[CAVO] Update on La County

Patrick Masson masson at opensource.org
Fri Nov 2 18:19:08 UTC 2018 

Hello Friends of CAVO,

I wanted to give an update on the OSI's discussions with the LA County
Registrar-Recorder/County Clerk regarding their "Open-Source Election
Technology," Voting Solutions for All People (VSAP). After a few emails
with various legal and business offices, I was offered an opportunity
to discuss the program with the Registrar's office directly. I spoke
with, Aaron Nevarez, Division Manager, Governmental & Legislative
Affairs and  Kenneth Bennett, Program Manager, Voting Solutions for All
People.


TLDR: There is no issue, other than LA County conflating the use of
open source software as an internal platform, with the release
(distribution) of open source software. I have explained the OSI's
issues to them, asked them to modify their communications to recognize
this differentiation, and they have agreed. They also invited the OSI
to participate in their planning for the release of VSAP (if the
choose), in order to ensure they are meeting the expectations of the
open source community.


More information: The issue boils down to a (perhaps) naive
understanding, but poorly worded, press release which elevated their
internal adoption of Open Source Software, in support of their
elections system (think infrastructure, or "stack" / "platform") VSAP,
with an implication that the VSAP elections system was Open Source
Software (i.e. was distributed with an OSI Approved License). VSAP is
not Open Source Software, but rather, simply a platform created from
aggregating and customizing, 1. other Open Source applications, 2. Open
Source components, 3. Open Source libraries, and 3. Open Source
infrastructure. As we all know, 1. the label "Open Source Software"
should only be applied to software distributed with an OSI Approved
License, 2.  Open Source licenses only take affect upon distribution
(note the exception of the AGPL), and 3. there is no requirement for
any organization that only downloads, uses, or modifies Free and Open
Source software (never re-distributes or releases derivatives) to make
their internally developed and internally deployed software
available. Thus as LA County is not distributing modified code, or
redistributing Open Source code, there is no obligation for LA County
to apply an OSI license (or any license) or make that code available.
However, it also means that they should not apply the "Open Source"
label to their works while it is an entirely internal implementation.

Per the OSI FAQ:

Q. What if I do not want to distribute my program in source code form?
Or what if I don't want to distribute it in either source or binary
form?
A. ...if you don't distribute at all, then by definition you're not
distributing source code, so you're not distributing anything Open
Source. 
- https://opensource.org/faq#non-distribution

Per the FSF FAQ:

Q. If I only make copies of a GPL-covered program and run them, without
distributing or conveying them to others, what does the license require
of me?
A. Nothing. The GPL does not place any conditions on this activity.
- 
https://www.gnu.org/licenses/gpl-faq.en.html#NoDistributionRequirements



While I know there are issues related to government transparency in
elections systems for many on this list, and clearly the OSI would
recommend Open Source Software to ensure transparency in elections
technologies, those issues are outside the scope of authority for the
OSI. The issues for the OSi are specific to the language used in the
Press Release which implied LA County had developed Open Source
Software, for example:

   1. "Secretary of State Alex Padilla Certifies Los Angeles County’s
New Vote Tally System Making it California’s First Certified Open-
Source Election Technology" should have read, "[...] Making it
California’s First Certified Election Technology Built on Open Source
Technologies" 
   2. Today, California Secretary of State Alex Padilla certified Los
Angeles County’s Voting Solutions for All People (VSAP) Tally Version
1.0, making it the first publicly-owned, open-source election tally
system certified under the California voting systems standards," should
read, "[...] making it the first publicly-owned, election tally system
certified under the California voting systems standards delivered with
open-source software infrastructure."

In all fairness, after speaking with LA County, the following line from
the press release, "Los Angeles County’s VSAP vote tally system is now
California’s first certified election system to use open-source
technology" could be interpreted to appropriately describe the County's
efforts. Although I doubt this, as most software today (96%) includes
some sort of open source software (
https://www.helpnetsecurity.com/2018/05/22/open-source-code-security-risk/
).

Mr. Nevarez and Mr. Bennett also took the time to respond to each of
the questions I submitted. My notes are included (please note these are
my notes, and they have not been reviewed/approved by Mr. Nevarez or
Mr. Bennett):

   1. What open source license is the VSAP software distributed with?
Can you please point me (URL) to the text of that license?
   2. No license is included as the software is for internal use only.
Much of the software used in the development of VSAP, as well as the
software infrastructure, is open source. However again, none of this is
being released / redistributed. Currently LA County is only a consumer
of Free and Open Source Software, i.e. "using an open source stack."
   3. Where is the current code repository (URL), and the location
where the VSAP software can be downloaded (URL)?
      1. While the County does have a GitHub account for development,
it is private.
   4. Did the VSAP developers build the system from scratch, or was
this a derivative work?
      1. VSAP is built with custom code and also uses third party open
source licensed resources.
   5. Secretary Padilla referenced several benefits of open source,
"modernize election administration, security, and transparency",
"publicly-owned technology", how were county and state officials
introduced to, and educated about, about these benefits and maybe
others. (My goal here was to understand how open source was introduced
and apparently accepted--with a true understanding or not--in order to
help us gain adoption with other government agencies.)
      1. Mr. Nevarez and Mr. Bennett mentioned several state and county
initiatives on “new ways to get software certified” with open source
technology, They specifically mentioned Senate Bill 360. They also
suggested reaching out to the Secretary for more details.
   6. Is there a community of practice working with you, i.e. a group
of open source developers who are contributing to the project? (My
interest here was to assess who might be advising them and also if they
have been working with experienced open source communities)
      1. The County currently has an advisory committee called TAC
(Technical Advisory Commission), and is working with the local
community. The County is also planning on hosting a meeting in January
after the elections to discuss how the County may be able to release
VSAP and build a community around the project. The OSI was invited to
participate with a promise to follow up.
      2. There was also an interest in engaging with local area
communities and experts, SCaLE was mentioned? I offered to suggest
other resources as well.

Generally Mr. Nevarez and Mr. Bennett offered:

 * The VSAP implementation was developed as a platform through the use
of “open technologies.” There is some concern about releasing VSAP as
“open source”, due to security concerns, and they my not fully
appreciate the scope of responsibilities (resources) in managing a
project. They also recognized they may not fully appreciate how various
groups may define "Open Source" and the expectations those groups will
have for the use of that term. (I of course highlighted the Open Source
Definition as the standard, but acknowledged issues/differences among
groups, e.g.  around  "Free" and "Open")
 * The primary goal of the County was to obtain certification from the
Secretary of State due to the approaching elections.
 * An emphasis was put on meeting security standards. (I offered to
introduce the County to OSI contacts at security-focused organizations,
e.g. DoD and code.mil).
 * The County is Interested in governance models that ensure
development meets their needs, but also allows other organizations ro
realize benefits from adoption and contribution.
 * Bith Mr. Nevarez and Mr. Bennett highlighted that neither they nor
the Country are meaning to be elusive, but they simply are not sure how
to create a secure community of practice.

I hope this helps. I am happy to discuss.
Patrick




-- 
  ||  |   | || |  ||  ||  | || |  |||  |  |||  

Patrick Masson
General Manager & Director, Open Source Initiative
855 El Camino Real, Ste 13A, #270
Palo Alto, CA 94301
United States
Office: (415) 857-5398
Mobile: (970) 4MASSON
Freenode: OSIMasson
Email: masson at opensource.org
Website: www.opensource.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opensource.org/pipermail/cavo_lists.opensource.org/attachments/20181102/b66b9899/attachment.html>

More information about the CAVO mailing list