the higher your profit margins. What the code in question could reveal is how its programmers are trying to optimize it and tweak things like data types, memory usage, and mathematical shortcuts to get better performance out of it. All of these are clearly perfectly valid trade secrets and knowing how they do what they do could easily give competition a very real leg up on developing even faster and better algorithms. But these optimizations are also a perfect part of the code for evidence-compromising bugs to hide. It’s a real conundrum.

It’s one thing if you’re running a company which provides advanced data warehousing or code obfuscation services, where a bug in your code doesn’t result in someone going to jail. But if a wrong result on your end can cost even one innocent person a quarter century behind bars, an argument centered around your financial viability as a business just doesn’t cut it. Perhaps the patent system could help keep this software safe from being pilfered by competitors who won’t be able to compete otherwise while still keeping the code accessible and easy to review by the relevant experts. Otherwise, if we let commercial considerations into how we review one of the most important types of forensic evidence, criminal defense attorneys have an easy way to do what they do best and raise reasonable doubt by repeating how the method of matching is top secret and is banned from being reviewed solely to keep up the company’s revenue stream. Or ask the jury how they would feel if an algorithm no one is allowed to review not to compromise the creators’ bank accounts decides their ultimate fate in a complicated criminal case.

# tech // computer science / crime / evidence / law

  Show Comments