You may be aware that the European Commission has been supporting the development of an online collection system for online signatures for the European Citizens Initiative – it’s called OCS and hosted on the JoinUp platform. Now, the OCS has a number of issues which have been documented recently by the ECI campaign here.
It seems a new kid is on the block: a group/person called ‘ECI4All’ has announced that they/he/she are “working on a product which aims to be a are replacement for the current Online Collection System for ECI”.
I’ve had a quick look at it and, well, there are some concerns…
But let me start by saying I like the idea of re-implementing the code in PHP, and the use of SourceForge to host the project is fine – though JoinUp and the EUPL would have maybe been a more politically sensitive approach.
First issue: I’m not an expert on GPL3 – but it can be quite restrictive in terms of reusing the code. For instance, you’d not be allowed to change any of it to EUPL even after adjusting it. (In fact I’ve come round to the opinion that a BSD/MIT type licence is the best option because it’s legally so much simpler, but that’s another story.)
Come out, whoever you may be
A more serious issue is the anonymity of the developers. In my experience it is not normal for serious open source projects to be so secretive about the participants.
The author(s) of the ECI4All code seem to go out of their way to maintain anonymity, which is a concern when you’re developing an application which in the end is capturing and verifying a mass of personal contact details.
There is a slight clue in the committed code – some of the files are created by another SF user ‘allura’. Allura’s claimed name is Krishna and ‘he’ has been registered since 2004. But there’s not much to be found out about ‘him’ on SF – the two projects linked to the username seem to be dead or dormant.
Other clues: the Twitter account looks legitimate, if new (first tweet 15 January), and claims to be based in Luxembourg. A comment on the blog was signed by someone called ‘Klaus’ (with no profile).
So – I am a little suspicious! Frankly, it should not be so difficult to work out who we’re dealing with here. What’s the business model or motivation for all this work?
This puts potential users of a system using the ECI4All code in the position of having to review the code very carefully for any backdoors before having the system go live[*]. Potentially, once the code has been reviewed, it would then be logical to fork it – i.e. making another GPL3 project which starts from the ECI4All code while retaining transparent control over further development.
A much better solution would be for ECI4All to come out from behind the wall of anonymity and join the active online ECI community!