COVID-19 Emergency: importance of the open-source in tracking apps

The choice of Bending Spoons as the software house responsible for the development of “Immuni” has caused controversy about the lack of clarity regarding the license under which the app will be released. In the beginning, it was unclear[1] whether it would be released under a proprietary license or an open-source license. Subsequently, the Government made it clear that Immuni will be released under an open-source license, specifically the Mozilla Public License v.2[2]. For the sake of clarity and transparency, an app that processes sensitive data such as health data[3] should be released under an open-source license. Only the latter can guarantee a high degree of transparency: in this way, everyone can read the source code and understand how data are processed. In this respect, art. 9.2 GDPR states that, in order to process data concerning health, “suitable and specific measures to safeguard the rights and freedom of the data subject” shall be provided. Moreover, the European Data Protection Board’s Guidelines provide that “the application’s source code should be made publicly available for the widest possible scrutiny”[4]. But what does open-source mean specifically, and what are its implications regarding copyright?

Open-source, free software and GNU-Linux

Computer programs can be divided into two groups: proprietary software[5] and open-source software. The former is licensed to the end-user by the software owner. The license may be free of charge (WhatsApp is an example of free proprietary software) or granted to the final user for a fee (e.g. Microsoft Windows). In proprietary software, the source code is kept secret: final users cannot analyze it to learn how it works and cannot modify it to tailor it to their needs.

Open-source software is distributed both in its compiled version (installable and executable by the final user) and in its source code version. In this way, final users, having access to the source code of the program, can modify it according to their needs[6]. The term “open source” was coined by Christine Peterson[7] and was adopted in 1998 by the founders of the Open Source Initiative (OSI). Only software licensed under an OSI-approved Open Source license should be labeled as “Open Source Software”[8].

Sharing code was a common practice from the 60s until the 80s. The first lines of code were written mainly at the University of Berkeley and the Massachusetts Institute of Technology. It was there that the C language was born, which still constitutes the foundation of the most widely used programs and of the UNIX[9] operating system, from which macOS and GNU-Linux[10] distributions are derived[11].

In the early 80s, AT&T, a US telecommunications giant that contributed to the development of UNIX, began to claim intellectual property rights over the source code of the operating system. Out of these disputes, in 1985 Richard Stallman[12], a young programmer at Harvard and MIT, founded the Free Software Foundation, laying the basis of the free software philosophy. Stallman decided to re-write UNIX and leave the source code free and open. He called this project “GNU”[13], a recursive acronym that means “GNU’s Not UNIX”. To be a complete and working OS, GNU lacked a kernel, which is the core of an operating system that allows communication between hardware and software. This problem was solved by another young programmer, a Finnish computer science student, Linus Torvalds[14]. GNU’s kernel takes his name: Linux. Operating systems derived from GNU-Linux are nowadays used by the vast majority of coders and cybersecurity specialists, and they are highly favored for their stability and speed.

There are GNU-Linux distributions created for every need: Ubuntu offers a user-friendly environment; Lubuntu is a “light” version of Ubuntu capable of running even on older computers; Debian offers a minimal environment and is more suitable for experts than for common users; Kali Linux is a distro created for IT security specialists; CaineOS is an Ubuntu fork used for digital forensic purposes. GNU-Linux strictly embraces the philosophy of free software[15], which is based on the “four freedoms”[16]:

  • the freedom to run the program as you wish, for any purpose (freedom 0);
  • the freedom to study how the program works, and change it so it does your computing as you wish (freedom 1). Access to the source code is a precondition for this;
  • the freedom to redistribute copies so you can help others (freedom 2);
  • the freedom to distribute copies of your modified versions to others (freedom 3). By doing this you can give the whole community a chance to benefit from your changes. Access to the source code is a precondition for this.

Copyright vs Copyleft

Any use of proprietary software outside the terms and conditions of the license, such as illegally downloading the program, using a pirated version, or distributing unauthorized copies, constitutes copyright infringement[17].

The license contract is called an end-user license agreement (EULA)[18]: it is a legal contract between a software developer and the final user. The former gives the latter the non-exclusive right to use the computer program, without giving access to the source code[19].

Open-source software is also released under a license: the most popular is the GPL (General Public License), according to which the program can be freely used and distributed, and the source code must be shared and can be freely modified. The GPL also includes a clause called copyleft: programs resulting from the modification of software subject to the GPL must be distributed under the same license or under a compatible license. One cannot modify an open-source program and then redistribute it under a proprietary license or under any other license that differs from the GPL[20].

The author of software released under the GPL waives certain copyright rights, granting the final user access to the source code and the right to reproduce and distribute the software. In return, the final user must respect the terms and conditions of the license, including the copyleft clause[21].

Not every open-source program is distributed under the GPL: the MIT license, for instance, is much more permissive than the GPL and does not have a copyleft clause. The Apache License v.2 allows the re-distribution of the code under a commercial license; it only requires including a statement that the software is licensed under the terms of the Apache License. The BSD license v.3 (Berkeley Software Distribution) gives the final user almost total freedom: distribution is permitted, either in binary or in source code form, under certain conditions[22].

The Mozilla Public License is a weak copyleft license: it seeks to balance the concerns of proprietary and open-source developers. The MPL can be converted either into a copyleft license or into a proprietary license[23].

The open-source business model from Microsoft and Linux’s perspective

Since the software is released for free, one could ask how it is possible to make money out of open source. The business model is completely different from that of commercial software, where final users pay to use the program and software owners earn by selling copies.

First of all, we have to understand that open-source development is much simpler than it may seem. The open-source community usually meets on online platforms, such as GitHub, where developers collaborate on a software project. We have to think about open-source development as the work of thousands of software developers collaborating. Everyone contributes a small piece of code; usually some pieces of source code suitable for the program are already present and available in the form of libraries, in their turn released under an open-source license. Most of them contribute their pieces of code for free: GNU-Linux, the best example of open-source software we can give, is the result of a collaboration of coders who have been contributing to develop and update the various GNU-Linux distros.

Where is the benefit in developing and sharing software without being paid? The open-source business model is based on a different approach: a customer may need assistance to deploy and run the software in its corporate computer network, or may prefer a customized version of the program that satisfies his or her real needs. In these cases, the final user pays coders for their work. This does not mean that coders release the software under a proprietary license: the modified software remains open-source, and the amount paid represents an extra service fee.

Along these lines, we can mention Red Hat Enterprise Linux[24]: it is a GNU-Linux distro for enterprises that is released under an open-source license. If you want to use it, you have to pay a fee for support and assistance. With this system, Red Hat develops and distributes open-source software and makes a profit by selling assistance for the product. The same goes for Canonical[25], a company that provides updates and support for Ubuntu.

So, the myth according to which money can be made only with proprietary software is debunked. It is no coincidence that Microsoft, pioneer of the proprietary software philosophy, not only bought GitHub in June 2018 for 7.5 billion dollars[26] but also developed a new version of its browser Edge, re-writing it starting from the source code of Chromium, the open-source browser on which Google Chrome is based. Furthermore, Microsoft’s code editor Visual Studio Code is open source: it has been released under the MIT license, although the official version is released under a proprietary license. Microsoft, with this open-source breakthrough, seems to have made the right choice. It would be no surprise if in a few years even Windows were to embrace the open-source philosophy.

Should tracking apps be open source?

While having access to the source code ensures greater transparency concerning how personal data are processed, there may also be security concerns. Reading and analyzing the source code can lead to the discovery of bugs and malfunctions, and cybercriminals might take advantage of them. In Norway, for instance, it was decided to keep the source code secret[27], embracing the so-called “security through obscurity”[28] approach, which means giving out only limited information about how a system works.

The fact that bugs and errors in the code are public is not always a bad thing. Indeed, developers may be encouraged to write higher-quality code. Furthermore, we have to understand that not every hacker is a criminal. There are the so-called “white hats”, who are ethical hackers working to protect systems and people; in our case, they could warn the software developer when they discover a vulnerability[29]. There is, therefore, strong collaboration and a strong incentive to find bugs, sometimes even stronger in an open-source process than in a closed-source software development process[30].

In any case, as already noted, the EU and the EDPB have adopted an open-source approach towards tracking apps. The hope is that everything will be done with the utmost transparency and that the right to privacy embodied in art. 8 of the Charter of Fundamental Rights of the European Union will be respected without “ifs and buts”.

[1] See Ordinanza 10/2020 of the Commissario Straordinario per l’attuazione e il coordinamento delle misure di contenimento e contrasto dell’emergenza epidemiologica Covid-19.

[2] See the update of 21st April 2020, Ministro per l’Innovazione Tecnologica e la Digitalizzazione, available at https://innovazione.gov.it/un-aggiornamento-sull-applicazione-di-contact-tracing-digitale-per-l-emergenza-coronavirus/

[3] Art. 9.1 GDPR states that the “processing of personal data revealing racial or ethnic origin, political opinions […] data concerning health […] shall be prohibited”.

[4] See point 37 of Guidelines 04/2020 EDPB; see also Annex, §3.GEN-3: “The source code of the application and of its backend must be open, and the technical specifications must be made public, so that any concerned party can audit the code, and where relevant – contribute to improving the code, correcting possible bugs and ensuring transparency in the processing of personal data.”

[5] In this article, proprietary software means every computer program distributed only in its compiled version, without the source code, regardless of whether it is freeware (closed-source software released for free), shareware (closed-source software free for a limited period of time, e.g. 14 or 30 days) or freemium software (the basic functionalities of the program are free, premium functionalities must be paid for).

[6] See The Open Source Definition: https://opensource.org/osd

[7] https://en.wikipedia.org/wiki/Christine_Peterson

[8] See https://opensource.org/faq#osd

[9] LERNER J., The simple economics of open source, 2000, p. 3, available at http://www.nber.org/papers/w7600

[10] More precisely, GNU-Linux is not a UNIX-based operating system, but a UNIX-like OS.

[11] LERNER J., op. cit., p. 5

[12] https://en.wikipedia.org/wiki/Richard_Stallman

[13] https://www.gnu.org/home.en.html

[14] https://en.wikipedia.org/wiki/Linus_Torvalds

[15] Richard Stallman believes that “free software and open source stand for almost the same range of programs. However, they say deeply different things about those programs, based on different values. The free software movement campaigns for freedom for the users of computing; it is a movement for freedom and justice. By contrast, the open source idea values mainly practical advantage and does not campaign for principles. This is why we do not agree with open source, and do not use that term”; see https://www.gnu.org/philosophy/open-source-misses-the-point.en.html

[16] https://www.gnu.org/home.en.html

[17] According to Italian law, computer programs are protected by copyright under l. 633/1941 (legge sul diritto d’autore), art. 64-bis, ter and quater.

[18] http://www.linfo.org/eula.html

[19] MARABINI F., La tutela giuridica del software e l’open source, in Ciberspazio e Diritto (2/2017), p. 412

[20] See McGOWAN D., Legal Implications of Open-Source Software, 2000, available at SSRN: http://papers.ssrn.com/paper.taf?abstract_id=243237

[21] MARABINI F., op. cit., pp. 414-415

[22] The 3-Clause BSD License, available at https://opensource.org/licenses/BSD-3-Clause, reads:

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

  1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
  2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
  3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

[23] https://en.wikipedia.org/wiki/Mozilla_Public_License

[24] https://www.redhat.com/en/about/company

[25] https://canonical.com

[26] https://news.microsoft.com/2018/06/04/microsoft-to-acquire-github-for-7-5-billion/

[27] https://www.simula.no/news/digital-contact-tracing-qa

[28] https://securitytrails.com/blog/security-through-obscurity

[29] In addition to white hats, there are black hats (real criminals, who hack computers and networks for malicious purposes) and grey hats (who sit somewhere between white hats and black hats); see https://www.lifewire.com/black-hat-hacker-a-white-hat-hacker-4061415

[30] Avv. Cosetta Masi, Immuni, Open Source e Sicurezza, available at https://www.avvocatomasi.com/post/immuni-open-source-e-sicurezza
