Monday, March 14, 2011

Rethinking openness in the face of oppression and murder

As most of you who read this blog know, I'm a true-blue believer in Free and Open Source Software (FOSS). I believe that having the right to modify the programs you own is a fundamental right of software ownership and that denying a user that right is downright unethical. I really do believe that, but a project I'm currently working on has me seriously weighing the benefits of open vs closed in specific circumstances.

In 2009, during the Iranian presidential election protests, the Iranian government decided to try to quell the protestors' communication by blocking social networking sites like Twitter and Facebook. The entire world responded and programmers jumped to creating software solutions to get around the blocks and restore protesters' access to these vital communication tools. For my part, I developed a small PHP script that I dubbed "TweetFree" and released it into the wild after announcing it on Twitter.

TweetFree provided a distributed way for people to post to Twitter via the concept of a relay network. The idea was that anyone could run a TweetFree server and the protestors would access the various servers set up around the world to post their updates to Twitter, thereby bypassing the government blockage of the service.

Of course, the software was open source. When I wrote it, I thought 'If I don't open source this, people aren't going to trust it and it won't be used'. And, by the nature of PHP being an interpreted plain text language as opposed to a compiled one, open sourcing the code was a natural thing to do and an easy decision.

Now, two years later, I'm rewriting TweetFree in Real Software's RealBasic (a fully compiled language) and I'm seriously considering not open sourcing the software. Yes, I can hear the outraged gasps of the FOSS community but please put the pitchforks up while I explain my reasoning.

Open source code is fantastic. It allows anyone to modify the code to suit their specific needs instead of relying on a vendor who may or may not be responsive to their needs. Maybe YOU as a user aren't a programmer but you can always hire one to modify the software to your needs.

While that makes incredible sense in the consumer software space, I'm not so sure it works quite as well in human rights work within an oppressive and murderous regime. In fact, the main strength of open source within the consumer community actually makes it a liability within the human rights field.

Let's consider Iran as an example here. In 2009, Iranian government IT teams were all over social networking sites and blogs trying to find out where people were posting updates from and who they were. If they found these people, they were arrested, brutalized, and, sometimes, killed. One of my biggest fears during the protests was that the government of Iran would download and modify TweetFree and set up a rogue server to track and trap protesters into giving up their IP addresses. So, shortly after it was posted to the net, I made the heart-wrenching decision to pull the code from the Internet in order to protect protesters' lives.

Fast forward a year and a half and I'm again seeing a need for software like TweetFree. But this time, I'm more wary about open sourcing the code and I'm wrestling with the ethics of users' right to modify the code versus the absolute requirement to protect the lives of those who use the service to raise their voice. In the end, I believe the need to protect lives outweighs the need to modify software. Not being able to modify software might be an inconvenience, but it's not going to get you raped, tortured, or murdered; falling victim to a rogue server that tracks you will. Not that tough of a decision, is it?

Still, I believe that, for nothing more than the sake of maintaining trust, openness is important - especially in this type of environment. I'm going to address that by making the code inspectable by anyone who wants to inspect it. I'll even compile the code for you while you wait just to show you that the hash signatures between what I'm showing you and what you're running are the same. I'll do whatever it takes to make sure users understand that there is nothing 'spooky' or secret about the software, but I'm not going to release the code into the wild.

I'm sure this will cause some controversy among the free software purists who will say that all code, regardless of the environment, must be free. But as a socially focused developer, my first priority is not to cater to my own or anyone else's ideologies. My first priority is to protect the lives and safety of the people who use the tools I create. That outweighs everything. That outweighs all ideologies. That is, to borrow a line from Star Trek, the Prime Directive.

So as TweetFree Relay nears its release in the next few days, I want to encourage those of you who shy away from running any non-free code to seriously rethink your position. Your contribution to the network is desperately needed and you can make a real difference in the lives of oppressed people around the world. Don't let a technical ideology get in the way of doing a good thing. Don't let personal bias or the opinion of a bearded guru deter you from stepping in and changing the world.

The opportunity is before us and it has no ideology. It simply demands that we do the right thing.


Agi said...

Even if they don't have your source code they can still pretty much do what you've described... there's something called reverse engineering.

Anthony Papillion said...

Agi: That's very true but reverse engineering can present a significant obstacle even to experienced software developers. Of course, there are many ways to get an IP address of ANY connected user to any kind of server, but my point is not making it as easy as possible for them :-)