The degree to which some companies have control over common operating systems, purported to be open source, is concerning.
Julie M. Anderson is managing director of Civitas Group and an expert with SafeGov.org, an online IT forum promoting secure cloud computing security.
In recent weeks, the federal government has accelerated its efforts to promote the use of open source platforms as a way to improve the array of digital services it offers.
At the same time, agencies are looking to secure the more powerful (but potentially vulnerable) landscape of mobile devices federal employees increasingly use in the workplace.
But when agencies make open source-driven decisions on which mobile operating systems they should entrust with data, the degree to which some companies have control over common operating systems, such as Android, is concerning.
Today’s federal IT landscape is quickly evolving. In the past month, the Federal Chief Information Officer Council released its U.S. Digital Services Playbook, calling for greater use of open source technologies. Meanwhile, the Obama administration tapped a leader to head its new U.S. Digital Service team to aid the implementation of such programs across federal agencies -- with an explicit mandate to employ open source solutions.
These endeavors also carry across federal mobility efforts, which include an estimated $2 million in spending on mobile device hardware alone.
These smartphones and tablets – a combination of agency-furnished and bring-your-own-device setups – are in the hands of thousands of government employees.
Many of these phones run the Android operating system, which is owned and managed by Google, but still purports to be an open source platform.
Advantages of Open Source
Open source platforms have existed for decades. The most well-known platform, Linux, was established in 1991 for servers and desktop computers.
Linux continues to exist in Android’s base code, but Android OS is rigorously controlled by Google. While the Android Open Source Project creates its own modified versions of the software and leverages volunteer efforts worldwide, these projects often require users to “jailbreak” their devices in order to override Google’s heavy restrictions.
These sorts of roadblocks to innovation and crowdsourcing raise the questions: Is Android really the type of open source platform the federal government has recently been touting? And should for-profit entities wield control over so much government data?
The standard OS that Google pushes out with its devices comes with its own set of security and privacy issues.
For instance, when installing Gmail accounts onto a new Android smartphone like the Samsung Galaxy S5 or the Google Nexus 5, Android’s default setting is to upload the user’s photos and files to Google-owned services like Google Plus and Picasa.
While some of these settings can be disabled by corporate or government-managed BYOD program administrators, the lines are often blurred. This means if government employees take photos on their smartphones for work-related purposes, they may unknowingly be sending the photos to be synced with Google’s for-profit, ad-driven services.
Preserving True Open Source
Both private and public actors can take steps to encourage an open source approach for Android:
- To become truly open source, Android should allow community development to perform any activity on its mobile devices in the tradition of Linux. The current approach limits the potential for innovative solutions to benefit all users.
- Simultaneously, mobile device manufacturers should combine their efforts and elicit more concessions in their contracts with Android to allow for greater flexibility.
- Furthermore, it is critical that services on Android devices not be tied or bound to the platform. Simply put: Users must be given the choice to turn off the services or use alternatives.
- Finally, the government should hold its industry partners to higher standards when it comes to how they conduct themselves. Consumers and online privacy advocates have already begun saying enough is enough when it comes to invasive techniques, like Facebook’s Messenger App or YouTube’s Google Plus log-in requirements.