Understanding the Context
Bureaucratic transactions are no longer confined to stuffy sarkari offices. At the Centre and state levels, governments are increasingly relying on internet technologies to build more efficient, scalable, and durable solutions for citizens. Put simply, eGov has transformed how citizens interact with the Indian State.
This ‘Digital India’ is constantly evolving with every byte of public data and personal information it collects, stores and processes. Be it their location, biometric details or financial records, citizens have a right to ask how their information is being used and protected on eGov platforms. This is where the debate on Free and Open Source Software (FOSS) finds relevance in India. While most commercial software only allows paying users to access the source code with which the program is built, FOSS is free to access, develop and, to a certain degree, understand.
In light of the government withholding information on who created the Aarogya Setu contact-tracing app, and with speculation running rife on a potential national adult vaccination system, it is time to consider some questions regarding our digital ecosystem:
Under what situations should government software be closed source? Barring security-related concerns, can citizens make a case for all eGov platforms to come under Free Open Source Software licenses?
Rahul Dé argues that if eGov platforms use FOSS, a (tech-savvy) citizen can understand the logic of the code and how it aligns with the established tenets of Indian law. Just as we may be convinced that the FOSS approach will bolster every citizen’s right to information, academics Meera Sarma and Thomas Matheus sound a note of caution. With an under-prepared cyber-security infrastructure, FOSS may paradoxically make citizen data more vulnerable to malicious hackers.
As the Indian State and its citizens find their feet in uncharted eGov terrain, where do privacy and technological innovation figure on the priority list? Is our information safer in the hands of proprietary software whose workings are unclear? If you’re On the Fence, these two opinions should help.
“Our eGov platforms (like the Aarogya Setu app) collect citizens’ data in exchange for some service (say, COVID-19 contact-tracing). In this age of algorithmic dominance, where “code is law”, citizens and civil rights groups are demanding transparency with regard to how their personal data is being used by governments and their private contractors… [OSS can also] be made available to other countries to harness the ‘soft power’ of software.”
— Rahul Dé
“[our] reliance on the code’s ‘openness’ makes OSS vulnerable to hackers who could exploit it, retrieve sensitive data and use poorly written code or ‘holes/gaps’ to carry out malicious attacks. The speed and agility demanded of OSS ecosystems does not endear itself to centralisation, or formalised security protocols and standards, all of which make it challenging for any government to adopt.”
— Dr Meera Sarma and Dr Thomas Matheus
Open source is better understood as a movement by people around the world who demand to see the source code of the software they use, so that they can understand what the software is doing and also be able to modify it.
Today, governments’ use of information technology and the open source movement have advanced to such an extent that we can discuss them without having to explain their rationale and origins at great length. It is more interesting to consider whether eGov software should always remain open source and the circumstances under which there can be exceptions.
E-Government or eGov is short for ‘electronic government’, which is the use of information technologies — the entire panoply of them — by governments. This could be for internal work, like moving files or keeping records, or for external use in interacting with citizens, businesses, or social groups. Various Indian governments have supported and developed eGov services over the years, at least from the start of this millennium.
With Open Source, Citizens Come First
Historically, commercial software has been released under proprietary licenses that restrict its use to paying buyers. They would not reveal the source code, which is the human-readable programming language, usually written in plain English text.
Our eGov platforms (like the Aarogya Setu app) collect citizens’ data in exchange for some service (say, COVID-19 contact-tracing). In this age of algorithmic dominance, where “code is law”, citizens and civil rights groups are demanding transparency with regard to how their personal data is being used by governments and their private contractors.
This is possible to a certain extent with ‘Open Source Software’ (OSS), which, by definition, is visible and transparent. OSS is made available under licenses that allow free use and also free inspection. This has several advantages over proprietary software when it comes to the needs of users, especially when these users are citizens. With OSS, citizens can understand how a certain digital project works or how certain regulations and laws have been encoded.
Let’s take the Goods and Services Tax law in India for instance. Open source software will show you how the GST has been encoded in software for use in government calculations. This can open up auditing procedures to public and independent agencies. Imagine it to be similar to how chartered accountants examine the embedded macros and formulas in spreadsheets.
Such clarity is near-impossible in proprietary software, where only the outcome of the software’s processing, i.e., the output data, is available for scrutiny.
India’s digital infrastructure is also experiencing significant growth in the capabilities of modern technologies such as AI, machine learning, and blockchain technology. Considering this situation, it is imperative for governments to provide access to the logic of the code that they are using through open source software licenses.
The benefits do not end with accountability and privacy. Kerala’s Linux-based FOSS called ‘IT@school Project’ promises a variety of applications for educational and general purposes in more than 14,000 government and aided schools. It is estimated to save the state’s education department “₹3000 crores” by foregoing software license fees for each and every school computer.
FOSS as Soft Power
Many public departments around the world have adopted open source software because they are available at no cost. This way, less foreign exchange flows out of developing countries because most proprietary software is made in North America or Europe. Granted that free and open source software does incur expenses for maintenance and customisation, but these can be done locally and at a much lower cost than proprietary software.
Ideally, when governments make software or get software made for their own particular needs, it should have an open source license. For example, the Home Ministry has gotten a massive country-wide database of crime software made recently, but the license under which it is being used is not open source. Because law enforcement is only done by the government, this software may not be of much use to anybody else in India. Yet, it can be made available to other countries to harness the ‘soft power’ of software.
Since 2016, several countries have expressed interest in learning from and using the software stack built around India’s Aadhaar identity system. Open source licenses allow others to use, modify, and also distribute the said software to others, which enables it to spread to a large number of users while attributing credit to the original creators.
Yes, there are situations in which the source code of eGov software need not be made public, and governments have chosen proprietary licenses. One of the most important of these is in dealing with national security, wherein governments do not want people or organizations with malicious intents to understand how a certain code works and/or how information is being routed. In such cases, eGovernment software should be used judiciously to show the inherent logic to citizens, but hide specifics from spying eyes.
Hackers are often described as “people who use computers to gain unauthorised access to data”. The original hacker movement (of testing systems to make them more secure) is intrinsically tied to the development of open-source software (OSS).
Being available to anyone (including hackers), OSS source code lends itself to the view that being open makes it easier to find and resolve bugs in the software. And so, advocates argue that OSS is far more difficult to hack compared to closed or proprietary software. However, this same reliance on the code’s ‘openness’ makes OSS vulnerable to hackers who could exploit it, retrieve sensitive data and use poorly written code or ‘holes/gaps’ to carry out malicious attacks.
A number of attacks on OSS by hackers have proven this vulnerability. In March 2017, the personal data of 145 million customers was stolen from Equifax, one of the credit reporting agencies that assess the financial health of citizens in the USA. A vulnerability was discovered in Apache Struts, an open-source development framework used by Equifax, along with thousands of other websites. Due to the nature of infiltration, the breach was only recognised by Equifax in July 2019. Stolen data never appeared on the ‘Dark Web’ for sale, which led to the widely-accepted theory that Chinese state-sponsored hackers were behind the attack and that the reason for the attack was espionage as opposed to theft.
The Stakes are High
Although analysts have found commercial software to be increasingly using open source components, the call for caution needs to be louder when we discuss OSS in the context of government platforms and citizens’ information.
In India, a row has erupted over the creation of the ‘Aarogya Setu’ COVID-19 tracing app, which was made open source (OS) by the government in May. Made mandatory for being allowed into a restaurant or boarding a flight, the app collects sensitive personal data like a citizen’s health status or their real-time location. That the app has been downloaded by over 100 million users signifies the wide-ranging and critical nature of such an OS application.
However, an RTI inquiry revealed that the IT Ministry, National Informatics Centre and National eGovernance Division have no details as to who the app was made by and how it was created. There is no clarity on the security protocols established for protecting the data of millions of Indians or what policies are in place to prevent the misuse of information provided.
At the time of writing, the app had 149 ‘pull requests’, which are changes suggested to the code. With citizen data essentially lying unprotected as things stand, an OSS platform can be misused without any direct accountability loops.
Will governments be able to keep pace with the rapid evolution of OSS?
The sheer volume and magnitude of information stored on government OSS platforms raises some significant questions. While opening up e-governance applications to the public allows for better vulnerability detection, quicker analysis of issues with the code and research for improving service delivery, these vulnerabilities are also exposed to hackers.
Being unconventional and distributed across networks, the development of OSS platforms does not always go through robust security processes. For starters, most citizens are not experts who can make sense (and use) of source code. A sustainable cyber ecosystem with ethical hackers would be a pre-requisite if security bugs are to be detected in the true spirit of OSS. In that light, the Bug Bounty programme for the Aarogya Setu app offers only a partial solution.
A key concern from a government perspective is that the OSS-development model is based on quick cycles of software release, which in turn relies on developers and code being very nimble. While this may be feasible in the commercial world, governments would need to consider higher information assurance standards, which would require an extended time period/process of review and consideration. The speed and agility demanded of OSS ecosystems does not endear itself to centralisation, or formalised security protocols and standards, all of which make it challenging for any government to adopt.
Another key issue is the common practice in OSS projects – ‘forking’. Forking is the creation of an independent OSS project by replicating an existing OSS project. Anyone can ‘fork’ because open source code is free to use (like CC 4.0 Creative Commons licenses) and forking is allowed under the OSS ‘copyleft’ agreements. It could be difficult for a government project to maintain forks in the long run, from a security and maintenance perspective.
Most importantly, as “project forks” branch from the main OSS project, their intent will not be linked to the innovation of the existing/main OSS project.
In conclusion, while government frameworks exist for the adoption and evaluation of OSS, there is a chasm when it comes to showing how citizens’ privacy interests can be safeguarded while blocking the constant threat posed by hackers. This is important to consider as the hacker landscape continues to evolve rapidly, ranging from phishing attacks to cloud jacking, sophisticated and targeted ransomware attacks, deep fakes and 5G vulnerabilities.
The growth of artificial intelligence also suggests that OSS platforms are likely to face more threats from bots and other automated sources, as well as smart contract hacking (using blockchain technologies). Any exploit that can successfully compromise a wide base of systems makes it lucrative for attackers, so safeguarding government systems that collect, store and process citizens’ data should be the first priority.