EKR: May 2009 Archives

William Saletan has a confusing article in Slate about GW Pharma's new cannabis-based product, Sativex:

Sativex is a cannabinoid pharmaceutical product standardized in composition, formulation, and dose, administered by means of an appropriate delivery system, which has been, and continues to be, tested in properly controlled preclinical and clinical studies. Crude herbal cannabis in any form--including a crude extract or tincture--is none of those things.

So there. Sativex isn't pot. It's a carefully refined derivative: "Once the plants have matured, they are harvested and dried. GW then extracts the cannabinoids and other pharmacologically-active components ... [to] arrive at a pharmaceutical grade material." Patients are further expected to regulate their intake to separate pot's approved effects--relief of pain and spasms--from its unapproved effects:

By careful self-titration (dose adjustment), most patients are able to separate the thresholds for symptom relief and intoxication, the 'therapeutic window', so enabling them to obtain symptom relief without experiencing a 'high'.

...

Every feat of re-engineering challenges our moral and legal assumptions. In the case of Sativex, two positions are under attack: the left's lazy tolerance of recreational marijuana in the guise of legalizing medical marijuana and the right's opposition to medical marijuana on the grounds that it's just a pretext. By refining, isolating, and standardizing pot's medicinal effects, pharmaceutical companies are showing us how to separate the two uses. Are you for symptom relief or getting stoned? That used to be a fuzzy question. Now it's concrete: Do you want the reefer or the spray?

As far as I can tell from the above, the story is that Sativex does get you high if you take enough; it's just that they're packaged it in a such a way that it's easy to take a small enough dose that it relieves whatever symptoms you allegedly have without getting you high. On the other hand, if you take a higher dose, presumably you do get high. But of course, the same thing is true of pharmaceutical opioids as well, and people abuse them. To the extent to which we have deterred such abuse it's because we have found opioids which provide pain relief with less euphoria and/or we've adulterated them so it's unsafe to take enough to get really high (e.g., the acetaminophen in vicodin). And of course we still have plenty of abuse of high-end opioids like demerol. I don't see any evidence that either of these has happened with Sativex.

Maybe I'm missing something, but I don't see how this usefully divides the world between people who are in favor of getting high and people who are in favor of symptom relief. On the contrary, Sativex seems like a new cool way to get high without the inconvenience of lighters, coughing, smelling like smoke, etc. I'm sure there are some people who like the ritual of actually smoking pot, but I suspect most would be perfectly happy to skip that and just get high. How exactly does being able to buy the active ingredients at Walgreens discourage use by stoners?

I've been thinking about getting myself a Kindle 2. The primary use I have here is for travel (backpacking and business travel). On backpacking trips I usually end up reading a couple hours a day, either at night or in the mornings, so I can easily go through a modest-sized book on a weekend trip. The Kindle 2 weighs in at 10 oz (290g), less than plenty of paperbacks, which seem to run about .5g/page, so this is more or less a wash on a short trip and looks like a win on a longer trip. Even on a short trip, a reader has the advantage that you don't need to commit to what you're reading in advance.

Anyway, the Kindle 2 is clearly flawed (screen too small, no PDF translation, too expensive) but it may just be over the line of being useful. Some of this stuff is fixed in the Kindle DX, but it's even more expensive, almost twice as heavy, and not available yet.

Have any EG readers tried the Kindle? Any comments?

Apparently, in New York, you can't vote absentee if you're dead:

OGDENSBURG, N.Y. (WPIX) - For Vicky Peo her one vote victory over John Wilson for election to the Ogdensburg City School Board seemed almost too good to be true. As it turned out it was too good to be true.

That final tiebreaking vote came from her brother-in-law, Franklin "Peanut" Bouchey, whose absentee ballot was ruled invalid because he actually had died three days before the election.

I wonder what happens if you die right while casting your ballot.

The NYT reports on a foiled terrorist plot to bomb some synagogues in New York City:

The men, all of whom live in Newburgh, about 60 miles north of New York City, were arrested around 9 p.m. after planting what they believed to be bombs in cars outside the Riverdale Temple and the nearby Riverdale Jewish Center, officials said. But the men did not know the bombs, obtained with the help of an informant for the Federal Bureau of Investigation, were fake.

Maybe it's just me, but if I were going to blow some stuff up, I would think I would want to test my gear beforehand. How hard can it be to find some unobtrusive place to make sure your detonators work, explosives are good, etc.? This seems like good practice even if you're not worried about someone giving you fake explosives. I mean, your average two man open source software project does regression testing before they release; you'd think if your project was killing a bunch of people you'd want to take a similar level of care.

Of course, since it's not exactly a secret that the FBI likes to run this kind of operation, an extra level of caution seems appropriate. For instance, you could pick a random sample out of the explosives, detonators, etc. test it, and then you have some kind of handle on the quality of the product. Your average movie drug dealer knows about this kind of cut and choose. Don't terrorists watch TV?

I spent Tuesday working the polls for the California special election in which all the propositions that were supposed to unscrew the California budget crisis went down in flames. Some observations:

• Turnout was very light. This is a precinct with about 1700 registered voters, of which about 1/2 are vote by mail. We got (from memory) 109 actual voters and 97 people dropping off their vote-by-mail ballots. The county reports 6.68% in-person turnout and 21.31% VBM turnout.
• Pollworkers aren't paid well, but we are paid. Given this turnout, the state is paying almost $6/ballot just for the pollworkers alone. I imagine that the other costs are significant as well.
• We were issued over 1000 blank ballots. Even in the 2009 Presidential election we didn't use that many and in this case we just ended up with a ridiculous number of extras. Of course, it's not entirely clear how to decide how many ballots to print, since you don't have a precise model of turnout and you don't want to be caught with no extras. With that said, however, you'd think twice expected turnout would be enough.
• Pollworkers seem to mostly hate the DREs: they're complicated to set up and tear down and the pollworkers (who are often retirees) don't understand how to operate them: every time someone wanted to vote on our DRE (Sequoia AVC Edge), I had to stop whatever I was doing and activate the card for the voter. I'm not sure how the precincts where nobody understands computers work.
• Voters, on the other hand, seem to like the DREs. The instructions we received were to assume people wanted to vote paper (central count optical scan) and just hand them a paper ballot unless they asked for the DRE. However, for privacy reasons once someone had asked to use the DRE we had to try to get four more people to do it. The next four people I gave the choice to (I didn't load it at all) all chose the machine.
• The printers on the DRE really suck. We're required to print two extra results summaries and post them: the paper in our printer got misaligned somehow and gradually was creeping rightwards, so by the end the leftmost letter or two of each word was being completely cut off. You'd think people could get this right.
• In Santa Clara County, if you are a VBM voter but you turn in your VBM ballots, you can vote as a regular voter. However, if you don't have your VBM ballots, you need to vote provisionally (to ensure that you didn't also vote by mail). We had a number of voters claim that they had not received their ballots and we had to vote them provisionally. This is a pain for everyone.
• Closing the polling place is really complicated and takes forever. You have five separate bags and like 20-30 separate kinds of items that all need to go into the right bag and then sealed. You're constantly digging through your pollworker's manual to try to figure it out. I'm not sure how to simplify the process entirely, but at minimum it might help to have a single per-precinct checklist for each job so that you could just walk through it. That's not true now.

All of this for 109 votes on propositions we already knew would fail days before.

Like any sane consumer of Vietnamese food, I'm fond of Sriracha sauce, that crusty squeeze bottle of red spicy goodness which is a standard item on every table in your average Pho dive. There's only one brand that counts here: Huy Fong's rooster-branded version. This NYT covers the history:

What Mr. Tran developed in Los Angeles in the early 1980s was his own take on a traditional Asian chili sauce. In Sriracha, a town in Chonburi Province, Thailand, where homemade chili pastes are favored, natives do not recognize Mr. Tran's purée as their own.

Multicultural appeal was engineered into the product: the ingredient list on the back of the bottle is written in Vietnamese, Chinese, English, French and Spanish. And serving suggestions include pizzas, hot dogs, hamburgers and, for French speakers, pâtés.

"I know it's not a Thai sriracha," Mr. Tran said. "It's my sriracha."

Wikipedia has a more complete backstory. Anyway, I'm not obsessed with authentic—more interested in tasty.

Seen tonight at SFO:

Looks to me like the 2010 model year of the Camry is out, but I guess the 2007 was pretty cool too.

USENIX conferences use this tool called HotCRP to manage the conference review process. Like other systems, you rate papers on a numeric scale (1-5). When you ask for a summary of the papers, the system displays a cute little graphic of how many people have chosen each rating (and even a cute little mouseover that displays the mean and SD), but once you have more than a few papers to look, it's a bit inconvenient to get a sense of the distribution. Maybe the PC chairs have a tool, but PC members don't. Luckily, it's easy to extract it from the HTML source. Here's a Perl script that will suck out the scores and compute the mean:

#!/usr/bin/perl
while(){
    next unless /GenChart\?v=([\d,]+)/;
    
    @scores=split(/,/,$1);
    
    $sum = 0;
    $ct = 0;

    for($i=0; $i<=$#scores; $i++){
	$sum += ($i + 1) * $scores[$i];
	$ct += $scores[$i];
    }

    $mean = $sum / $ct;
    
    print "$mean\n";
}

You just do save as¹ and shove the file into the script on stdin. Extracting standard deviations and the name of the paper are left as exercises for the reader.

^1. Note: you need to save as source not a complete Web page/directory. Otherwise the browser helpfully saves the images and rewrites the links to point to your local disk, which breaks everything. Took me a while to figure out what the heck was going on with that one.

Joseph Hall models one of the t-shirts I made for participants in the California Top-To-Bottom Review.

For those who don't recognize it, here's the inspiration.

In other news, apparently I'm now a security guru.

Ed Felten posts about the Minnesota Breathlyzer case (I've written about it here):

The problem is illustrated nicely by a contradiction in the arguments that CMI and the state are making. On the one hand, they argue that the machine's source code contains valuable trade secrets -- I'll call them the "secret sauce" -- and that CMI's business would be substantially harmed if its competitors learned about the secret sauce. On the other hand, they argue that there is no need to examine the source code because it operates straightforwardly, just reading values from some sensors and doing simple calculations to derive a blood alcohol estimate.

It's hard to see how both arguments can be correct. If the software contains secret sauce, then by definition it has aspects that are neither obvious nor straightforward, and those aspects are important for the software's operation. In other words, the secret sauce -- whatever it is -- must relevant to the defendants' claims.

I'm not sure this argument is right in the general case. Ignoring the specific case of breathalyzers, if I want to develop a new piece of software, it's pretty helpful to have a worked example to rip off. To take a simple case, if I wanted to build a new NAT (a pretty well-understood technology) I'd rather start with some existing package than build everything myself. It's not that there is anything secret in one of these gizmos, just that it would give you something to imitate/test against, etc. This would be especially true if I could actually copy the source, not just mimic it. Conversely, if I were the vendor of an existing system, I wouldn't necessarily want to assist my competitors.

Three further observations: First, I expect it's a lot less of an advantage to have the source code for a device like a breathalyzer or a voting machine. First, it's not a generic PC wired to a bunch of network ports: there's a bunch of sensors and stuff that can't be sourced from your average OEM network gear manufacturing plant (this is more true for breathalyzers than voting machines). Second, a lot of the business of selling something like this is engaging with law enforcement, voting officials, etc. There's more too it than just getting your boxes on the shelf at Fry's. Consequently, it's probably not as much of a competitive advantage to save on engineering costs as it might be in some other business.

Second, if every breathalyzer vendor is required to disclose their source code, it makes it a fair bit harder for your competitors to just steal your source code, since, at least potentially, you can see their source code and have an opportunity to demonstrate that it's a copy of yours. Of course, this doesn't rule out less blatant copying, using the original system as a template/regression test system, etc.

Third, we're kind of stretching the definition of "trade secret" here, at some abstract level. As Ed observes, if the system is straighforward, what's the secret? On the other hand, it's fairly consistent with the relatively expansive tech industry definition of trade secret.

Oh, this is just great:

BERKELEY -- The University of California, Berkeley, today (Friday, May 8) began notifying students, alumni and others that their personal information may have been stolen after hackers attacked restricted computer databases in the campus's health services center.

The databases contained individuals' Social Security numbers, health insurance information and non-treatment medical information, such as immunization records and names of some of the physicians they may have seen for diagnoses or treatment.

UC Berkeley administrators pointed out that the hackers fortunately did not access University Health Services's (UHS) medical records, which include patients' diagnoses, treatments and therapies. Those records are stored in a separate system and were not affected by this crime.

First, since when are immunization records and the names of the physicians you've seen not treatment information? Even if you don't know my diagnosis, which doctors I saw still leaks potentially sensitive information about my medical history. If my records show that I saw an oncologist, it's a reasonable guess that I have cancer. If my records show that I got vaccinated for Hep B or plague, you might reasonably deduce something about my risk factors. And of course the sheer number of visits (based on the rest of the page, the dates of visits seem also to have been leaked) isn't exactly uninformative; if I'm seeing a doctor every week, something is probably wrong. I'm not saying Berkeley necessarily did anything wrong by having this information on this computer—it's got to go somewhere—but this stuff sure seems sensitive to me.

One might also ask why my medical billing records need to contain my SSN. Apparently they're using it as some sort of patient locator, but that's not what I would ordinarily call good practice (distressingly common, though, and apparently that's their excuse).

My Vibram FiveFingers showed up today (REI free shipping to your local store). I hear they run big and after trying on the 45s I went with the 44s. This seems like the best compromise size: my big toe is pretty long and it's jammed right up against the toe pocket but my little toe is only about halfway into the pocket. Putting them on take a little bit of getting used to, but since I've been wearing Injinjis, I'm used to the whole individual toe thing.

I work from home a lot and go around barefoot quite a bit, so I figured that the FiveFingers wouldn't be that much of a change. Not so, though. Obviously, you can fel them in between your toes so that's different, but there's something else too. When I'm really barefoot I tend to be real conscious of that and walk lightly. The FiveFingers are just solid enough feeling that I tend to walk more like I would in a normal shoe, but since there's no actual padding in the sole, there's a fair amount of impact. This isn't a problem on carpet or hardwood, but on asphalt or concrete it's pretty noticeable and somewhat unpleasant. When I was outside I found myself having to be really conscious to walk on my toes more than my heels. I haven't been brave enough to really try running in them yet; I took a few strides and it did not feel good, so I suspect there's a lot of adaptation you'd need to do if you were going to go for a substantial run.

I'll be the latest person to pile on Mike Galanos's piece in CNN about how Plan B shouldn't be available OTC to 17 year olds:

Think of a 17-year-old girl. Most of the time she's a high school senior, still living at home with Mom and Dad. She still needs her parents in the tough times. But they will be cut out of a traumatic situation. All thanks to U.S. District Judge Edward Korman. Korman stated in his order, "The record shows that FDA officials and staff both agreed that 17-year-olds can use Plan B safely without a prescription."

Now keep in mind birth control pills require a doctor's prescription, but a drug that is more powerful doesn't? The effective ingredient in Plan B is the synthetic progestin levonorgestrel and this is also found in daily oral contraceptives. Some forms of birth control that require a prescription have levonorgestrel, while Plan B has significantly more of the synthetic hormone. Do we really want our daughters putting something like this in their bodies without a doctor? I still want Mom and Dad in on this.

This is bogus on a number of levels.

First, oral contraceptives arguably should be sold OTC (Grimes summarizes the debate here). The only real arguments for requiring a prescription are (1) that it forces women to get seen by their doctors, which is otherwise good, but sort of paternalistic and (2) that compliance isn't as good if you get them in a non-medical setting. As for the "more powerful" argument, that doesn't follow at all. There's a difference between occasional and acute usage. If I have a bad muscle sprain and need to take 2400 mg/day of ibuprofen, even for a few days, I think nothing of it, but I would see a doctor before settling into a regime of 1200 mg/day for the rest of my life. Third, pregnancy really is pretty bad for you and there is plenty of evidence that emergency contraception is safe, so it's not really like you need a doctor to make these tradeoffs for you. Finally, what the heck do mom and dad have to do with this medical argument? Unless they're doctors, they're no more qualified than the woman/girl to have an opinion.

Some argue that a girl can get an abortion without parental notification in some states, so why not Plan B? But just because those states got it wrong by leaving parents out of the loop doesn't mean others should follow suit. And the larger point is, society must help parents, not undermine their rights by keeping them in the dark on their child's life-changing decision.

Here's some perspective for you: In most states, minors can't get a tattoo, body piercings or go to a tanning salon without a parent's permission, but we are going to leave them alone to take Plan B.

I suppose there's legitimate room for discussion about whether or not we should have parental notification laws for abortion, but this just ignores the very real issues with them. To state the obvious: many kids (especially girls) have sex even when their parents disapprove or without their parents knowledge. If they suddenly find themselves in a situation where they need EC, either because they have a condom failure or (shocking, I know) they had unprotected sex, having to ask their parents to get it comes with a huge amount of baggage. And we haven't even gotten to situations where the pregnancy is a result of abuse by a family member. None of this applies to tattoos, body piercings, or tanning salons. Again, it may be the case that it's still better policy to require parental consent (I don't think so, but that's not my point here), but it's disingenuous to suggest that there's a straight line from tattoo parlors to Plan B.

I question that, when we are cutting a doctor out of the decision to administer a powerful drug. Timing is essential to the drug's effectiveness, Plan B supporters say, so getting parents and doctors involved would unnecessarily delay the teen's ability to pop the pill the "morning after." Does it really take that long to get a prescription

This is a joke, right? Try to put yourself in the position of a 17-year-old girl who just had a condom break. You've got to get up the nerve to tell your parents you're having sex with your boyfriend and then calm them down enough to get to the doctor and get a prescription, all within 72 hours? That doesn't seem like a lot to ask? Even if all you have to do is see a doctor without your parents, might there not be some logistical difficulties, like figuring out where to get one that won't show up on your families insurance paperwork? And because of the time limit, this essentially sentences some girls to either an abortion or carrying the pregnancy to term, neither of which is that attractive if you didn't want to get pregnant in the first place.

I also don't buy the argument that this will help with unplanned pregnancies and abortions. The Center for Reproductive Rights says making Plan B more widely available could reduce them, but The New York Times reports that since 18-year-olds were allowed to get Plan B without a prescription in 2006, there has been no evidence of it having an effect on the country's teen pregnancy or abortion rates.

This is distressing, but I don't see how this is an argument against giving 17-year-old girls choices.

But let's get back to the first point: We are making it available to high school girls. We're enabling teenagers to act carelessly with an easy way out. During a recent discussion on my show, Jackie Morgan MacDougall, supervising producer of the Web site Momlogic.com, said it best. "Teenagers are known for thinking they're untouchable and here we are saying that they can continue to do that and that there aren't any consequences." With Plan B, they can do it now and deal with it later.

Don't tell me high school dynamics won't play in here. The boyfriend will talk his girlfriend into unprotected sex with the promise of buying the "morning after pill" the next day. Any 17-year-old boy will be able to buy this drug, just as any 17-year-old girl will.

Yes, this could encourage unprotected sex and that means a greater risk for sexually transmitted diseases. What about the 17-year-old girl who may get Plan B for her 15-year-old sophomore friend? These are the kind of decisions high school girls will make.

Wait, what? In my book, things that are fun (like sex) are good. Things that aren't fun (like getting pregnant when you don't want to) are bad. Things that make it possible to do things that are fun without experiencing things that aren't fun are also good. This is the part that makes me nuts about this kind of article (and also William Saletan's article, to some extent); what's careful and what's not is situation-dependent. Just like you can safely climb more aggressively when you're roped up than when you're not, a different level of care is appropriate if you can get EC than if you can't. Having sex (or any other activity) involves a certain level of risk, and it's not careless or irresponsible to take such calculated risks, nor is it careless or irresponsible to adjust your behavior when superior protection becomes available.

Now, clearly there's still a pretty significant level of residual risk in terms of STDs to be concerned about, but consider that as an argument against EC. The underlying logic of Galanos's position is that we should deny girls EC so they'll be more afraid of pregnancy and thus use protection against STDs. That's a pretty crude kind of reasoning (paternalistic again) and it's imposing a significant cost on those girls who get pregnant when they otherwise would not have for a more or less theoretical incentive benefit.

I think the 15-year old part is your hint to the real objection: we don't want teenage girls having sex, so anything that makes it less risky is bad. Needless to say, I don't subscribe to this theory.

After catching The Incredibly Hulk the other night, I wonder if we're starting to exhaust whatever vitality is left in the mainstream comic book movie (I still hope Watchmen will be good). Sure, Liv Tyler looks really good and a lot of stuff gets blown up and, but mostly it's just an incoherent mishmash of overacting, CGI, cameos (Bill Bixby, Lou Ferrigno, Stan Lee, and Rickson Gracie all make appearances) and in-jokes ("you wouldn't like me when I'm hungry"). Is this really the best 150 big ones can do? I hear Iron Man is good, though...

Wired sums up 10 confusing plots in a single page. Spoilers, naturally.

The Downfall remix meme reaches it's probably Zenith with Hitler's discovery that his Tesla will be delayed. Not safe for work.

Craig asks:

You also need your testing to include whatever tricks are used by the highway patrol administering the test in order to "trick" it into giving false positives. Maybe it's more likely to FP if you leave the device in front of the outlet of you car's heater or AC? Maybe it's more likely to FP if you hold it upside-down for 60 seconds before the guy blows into it? Analysis of the source code would be the simplest way of determining if any process-manipulation could result in more false positives, and then you could investigate in your defense whether or not any of those manipulations were in fact occurring in the field.

It's like voting machines. You can run a ton of lab test where you feed it fake votes and lo! it reports what you fed in. But when you have someone deleting batches of votes in the field in some odd way and it nukes some other batch... You discover that by accident, but then once discovered it's open to deliberate manipulation.

It's important to distinguish between accidental errors and deliberate malfeasance by the police. No matter how much effort we put into engineering the breathalyzer, I'm not particularly sanguine that we'll be able to build a system that is immune to tampering by the police. Even if the device always gives the right result for a given input, what stops the officer from just lying about the results? OK, so the device has some sort of digitally signed timestamp on each reading; the officer arranges to feed an alcohol-doped sample to the device. Maybe we can come up with some countermeasure to make sure that someone actually is breathing into it, but then maybe the police can find someone else who is drunk to take a sample from. Technical controls are good, but fundamentally the system assumes that the police are honest; remember that in traffic stops it's just your word versus the officer's. DUI arrests have technical evidence if they use a breathalyzer, but that evidence isn't designed to be proof against police tampering. If you're trying to stop that, you need a much stronger set of procedural controls, starting with videotape of the entire operation, the right to an independent test, etc.

With regard to the utility of source code, cerainly that will let you discover some kinds of errors, but only in the software portion of the system. This doesn't help you if the errors are in the sensors, or, worse yet, the sensor readings don't correlate tightly enough with the variable you're really trying to measure (namely BAC). I tend to be more inclined to do some kind of black box study, as Kevin suggests, comparing breathalyzer measurements to direct blood measurements.

The Minnesota Supreme Court has ruled that defendants in DUI cases can get discovery of breathalyzer source code. (Ruling here). Apparently this puts a pretty serious crimp in Minnesota DUI proceedings because the manufacturer won't provide the source code:

The state's highest court ruled that defendants in drunken-driving cases have the right to make prosecutors turn over the computer "source code" that runs the Intoxilyzer breath-testing device to determine whether the device's results are reliable.

But there's a problem: Prosecutors can't turn over the code because they don't have it.

The Kentucky company that makes the Intoxilyzer says the code is a trade secret and has refused to release it, thus complicating DWI prosecutions.

"There's going to be significant difficulty to prosecutors across the state to getting convictions when we can't utilize evidence to show the levels of the defendant's intoxication," said Dakota County Attorney James Backstrom.

"In the short term, it's going to cause significant problems with holding offenders accountable because of this problem of not being able to obtain this source code."

I can't find the original filings, which include an affidavit from David Wagner, so I'm not sure I'm seeing the best argument for this position. That said, however, I'm not sure that source code analysis is really the best way to determine whether breathalyzers are accurate.

At a high level a breathalyzer is a sensor apparently either an IR spectrometer or some sort of electrochemical fuel cell gizmo attached to a microprocesser and a display. The microprocessor reads the output of the sensor, does some processing, and emits a reading. Obviously, there are a lot of things that can go wrong here, and this page describes a bunch of problems in the source code of another machine, mostly that there seems to be a bunch of ad hoccery in the way the measurements are handled. For instance:

3. Results Limited to Small, Discrete Values: The A/D converters measuring the IR readings and the fuel cell readings can produce values between 0 and 4095. However, the software divides the final average(s) by 256, meaning the final result can only have 16 values to represent the five-volt range (or less), or, represent the range of alcohol readings possible. This is a loss of precision in the data; of a possible twelve bits of information, only four bits are used. Further, because of an attribute in the IR calculations, the result value is further divided in half. This means that only 8 values are possible for the IR detection, and this is compared against the 16 values of the fuel cell.

So, maybe this is bad and maybe it isn't. But it's not clear that you can determine the answer by examining the source code. Rather, you want to ask what the probability is that a system constructed this way would produce an inaccurate reading. If, for instance, the A/D converters have an inherent error rate/variance that's large compared to the sensitivity that they read out in, then it's not crazy to divide down to some smaller number of significant digits—though I might be tempted to do it later in the process. More to the point, any piece of software you look at closely is going to be chock full of errors of various kinds, but it's pretty hard to tell whether they are going to actually impact performance without some careful analysis.

On the flip side, actually reading the source code is a pretty bad way of finding errors. First, it's not very efficient in terms of finding bugs. I've written and reviewed a lot of source code and it's just really hard to get any but the most egregious bugs out with that kind of technique. Second, even if we find things that could have gone wrong (missed interrupts, etc.) it's very hard to determine whether they caused problems in any particular case. [Note that you could improve your ability to recover from some kinds of computational error by logging the raw data as well as whatever readings the system produces.] Third: there are a lot of non-software things that can go wrong. In particular, you need to establish that what the sensors is are reading actually correspond to the alcohol level in the breath, that that actually corresponds to blood alcohol level, that the sensors are reading accurately, etc.

Stepping up a level, it's not clear what our policy should be about how to treat evidence from software-based systems; all software contains bugs of one kind or another (and we haven't even gotten to security vulnerabilities yet). If that's going to mean that all software-based systems are useless for evidentiary purposes, the world is going to get odd pretty fast.