It has become popular over the last couple of years for state and municipal governments to mandate the use or consideration of open source software (software which allows users to view and alter the source code used to build the application) for their information technology solutions. This is true both here in the United States and abroad. This trend raises some important questions for IT professionals such as me, and for the taxpayers who will be footing the bill. What purpose is served by restricting the range of choices available to IT professionals in government? Does open source software actually fulfill the stated purpose of these mandates?
One recent example of such a proposed mandate is Oregon’s HB 2892, which was introduced in early 2003, and which would require state government agencies to specifically consider open source software for all new software acquisitions, and would also require each agency to specifically provide justification when purchasing proprietary software (no such justification is required for open source software). Another example is a memo released by Massachusetts’s Secretary of Administration and Finance in September of 2003 that seemed to suggest that open source software would be given preference over proprietary solutions in state procurement (the state has since issued a statement that backs off from that stance).
In both the Oregon and Massachusetts cases, the officials responsible cite cost as one of the primary motivators driving the mandated consideration of open source software. But in neither case do these officials offer compelling evidence that the costs associated with proprietary software are consistently greater than those of open source software. Certainly, it is usually the case that the cost of acquiring and licensing proprietary software is higher than open source software. But left out of that consideration is the cost of training, maintenance, and software updating: costs that may be higher for some open source software, and may eventually outweigh the cost of licensing in the long run.
Unfortunately, it is common for government officials advocating mandated consideration of open source to assert that using open source reduce costs. The proposed Oregon statute states that, “the acquisition and widespread deployment of open source software can significantly reduce the state’s costs of obtaining and maintaining software,” without providing any real evidence that this is consistently true (or true at all). And one need only look at the case of Munich, Germany, to discover that the rosy predictions of cost savings from using open source software don’t always come true.
The city of Munich, in May 2003, decided to migrate some 14,000 computers from Windows to open source operating systems and products. Backers of the project predicted both cost savings and improved security. While the jury’s still out on security, the cost savings have not yet materialized. In fact, according to a story in Wired News, Munich paid more than $10 million more to switch to open source than it would have cost them to upgrade their systems to newer versions of Windows (after Microsoft offered discounted license fees to try to keep their business). The city council insists that the costs will be made up in the long run, but there is little evidence that this is more than wishful thinking.
In addition to the issue of cost, officials in both Oregon and Munich cite increased security as a reason for considering or switching to open source software. HB 2892 asserts that open source “guarantees the user … [e]xhaustive inspection of the working mechanisms of the software,” which is meant as a comparison to proprietary software’s closed-source code, derisively referred to as “security through obscurity”.
Open source advocates often assert that open source software is inherently more secure because more people look at the code, so it is more likely that flaws will be discovered and fixed. There are two problems with this assertion. One is that it assumes that all eyes are equal; that the people looking at the open source code are as skilled as those employed by proprietary software companies. It also assumes that all the code does in fact get “[e]xhaustive inspection.” While this may be true for high-profile projects such as the Linux kernel (the core of the open source Linux operating system), it cannot be reliably asserted for all open source code generally.
While I work primarily with proprietary software in my day-to-day work, I admire the work done by the open source community, and I think that open source software can be useful in the right circumstances and should be considered as one of many options for government agencies. But when governments use wishful thinking and flat-out incorrect assertions to mandate that open-source software be considered before proprietary software, neither the IT industry nor taxpayers are well served. Government agencies, like consumers, should be free to choose from the full range of IT solutions offered on the open market, both proprietary and open source, without the heavy finger of government on the scale. After all, who knows better how to make information technology purchasing decisions? Technologists, or bureaucrats?
G. Andrew Duthie is an author, speaker, and application developer living in Northern Virginia.