If I catch COVID-19, somebody needs to contact everyone I’ve contacted over the prior couple weeks so they can take appropriate action. This is called contact tracing, and we have 21st century technology to help. As we emerge from our global pandemic shelters, I can install an app on my cell phone to build a database of everyone I contact. This will come in handy, because, as of June, 2020, the only proven tool we have to fight COVID-19 is quarantining people.
What could possibly go wrong with a piece of software that builds a database of everyone I contact? Nobody would abuse all that information, would they? Nah, of course not. And Snow White and the Seven Dwarfs are real people. And other myths.
Where this leads
It didn’t take long for a contact tracing app to abuse data. Take a look at this Washington Post article – or this PDF if the original article is behind a paywall. It seems North and South Dakota partnered with a North Dakota software company named ProudCrowd to build a free Apple IOS contact tracing app named Care19. Well, guess what – the software reports what it finds to outside companies. Who wudda thunk it? Naturally, those outside companies throw all that data away. Just trust ’em ’cause they say so.
Here is where we’re headed. I’m supposed to install a black-box piece of software inside my phone, and I’m supposed to trust this software to track everyone I contact, but keep it all private. And I’m supposed to trust it because, well, it promises it won’t do anything bad. Yeah, sure, why not.
But wait a minute. We use black-box software in our phones every day, right? Don’t I bring Google everywhere I drive in return for free turn-by-turn directions? Don’t I tell Facebook every time I see toilet paper at the grocery store? We’ve been disclosing details about ourselves to social media apps for more than ten years. Why should we care about one more app that builds a database of everyone we contact?
Great question. Here’s why. I choose to share portions of my life on social media websites. I assume the whole world will see anything I post, no matter what I set for privacy settings, and so I try to be careful. And I get mad when social media companies abuse my trust. But with black-box contact tracing apps, somebody can build a whole profile on me and abuse it any way they want without my knowledge. No matter how much they spend on feel-good marketing, how am I supposed to trust it? Why do I need to make a tradeoff between Big Brother and fighting a disease that could kill me?
A better way to do it.
Adopt open. Only install contact tracing apps built the open source way. This isn’t my idea. Mike Bursell suggested it in his AliceEveBob blog back in April, 2020. I embraced it because it makes so much common sense. Mike commented below on a draft of this blog post and I’ll quote one sentence here.
If you’d like to know more about the vibrant culture around open source (and other movements like “open management”), then Opensource.com is a great place to start.Mike Bursell, Red Hat Chief Security Architect, Barr Hall, Essex, United Kingdom
Full disclosure – I am also a Red Hat employee. But this is my blog post and might not reflect any Red Hat official position.
Proprietary vs. Open
With the traditional proprietary model, software details are secret and vendors go to great lengths to protect their intellectual property. As they should – just like clothing knock-offs, somebody could steal all their hard work and sell products for a fraction of the cost. It happens all the time. Here’s one famous case when Chinese networking equipment maker, Hauwei stole code from Cisco and used Cisco’s code in its own products.
But sometimes, proprietary vendors abuse their secrets. Microsoft did it in the 1990s. Today, Google and social media companies’ revenue models depend on sharing subscriber personal information.
Open source turns all that on its ear. With open source, intellectual property is in the public domain and ad-hoc teams around the world collaborate to get things done. Often, an acknowledged owner accepts or rejects improvements based on merit, and continuously releases updated versions. Licensing terms usually allow anyone to use the software as they see fit, with an obligation to contribute any improvements they may build back into the community. Customers pay for support, not software acquisition. The system works as long as the community trusts the owner; if the owner violates the community trust, anyone is free to take the software in a different direction, and just like a free market, the community will decide who to follow.
Open source advocates have a saying. It’s not free as in beer, it’s free as in freedom to choose.
Both approaches have positives and negatives. The proprietary approach is good because customers can hold one vendor accountable for everything. It’s bad because it provides lots of opportunities for abuse. The open source approach is good because open source communities really are free markets. It’s bad because free markets are chaotic.
Academics and business leaders have written volumes contrasting both approaches. Here are a couple good ones about open source and an open way to operate: The Cathedral and the Bazaar, by Eric Raymond, and The Open Organization, by Jim Whitehurst.
Many people who don’t know better dismiss open source as a 1960s hippie movement. My ears still ring from a potential customer back in my IT consulting days who said, “I’ll never buy open source software. Why would I trust my company to stuff written by a bunch of teenagers in their parents’ basements?” I wonder if that guy still lives in fantasy-land. In the real world, open source software is at the heart of everything that makes the 21st century world work. Anyone who turns on a light, makes a phone call, browses the internet, uses a bank, or accesses any modern service we take for granted, interacts with open source software.
Don’t believe me? Here are 34 billion reasons why you should. If IBM was willing to spend $34 billion to buy the world’s leading open source company in 2019, maybe the public should take notice.
Open source software should be at the heart of any contact tracing application I install on my cell phone. I want a community of developers who care about privacy to earn my trust by operating transparently. I want the code behind this software available for examination by interested parties. I want public forums and passionate discussions about design decisions. I want organized chaos continuously fueling a vibrant free market of ideas, and a vibrant free market of ideas continuously fueling organized chaos. And I want software that releases early and often with incremental improvements. With those ingredients in place, good algorithms, quality, and proper security will be natural consequences.
Why would anyone contribute any open source project? Recognition is a biggie. Contributing to an effort to limit the spread of a global pandemic might look good on a resume. It might lead to a great job opportunity. Working on open source teams also provides lessons in teamwork and leadership. And for this app, it’s the right thing to do.
Maybe an organization with deep pockets might want to take this on and pay people to build it. Put it on the P&L as a marketing expense. Or make money by selling support subscriptions. Or tap community creativity and look for other ways to make it self-sustaining.
Profit is good. Gaining it by abusing private information is bad. If privacy is important to you, if you don’t want black box software on your phone sharing a database about everyone you contact with who-knows-who, but you do want software that can help you and people you love if you get sick, then make noise. Forward a link to this blog post widely. Contact your Senators and Representatives. Demand they demand an open source solution for contact tracing.
Do it now. Because a virus is knocking at your door.