ECI4all system: Replacement of OCS announced – but who are they?

ECI Campaign

You may be aware that the European Commission has been supporting the development of an online collection system for signatures for the European Citizens’ Initiative. It is called OCS and is hosted on the JoinUp platform. Now, OCS has a number of issues, which have been documented recently by the ECI campaign here.

It seems a new kid is on the block: a group or person called ‘ECI4All‘ has announced that they are “working on a product which aims to be a replacement for the current Online Collection System for ECI”.

I’ve had a quick look at it and, well, there are some concerns…

But let me start by saying I like the idea of re-implementing the code in PHP, and the use of SourceForge to host the project is fine – though JoinUp and the EUPL might have been a more politically sensitive choice.

First issue: I’m not an expert on GPL3 – but it can be quite restrictive in terms of reusing the code. For instance, you would not be allowed to relicense any of it under the EUPL, even after modifying it. (In fact I’ve come round to the opinion that a BSD/MIT-type licence is the best option because it is legally so much simpler, but that’s another story.)

Come out, whoever you may be

A more serious issue is the anonymity of the developers. In my experience it is not normal for serious open source projects to be so secretive about their participants.

The author(s) of the ECI4All code seem to go out of their way to maintain anonymity, which is a concern when you are developing an application whose whole purpose is to capture and verify a mass of personal contact details.

There is a slight clue in the committed code – some of the files were created by another SF user, ‘allura’. Allura’s claimed name is Krishna and ‘he’ has been registered since 2004. But there is not much to be found out about ‘him’ on SF – the two projects linked to the username seem to be dead or dormant.

Other clues: the Twitter account looks legitimate, if new (first tweet 15 January), and it claims to be based in Luxembourg. A comment on the blog was signed by someone called ‘Klaus’ (with no profile).

So – I am a little suspicious! Frankly, it should not be so difficult to work out who we are dealing with here. What is the business model or motivation for all this work?

This puts potential users of a system built on the ECI4all code in the position of having to review the code very carefully for any backdoors before having the system go live[*] – and, once it has been reviewed, of pinning the deployed system to exactly the revision that was reviewed, since a review only vouches for the code you actually run. Potentially, once the code has been reviewed, it would then be logical to fork it – i.e. making another GPL3 project which starts from the ECI4all code but retains transparent control over further development.

A much better solution would be for ECI4all to come out from behind the wall of anonymity and join the active online ECI community!


About Peter Cruickshank

Lecturer in the School of Computing and Research Fellow in the Centre for Social Informatics at Edinburgh Napier University, Scotland. Interested in information management, politics, society, ICT, security and where they intersect. My attempts at rounding out my character include food, cinema, running, history and together with my lovely wife bringing up a boy and cat.
This entry was posted in e-participation, Europe, Uncategorized.

10 Responses to ECI4all system: Replacement of OCS announced – but who are they?

  1. xavier says:

    Hi peter,

    GPL is a fine licence, the most used one, and used by the biggest open source projects (e.g. Linux is GPL2). It came way before EUPL, which is incompatible indeed, but that isn’t an issue; no one is using it outside of EU projects anyway.

    BSD/MIT are fine licences too, but more business-friendly than the GPL.

    The author told me that he couldn’t be public at this time but that it would come eventually. I’m not saying it’s the case, but one valid reason might be that he is involved in an ECI that isn’t public yet, and his confidentiality agreement doesn’t allow him to be more visible at this time.

    As you know, one of the benefits of open source is that the code stands on its own. You can, and should indeed, check for security issues and backdoors, no matter if it was written by an anonymous coder, some anonymous contractor at the European Commission or Linus Torvalds. The code is secure or it isn’t, no matter the author’s name.

    At this stage, it would be more useful to focus on the features and usability of the software and its technical infrastructure. Do you have an opinion on these?

    As for allura, I’ll stop you right there: it’s the name of the software powering SourceForge, it’s a technical user ;)

    X+

  2. Hi Xavier – thanks for that. Seems to answer many of my queries :-)

    Also thanks for the correction re allura! And to think I used to be a big user of SourceForge (blush).

    The EUPL vs GPL3/GPL2/BSD debate will run for a long time, so there’s no point getting into that one.

    I take your point that in principle there is no need to know or trust the developers, but I think in practice part of the verification process would include understanding the developers and their motivations. Deliberately hidden backdoors are even more difficult to audit for… the ECI app is high risk (for identity theft and hijacked democratic processes), so in-depth security analysis is necessary.

    Thanks again for getting back so quickly.

    Peter

  3. Remy says:

    You make a very good point Peter, but let’s go a bit further.

    The ECI regulation makes the organisers legally responsible for the security of the personal data they collect. Which organiser in his right mind will take the risk of protecting this data with software dumped on SourceForge, without any warranty, by an anonymous group?

    “But it’s open source, just review the code yourself” reply the fanatics. So who exactly should spend the required effort reviewing that code? Is it the role of the organisers themselves? Should they pay security pros to do it? Or should they blindly trust one of the many smartasses who like to give advice on everything but never take any responsibility?

    Next, let’s say a reckless organiser agrees to risk going to jail by using this software. Who says it will get certified? Which organiser will risk losing months of signature collection with a certification failure? Oh yes, sorry, “it’s open source”, so probably it’s again up to the organisers to check that this software is compliant with the regulations.

    Oh, and why do you think they published a “0.1 pre-alpha” version? Are they looking for sponsoring? For developers? Can’t they be bothered to test and review their own code? (Yes, there are some bugs in this version.)

    ECI4all brings some mystery and fun, but don’t hold your breath for a real-life use of this software.

    R

    • Remy – a good strong argument!

      I should say that from Xavier’s comments and Twitter feedback, it’s sounding like the ECI4all people have good intentions… but that only answers some of the issues you (and I) have raised.

      …in the end, I think the answer (for any ECI system, OCS or ECI4all or anything) is that in practice there will emerge a very small number of trusted service providers who can afford to provide the secure hosting and to carry out the required security checks.

      It’s not something a campaigning group would want to take on, unless they’re backed by big money…

      P

      • Anonymous says:

        “ECI4all brings some mystery and fun, but don’t hold your breath for a real-life use of this software.”

        What did I tell you? :)

        R

  4. xavier says:

    Hi Remy,

    Do you think the OCS software by the European Commission provides any warranty? You should read the EUPL again:
    “The Work is a work in progress, which is continuously improved by numerous
    contributors. It is not a finished work and may therefore contain defects or “bugs”
    inherent to this type of software development.
    For the above reason, the Work is provided under the Licence on an “as is” basis and
    without warranties of any kind concerning the Work, including without limitation
    merchantability, fitness for a particular purpose, absence of defects or errors,
    accuracy, non-infringement of intellectual property rights other than copyright as
    stated in Article 6 of this Licence.
    This disclaimer of warranty is an essential part of the Licence and a condition for the
    grant of any rights to the Work.”

    As for losing months of signatures, it’s more than a risk, and that is what happened with the OCS software (the first ECI that had the OCS software certified had to wait 5 months after the launch, the next one another 2 months).

    You might not be familiar with open source, but one of the mantras is “release early, release often”. I’m sure there are bugs, as you seem to have found some; would you mind reporting which ones you found?

    If the EC had followed this, we might have had software that wasn’t full of bugs and that doesn’t still have lots of problems today.

    • Hi Xavier – good points, and I guess they reflect the impossibility of truly certifying a piece of software as infallible! I think I’ll post something on that soon…

      Right now I think I want to say that the open source development approach works best when it is community driven, with a mix of designers, coders and (importantly) stakeholders/users – logging issues, planning roadmaps etc.

      All this depends on trust and a commitment to a shared vision… which is difficult (but not impossible) when dealing with anonymous entities!

  5. ECI 4 ALL says:

    Peter, thanks for pointing out some interesting thoughts. I will try to answer briefly:
    – licence: maybe you are right; we were thinking of changing the licence to make it compatible with EUPL (some licence which will allow switching back and forth to/from EUPL); this would be a good idea as some parts of ECI4All are similar to OCS (for instance, we are using a 3-module approach – web app, admin app and offline app; also, text messages are copied from OCS – this will make translating the application much easier)
    – anonymity concerns: this shouldn’t be a problem as long as the system is certified by the national authorities; for instance, the authorities from Luxembourg are (too) thorough; if some part of the application does not conform to the ISO 27k standard, I am sure they will not allow the organiser to go further with the ECI if something is wrong with the system from a security point of view (or at least with its documentation)
    – you suggest that we (ECI4All) write all the code so that someone else (for instance the EC) takes it over and re-fills it with bureaucratic ideas – we have all seen how well an EC-governed open source project is going; of course, although immoral, this is possible. ECI4All is open source. But I am sure the project will have the same fate as the current OCS.

    Remy, it seems you are our first official hater. I will not go into any argument, for two reasons:
    – you speak about anonymity and yet, you sign as “Remy”
    – you speak about jail, organizers gathering signatures without a certified system, etc; all these show that you have no real idea about what’s going on in the wonderful world of ECIs

    • Hi ECI4All, if I may call you that? :-)

      Thanks for your input, and dealing with your points in turn:

      From what I remember, copyleft licences are complicated: if you have GPL2 or EUPL, you have the option to migrate to GPL3 later – but the move backwards is not possible – so it’s a strategic decision… and good to see you thinking about it.

      Anonymity: of course, the released application should be packaged, and the package then certified. I’m guessing there is a checklist that’s used for the certification? (ISO27k is too generic)

      But as I said to Xavier, a feature of many successful open source projects is community involvement (which helps build up trust). I think anonymity will in the end become an issue, even amongst your supporters. Not yet though – it’s early days and the code’s pre-alpha, so there are no expectations. I worry that it would be different on a live system with an active user community, being used on a live ECI. But I’m not you, and don’t know what your plans are! (e.g. what your business model is – this code is too big to be a hobby, I think)

      Forking: forking is not ‘immoral’ in the world of copyleft: look at Joomla, or what’s happening with Mint/Ubuntu or MariaDB/MySQL – it’s a way for the community to regain control if trust is lost. I’d say that anonymity can mean this risk is higher. I’m not saying that it *will* or *should* happen!

      Anyway – good debate. I think it has clarified a lot of questions I had, thanks.

      Peter

      PS No labeling of people on my blog, please :-)

  6. Cristian says:

    Dear ECI4All,

    You say that “also, text messages are copied from OCS”.

    Given that OCS is licensed under the EUPL, you can normally use the software for any purpose, and I think the only restrictions are related to modification and redistribution of the software:
    • if you modify it, keep intact all existing copyright mentions and identify your own modifications by prominent marks (who did it, when, for what purpose) with mention of your own copyright
    • if you redistribute it, ensure that it is done under the EUPL licence, or under a compatible licence from the list attached to the EUPL (only if this is compulsory after merging or integrating the software with a component that is licensed under the compatible licence).

    I think you forgot to mention where you got the original and to identify your own modifications…

    Cristian
