Privacy and data protection are growing concerns in a world where companies make their revenues by the surveillance of the internet activities of their users. Asides from the scary sensation of feeling heard and observed when an ad pops up for a product you are almost sure you did not search for on the web, what can be truly damaging is what cybercriminals can do with the data —identity fraud, as the most obvious case.
However, companies are not the only ones managing personal data: governments store personal data from their citizens that could potentially be as compromising as the data gathered by companies. The more the government offers digital services and increases its presence online, the more cybersecurity becomes a concern.
Therefore, when it comes to governmental services, and the sensible data they protect, the same degree of concern as with big tech companies should be applied. If the government makes the code behind their services publicly available, it will increase trust on how citizen’s data is being handled.
What is open source?
Before explaining how open sourcing the code would help, it is useful to understand what it means for a software to be open source. The idea behind open sourcing a program is making it free, but in the words of the GNU Project, “they are free as in freedom and not as in free beer”. It means that anyone has the freedom to make changes to the program to make it their own.
The idea behind open sourcing government services is not, at first, about allowing anyone to run their own instance; that is to say, it is not about people running the software in their own computers to replicate what the government is doing. What open sourcing intends to accomplish is to allow the public to understand how the program works and therefore how the data is handled.
From a privacy perspective, it is important to understand that in the process of open sourcing a software, what is available is the code (i.e., the instructions that are given to the computer to execute) and not the data itself. In other words, the information a program uses is usually stored in a database (something similar to an Excel Spreadsheet), and the code refers to the rows and columns in that database but not to any particular piece of information.
Two kinds of audit for open source public services
Building trust through open sourcing the code would go in two steps: first, the security audit needed before releasing the code to the public; and second, the public audit that citizens can conduct on the software once it is available.
First, given the nature of the public services, the code behind the service cannot go public without a previous security audit. There is for sure certain degree of security in secrecy: if there are vulnerabilities in the code, they are more difficult to exploit, since no one outside the organization have access to the code. It does not mean, however, that the vulnerability is not there, it is just hidden.
When releasing the source code of a public service, any vulnerability hiding in the code will be at plain sight, which means that any malicious agent can take advantage of it to extract valuable data —such as personal data. With the necessary security audit before publication, then citizens know that the code has certified standards of security, or it would not have gone public in the first place.
The second step on building trust by open sourcing is the public audit of the code. Trust goes in hand with knowledge, and that is why transparency helps build trust. By being transparent about the code, the government is giving the public knowledge on how they are handling their data, if the data is properly secured, and what mechanisms they are using to secure the data. This exposure to the public also means that, as it happens in big open source projects, the source code is under the scrutiny of hundreds, if not thousands of eyes. Vulnerabilities and places for improvement are bound to be found, and fast.
Civic engagement through open source
This public audit also creates a new space for civic engagement. When discussing programming, new sectors of society get access to the public debate, which creates new opportunities to engage in a different way with the government.
Developers would get a chance to have a say on how the data treated, to verify the claims of the government and even in the spirit of open source, to propose changes on how the program is operating. This is a space for advocacy that is relatively low in resources, given the advocates already have the technical knowledge to make their advocacy.
It also means that actors such NGOs and academia can audit and propose tangible changes to public policy, and adopting them should be lower in costs for the government to implement, as these institutions would be bearing the cost of reviewing and programming. This process strengthens civil society and, at the same time, increases trust in government and their handling of the privacy of citizens.
In a nutshell…
Open sourcing means that the public has an opportunity to check the claims of privacy and data protection any given government agency makes, as well as the assurance that, before going open, the code had to be reviewed for quality to assure security. At the same time, it is also an opportunity for advocacy and makes an incidence on how policies are conducted.
In an era of increased demands for digitalization and transparency, governments can adopt practices such as open sourcing to prove their citizens they are listening to public demands.
About the author
Adriana Pineda is a first-year MPP student at the Brandt School. She holds a Bachelor's Degree in International Affairs from the UCV, Venezuela. Her main interests are open
government, open software, transparency and building trust in government.
~ The views represented in this blog post do not necessarily represent those of the Brandt School. ~