The viability of open-source programs in India: A critical analysis w.r.t. the NODE programme, GoI

Introduction

Open source commonly refers to software that uses an open development process and is licensed to include the source code.^[1] In a rudimentary sense, open-source software (“OSS”) refers to the type of software with the source code available in the public domain, that can be accessed, modified, enhanced, and redistributed by third parties. It can be seen as a departure from the conventional closed source or proprietary software model.

Proprietary software is a software-based on a closed source that is owned by an individual or a corporation. This implies that the complete access and control over such software are exercised by a specific group of people who can modify or distribute it. Unlike OSS, where the code can easily be accessed and modified by the public at large for free, proprietary software generally needs to be paid for and it can only be used by the people for the purposes as displayed by its license agreement. Thus, it can be said that OSS involves a bazaar approach while proprietary software, where only a closed group is involved in the development, adopts a cathedral approach.^[2]

The open-source movement owes its origin to the Massachusetts Institute of Technology (MIT) and the University of California, Berkeley. The efforts of these two institutions led to the development of the operating systems, GNU and Berkeley Software Distribution, responsible for the open-source licensing systems, GNU General Public License (GPL), and BSD License, respectively. [3] It must be noted that one of the principal reasons for the emergence, continued development, and the recent switch to the OSS is due to its conflict with proprietary intellectual property (“IP”) rights.

Initially, it was assumed that extending copyright and patent protection to the original works and inventions of the creators and inventors respectively, would act as an incentive for the individuals to undertake original work and bringing about innovation. However, the position, in this regard, has been rather precarious. The extensive grant of IP rights to the individuals, has, on the contrary, stifled the creation of new works and has adversely affected the spirit of innovation.

This was first expressed by Richard M. Stallman, founder of the GNU project, who said that the increased grant of proprietary IP rights, leads to the concentration of all the rights in the hands of a few and thus severely hampers the access and ability of the general public to work.^[4] It would, therefore, only be appropriate to say here that this reduced ability and increased risk involved, discourages individuals and corporations to undertake research projects, and thus greatly affecting innovation.

This is why, the open-source movement, aimed to expand the reach of software, from the creators to the general public, emerged. This should, however, not be construed to mean that the OSS is a step away or an alternative to IP protection. Instead, the open-source movement should be viewed as to be in harmony with the conventional proprietary approach, that is, while it seeks to provide the source code to the commercial user (that can be modified and redistributed by him), but at the same time seeks to provide IP protection to this work of the user, thus protecting his rights and interests.

Open Source and Intellectual Property Rights

With the switch to the open-source model, as is being witnessed in the present times, it becomes imperative to address the position of such software with respect to the copyright and patent regimes.

• Copyright Protection

One would assume that the present copyright systems seek to promote original work and innovation. On the contrary, the proponents of the open-source model maintained that this protection stifles innovation as proprietary software is based on a system of exclusion. Thus, they furthered a new system of copyright protection referred to as Copyleft.  While copyright protection is resorted to by the author to prevent duplication or modification to his original work, under the copyleft regime the copyright for the original work is secured and the work is licensed to the masses, which allows the subsequent users to further modify the work.

•  Patent Protection

Software patents came in for heavy criticism by the proponents of the open software model and are despised by the open-source community.[5] One of the primary reasons for the same is with regards to license infringements which entails that when such infringement is confirmed, the progress comes to an immediate halt and thus completely preventing any derivative programs that may arise out of the main software. The main contention forwarded by the developers, discouraging the grant of patents for software and programs, is that software inventions are too abstract and closer to mathematical algorithms.

Thus, the open-source community suggested a model that closely resembled the copyleft structure such that the codes can be directly licensed to the populace, thereby providing for subsequent modifications to the programs by the licensees (or the sub-license holders) and allowing further distribution of the enhanced code.

However, unlike copyrights where the protection of the law is extended from the day the work is created, patent protection needs to be acquired through registration which is a rather, long, and expensive process. It would, therefore, only be fitting to say here that patent protection for software is not desirable to the open-source community as well as the developers, due to increased complexities and the delays involved in patent-sharing.^[6]

Security risks involved in using Open Source Software

Despite the advantages that come with the OSS, it has its own set of vulnerabilities. Since the program is made available to the public at large, the possibility of the code being penetrated by malware cannot be negated. This threat, with respect to the security of the code, is considerably greater for open source code, as compared to proprietary codes, where the control over the code is limited to fewer hands who try to eliminate the possibilities of breaches as they may arise. The same may not be possible in the instant case due to the involvement of an extremely wide user base.

Thus, the open-source model places a wide range of obligations and responsibilities on part of the developers, as they are required to identify and to patch and remediate the vulnerabilities in the OSS in an urgent manner.

Open Source programs in India: Discussion in light of NODE

The effects of the open-source movement have been felt in India as well and today some of the largest e-governance projects and start-ups in India are running on open source.[7] In 2015, the Government of India launched the Digital India Programme which establishes open source as the most important aspect of Digital India.[8] Since then, several policy frameworks aimed to institutionalize the open-source model for e-governance projects in India have emerged such as the Policy on Adoption of Open Source Software for Government of India and Policy on Open Application Programming Interfaces (APIs) for the Government of India. Moreover, the Framework For Adoption of Open Source Software In e-Governance Systems clearly stipulates that “Government of India shall endeavour to adopt Open Source Software in all e-Governance systems implemented by various Government organizations, as a preferred option in comparison to Closed Source Software.”^[9]

More recently, the Ministry of Electronics and Information Technology (“MeitY”) had recently released a consultation whitepaper^[10] (“the whitepaper”) on the Strategy for National Open Data Ecosystem (“NODE”) and invited public comments on the same.^[11] It comes as the final step (GovTech 3.0) as a part of the GovTech or the digital governance program of the Government, that aims to enable an ecosystem that would leverage “digital  platforms for transformative social, economic, and governance impact, through a citizen-centric approach.”^[12]

The whitepaper defines NODE or GovTech 3.0 as “Open and secure delivery platforms, anchored by transparent governance mechanisms, which enable a community of partners to unlock innovative solutions, to transform societal outcomes.”[13] The whitepaper defines NODE as a shared and open platform that is based upon open API and standards and open-source code.

It would be pertinent to note here that while the whitepaper defines the term open it remains unclear as to what it refers to as the principles of openness and their application. Thus, while the whitepaper makes mention of open standards throughout its course, it is not open and remains silent as to how these standards would be implemented.

It would also be pertinent to note here that the terms such as openness, open standards, open codes, have been defined by the Government in its previous policies. However, the present whitepaper seems to be in complete disregard of these existing policies and the notions of openness attached to them and it instead provides new and ambiguous definitions of the terms contained therein, without providing a rationale for the same.

The 2014 Policy on Adoption of Open Source Software for Government of India, for instance, provides for a much wider ambit and a lucid understanding as regards to the definition of openness. Under this policy, open-source implies the availability of the source code to the community/adopter/end-user so as to enable the user to study and modify the software and even redistribute copies of either the original or modified software.^[14] Thus, as opposed to NODE (which, as it presently stands, refers to open as to merely opening the source code), the 2014 Policy provides not barely the access to the code, but also allows the user to modify and redistribute such enhanced software. Similarly, NODE can also be seen to be not in consonance with the Policy on Open APIs, issued by the MeitY, which provides that the government organizations shall make use of open APIs for quick and transparent integration with the digital governance applications.^[15]

Thus, presently, there exist conflicting views with respect to the principle of openness. It, therefore, calls for attention by the MeitY to reconcile the differences, in relation to the applicability and the standards of openness, which are present in the policy framework, so as to provide a clear understanding of the subject matter.

Another issue in the NODE policy comes with regard to security and data privacy. It is evident from the Principles for the Design of Delivery Platforms,[16] contained in the whitepaper, that digital governance would be ensured by transfer and sharing of data of the individuals between various departments of the government, so as to provide access to the services to the under NODE. Moreover, this structure also envisages public-private partnerships so as to provide better services to the individuals, however, no details with respect to maintaining data security in such cases are provided by the whitepaper. This raises serious concerns in connection to data privacy under NODE, which is based on the free flow of data between various departments and sectors. While the principle 4 contained in the whitepaper seeks to ensure data security and privacy, it does not seem to be in conformity with the protective framework, envisioned under the Personal Data Protection Bill, 2019 (“PDP Bill”).

It must be noted here that at present, India does not have comprehensive legislation that relates to personal data protection. Since the PDP Bill is pending, thus the law governing autonomy over personal data continues to be guided by the 2017 judgment of the Apex Court in the case of K.S. Puttaswamy v. Union of India.^[17]

It, however, becomes pertinent to address the legal position of the NODE framework with respect to the PDP Bill, as the government intends to introduce and establish it as the governing law in India that is aimed to protect the personal data of the individuals from the public as well as the private bodies. Here, reference must be made to Section 24 of the PDP Bill which places on obligation on the data fiduciaries to implement security safeguards “such as de-identification and encryption; steps necessary to protect the integrity of personal data and steps necessary to prevent its misuse, unauthorized access to modification, disclosure or destruction of personal data.”^[18]

However, the principles of data protection, as provided under the PDP Bill, are not addressed by the NODE framework. It needs to be ensured under the NODE framework, that provides for the free flow of data in various levels, that the data of the individual is protected at each stage and till the time it is removed from the database. It would, therefore, be appropriate to say here that an open data ecosystem, as envisioned under the NODE program, can only prove to be functional when the foundation in form of a data protection framework has been laid, such that it ensures data security at all levels, against public and private entities alike.

Conclusion

Upon bare perusal of the Strategy on a NODE, as has been furthered by the MeitY, it becomes abundantly clear that the government has had its doubts and reservations with regards to this model of openness. Thus, the framework appears to be bearing the form of an open washing project, that is, while it is repeatedly asserted that the strategy is based on the principle of openness, this openness seems to have a mere superficial existence as it currently provides for a closed operation. Moreover, NODE is not in line with the existing policy framework around the open-source or open API, as can be seen from the above discussion, adding to the ambiguity.

Another factor that casts serious doubts as regards to the feasibility of the NODE program or any other digital governance system based on open standards is the lack of data protection regime in India. While the Estonian model of governance is referred to in the whitepaper multiple times,^[19] it must be understood that a similar framework cannot be implemented at present in India, due to the difference in the level of social and legal environments of the two states. The Estonian model, while being based on the principle of openness, provides that the data ownership lies with the individual and thus limiting the openness of data.^[20] Secondly,  it must also be remembered that this digital ecosystem in Estonia, is backed by a strong data protection law, which is not the case in India.

Additionally, it remains unclear as to what object does the NODE framework seeks to achieve. The whitepaper fails to point out the fallacies or considerable concerns with respect to the prevailing system of governance and it also does not provide any solutions to the same. This makes the position of the NODE framework exceedingly precarious as to whether it will be able to achieve the desired results.

Thus, the current model of digital governance seems to be rushed into. Before such a system can be adopted and implemented in India, it is of utmost importance that a data protection framework is laid out, which would act as a building block for the e-governance system and thus, reinforcing it. Therefore, data security needs to be prioritized to ensure the smooth functioning of such a system which would ensure that the mistakes of the Aadhaar regime are not repeated in the NODE framework.

This article can be cited as:

Bluebook, 20th edn.: “Rishabh Chhabaria, The viability of open-source programs in India: A critical analysis w.r.t. the NODE programme, GoI, Metacept – InfoTech and IPR, accessible at https://metacept.com/the-viability-of-open-source-programs-in-india-a-critical-analysis-w-r-t-the-node-programme-goi/ .”

References:

---

^[1] What is open source? Opensource.com, https://opensource.com/resources/what-open-source.

^[2] ERIC RAYMOND, THE CATHEDRAL and the BAZAAR (O’Reilly Media, 1999).

^[3] Bretthauer, David, Open Source Software: A History, Uconn Library (Dec. 26, 2001), https://opencommons.uconn.edu/libr_pubs/7/.

^[4] Richard Stallman, Misinterpreting Copyright—A Series of Errors, GNU Operating System, https://www.gnu.org/philosophy/misinterpreting-copyright.en.html.

^[5] Closing the software patent loophole: Professor Lemley’s new proposal, Opensource.com, https://opensource.com/law/12/9/closing-software-patent-loophole-professor-lemleys-new-proposal.

^[6] Open source software in the shoes of intellectual property, Lexology (Dec. 31, 2012), https://www.lexology.com/library/detail.aspx?g=60f7c0f3-5c7a-4a95-8af4-e943d0b914ca.

^[7] Jacob Koshy, What is the state of ‘open source’ in India today?, The Hindu (Jan. 10, 2020), https://www.thehindu.com/opinion/op-ed/what-is-the-state-of-open-source-in-india-today/article30526393.ece/amp/.

^[8] Open Source — an extremely important aspect of Digital India!, Digital India (Jun. 25, 2019), https://digitalindia.gov.in/content/open-source-%E2%80%94-extremely-important-aspect-digital-india#:~:text=Different%20persons%20may%20have%20different,policies%20related%20to%20Open%20Source.&text=Open%20source%20as%20a%20preferred,open%20source%20and%20its%20approach.

^[9] Ministry of Communications and Information Technology,  Framework For Adoption of Open Source Software In e-Governance Systems, (Apr., 2015),http://egovstandards.gov.in/sites/default/files/Framework%20for%20Adoption%20of%20Open%20Source%20Software%20in%20e-Governance%20Systems.pdf.

^[10] Ministry of Electronics and Information Technology, Strategy for National Open Data Ecosystem (NODE), https://static.mygov.in/rest/s3fs-public/mygov_158219311451553221.pdf.

^[11] Inviting suggestions on Strategy for National Open Digital Ecosystems (NODE), My Gov, https://www.mygov.in/group-issue/inviting-suggestions-strategy-national-open-digital-ecosystems-node/.

^[12] Supra note 10.

^[13] Id.

^[14] Ministry of Communication & Information Technology, Policy on Adoption of Open Source Software for Government of India, https://meity.gov.in/writereaddata/files/policy_on_adoption_of_oss.pdf.

^[15] Ministry of Communications & Information Technology, Policy on Open Application Programming Interfaces (APIs) for Government of India, https://meity.gov.in/writereaddata/files/Open_APIs_19May2015.pdf.

^[16] Supra note 10.

^[17] K.S Puttaswamy & Anr. v. Union of India, (2017) 10 SCC 1.

^[18] Section 24, The Personal Data Protection Bill, 2019.

^[19] Supra note 10.

^[20] Helen Margetts and Andre Naumann, Government as a Platform: What can Estonia Show the World? University of Oxford DPIR (Feb. 28, 2017), https://www.politics.ox.ac.uk/publications/government-as-a-platform-what-can-estonia-show-the-world.html.