Differences between revisions 6 and 7
Revision 6 as of 2014-06-02 08:52:19
Size: 5513
Comment: Consistently use abbreviation FLOSS instead of varying mixtures of "free" and "open" arguably prone to misinterpretation.
Revision 7 as of 2014-06-04 10:13:55
Size: 7343
Editor: GijsHillenius
Line 22: Line 22:
By means of this document, I am submitting my thoughts about the use of Debian, or other FLOSS (Free/Libre and Open Source Software) by the European Commission so as to meet operational and bussiness needs but without drawbacks that closed-source software represents, and to prevent therewith potential political fall-out, support a public image of responsible spending of public money, and support user needs. By means of this document, I am submitting my thoughts about the use of Debian, or other FLOSS (Free/Libre and Open Source Software) by the European Commission so as to meet operational and business needs but without the drawbacks of closed-source software. As the EU institutions are financed with public funds, it is imperative that these funds are used responsibly and in a sustainable way, contributing as much as possible to Europe and to the wider communities. Using and contributing to FLOSS, the EU will strengthen's its public image of responsible spending of public money.

Using FLOSS

- is a very efficient way to get rid of IT vendor lock-in. Public administrations should avoid being locked in by IT vendors, European Commission Vice-President for the Digital Agenda Neelie Kroes said in June 201. "This is a waste of public money that public bodies can no longer afford." (https://joinup.ec.europa.eu/news/commissioner-kroes-it-vendor-dependence-waste-public-money);

- will increase openness, and will create opportunities for sharing and re-using of ICT solutions. Quoting Serafín Olcoz Yanguas, the former chief information officer of Basque Country: "Governments using open source create future benefits (CApital EXpenditures), as part of their OPerational EXpenditure. It creates a virtuous loop between the public and private sector, with a recurring public contribution." (https://joinup.ec.europa.eu/news/basque-country-wants-european-directive-reuse-software);

- will help to save funds: see for instance
  i. Dutch city of Ede spends 92 percent less (!) than its peers on software licenses (https://joinup.ec.europa.eu/elibrary/case/dutch-city-ede-spends-92-percent-less-its-peers-software-licenses)
  ii. rench Gendarmerie: "Open source desktop lowers TCO by 40%" (https://joinup.ec.europa.eu/community/osor/news/french-gendarmerie-open-source-desktop-lowers-tco-40)

- helps to lessen the risk of political fall-out.
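Review bot: In the added purpose paragraph, "the EU will strengthen's its public image" has a stray "'s" and should read "will strengthen its public image". In the added list, the Kroes date "June 201" has lost part of its year and "rench Gendarmerie" has lost its initial "F" (the linked URL reads french-gendarmerie); both should be restored from the cited sources. The two savings examples are labelled "i." and "ii." under a dash bullet, so check that the wiki renders them as a nested list.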
Line 32: Line 45:
The point in case is to provide users of the Commission IT System a secure and reliable environment for their daily work, that is under-friendly and gives reasonable guarantees that the texts and documents sent arrive unaltered at the intended addressees only, and that the documents received are identical to the documents sent by the sender. The point in case is to provide users of the Commission IT System a secure and reliable environment for their daily work, that is user-friendly and gives reasonable guarantees that the texts and documents sent arrive unaltered at the intended addressees only, and that the documents received are identical to the documents sent by the sender.
Line 34: Line 47:
Security and reliability guarantees can be given only if the system is fully auditable, which is the case if the source code is known.

This is the case for FLOSS, but not for vendor-provided software.
Security and reliability guarantees can be given only if the system can be audited completely: access to source code is essential.
This is the case for FLOSS, but not for vendor-provided software. This, for example, is the motivation for the Internet forensics research unit at the Dutch Police to use *only* free and open source solutions based on open standards and developed publicly. (https://joinup.ec.europa.eu/community/osor/news/open-source-only-dutch-police-internet-forensics)
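Review bot: The added wording "can be audited completely: access to source code is essential" names source access as a precondition, but the sentence that follows contrasts FLOSS with "vendor-provided software" rather than "closed-source software", the term the revised purpose paragraph uses. Suggest using "closed-source software" here too, since the point being made is about source availability, not about who supplies the software. The asterisks around "only" will show literally unless they are replaced with the wiki's own emphasis markup.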
Line 62: Line 74:
Having regard to what precedes, I am of the opinion that it would be beneficial that the EC would consider a more general use of OS and FS to cover business/operational needs. Interaction with the Debian User group in the EP could help exploration of opportunities and challenges. Since risks inherent to the use of closed-software remain as long as this software is used, a strategy of containment in relation to a phasing out should be guided by a risk/threat analysis Having regard to what precedes, I am of the opinion that it would be beneficial that the EC would consider a more general use of FLOSS to cover business/operational needs. Interaction with the Debian User group in the EP could help exploration of opportunities and challenges. Since risks inherent to the use of closed-software remain as long as this software is used, a strategy of containment in relation to a phasing out should be guided by a risk/threat analysis
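Review bot: The replacement changes "OS and FS" to "FLOSS" but leaves "closed-software" in the last sentence, which should be "closed-source software" to match the purpose paragraph, and that sentence still ends at "risk/threat analysis" without a full stop. "it would be beneficial that the EC would consider" would also read better as "it would be beneficial for the EC to consider".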

DebianParl in the European Commission

Introduction

By means of SMT Reference (Ticket) Nr IM0012717721 I received the following request:
IM0012717721
Dear user,
We are working on your help request IM0012717721. Can you please provide the following information to progress your request.
Requested information :

Dear Jacques,
Referring to our discussion over the phone, please get back to us with an email in which you sum all your thoughts up.
We will then forward it to the appropriate team.

best regards,

[name]

Thank you for your cooperation.

purpose of this document

By means of this document, I am submitting my thoughts about the use of Debian, or other FLOSS (Free/Libre and Open Source Software) by the European Commission so as to meet operational and business needs but without the drawbacks of closed-source software. As the EU institutions are financed with public funds, it is imperative that these funds are used responsibly and in a sustainable way, contributing as much as possible to Europe and to the wider communities. By using and contributing to FLOSS, the EU will strengthen its public image of responsible spending of public money.

Using FLOSS

- is a very efficient way to get rid of IT vendor lock-in. Public administrations should avoid being locked in by IT vendors, European Commission Vice-President for the Digital Agenda Neelie Kroes said in June 201. "This is a waste of public money that public bodies can no longer afford." (https://joinup.ec.europa.eu/news/commissioner-kroes-it-vendor-dependence-waste-public-money);

- will increase openness, and will create opportunities for sharing and re-using of ICT solutions. Quoting Serafín Olcoz Yanguas, the former chief information officer of Basque Country: "Governments using open source create future benefits (CApital EXpenditures), as part of their OPerational EXpenditure. It creates a virtuous loop between the public and private sector, with a recurring public contribution." (https://joinup.ec.europa.eu/news/basque-country-wants-european-directive-reuse-software);

- will help to save funds: see for instance

  1. Dutch city of Ede spends 92 percent less (!) than its peers on software licenses (https://joinup.ec.europa.eu/elibrary/case/dutch-city-ede-spends-92-percent-less-its-peers-software-licenses)
  2. French Gendarmerie: "Open source desktop lowers TCO by 40%" (https://joinup.ec.europa.eu/community/osor/news/french-gendarmerie-open-source-desktop-lowers-tco-40)

- helps to lessen the risk of political fall-out.

introduction

I am a user of the Commission IT systems with an interest in security, sustainability and transparency. This interest was shaped by my previous professional activities.

I was, for instance, the administrator for the project for the design, contracts, building and deployment of large scale police and justice IT systems (Schengen Information System, SIRENE support system, the Visa Information System, and a connection between national Automated Fingerprint Information Systems), for the drafting and negotiation of the counter-terrorism strategy, as well as for the management of the Data Retention and Data Protection Directives.

core needs

The point at issue is to provide users of the Commission IT system with a secure and reliable environment for their daily work that is user-friendly and gives reasonable guarantees that the texts and documents sent arrive unaltered at the intended addressees only, and that the documents received are identical to the documents sent by the sender.

Security and reliability guarantees can be given only if the system can be audited completely: access to source code is essential. This is the case for FLOSS, but not for vendor-provided software. This, for example, is the motivation for the Internet forensics research unit at the Dutch Police to use *only* free and open source solutions based on open standards and developed publicly. (https://joinup.ec.europa.eu/community/osor/news/open-source-only-dutch-police-internet-forensics)

Examples abound of state and commercial intrusion into personal and non-public data, which can interfere with the need for a secure working environment and the interests of the Commission and the EU.

basic concepts

In my previous activities the investment made in data security was important not only to ensure the legality of criminal investigations and the constitutional rights of second and third parties, but also in the interest of the management of organisations concerned (responsibility, business continuity, liability, success, financial or reputational damage) and of system users.

The question that thus came to my mind was whether it would be possible to run FLOSS on Commission IT platforms instead of vendor-provided software.

a case for FLOSS

I came into contact with a Debian user group in the European Parliament that has similar concerns. It has successfully launched a Debian pilot that provides the guarantees that I mentioned before and that demonstrates that all software needs can be successfully addressed through FLOSS.

The issue is thus whether a similar approach is possible in the EC, and under what conditions and in what timeframe. It is reassuring that the Commission already has experience with the use of FLOSS and Debian, for instance for websites developed for Commissioners/Cabinets and …. It could be possible to expand on the basis of that experience.

The use of FLOSS has moreover an ethical component that is important for an organisation like the European Commission that operates with tax payers’ money. The need (and possibility) to demonstrate responsible management and use of public funds is an asset that can provide goodwill and additional benefits.

A substantial number of national governments and international organisations [source] have looked, or are looking, for those reasons into the possibility of using FLOSS.

At the level of capital and operational expenditure, the use of FLOSS, which does not have to be written off and can be further developed, shared and re-used, is a way to pay investment forward to society. Public procurement is used to promote this trend and to wean public authorities off vendor lock-in, which otherwise can keep the organisations tied to exclusive provider contracts with the attached security risks and costs.

Debian is FLOSS that allows running centralised or autonomous (stand-alone) applications in a secure, transparent and independent manner, and it can end the vendor lock-in conundrum in a way that closed-source applications never can. The applications that run on and with Debian can qualify for a TLS certificate and PGP (depending on the user-cultural context) to demonstrate their reliability and security.

conclusion and recommendation

Having regard to what precedes, I am of the opinion that it would be beneficial for the EC to consider a more general use of FLOSS to cover business/operational needs. Interaction with the Debian User group in the EP could help in exploring opportunities and challenges. Since the risks inherent to the use of closed-source software remain as long as this software is used, a strategy of containment in relation to a phasing out should be guided by a risk/threat analysis ….