Government and open source's open relationship

Open source making strides, but government isn't monogamous

While the U.S. government has historically leaned towards the use open source software, lately there have been a few signs to remind us the government can still very much be a proprietary software consumer. Is the love affair with open source cooling in the halls of government?

Last week, the U.S. Immigration & Customs Enforcement (ICE) agency announced it would be shifting all of its old BlackBerry phones to Apple iPhones, which led to some consternation about why they didn't go with a less-expensive, more open option like Android.

The day before that, at the Red Hat Government Symposium in Washington, DC, Neil Ziring, the Technical Director for the National Security Agency's Information Assurance Directorate made the argument in his talk to the gatherers that open source projects need to start focusing on the origins of their code and documenting it to the satisfaction of those government and industry customers who need to be assured that that code doesn't contain any nasty surprises.

Coming from the NSA, which has invested quite a bit of time and effort in contributing to SELinux, that was a pretty surprising statement. I'll come back this this in a bit.

First, a qualifier for anyone tempted to paint these actions and statements as a large scale move away from open source: contrary to popular belief, very few governments are completely uniform in their implementations of policy. You can tell all the agencies to get their smartphones secure and cheaply, but each agency's interpretation of that policy is going to be different.

Now, regarding the ICE: detractors of Android might argue that Android's openness and alleged vulnerability to malware was the reason why it was rejected. That could be true; the ICE may have bought into that rationalization. More likely, I think, is that if the ICE would have gone with Android phones, the far-ranging agency would have had to use different carriers and therefore different phones for any region where one carrier did better.

Since phone interfaces and software are dictated by the carriers on Android phones, that means non-uniformity from region to region. For an organization like the ICE, which depends very much on rules and consistency (oh, trust me, I know this one all too well), that option would not probably not fly. Apple, as closed as it is, remains starkly consistent across carriers.

This is a failing of Android's distribution model, but not an open source problem.

Back to the NSA remarks, there have been some efforts to attempt to tie provenance to open source code before, usually to some criticism. While it would be ideal to track the identity of every contributor to an open source project, particularly in a global community, the very openness of the code means that ultimately any hidden surprises should get found.

Note the qualified "should" - I have little doubt that someone could sneak something in to any open source project, if they really wanted to. But, then, what's to stop someone from sticking malware and back doors into proprietary code? How many foreign agents are working in code shops around the world doing just that? At least, I would argue, that you have a better chance of finding something in open source code down the line.

Provenance is a nice luxury, but eventually, any consumer of open source software is going to have to rely on the vendor that sold/supports that software to vouch for its safety or (if they are a direct consumer of the code) themselves.

Read more of Brian Proffitt's Open for Discussion blog and follow the latest IT news at ITworld. Drop Brian a line or follow Brian on Twitter at @TheTechScribe. For the latest IT news, analysis and how-tos, follow ITworld on Twitter and Facebook.

ITWorld DealPost: The best in tech deals and discounts.
Shop Tech Products at Amazon