Open source as a lightweight regulatory alternative to lock-down

Tags: #<Tag:0x00007f7cc0d0f158>

Comment by Dave Täht, Vint Cerf, et al. of 2015-10-09 proposing an alternate regulatory regime of requiring fully auditable software and ongoing security updates, almost mandating supported free software (but not quite, for the comment doesn’t call for mandating free copyright licensing) for approved devices. This is by far the most important document on software freedom produced this year and I urge everyone to read it. I’ve copied most of the alternative proposal below (it starts on page 12, and is followed by many pages of endorsers):

In place of these regulations, we suggest that the Commission adopt rules to foster innovation and improve security and usage of the Wi-Fi spectrum for everybody.

Specifically, we advocate that rather than denying users the ability to make any changes to the router whatsoever, router vendors be required to open access to their code (especially code that controls RF parameters) to describe and document the safe operating bounds for the software defined radios within the Wi-Fi router.

In this alternative approach, the FCC could mandate that:

  1. Any vendor of SDR, wireless, or Wi-Fi radio must make public the full and maintained source code for the device driver and radio firmware in order to maintain FCC compliance. The source code should be in a buildable, change controlled source code repository on the Internet, available for review and improvement by all.
  2. The vendor must assure that secure update of firmware be working at shipment, and that update streams be under ultimate control of the owner of the equipment. Problems with compliance can then be fixed going forward by the person legally responsible for the router being in compliance.
  3. The vendor must supply a continuous stream of source and binary updates that must respond to regulatory transgressions and Common Vulnerability and Exposure reports (CVEs) within 45 days of disclosure, for the warranted lifetime of the product, the business lifetime of the vendor, or until five years after the last customer shipment, whichever is longer.
  4. Failure to comply with these regulations should result in FCC decertification of the existing product and, in severe cases, bar new products from that vendor from being considered for certification.
  5. Additionally, we ask the FCC to review and rescind any rules for anything that conflict with open source best practices, produce unmaintainable hardware, or cause vendors to believe they must only shipundocumented “binary blobs” of compiled code or use lockdown mechanisms that forbid user patching. This is an ongoing problem for the Internet community committed to best practice change control and error correction on safety-critical systems.

This path has the following advantages:

  • Inspectability - Skilled developers can verify the correctness of software drivers that are now hidden in binary “blobs”.
  • Opportunity for innovation - Many experiments can be performed to make the network “work better” without affecting compliance.
  • Improved spectrum utilization - A number of techniques to improve the use of Wi-Fi bands remain theoretical possibilities. Field trials with these proposed algorithms could prove (or disprove) their utility, and advance the science of networking.
  • Fulfillment of legal (GPL) obligations -Allowing router vendors to publish their RF-controlling source code in compliance with the license under which they obtained it will free them from the legal risk of being forced to cease shipping code for which they no longer have a license.

Requiring all manufacturers of Wi-Fi devices to make their source code publicly available and regularly maintained, levels the playing field as no one can behave badly. The recent Volkswagen scandal with uninspected computer code that cheated emissions testing demonstrates that this is a real concern.

Why is this so important?

  • It isn't purely a rear-guard action aiming to stop a bad regulation.
  • It proposes a commons-favoring regulatory regime.
  • It does so in an extremely powerful public regulatory context.
  • It makes a coherent argument for the advantages of its approach; it tries to win a policy argument.
  • The advantages are compelling.

On the first two points, contrast with the other comments asking that end user modification and open source not be effectively prohibited. None of the others propose open source as an alternative regulation. One goes so so far as to claim that FCC regulation should not make a choice among intellectual property paradigms.

The last three points are in contrast with relying on an extremely weak and resource poor private regulatory hack (copyleft) which substitutes developer caprice for a public policy argument.

There are currently 3351 filings. I haven’t searched extensively yet, but I have found one note calling for mandating open source for device firmware, from Eric S. Raymond:

Mandated device upgradeability. Mandated open source for firmware. It’s not just a good idea, it should be the law.

As far as I know Raymond is not generally a fan of direct government regulation nor of copyleft.

(Extracted and adapted from a tangentially related personal blog post.)

Bottom right of page 29. Look, it’s me!

This submission is the sort of bold activism that we need more of. It’s all well and good to opine at DEFCON and LibrePlanet about the bad state of the world, but we assume too blindly that the regulators do not require things like source disclosure for some motivated reason. In reality, they often do not know what source is, what disclosure would effect, and really it’s just never been brought to them.

1 Like

Thank you and exactly/well said!