Open Source Sweden issues opinion regarding SOU 2021:1
Open Source Sweden has issued an opinion concerning SOU 2021:1, the so-called it-driftsutredningens delbetänkande ”Säker och kostnadseffektiv it-drift – rättsliga förutsättningar för utkontraktering” (English: “Interim report on secure and cost-effective IT operations - legal basis for outsourcing”, by the IT Operations Inquiry). In the following critical statement, the association highlights how erroneous starting assumptions, a lack of perspective and ignorance surrounding open technologies have resulted in the investigation leaving out very important issues of concern to the association, which consequently results in a bill that the association cannot support.
The association’s opinion can be found below. Anyone who wishes to know more is warmly welcome to contact the association’s working group for cloud issues through (Mathias Lindroth, convener) or our industry spokesperson (Jonas Feist). The Government publishes the various consultation responses from the consultation bodies appointed by the Government itself here: https://www.regeringen.se/remisser/2021/02/remiss-sou-20211-it-driftsutredningens-delbetankande-saker-och-kostnadseffektiv-it-drift–rattsliga-forutsattningar-for-utkontraktering/
The association’s working group for cloud issues was formed in the autumn of 2020 and consists of Mathias Lindroth (ACF Legal), Colin Campbell (Digitalist), Jonas Berndtsson (Kafit AB), Magnus Glantz (Red Hat), Tony Nicolaides (Redpill-Linpro) and Erik Lönroth (Scania CV).
Opinion; department dnr. I2021 / 00342: Stockholm, May 6, 2021
About Open Source Sweden
Open Source Sweden is a non-profit organization for suppliers of open technologies with the mandate to promote an open and well-functioning market for development, sales and delivery of open software and related services to both private and public organizations, based on open standards. To that end, the association participates and operates in international networks and similar contexts.
The so-called “it-driftsutredningen” (English: IT Operations Inquiry) is tasked with proposing legislative changes to enable secure and cost-effective IT operations in the future. The risk we see, however, is that the inquiry’s proposal will make Sweden simultaneously both less secure and less cost-effective. Read on.
Safety vs. cost-effectiveness - an erroneous fundamental assumption
The entire investigation is based on the unspoken premise that it is impossible to combine digital security with cost-efficiency. We believe that this is an error of fact and a fatally flawed axiom. Security is a fully integrated component in modern IT solutions and does not conflict in any way with cost-efficiency. There is a plethora of systems available on the market that are both secure and simultaneously so technically advanced that it is also possible to comply with all other legal requirements (regarding, for example, licensing, privacy-protection and auditing/preservation/archival of documents). To a large extent, these systems are based on open software, which the report completely misses in its analysis of the current situation. In this opinion, open software refers to what in English is called “open source” and which meets the definition of such set up by the organization Open Source Initiative (OSI). An additional significant advantage of open software is the ability to completely eliminate the serious lock-in problems (vendor lock-in) raised by the investigation, which the association finds extremely unfortunate from the perspective of procurement law.
Constitutional interests in the balance
The inquiry proposes a new secrecy-violating provision in the “Offentlighets- och sekretesslagen” (English: “The Public Access to Information and Secrecy Act”). The rules of secrecy in OSL represent trade-offs between, on the one hand, the fundamental democratic interest in transparency - and transparency in the exercise of authority - and on the other hand, various opposing interests of comparable weight, e.g. citizens’ personal integrity and national security. The Inquiry’s proposal on a new provision to override otherwise mandatory secrecy does not respect the aforementioned order. Instead of analysing the requirements that should be set to ensure that outsourcing does not jeopardise any legitimate protected interests, the inquiry seems to elevate the authorities’ simple convenience to an equivalent weight as those interests that in many cases are found in both constitutions and international conventions. In a democracy, the starting point must be that the tools used by authorities must be adapted so that the state can fully respect the protection of human rights, national security, etc. which the people have agreed upon and which are enshrined in law - absolutely not the other way round. If a technical solution does not enable compliance with Data Protection Regulations, to take a controversial example, the correct course of action is not to legislatively create a loophole in the law, but rather to choose another technical solution. If a given technical solution cannot generate documents in a format that legally guarantees readability, archival and retrieval over time, the answer is obviously not to disregard applicable law. The inquiry should have dismissed convenience (and other euphemisms for the same phenomenon) as motives for changes to legislation such as the OSL, the purpose of which is to ensure legitimate constitutional interests and the balance between such interests in cases where they conflict.
Long-term consequences of reactive action
The inquiry takes an unconscionably short-term perspective of the issues in their analysis. What is glaringly omitted is a deeper analysis of how, for example, lock-in affects the operation of authorities in the digital realm. How the long-term supply of skills comes into play. How authorities will be able to keep pace with the development of digital technologies in the long term. Such an analysis must naturally also include fundamental issues concerning the state’s relationship with the citizen in the coming digital world in order to be relevant. Richard Henriksson, who for ten years worked with cyber and information security at Must and later as an advisor at the Foreign Office, writes in his article “Moderna hot kräver digital suveränitet” (English: “Modern threats require digital sovereignty”):
“The decisions that we as a society today choose to make, or alternatively not make, will have far-reaching consequences for the future. Only through appropriate and modernised regulations created for the conditions of the information society can society act in a controlled rather than a reactive way.”
Article in SvD with the headline “Moderna hot kräver digital suveränitet” (Published 2020-01-21).
The impact of open software and open standards on cost-effectiveness
The investigators’ assignment has also included mapping the authorities’ ability to identify the risks and effects of lock-in, and the opportunity to benefit from technological innovation. Obstacles to cost-effective IT operations according to the authorities’ own survey responses indicate that 21% of authorities think that “vendor-dependency or other lock-in effects” are a driver of high costs. The inquiry repeatedly establishes how lock-in creates higher costs, but does not propose any serious solutions. Research in the field indicates very clearly that open software - and its companion, open formats - counteract lock-in and thus increase cost savings. A good example of such research is Konkurrensverket’s (English: “The Swedish Competition Authority’s”) published analysis of IT standards, lock-in and competition in the Swedish administration. In light of the above - and despite the fact that the investigation repeatedly states that lock-in is one of the main reasons for high costs - open software is mentioned only three times in the 398-page and approximately 100,000-word document. For reasons which remain obscure, the investigators have completely ignored research on lock-in effects. That research clearly describes how open software and open standards reduce the risks of lock-in. Furthermore, authorities such as Statskontoret (UK: “The National Audit Office”), Verva (English: Swedish authority for public-sector development - defunct 2008) and Kammarkollegiet (UK: Treasury sub-department) have since 2003 been developing a procurement policy that increasingly includes open software. This is completely in line with the rest of the EU. The reason for this, according to applicable research, is that they have observed how open software counteracts high costs, for example by reducing the risk of lock-in. There is therefore a wealth of practical experience that is not drawn upon in the survey.
This is further underlined by the fact that open software and open standards have become a natural part of the modern IT solutions used in the business community. This is also entirely omitted from the report.
FÖRENINGEN LEVERANTÖRER AV ÖPPEN PROGRAMVARA I SVERIGE — OPEN SOURCE SWEDEN
Kansli: SINF - Svensk Industriförening
Fleminggatan 7, Box 22307
S-104 22 Stockholm