Source Escrow for Proprietary Software

British taxpayers are paying for extra support for Windows XP due to a lack of planning by the UK government [1]. While the cost of this is trivial compared to other government stupidity (such as starting wars of aggression), this sort of thing should be stopped.

The best way to solve such problems is for governments to only use free software. If the UK government used Red Hat Enterprise Linux then when Red Hat dropped support for old versions they would have the option of providing their own support for old versions, hiring any other company to support old versions, or paying Red Hat for supporting it. In that case the Red Hat offer would probably be quite reasonable as competition drives the prices down.

It doesn’t seem likely that the UK government will start using only free software in the near future. It’s not impossible to do so: there are organisations dedicated to this task, such as Free-gov.org, which aims to develop e-government software that is under GPL licenses [2]. The Wikipedia page List of Linux Adopters [3] has a large section on government use. While not all entries are positive (some have reverted), it shows that it’s possible to use Linux for all areas of government. But governments often move slowly, and in the case of wealthy countries such as the UK it can be easier to just tax the citizens a little more than to go to the effort of saving money.

But when governments use proprietary software they shouldn’t be restricted in support. It seems that the only way to ensure that the government can do what it needs is to have a source escrow system. Then if the company that owned the software ceased supporting it anyone who wanted to offer support would be able to do so. This would probably require that software which is out of support be released to the public domain so that anyone who wanted to tender for such support work could first inspect the code to determine if they were capable of doing the work.

People who believe the myths about secret source software claim that allowing the source code to be released would damage the company that owns it. This has been proved incorrect by the occasions when source code for software such as MS-Windows has been released on the Internet with no apparent harm. Also Microsoft have a long history of licensing their source code to universities, governments, and other companies for various purposes (including porting Windows to other CPUs). It’s most likely that some part of the UK government already has the full source code to Windows XP, and it’s also quite likely that computer criminals have obtained copies of the source by now for the purpose of exploiting security flaws. Also they stop supporting software when they can’t make money from providing the usual support, so by definition the value to a company of the copyright is approaching zero by the time they decide to cease support.

Given the lack of success experienced by companies that specialise in security (for example the attack on RSA to steal the SecurID data [4]) it doesn’t seem plausible that Microsoft has had much success in keeping the source to Windows XP (or any other widely used product) secret over the course of 12 years.

In summary, source code to major proprietary software products is probably available to criminals long before support expires and is of little value to the copyright owners. But access to it can provide value to governments and other users of the software.

The only possible down-side to the software vendor is if the new version doesn’t provide any benefits to the user. This could be a problem for Microsoft who seem to have the users hate every second version of Windows enough to pay extra for the old version. The solution is to just develop quality software that satisfies the needs of the users. Providing a legal incentive for this would be a good idea.

2 comments to Source Escrow for Proprietary Software

  • Peter Moulder

    Clarification: this source code is probably [I’d say certainly] already available to *some* criminals, conceivably including a large proportion of well-resourced criminals; but *most* criminals currently don’t have access to this source code. This is something to keep in mind when considering having such source code “released to the public domain so that anyone who wanted to tender for such support work could first inspect the code”.

  • etbe

    Most of the criminals who could use the code probably have access.

    Even if they can’t get the source over the Internet they could just apply for a job at a university that has source access. Anyone who has the skills to use the source has the skills to get such a job.

    If the source to such software is of value to criminals then they will pay for it. That means anyone who wants a sysadmin job with a pay bonus could apply for work at an organisation that has source access. If the source isn’t of enough value to criminals for them to pay a reasonable amount on a site like Silk Road then there’s no harm in releasing it.