DebianParl in the European Commission

Introduction

By means of SMT Reference (Ticket) Nr IM0012717721 I received the following request:
IM0012717721
Dear user,
We are working on your help request IM0012717721. Can you please provide the following information to progress your request.
Requested information :

Dear Jacques,
Referring to our discussion over the phone, please get back to us with an email in which you sum all your thoughts up.
We will then forward it to the appropriate team.

best regards,

[name]

Thank you for your cooperation.

Purpose of this document

By means of this document I am submitting my thoughts about the use of Debian, or other Free/Libre and Open Source Software (hereafter FLOSS), by the European Commission as a way to meet operational and business needs without the drawbacks of closed-source (proprietary) software. I want to do that from a broad perspective: not only the obvious issues of security, privacy and integrity of content and systems, but also user-friendliness, support for collaboration and productivity, autonomy in the choice of products and services, the ability to retain ownership of digital infrastructure, documents and data, the possibility of genuine transparency, control over the degree of synergy and cooperation with other public administrations, and securing the legacy of applications for e.g. e-mail, instant messaging and collaborative document editing.

As the EU institutions are financed with public funds, it is imperative that these funds are used responsibly and sustainably, contributing as much as possible to Europe and to the wider communities. Using and contributing to FLOSS can strengthen the Commission's and the EU's public image as authorities that manage and spend public money responsibly.

Introduction

I am a user of the Commission IT systems with an interest in security, sustainability and transparency. This interest stems from my previous professional activities.

I was, for instance, the administrator for the project for the design, contracts, building and deployment of large scale police and justice IT systems (Schengen Information System, SIRENE support system, the Visa Information System, and a connection between national Automated Fingerprint Information Systems), for the drafting and negotiation of the counter-terrorism strategy, as well as for the management of the Data Retention and Data Protection Directives in the Schengen Secretariat and in DG JLS and HOME.

Core needs

The point at issue is to provide the very wide variety of permanent and temporary users of the Commission IT systems with a secure and reliable environment for their daily work: one that is user-friendly and gives reasonable guarantees that texts and documents reach only their intended addressees, unaltered, and that the documents received are identical to those the sender sent.

Security and reliability guarantees can be given only if the system can be audited completely: access to the source code is essential. This is the case for FLOSS, but not for closed-source software. Source availability is necessary but not by itself sufficient: the binaries actually deployed must also demonstrably correspond to that source, which is why reproducible builds and signed package repositories matter as much as the licence. Auditability is, for example, the motivation for the Internet forensics research unit of the Dutch Police to use *only* free and open source solutions based on open standards and developed publicly. (https://joinup.ec.europa.eu/community/osor/news/open-source-only-dutch-police-internet-forensics)
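As an added illustration of the integrity requirement stated above (example code written for this page; it is not from the memo, the Commission or Debian): the sender attaches a keyed SHA-256 tag (HMAC) to a document and the receiver recomputes it before trusting the text. The document text, the shared key and the hypothetical intermediary that rewrites the message in transit are all constructed for the demonstration. The example also shows why a plain, unkeyed digest is not enough: whoever can alter the document can recompute that digest, whereas the HMAC tag cannot be recomputed without the key.

```python
"""Integrity check for a document in transit, standard library only.

Added example for this memo; not code from the Commission or from Debian.
The document, the key and the 'intermediary' below are constructed.
"""
import hashlib
import hmac

# Constructed 32-byte key shared between sender and receiver (assumption).
SHARED_KEY = bytes.fromhex(
    "4f1d2a9c7b3e6d8a0c5f9e1b2d4a6c8e3f5b7d9a1c2e4f6a8b0d2f4a6c8e0b1d"
)
# Constructed sample document (not an actual Commission document).
DOCUMENT = b"Note to the file: the pilot runs on Debian stable.\n"


def digest_only(document: bytes) -> str:
    """Plain SHA-256: detects accidental corruption, not deliberate tampering."""
    return hashlib.sha256(document).hexdigest()


def seal(document: bytes, key: bytes) -> dict:
    """Sender side: attach an HMAC-SHA256 tag computed with the shared key."""
    tag = hmac.new(key, document, hashlib.sha256).hexdigest()
    return {"sha256": digest_only(document), "tag": tag}


def verify(document: bytes, key: bytes, envelope: dict) -> bool:
    """Receiver side: recompute the tag and compare it in constant time."""
    expected = hmac.new(key, document, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, envelope["tag"])


def attacker_rewrites(document: bytes, envelope: dict) -> tuple:
    """Hypothetical intermediary: alters the text and recomputes the unkeyed
    digest. Without the key it cannot recompute the HMAC tag, so it copies it."""
    altered = document.replace(b"Debian stable", b"a proprietary platform")
    return altered, {"sha256": digest_only(altered), "tag": envelope["tag"]}


if __name__ == "__main__":
    env = seal(DOCUMENT, SHARED_KEY)
    print("original verifies:", verify(DOCUMENT, SHARED_KEY, env))
    altered, forged = attacker_rewrites(DOCUMENT, env)
    print("unkeyed digest still matches after tampering:",
          forged["sha256"] == digest_only(altered))
    print("HMAC check of the altered copy:", verify(altered, SHARED_KEY, forged))
```

An HMAC needs a key shared in advance, so it only fits parties that already have one; between arbitrary correspondents the same role is played by public-key signatures (OpenPGP or S/MIME), and the receiver then verifies against the sender's public key instead of a shared secret. The constant-time comparison (`hmac.compare_digest`) is deliberate: a plain string comparison leaks, through timing, how many leading bytes of a forged tag were correct.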

Examples abound of state and commercial intrusion into personal and non-public data, which conflicts with the need for a secure working environment and with the interests of the Commission and the EU.

A case for FLOSS

I came into contact with a Debian user group in the European Parliament that has similar concerns. It has successfully launched a Debian pilot that provides the guarantees that I mentioned before and that demonstrates that all software needs can be successfully addressed through FLOSS.

The issue is thus whether a similar approach is possible in the EC, and under what conditions and timeframe. It is encouraging that the Commission already has experience with the use of FLOSS and Debian, e.g. for websites developed for Commissioners and Cabinets. It could be possible to build on that experience.

The use of FLOSS moreover has an ethical component that is important for an organisation like the European Commission, which operates with taxpayers' money. The need (and the possibility) to demonstrate responsible management and use of public funds is an asset that can provide goodwill and additional benefits, both political and operational.

The Commission and European Parliament have been promoting the use of FLOSS by public administrations (see below).

At the level of capital and operational expenditure, FLOSS that does not have to be written off and can be further developed, shared and re-used is a way to pay investment forward to society. Public procurement is being used to promote this trend and to wean public authorities off vendor lock-in, which otherwise keeps organisations tied to exclusive provider contracts with the attached security risks and costs.

Debian is FLOSS that allows centralised or autonomous (stand-alone) applications to run in a secure, transparent and independent manner, and it can end the vendor lock-in conundrum in a way that closed-source applications never can. Applications that run on and with Debian can be deployed with TLS (server certificates) and OpenPGP (depending on the user-cultural context), so that the integrity and confidentiality guarantees mentioned above can be demonstrated rather than merely asserted.

Using FLOSS

Hereunder follows a summary of the main arguments for the use of FLOSS.

A very efficient way to enhance institutional autonomy and to get rid of IT vendor lock-in

Vendor lock-in occurs when detailed knowledge about how a system works is available only to the provider, so that when institutions need to buy new components or licences only that provider can deliver them. The need for public administrations to avoid being locked in by IT vendors was affirmed by the Commissioner for the Digital Agenda, Vice-President Neelie Kroes, in June 2010: "This is a waste of public money that public bodies can no longer afford." (https://joinup.ec.europa.eu/news/commissioner-kroes-it-vendor-dependence-waste-public-money)

Conducive to enhanced competition, lower prices and potentially higher quality

The 2013 Commission Communication "Against lock-in: building open ICT systems by making better use of standards in public procurement" (COM(2013) 455 final of 25 June 2013, http://ec.europa.eu/information_society/newsroom/cf/dae/document.cfm?doc_id=2327) confirmed: "This lack of competition leads to higher prices and some € 1.1 billion per year is lost unnecessarily in the public sector alone. […]" The economic underpinnings can be found in the Commission-sponsored study "An Economic Basis for Open Standards" (http://flosspols.org/deliverables/FLOSSPOLS-D04-openstandards-v6.pdf).

Increases openness and interaction with citizens and other public authorities

The Commission's eGovernment action plan (COM(2010) 743, available at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2010:0743:FIN:EN:PDF; see also http://ec.europa.eu/digital-agenda/node/165) acknowledges that standards make essential knowledge about a system available to anyone, so that other potential suppliers could maintain or evolve the system under more competitive terms and conditions. This has positive effects on interactions between the Commission, citizens, private and other public organisations: not only because products and services from different producers can be interoperable, which makes it easier and more efficient to integrate one public system with another for the exchange of data, but also because interaction no longer depends on everyone using, or having access to, the same product.

Creates opportunities for sharing and re-using ICT solutions

Quoting Serafín Olcoz Yanguas, the former chief information officer of the Basque Country: "Governments using open source create future benefits (CApital EXpenditures), as part of their OPerational EXpenditure. It creates a virtuous loop between the public and private sector, with a recurring public contribution." (https://joinup.ec.europa.eu/news/basque-country-wants-european-directive-reuse-software)

Helps to save funds

There is ample evidence, both theoretical and actual, of cost savings from FLOSS. The European Commission's Open Source Observatory (OSOR, part of Joinup, the initiative for joining communities, connecting with peers and sharing interoperability solutions for public administrations, see https://joinup.ec.europa.eu/community/osor/description) has collected a substantial number of economies achieved with FLOSS, for instance:

• Dutch city of Ede spends 92 percent less than its peers on software licenses (https://joinup.ec.europa.eu/elibrary/case/dutch-city-ede-spends-92-percent-less-its-peers-software-licenses)

• French Gendarmerie: "Open source desktop lowers TCO by 40%" (https://joinup.ec.europa.eu/community/osor/news/french-gendarmerie-open-source-desktop-lowers-tco-40)

Helps to lessen the risk of political fall-out

FLOSS is often the most reliable software (cf. the listing of quantitative data at http://www.dwheeler.com/oss_fs_why.html#reliability), and in many cases has the best performance (cf. http://www.dwheeler.com/oss_fs_why.html#performance). FLOSS scales, both in problem size and in project size (http://www.dwheeler.com/oss_fs_why.html#scaleability). FLOSS often has far better security, perhaps owing to the possibility of worldwide review (cf. http://www.dwheeler.com/oss_fs_why.html#security).

The European Parliament approved on 5 September 2001 report A5-0264/2001, with 367 votes for, 159 against and 39 abstentions, in which it called "on the Commission and Member States to promote software projects whose source text is made public (open-source software), as this is the only way of guaranteeing that no backdoors are built into programmes [and calls] on the Commission to lay down a standard for the level of security of e-mail software packages, placing those packages whose source code has not been made public in the 'least reliable' category".

The total cost of ownership of FLOSS is often far less than that of proprietary software, especially as the number of platforms increases.

The latter benefits (reliability, performance, scalability and security), together with those mentioned earlier (cost savings, re-use of ICT solutions, better interaction and cooperation with citizens and with and between public authorities, the promotion of competition, and greater institutional autonomy through the avoidance of vendor lock-in), would make the European Commission more resilient and less prone to intrusion and unauthorised transactions. Freedom from control by a single source, and from licensing constraints (with their accompanying risk of audits and litigation), allows it to provide a robustly secure and confidential political and professional working environment.

Conclusion and recommendation

Having regard to what precedes, I am of the opinion that it would be beneficial for the EC to consider further exploring the use of FLOSS to cover its business and operational ICT needs. Interaction with the Debian user group in the EP could help to explore opportunities and challenges, and to learn from its experience. Since the risks inherent in the use of closed-source software remain for as long as that software is used, a strategy of containment and phasing out, guided by a risk/threat analysis, is advisable.

Realising the potential benefits of FLOSS may require approaching problems differently. This might include using thin clients, deploying a solution by adding features to FLOSS products, and furthering the understanding of the differences between the proprietary and FLOSS models.

Acquisition processes may need to change so that FLOSS alternatives are specifically identified, since simply putting out a "request for proposal" may not yield all the viable candidates. FLOSS products may not be the best technical choice in all cases, of course; even organisations that strongly prefer FLOSS generally have some sort of waiver process for proprietary programs. The development of an evaluation tool to assess the benefit of FLOSS alternatives against proprietary solutions, taking on board the relevant needs and variables, could be a meaningful first step. The FLOSS community may offer assistance by means of, for instance, a guide on How to Evaluate FLOSS Programs and the Generally Recognized as Mature (GRAM) list.

Best regards,

Jacques VERRAES

Jacques.verraes@ec.europa.eu