In a move to build better relationships with certain classes of customer, Microsoft in 2001 began allowing them to look at portions of Windows source code. Several programs were set up, serving selected enterprises, “most valuable professionals,” OEMs, system integrators, academics and several other customer categories all grouped under one heading: the Shared Source Initiative.
A later addition to the scheme, launched in January 2003, was the Government Security Program (GSP). Under its auspices, government agencies from qualifying countries can view source code for current versions, beta releases and service packs of Windows 2000, Windows XP, Windows Server 2003 and Windows CE.
In addition, says Microsoft — subject to such requirements as U.S. export approval — qualified GSP participants also can obtain access to cryptographic code and development tools. There is one caveat, however: Participating bodies can’t modify the code except in limited circumstances in close collaboration with Microsoft.
Seeing Is Believing?
“The GSP was crafted specifically to address the burgeoning security concerns and vulnerabilities of national governments and their key agencies,” according to Jason Matusow, manager of the Shared Source Initiative program. “As a highly focused program targeting security issues, the GSP promotes centralized coordination behind a sponsoring national agency that focuses on security as its core mission or priority (typically, the national interior ministry, IT ministry or a dedicated security department). This agency ordinarily conducts the overall security review on behalf of the central government, and then may bring other agencies into the source-access program as warranted to undertake specific security-related projects.”
Jupiter Research’s Microsoft specialist, Joe Wilcox, doesn’t disagree — but like other industry observers, he believes this is only half the story. “Keep in mind,” he told TechNewsWorld, “that Microsoft is a U.S. company, and there can be concerns that a U.S. company might have some ‘support’ from the government — some back doors into the software, that kind of thing. Those suspicions don’t have to be true to be a problem for Microsoft. By allowing some access to the code, it can alleviate those fears and fears around security in general.”
Wilcox, who said he views the program as a response to the “open-source threat,” pointed out that several countries have incentives to consider alternatives to Microsoft software and even to any U.S.-produced commercial software. “Countries like China, India and Russia,” he noted, “have good reasons to try and develop their own indigenous software industries. And one way to do that is to build around open-source projects like Linux. With this program, Microsoft is trying to present them with an alternative.”
Perception or Reality?
Does the Shared Source Initiative — and the GSP in particular — represent a shift in Microsoft’s thinking about “openness” in software? Certainly, the section of its Web site dealing with the general topic of open-source software sounds surprisingly positive.
“Microsoft believes the results of government-funded basic research should be widely available and that permissive open-source licenses often maximize availability and usefulness,” it says. “Open-source software is one important part of the software ecosystem.” What Microsoft wants, according to the document, is “neutral public procurement rules that allow governments to select software that offers them the greatest value.”
But security consultant Richard Forno, author of The Art of Information Warfare and other books, sees the GSP as representing no real change in Microsoft’s approach. It is, he believes, more a matter of perception than of substance: “My gut feeling is that it is to present the appearance of openness and getting some trust. It’s ‘shared’ source, but it’s not ‘open’ source.”
According to Microsoft’s Matusow, about 60 nations’ governments have been approved for participation, and more than 30 are now on board. Approval under the GSP is granted largely on the basis of a country’s intellectual-property laws, which Microsoft says must be able to protect its copyrights.
Commitment the Key
China, in fact, seems to have been one of the earliest participants, even though the Chinese government is said to be leaning toward open-source procurement. Given China’s reputation on intellectual-property legal issues, this suggests some flexibility in Microsoft’s judgment of what it takes to protect its IP.
“Steve Ballmer has made several trips over there, meeting with ministers and cabinet-level folks, trying to get them to tighten up their IP controls and regulations,” said Forno. “Obviously, that’s a huge market that Microsoft wants to break into, and I can understand their desire. But the last I heard, China is still proceeding with its own version of Linux and going with the open-source approach, for whatever reason. China certainly hasn’t improved its IP restrictions any.”
But according to Microsoft’s Matusow, “the GSP eligibility list continues to expand as more nations endeavor to bring their IP regimes into accord with international standards. The GSP agreement in China is the result of the ongoing commitment, partnership and investment Microsoft has already made in the Chinese software industry…. We have a very positive, dynamically growing relationship with the People’s Republic of China, including several joint initiatives.”
Million Eyes on the Code
Microsoft says a million individuals now have access to Windows source code through various parts of the Shared Source Initiative. To the uninitiated, that may sound like cause for sleepless nights in a company famously protective of its designs. “The GSP goes well beyond simple source access,” Matusow told TechNewsWorld. “Trust and partnership don’t happen simply because of source code availability.”
And, as Joe Wilcox pointed out, “I think it’s safe to assume that anyone outside of Microsoft given access to the source code sees it under very controlled circumstances.”
At a practical level, such control might be provided by the access mechanism, which involves use of a smart card allowing developers to inspect the code from approved locations in an SSL-protected online format. Additional practical protection may be afforded by the sheer volume of the code.
“We’re talking about millions of lines of code,” Wilcox pointed out. “Nobody’s going to get a quick look at that and be able to steal Microsoft intellectual property.”