12 How open source software helps you control your self-sovereign identity

Richard Esplin

All internet infrastructure depends to a great degree on open source software, simply because this foundational layer must be, in the words of Doc Searls and David Weinberger, “NEA: No one owns it; Everyone can use it; Anyone can improve it.” But with SSI, open source plays an even more important role. To explain this, we have tapped Richard Esplin, who for eight years held roles in sales, marketing, and product management at Alfresco, the largest open source content management system (CMS) company (acquired in 2020 by Hyland Software), and more recently director of product management at Evernym.

In 1984, the technology journalist Steven Levy published his first major book, Hackers: Heroes of the Computer Revolution [1]. Using the original meaning of the term hacker, he celebrated those pioneers in technology whose ingenuity and intellectual playfulness exemplified the positive impact of engineering. (As we explain in more detail in chapter 13, these hackers are offended when their label is applied to those who maliciously break into computer systems; hackers call them crackers [2].) At the conference to launch the book, the attendees debated the future of software technology. Stewart Brand is reported to have said the following [3]:

On the one hand information wants to be expensive, because it’s so valuable. The right information in the right place just changes your life. On the other hand, information wants to be free, because the cost of getting it out is getting lower and lower all the time. So you have these two fighting against each other.

This tension has always existed in technology and has serious implications for our digital identities. The software industry has a strong motivation to commercialize the information that makes up our digital identities and has reaped large rewards in the process. This drive for profit meets resistance from a subset of activists and civic technologists who follow the mantra that “Information wants to be free.” They believe that society is harmed by the restriction of information, especially scientific and technical knowledge, and so encourage sharing the source code necessary to modify their software so that users have visibility into the way the software operates and can exercise control.

This approach to software development goes by different names depending on the motivation of the speaker. Those who believe sharing source code is an ethical duty because it contributes to people’s freedom call it free software or libre software. The term libre is intended to highlight the freedom of usage and the openness of engineering and is often contrasted with the term gratis to say that the movement is about more than just saving money. Free software helps democratize access to technology, increases the accountability of technology vendors, and ensures users’ freedom to control the digital tools they use. Those who use the term open source generally focus on the engineering benefits that come with providing access to the source code: faster innovation, higher quality, wider collaboration, and improved competitiveness in the marketplace.

To fully understand the world of self-sovereign identity (SSI) and the impact it can have on society, you need to know about the importance of the free software and open source movements. If you are already familiar with these concepts, you can skip to the next chapter to continue digging deeper on how decentralization shapes the SSI world.

12.1 The origin of free software

The attitude that software should be shared dates to the dawn of computing. Computational theory was conceived as a branch of mathematics in the early 20th century, and digital computation technology was developed by governmental and academic researchers who were accustomed to publishing their results. By the 1950s, it was possible to buy general-purpose computer hardware, but the software was not seen as an independent product, and users commonly exchanged code the same as they exchanged other technical information about their machines [4].

Technology user groups developed along with the industry, such as SHARE (https://www.share.org), which was founded by IBM users in 1955. It was in this environment that the seminal operating system Unix was created at AT&T Bell Labs, which distributed it along with the source code to academic institutions due to an antitrust settlement with the United States government that prevented AT&T from commercializing the product [5]. The adoption and broad influence of Unix were fueled by this culture of investigating, modifying, and sharing enhancements to the operating system. This eventually resulted in a free distribution of Unix (BSD) from the University of California at Berkeley that included the source code.

As the industry matured, hobbyists started experimenting with software tools outside of work. The Homebrew Computer Club nurtured great Silicon Valley entrepreneurs like Steve Jobs and Steve Wozniak as they developed the ideas that would later become Apple Software [6]. These computer clubs were also famous places to share software, which in 1975 prompted a young Bill Gates, the founder of “Micro-Soft,” to publish an “Open Letter to Hobbyists” in which he argued that what the hobbyists called “sharing” was actually stealing and would prevent a commercial software industry from being successful [7]. From that time on, most of the software industry has worked to boost the value of software by limiting its distribution and restricting access to the source code.

Some responded to the push for restrictions by increasing their efforts to share. While working as a graduate student at the Massachusetts Institute of Technology, a talented software engineer named Richard Stallman was frustrated when his co-workers in the AI lab were hired away by a company that refused to allow them to continue collaborating with him. He saw this lack of cooperation as offensive and unethical. In response, he focused on independently replicating the company’s product and releasing it as a free clone. When he proved successful at matching the work of that team of engineers, he broadened his ambition and in 1983 announced his plan to create a freely available replica of all of Unix, named GNU (a self-referential acronym for GNU’s Not Unix) [8].

Achieving Stallman’s goal of a free Unix-compatible operating system that would encourage sharing and cooperation would require innovations beyond software. In 1985, Stallman founded the Free Software Foundation (https://www.fsf.org) to collect donations, coordinate governance, and sponsor advocacy for free software projects. Working through the Foundation, Stallman identified four essential freedoms that a program’s users must have (numbered from zero “for historical reasons”) [9]:

  1. The freedom to run the program as you wish, for any purpose.

  2. The freedom to study how the program works and change it so it does your computing as you wish. Access to the source code is a precondition for this.

  3. The freedom to redistribute copies so you can help others.

  4. The freedom to distribute copies of your modified versions to others. By doing this, you can give the whole community a chance to benefit from your changes. Access to the source code is a precondition for this.

Stallman wanted to guarantee these freedoms to users of free software even when the software was received through intermediaries. In 1989, he devised a legal tool that would protect user freedom by cunningly employing copyright law and software licenses—the same techniques that others use to prevent software sharing. Copyright restricts the copying of software without permission from the author, and that permission often comes in the form of a software license that dictates the terms of use. Stallman’s software license, the GNU General Public License (GPL), requires that the source code be included with any copy of the software. Further, if a developer chooses to include that code in another program, then the combined work can only legally be distributed under the terms of the GPL. Stallman branded this clever use of copyright to require sharing “copyleft.”

By 1991, the GNU project contained most of the components for a functional operating system, but it still lacked a kernel, which is the part that interfaces with the hardware and orchestrates all the programs. That year, a University of Helsinki student named Linus Torvalds bought a new Intel 386 PC and wrote a kernel as a learning exercise. By combining his kernel with the GNU tools, it was possible to assemble a functional Unix-compatible operating system for personal computers. Torvalds shared his kernel on the pre-web internet to see if it would be useful to anyone who might contribute improvements. He was surprised that people around the world used his work and suggested improvements.

This new operating system was soon called Linux, even though calling it GNU/Linux would have been more correct (as free software advocates like to emphasize). To manage the many contributions, and because he benefited from GNU tools during development, Torvalds changed the license to the GNU GPL near the first anniversary of development. Over time, Torvalds has been clear that he chose that license not as a political statement about the ethics of free software, but because sharing source code is a better approach to engineering [10].

12.2 Wooing businesses with open source

To explain why sharing source code results in better products, early Linux contributor and self-styled hacker anthropologist Eric Raymond drew a distinction between the top-down development of a cathedral and the competing agendas of a bazaar. Both can produce economic value, but as each person in the bazaar “scratches their own itch,” the bazaar benefits from the competition of ideas and adapts to the participants’ needs. The project also benefits from the differing perspectives of a large group of developers, as what is complex to one might be simple to another—or, as Raymond says, “Given enough eyeballs, all bugs are shallow” [11]. Aside from these pragmatic benefits, many developers see the bazaar’s individually driven collaborative development model as more fun than cathedral-style engineering.

Linux wasn’t the only software project to benefit from an open development model. The National Center for Supercomputing Applications (NCSA) at the University of Illinois at Urbana-Champaign released a free program that would allow people to publish information on the brand new World Wide Web. NCSA wasn’t interested in continuing development, but the code was available, and other developers were motivated to improve it. They self-organized as the Apache Group, and within a few years, the Apache HTTP Server was the most popular web server on the internet.

By the mid-1990s, new companies like Red Hat and SUSE were attempting to commercialize the thriving ecosystem of free software. These young businesses found it challenging to explain their emerging business models because of the countercultural style of development. Business leaders often assumed that free software could not be sold—that “free” referred to price instead of legal rights and freedoms. The ethical stance taken by Stallman and the Free Software Foundation was seen as a distraction from the commercial conversation about the benefits of collaborative development.

Regardless, the free software movement started to get significant commercial attention in 1998. First, Netscape announced it would release the source code for its web browser, which would eventually evolve into Mozilla Firefox. Next, IBM announced it would be contributing to the Apache HTTP Server. And finally, Oracle announced it would port its flagship database to Linux. These announcements pushed free software into the mainstream, and the question of how to make the free software brand palatable to businesses became a common topic at free software conferences.

By the end of 1998, most developers were using the term open source, as coined by Christine Peterson, the founder of the Foresight Institute [12]. The Open Source Initiative (https://opensource.org) was established as a legal entity to hold the trademark and arbitrate which software licenses would qualify as providing sufficient protection for user freedom. The Open Source Initiative approved a wider range of licenses than the Free Software Foundation, accommodating various commercial models; however, businesses and consumers could still have confidence that software distributed under an approved open source license would protect the four essential freedoms described by Stallman.

Although many developers immediately embraced the open source brand, Richard Stallman represents a significant faction who refuse to use the term because it doesn’t sufficiently emphasize freedom. In his words, “While a free program by any other name would give you the same freedom today, establishing freedom in a lasting way depends above all on teaching people to value freedom” [13]. As the many points of view in this book illustrate, these kinds of disagreements happen in all communities—which is why governance systems must be carefully designed (see chapter 11).

12.3 How open source works in practice

The Voyager 1 spacecraft was launched in September 1977 and exited the solar envelope on August 25, 2012. Although the probe completed its primary mission in November 1980 with a flyby of Saturn, it is expected to continue transmitting data until 2025 [14]. For NASA to keep receiving data from the spacecraft, the probe’s antenna has to stay pointed at Earth. Because the attitude control thrusters had degraded, in November 2017 the team decided to use the trajectory correction maneuver thrusters for the first time in nearly 40 years, and for a purpose different from the one they had been designed for.

To achieve this task, the engineers had to study the original source code. To everyone’s relief, the maneuver was successful, which will allow NASA to continue receiving data from the probe for a few years longer than previously expected [15]. NASA’s control over the software in the spacecraft yielded two important benefits: first, NASA could study the software to better understand it. And second, NASA could modify it to meet a different use case than the one for which it had originally been designed.

NASA applied these lessons while designing missions to visit Europa. It selected an open source content management system to model the relationships between the components on the craft (https://github.com/Open-MBEE). The system designers had not envisioned this use case, but they recognized that it took advantage of the system’s strengths. In addition to the benefits of being able to study and modify the code, NASA wanted others to collaborate in developing the solution [16]. It seemed unlikely that NASA would find external contributors for such a niche need, but within a year, the organization was contacted by a major aerospace company that wanted to work together [17]. Another win for open source!

This example highlights some of the reasons why many modern enterprise technology companies market open source solutions. Buyers have a perception that open source solutions will prevent vendor lock-in, be available at a lower cost, receive faster innovation, and be more secure. These benefits become possible only when software freedom is respected, which is determined by the license under which the software is distributed.

As mentioned earlier, Linux is distributed under the GNU GPL, which was authored by Richard Stallman. This software license protects the four essential freedoms of downstream users by restricting developers who choose to use GPL code. If a developer chooses to redistribute a program that benefits from GPL software, the developer cannot select the resulting program’s license—it must be redistributed under the GPL, and the source code of any original intellectual property must also be shared. This “viral” nature is why in 2001, the CEO of Microsoft called Linux “a cancer,” as it spreads to downstream products [18]. However, it is important to recognize that individuals and organizations that adopt GPL products for their own use are not redistributing the software. In this case, the GPL has no impact on other intellectual property.

The Apache Group chose a different approach when it adapted the license used by Berkeley’s Unix distribution. The Apache License allows recipients to do whatever they want with the source code, including incorporating the software into a proprietary product that does not grant downstream users freedom. It is similar to the American concept of dedicating software to the public domain, but with consistent protections for authors and users across legal jurisdictions. This unrestricted usage allows commercial interests to participate in collaborative development without giving up control of their business models.

Bruce Perens, the creator of the Open Source Definition, summarized the three basic approaches to open source licensing that will meet most goals [19]:

  1. A gift license, like the Apache license, which promotes spreading standards through widespread adoption.

  2. A sharing with rules license, like the GPL, which ensures that people share under the same terms as they receive.

  3. An in-between license, like the GNU Lesser General Public License (LGPL), which requires people to share their modifications to a program but not to release the larger work that incorporates it. This allows inclusion in proprietary programs but still encourages some sharing.

Perens later recognized an additional model: a time-based license, such as the Business Source License (BSL, https://mariadb.com/bsl11), which is a restrictive license that converts to an open source license at some point in the future—four years at most. This allows commercial developers to recoup their development costs while still providing the guarantees of open source to users [20].

While an open source license enables software freedom, most of the benefits of open source require community development. As important as the Apache HTTP Server is to the history of technology, the Apache Group’s biggest innovation was the democratic process it adopted to develop software collaboratively. As the Apache Group matured into the Apache Software Foundation (http://apache.org), its governance model matured to allow contributors from all backgrounds to collaborate without a single entity taking control of the software project, even when participants have competing commercial interests. This is important for avoiding vendor lock-in to the technology and insuring the project against the risk of a participant ceasing to contribute.

In chapter 11, you can see that SSI solutions add layers of governance on top of the models adopted by open source communities. These governance frameworks use many of the same practices to establish trust, align incentives, and resolve conflict. This is starting to be called open governance.

Finally, the benefits of open source also depend on the adoption of open standards. These standards allow users to migrate between software packages as their needs change over time and interoperate with users who select other software packages. Most developers of SSI solutions are already basing their work on two open standards from the World Wide Web Consortium (W3C): the Verifiable Credentials Data Model 1.0 standard (https://w3c.github.io/vc-data-model) for how to format and digitally sign interoperable verifiable credentials (chapter 7) and the DID Core Specification (https://w3c-ccg.github.io/did-spec) for how to create, read, update, and delete a decentralized identifier (DID) and its associated DID document (chapter 8).

12.4 Open source and digital identities

The fundamental goal of digital identity solutions is to establish trust between individuals and organizations. Noted security researcher and public-interest technologist Bruce Schneier identifies four methods that society uses to enforce trustworthy behavior: morals, reputation, laws, and technical systems [21]. Professor of constitutional law Lawrence Lessig points out that as our society’s dependence on information technology increases—as code becomes a regulator of behavior—technical systems become more central to our experience in a democracy. To preserve our rights, we need the ability to analyze the code and algorithms used in those systems [22].

While the rights protected by open source software are important for operating systems, web browsers, and spacecraft, they are far more important for our digital identities. As our world becomes more connected, our identity systems become increasingly “mission-critical” for our lives. Governments, businesses, and charities push for the adoption of digital identity systems to reduce the cost of completing their missions. Too often, these systems are designed to protect corporations’ interests, not the rights of users as individuals. Source code secrecy encourages such abuse.

Real-world examples of such problems are easy to come by. Mark Zuckerberg, the founder of Facebook, announced in 2019 that “the future is private” [23]. This apparent change in policy was a response to widespread public outcry after people learned how Facebook’s proprietary algorithms were used. Among other transgressions, people criticized how Facebook’s system

  • Manipulated user emotions without consent [24]

  • Shared user data with Cambridge Analytica for political use [25]

  • Stole email contact data [26]

Similarly, the American consumer credit reporting agency Equifax has suffered from a series of data breaches culminating in the 2017 exposure of 143 million Americans’ private information (for a detailed list compiled by technology journalist and security researcher Brian Krebs, see https://krebsonsecurity.com/tag/equifax [27]). Equifax’s lack of transparency prevented the public from understanding what information was being collected on individuals, who that information was being shared with, and how poor their security systems were.

Government programs are similarly vulnerable to abuse when systems are built with proprietary source code, secret algorithms, and unknowable security. India’s Aadhaar program to create a centralized database of biometric and identity information has been criticized for

  • Not reducing corruption [28]

  • Excluding vulnerable members of society [29]

  • Being required in inappropriate contexts [30]

  • Being accessed improperly [31]

All of these results contradict the noble goals of the program.

One more example: China’s emerging social credit system, although intended to increase the trust necessary to do business [32], is being used to prevent people from complaining about local authorities even before its nationwide rollout [33].

Contrast these identity failures with the system that humanitarian NGO iRespond deployed among the Myanmar refugees in Thailand. As documented in Newsweek, the system is designed to put each individual in control of their data [34]. Although individual refugees might not have the skills necessary to examine the system’s open source components, they benefit from the analysis of many researchers who have made suggestions for improvements. The open standards used to implement the system are intended to allow the refugees to take their digital identities with them when they leave the camp [35].

This chapter demonstrates why it is imperative that identity solutions claiming to be self-sovereign be open source. Each identity holder must have the legal right to examine the software that provides their digital identity and to collaborate with a community that can modify that software for as long as it is useful. As these systems adopt open standards, the identity owner’s scope for autonomy increases further. The ability to exercise our rights as individuals and citizens is no accident; to enjoy our rights, we as citizens and consumers must hold governments and vendors accountable for providing digital systems we can control.

The movement to promote software freedom with open source development contributed to the emergence and evolution of self-sovereign identity. In the next chapter, we explore how the cypherpunks built on that foundation as they created Bitcoin and other blockchain technologies that early SSI solutions use. As with free software, the philosophy behind their work is as important as their technical innovations.

SSI Resources

To learn more about how open source makes SSI possible, please check out https://ssimeetup.org/self-sovereign-identity-ssi-open-source-richard-esplin-webinar-16.

References

1. Levy, Steven. 1984. Hackers: Heroes of the Computer Revolution. Anchor Press/Doubleday.

2. Raymond, Eric S. 2004. “Hacker.” The Jargon File v4.4.8. www.catb.org/jargon/html/H/hacker.html.

3. Levy, Steven. 2014. “‘Hackers’ and ‘Information Wants to Be Free.’” Backchannel. https://medium.com/backchannel/the-definitive-story-of-information-wants-to-be-free-a8d95427641c.

4. Grad, Burton. 2015. “Software Industry.” Engineering and Technology History Wiki. https://ethw.org/Software_Industry.

5. Toomey, Warren. 2011. “The Strange Birth and Long Life of Unix.” IEEE Spectrum. https://spectrum.ieee.org/computing/software/the-strange-birth-and-long-life-of-unix.

6. Levy, Steven. 2010. Hackers: Heroes of the Computer Revolution, 25th Anniversary Edition. O’Reilly Media, Inc.

7. Gates, William Henry III. 1976. “An Open Letter to Hobbyists.” Homebrew Computer Club Newsletter 2 (1). www.digibarn.com/collections/newsletters/homebrew/V2_01/gatesletter.html.

8. Williams, Sam. 2002. Free as in Freedom: Richard Stallman’s Crusade for Free Software. O’Reilly Media, Inc. Available online at Project Gutenberg: www.gutenberg.org/ebooks/5768. An updated version with changes by Richard Stallman was produced in 2010: https://www.fsf.org/faif.

9. Stallman, Richard. 2001. “What Is Free Software?” https://www.gnu.org/philosophy/free-sw.en.html.

10. Torvalds, Linus and David Diamond. 2001. Just for Fun: The Story of an Accidental Revolutionary. Harper Collins.

11. Raymond, Eric S. 2001. The Cathedral & the Bazaar: Musings on Linux and Open Source by an Accidental Revolutionary. O’Reilly Media, Inc.

12. Moody, Glyn. 2001. Rebel Code: Inside Linux and the Open Source Revolution. Perseus Publishing.

13. Stallman, Richard. 2007. “Why Open Source Misses the Point of Free Software.” https://www.gnu.org/philosophy/open-source-misses-the-point.html.

14. NASA JPL. n.d. https://voyager.jpl.nasa.gov/frequently-asked-questions.

15. NASA JPL. n.d. https://voyager.jpl.nasa.gov/news/details.php?article_id=108.

16. Esplin, Richard. 2014. “Alfresco Tech Talk Live 81: Alfresco as a Model-Based Engineering Environment.” https://www.youtube.com/watch?v=SD1PFNLoc14.

17. Personal experience of the author.

18. Newbart, Dave. 2001. “Microsoft CEO Takes Launch Break with the Sun-Times.” Chicago Sun-Times (June 1).

19. Perens, Bruce. 2009. “How Many Open Source Licenses Do You Need?” Datamation. https://www.datamation.com/osrc/article.php/3803101/Bruce-Perens-How-Many-Open-Source-Licenses-Do-You-Need.htm.

20. Perens, Bruce. 2017. “MariaDB Fixes Its Business Source License With My Help, Releases MaxScale 2.1 Database Routing Proxy.” https://perens.com/2017/02/14/bsl-1-1.

21. Schneier, Bruce. 2012. Liars and Outliers: Enabling the Trust that Society Needs to Thrive. Wiley.

22. Lessig, Lawrence. 2006. Code: Version 2.0. Basic Books.

23. Kleinman, Zoe. 2019. “Facebook Boss Reveals Changes in Response to Criticism.” BBC News. https://www.bbc.com/news/technology-48107268.

24. BBC News. 2014. “Facebook Emotion Experiment Sparks Criticism.” https://www.bbc.com/news/technology-28051930.

25. BBC News. 2018. “Facebook Appeals Against Cambridge Analytica Fine.” https://www.bbc.com/news/technology-46292818.

26. BBC News. 2019. “Facebook copied email contacts of 1.5 million users.” https://www.bbc.com/news/technology-47974574.

27. Gressin, Seena. 2017. “The Equifax Data Breach: What to Do.” Federal Trade Commission. https://www.consumer.ftc.gov/blog/2017/09/equifax-data-breach-what-do.

28. Khera, Reetika. 2017. “Impact of Aadhaar in Welfare Programmes.” SSRN. https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3045235.

29. Sinha, Dipa. 2018. “Aadhaar—A Tool for Exclusion.” Swarajya. https://swarajyamag.com/magazine/aadhaar—-a-tool-for-exclusion.

30. Dixit, Pranav. 2017. “Amazon Is Asking Indians to Hand Over Their Aadhaar, India’s Controversial Biometric ID, to Track Lost Packages.” BuzzFeed News. https://www.buzzfeednews.com/article/pranavdixit/amazon-is-asking-indians-to-hand-over-their-aadhaar-indias.

31. Khaira, Rachna. 2018. “Rs 500, 10 Minutes, and You Have Access to Billion Aadhaar Details.” The Tribune. https://www.tribuneindia.com/news/nation/rs-500-10-minutes-and-you-have-access-to-billion-aadhaar-details/523361.html.

32. Pak, Jennifer. 2018. “Inside China’s ‘Social Credit’ System, Which Blacklists Citizens.” Marketplace. https://www.marketplace.org/2018/02/13/world/social-credit-score-china-blacklisted.

33. Mistreanu, Simina. 2019. “Fears About China’s Social-Credit System Are Probably Overblown, but It Will Still Be Chilling.” The Washington Post. https://www.washingtonpost.com/opinions/2019/03/08/fears-about-chinas-social-credit-system-are-probably-overblown-it-will-still-be-chilling.

34. Piore, Adam. 2019. “Can Blockchain Finally Give Us the Digital Privacy We Deserve?” Newsweek. https://www.newsweek.com/2019/03/08/can-blockchain-finally-give-us-digital-privacy-we-deserve-1340689.html.

35. Sovrin. 2019. “Use Case Spotlight: iRespond, Using Sovrin to Provide NGOs with Trusted Digital Identity Systems.” https://sovrin.org/use-case-spotlight-irespond-using-sovrin-to-provide-ngos-with-trusted-digital-identity-systems.
