Open source for the public sector

Increased public calls for transparency mean public sector CIOs should strongly consider open source applications.

Most algorithms and programs do not operate in the open. The technology that controls many aspects of our lives is often a black box, with internal workings known only to programmers. With AI, these algorithms are shrouded in even more mystery. Applications that affect life and death, the future of governments and individual freedoms are controlled by software more and more every day.

With this greater reliance on technology, there has come an increased call for openness and transparency in these systems in order to improve public trust.

The public expects elections to be fairly counted, that forensic tools used by police will give accurate readings, that the bidding process for selecting vendors’ bids will provide the most public value.

The risks presented by these systems run from classic vulnerabilities that can be used to alter votes, interfere with legal evidence or change bids after the fact; all the way to concerns that the algorithms selected may not be correct, or are biased for a certain vendor or resolution.

This will become an even larger concern as machine learning creates algorithms based on training data. Without proper controls, the outcome of these models may be influenced by the invisible choices of an unseen developer.

To combat this, many governments ask for applications to be provided under an open source licence, or at least be provided with its source code for review. Public and technical experts are then able to review the code of these applications for security issues as well as algorithmic biases or mistakes.

Cracking the code

In Australia, there have recently been calls for increased transparency of the algorithms used by the police in New South Wales. Academics are demanding police explain their use of an opaque predictive algorithm in their efforts to prevent crime, which the academics believe is leading to the harassment of young people, particularly Indigenous youths. The algorithm helps police calculate a person’s future risk of offending, categorising them as either extreme, high, medium or low risk. According to the researchers, the algorithm is ‘disproportionately’ applied to Indigenous people under the age of 18.

With algorithms making these decisions, how can we be sure those decisions are ethical and fair? With a closed code, it is impossible to assess if racial prejudice is built in. If it is, it calls into question the use of these sorts of technologies and whether they will reinforce societal inequalities.

The natural response to these concerns is to push for open source. Companies that make software packages that support the public sector should expect either to have to open a previously closed software package or make new packages that are open from the beginning.

Preparing for reviews

Public sector customers should consider vendors that are working on strategies that enable them to define existing products either as open source projects or as proprietary packages whose sources will be reviewed by outside experts. This process typically comprises two main areas of focus:

Intellectual property/open source clearance. The existing application is reviewed to confirm that all open source and commercial software components are properly licensed and listed in a disclosure document. Any component whose obligations aren’t currently being fulfilled is reviewed and remedied, or the component and source will be removed and its functionality replaced. Outdated versions of software packages will be discovered and upgraded to remove any known vulnerabilities.

If the product is to be open sourced, the final licence of the package will be used to determine which other open source or commercial components are compatible with the licence ecosystem selected for it.

Security review. Review comes after the initial clearance and is used to discover vulnerabilities in the product’s source code or weaknesses in the security model for the entire application. Problems discovered will need to be reconciled.

Public sector customers would do well to work with vendors that are taking action to prepare applications for open sourcing and private review, as these are the ones likely to be staying on the front foot. Those vendors should be encouraged to consult outside experts who can provide technical guidance on the process and provide expertise in navigating the open source community’s expectations.

It’s best to undertake this process on your own timetable, rather than have one imposed. Remediation of security or licensing issues can take weeks to months and is best done through a well-planned process — as opposed to a reaction — to put yourself in the best position to be ready for transparency.

*Hugh Darvall is Sales Director for Flexera, Australia and New Zealand.

Follow us and share on Twitter and Facebook