Open-sourcing software developed with taxpayers’ money would help improve security in the public sector, according to FSFE spokesperson Paul Brown

Last September, the non-profit Free Software Foundation Europe (FSFE) launched a new campaign that calls for EU-wide legislation that requires publicly financed software developed for the public sector to be made publicly available under an open source software license.

According to the ‘Public Money, Public Code’ open letter, free and open source software in the public sector would enable anyone to “use, study, share, and improve applications used on a daily basis”.

The initiative, says the non-profit, would provide safeguards against public sector organizations being locked into services from specific companies that use “restrictive licenses” to hinder competition.

The FSFE also says the open source model would help improve security in the public sector, as it would allow backdoors and other vulnerabilities to be fixed quickly, without depending on a single service provider.

Since its launch, the Public Money, Public Code initiative has gained the support of 150 organizations, including the WordPress Foundation, the Wikimedia Foundation, and the Tor Project, along with nearly 18,000 individuals.

With the initiative now approaching its first anniversary, The Daily Swig caught up with FSFE spokesperson Paul Brown, who discussed the campaign’s progress.

The debate surrounding open source vs. closed source software shows no sign of slowing. What’s your take on open source in terms of application security?

Paul Brown: For us, security is one of the most important aspects of the Public Money, Public Code campaign. Let me be clear: we don’t believe that open source or free software is inherently secure. What we are saying, however, is that closed software – software you can’t audit or look into – offers no guarantee of security at all.

Look at it this way: would you fly on a plane that hasn’t been inspected by a third party? Would you just believe the airline if they said it doesn’t need to be inspected, or if they said it would become more dangerous if it were inspected because the terrorists would be able to bring it down? This is absolutely absurd.

Outside of the software world, ‘secure’ normally means the plans for something have to be publicly available so they can be inspected by any third party – whether they are for a plane, bridge, train, or whatever. Even a local restaurant has to be up to code. For some reason, this is not the case with software.

On the contrary, proprietary software manufacturers have spread this lie that if they reveal how it works, then it becomes less secure, which is absurd. It’s like saying, ‘Hey, we stuck the wings on with Blu Tack, but don’t worry, they won’t fall off because we didn’t tell anybody’.

If open source legislation was enacted, how would large public institutions cope with the changes to their digital infrastructure?

PB: Let me be clear: we are not asking for something that we consider unreasonable, like having public institutions switch all of their framework over to free software overnight. We are not even asking that all software purchases be open source software. What we are saying is that all software developed with public money should become public.

If, say, an institution needs, for whatever reason, Microsoft Office over LibreOffice, that is not what this campaign is about. What we are saying in the Public Money, Public Code campaign is that, if an institution needs a custom piece of software and goes and commissions it to a company, that company must free the software under an open source license.

It’s about software whose development is financed and contracted out to third parties, or software that is developed in-house by publicly paid programmers, becoming open source.

The FSFE’s open letter calls for safeguards against monopolistic, proprietary software developers. How widespread is the issue of public sector organizations being “locked into services” from these technology providers?

PB: You cannot trust proprietary software, whatever happens, because you cannot know what’s going on in there. It’s that simple. And even if you were a really great expert and could read binary, you often wouldn’t legally be allowed to do this anyway.

We have had cases where people have found vulnerabilities in proprietary software, and the provider has done nothing. So then when the researcher publishes the vulnerability so that other users are aware of the issue, the company has sued them.

Sure, every single system has security holes, but who are you going to trust more, the guys who say, ‘Here’s the code, look at it, if you find anything we’ll change it, or you can change it’, or the guys who say, ‘No you can’t look at it, just in case’?

The pressure that public sector organizations are under when purchasing software is mind-boggling. For example, the former British government said that local public institutions could now use LibreOffice instead of Microsoft Office. And Microsoft pushed back against that decision.

Every public institution is looking for new ways to cut down on licensing costs, and they also see it as a way of making the software their own because it allows them to inspect it and modify it. These are the tenets of free software.

Public institutions need these kinds of freedoms, otherwise they become tied to a company that they cannot get rid of – even if it turns ‘evil’.

More than 17,000 people have signed the FSFE open letter. What’s your main plan of action for the rest of the year?

PB: It’s always nice to have some milestones – to say we’ve reached 20,000, 50,000, 100,000 signatures – but the fact is that we are already pressuring policymakers to turn this into some sort of EU-wide regulation.

We are in touch with lots of public institutions all across Europe, including the European Parliament, but we also focus on European elections where we approach candidates and ask them to sign their support.

Every single time this topic comes up in Brussels, we ask the Parliament or the Commission to take this into consideration.

We are also working on supporting local initiatives with our expertise and are going to increase the amount and quality of information focused on the public or decision makers in politics and administrations.