It seems a day doesn’t go by without news about governments outside the US voicing support for Open Source. For example, France and China are working to support Open Source middleware. The British Tories supports Open Source. So does the Australian government. And the list goes on. But the US is not totally in step with the rest of the world. While support in the US is growing, it’s not always along a smooth path.
For example, consider regulations from the FCC announced last week that are about to go into place. The FCC has ruled that Open Source cryptography methods used as part of software radio is inherently less secure than non-published proprietary methods. They argue that published open source software is more vulnerable to hackers and there is “a high burden to demonstrate that it is sufficiently secure”. The FCC argument recommends an approach of “security through obscurity”.
It’s interesting to note that Cisco provided some of the logic behind the FCC ruling. The FCC argument contends that if the source code for the radio is open then hackers could easily endanger public safety by potentially doing things like altering the code to output more power, or operate on inappropriate frequencies.
The regulations are around a new technology called software phones, single devices that can receive signals from multiple sources, like television and cell phones. C|Net News quotes Bernard Eydt, chairman of the Software-Defined Radio (SDR) Forum as arguing against the ruling, saying that “there is no reason why regulators should discourage open-source approaches that may in the end be more secure, cheaper, more interoperable, easier to standardize, and easier to certify”.
SDR Forum corporate members, Motorola, AT&T Labs, Northrup Grumman, Virginia Tech, and others have voiced concern over the FCC decision and have signed a petition asking the FCC to reconsider.
The language in the SDR petition “recommends that in its future opinions and rulemakings, the Commission (FCC) place less emphasis on the confidentiality of security methods, and instead focus on the standards that assure confidentiality of cryptographic secrets in operation.”
The Software Freedom Law Center also released a whitepaper that tried to spin the FCC announcement as a support for Open Source. The whitepaper notes that the FCC’s authority extends only to hardware. The whitepaper contends:
“Since software is a representation of a mathematical algorithm, it is not a “device”, “home electronic equipment” or a “home electronic … system.” Further, there is no precedent for applying the device certification rules to software except as installed as a component of a specific hardware device. Indeed, the FCC has explicitly limited the certification requirements to ‘hardware-based device[s].’ Both of these facts make it clear that the FCC rules do not apply to software by itself, but only to hardware-based devices. “
