Danger: Canadian online census
p2p news view / p2pnet: “In 2006, Canadians can fill out their census forms online for the first time - but not if they use GNU/Linux, or are free software advocates who prefer not to install a proprietary version of Java,” posted Bruce Bayfield in NewsForge last week.
He went on, “The situation raises questions of open access to government that are familiar to most of the free and open source software (FOSS) communities, all the more so because other government services are implementing systems with the same limitations. Yet none of those whom we contacted at the Census Help Line, Statistics Canada, or Bell Canada, the contractor that oversees the development of security for the site, seemed concerned about the issues. Nor were they willing to say much when the issues were raised.”
Technical, policy and security consultant Russell McOrmond weighs in on the subject.
Critical policy failures of the Canadian online Census
First, I don’t see this as a FLOSS/Linux vs non-FLOSS/Microsoft issue. Nor do I believe the government should be expected to make implementations of software available for every platform that its citizens may use. In fact, I’m not convinced the government should be involved in providing implementations of software to be installed on people’s computers at all, with this being the major source of my complaint.
What it should be doing is clearly documenting the free/libre and vendor neutral standards being used to communicate between citizen and government computers, allowing a wide variety of implementations to be authored. Citizens can then choose a supplier they trust, or get together in a coalition of citizens to create their own trustworthy implementation.
While the government may provide a list of vendors who supply compliant software, if they distribute software themselves, it should be mandated to be publicly disclosed third party audited software.
Private citizens should have a legally and government-protected right to make their own choices of what software they install on their computers.
Computer software is just a set of rules or instructions which a computer obeys. It should be the owner of that computer and not a third party, whether a virus author, the government or the entertainment industry, that determines what instructions the computer obeys. (See “Code is Law” Speedgeek)
The government claim is the specific software in question is being used for “security” purposes. I believe that this is false, no matter what definition of security you are using, or what threat you are using this security to protect against.
The vendor-dependent platform choice.
The software happens to be dependent on specific versions of the Sun Microsystems implementation of the Java language. This implementation is only available for a subset of computers.
While vendor neutrality is a legitimate public policy concern, I don’t believe this concern is critical to the question of security. Many technical people have become distracted by those who claim this implementation is insecure as they believe that this is an evaluation of the Java language or of the Sun Microsystems implementation. Whether or not the specific implementation of Java that’s required to make this application work has flaws isn’t critical. The critical issue is that an application written in a full-featured language is being run on a personal computer, with full access to other information and settings on that computer. Whether the application is written dependent on Sun’s Java, a vendor-neutral Java, or in “C” doesn’t matter.
This code has not received third party audit
While there’s a claim that the government audited this code, this should never be considered sufficient evaluation for software that’s going to be installed on computers not owned by the government.
The government should be expected to do their own security audit of any software that runs on government computers, but the same level of auditing should be allowed to citizens who should be able to do their own audit.
Encouraging citizens to download, install and run unaudited software is an extremely bad policy. In a world with so much harmful code being inadvertently installed on people’s computers, the government should be actively helping to educate people to never install random software from un-audited sources - not becoming one of those unaudited sources themselves.
The government has mandated that this software be unable to receive third party audit
A group of security students at University of Ottawa (who happen to have a podcast called The Parliament Hillbillies in Ottawa) filed an Access to Information request for this software. Not only did they not receive specifications of the software or any necessary source code, they didn’t even receive documentation of what security policy is theoretically being implemented by this software.
Not only is the implementation not able to be audited, the underlying policy being automated can’t be audited either.
Any claim that the government may have that the information can’t be disclosed for “proprietary reasons” is invalid. This information must be disclosed, and if a vendor is unwilling to disclose this information, then this issue should have been resolved as a mandatory requirement of the procurement process.
Vendors who aren’t willing to publicly disclose for third party audit any software that will be installed and run on citizens’ personal computers should have been disqualified from the bidding process.
As a security person, my recommendation is to stay away from any site which claims you need to download and run unaudited software on your computer. This must include government sites, so citizens are recommended to not fill in the online census and use the more secure paper version of the forms.
There are other people who have recommended a boycott of the Canadian Census for other reasons.
Statistics Canada has contracted out software, hardware, and printing of the 2006 Canadian Census to Lockheed Martin–the world’s biggest arms manufacturer, a maker of weapons of mass destruction, a company that continues to benefit from the war in Iraq, a company known for corruption and breaking the rules, and a company that could possibly invade our privacy under the US PATRIOT Act if it obtained such information.
While I agree with this campaign, I’d still be against using the online census forms, even if a more trustworthy firm had been contracted.
The fact that this specific firm has been contracted just adds fuel to those who quite legitimately are boycotting the online census.
Russell McOrmond - p2pnet contributing editor
[McOrmond is an independent author (software and non-software) who uses modern business models and licensing (Free/Libre and Open Source Software, Creative Commons). He’s also the CLUE policy coordinator.]




May 8th, 2006 at 10:53 pm
Did I ever mention that you guys are the best?
Seriously, I’ve been scoping p2pnet for a couple of years now, and I think you guys are right on, red hot and indispensable.
May 10th, 2006 at 9:19 pm
Regardless of whether the census is taken by the government on-line or in paper, most of the questions are a direct affront to our privacy.
Privacy is extremely precious. It can be lost by force, neglect, or ignorance. Once our privacy is totally eroded (as it will be) we face the spectre of dictatorship. We need only glance at the East German situation prior to the fall of the wall (as an example) to see what can happen to any nation and its people when privacy is lost.
Whilst the Government has the right to ask questions, citizens have the higher right to refuse to answer. However, it is this writer’s belief that basic questions such as name, address, age etc. should be answered since this, historically, is the ‘head count’ and is one clear way in which our population figure is recorded.
Canadians MUST stand up for their freedoms. It is vital that we ensure that our children’s children etc. realize that we fought to maintain their rights and freedoms. If we do this future generations will live in a society in which the individual is respected and not simply considered to be a number. A government which respects its citizens, and has empathy for their needs, is a strong government, managing a strong country. Governments and citizens who choose to ignore these qualities are starting a long walk towards 1984.
J. Ridden, Montreal.
May 10th, 2006 at 9:22 pm
I do not know how to log in. I have signed myself J. Ridden, Montreal, which is true but I live a bit outside of Montreal.