The Program
This I am not too sure about. The hard part is having a wallet that is not accessible by anyone but the program. The person or server in control of the program could possibly be the weak link there. I do not want to rely on trust. There needs to be a lot of transparency and easy verification.
It is not possible. It can be made difficult with complicated hardware tripwires, but in the end someone with physical access will be able to compromise the system.
Just a thought from my 'open books' thinking, but how about the following scenario:
1)New bitcoin client from third party
2)New bitcoin client has a feature of different levels of "hold"....in other words, the bitcoin client wont send the "money" on hold
If I were a bitcoin client, I would change that wallet.dat file of course....it wouldnt be compatible with the current bitcoin client.