There is one notable aspect to the Volkswagen emission-cheating scandal that few commentators have mentioned: It would not have happened if the software for the pollution-control equipment had been open source.
Volkswagen knew it could defraud consumers and deceive regulators precisely because its software was closed, proprietary and legally protected from outside scrutiny. Hardly anyone could readily check to see if the software was performing as claimed.
Sure, dogged investigators could laboriously compare actual car emissions to emissions in artificial regulatory tests. That’s essentially what broke open the Volkswagen scandal. But that is an expensive and problematic way to identify cheaters.
The larger question is why should a piece of software that has enormous public health and environmental implications be utterly impenetrable in the first place? A locked box invites lawless, unaccountable and sloppy corporate behavior. It assures that hardly anyone can see what’s going on. Volkswagen exploited the cover of darkness for all that it could.
This lesson was driven home when columnist Jim Dwyer of the New York Times hailed free software attorney Eben Moglen – the former general counsel for the Free Software Foundation and founder of the Software Freedom Law Center – as “a prophet.” Dwyer quoted Moglen:
Intelligent public policy, as we all have learned since the earth twentieth century, is to require elevators to be inspectable, and to require manufacturers of elevators to build them so they can be inspected. If Volkswagen knew that every customer who buys a vehicle would have a right to read the source code of all the software in the vehicle, they would never even consider the cheat, because the certainty of getting caught would terrify them.
But since the code is proprietary, automakers know that they have plenty of room to cheat. Not only is the code inscrutable, automakers realize that the U.S. Environmental Protection Agency has only enough funding to test 10-15 percent of new vehicles. That means “self-certification” is the primary means of enforcement: an utter joke.
Worse, inquisitive consumers can’t even check the software themselves. Under the Digital Millennium Copyright Act, it is a crime to breach the encryption of copyrighted software and look into its source code. Wired magazine reported that last year, a number of open source advocates tried to make it legal to scrutinize copyrighted software for “good-faith testing, identifying, disclosing and fixing malfunctions, security flaws or vulnerabilities.” But of course, the politically powerful auto industry squashed the idea, claiming that open access to the code would pose “serious threats to safety and security.”
The Volkswagen scandal shows that the real, larger threat to security comes from proprietary code controlled by large corporations, not from its open release. Why should we rely upon politically compromised, budget-starved government agencies to enforce the law against corporations who can use technological lockboxes to mask their deceits? (The Volkswagen scam had been going on for years.) Why not look to a supremely effective, transparent and virtually free form of enforcement – mandatory open source code?
In the wake of the 2008 financial meltdown, some brilliant minds made the same point about the Securities and Exchange Commission’s oversight of banks and financial institutions. Why not require the disclosure of key financial statistics so that inquisitive minds could use open data analytics to spot dangerous trends in financial markets with greater speed and ferocity than the SEC?
Volkswagen has shown why open code would make automobiles safer and more environmentally benign. Why not open code, Moglen asks, for airplanes, medical devices, anti-lock brakes and throttle controls in automobiles? Open source is our best protection against criminal hacking and corporate fraudsters alike.
Memo to government regulators everywhere: Want to improve public safety and environmental compliance at a fraction of current costs and before the harm happens? Require open source code on critical technologies.