Volkswagen, IoT, the NSA and open source software: a quick note

(Attention conservation notice: the most interesting paragraph is the one about project NiFi, starting “Finley also writes…”)

According to Klint Finley in Wired, the lesson from the Volkswagen testing scandal is to use more open source software in more places. In particular, he argues that Internet of Things (IoT) devices should be driven by open source software (even though the VW case was not an IoT case). Here is Finley:

To protect consumers and realize its true promise, the Internet of Things must go the direction of the software and hardware that supports the Internet itself: it must open up…

Today, the vast majority of smart home gadgets, connected cars, wearable devices, and other Internet of Things inhabitants are profoundly closed… Ostensibly, this is for your own protection. If you can’t load your own software, you’re less likely to infect your car, burglar alarm, or heart monitor with a virus. But this opacity is also what helped Volkswagen get away with hiding the software it used to subvert emissions tests.

This seems wrong on two counts.

Finley writes about initiatives like the OpenWrt operating system for embedded devices as an alternative, but a lot of IoT devices already run on Linux. What stops individuals from being able to exert control over their gadgets is the use of Linux permissions structures, not the openness of the OS code. IoT security frameworks will be much like security frameworks on Android and other mobile operating systems: sandboxed applications running in their own user space, using the security features of the operating system. The open source/closed source distinction is essentially irrelevant to the problem.

Finley also writes that the closed nature of some IoT devices “makes it harder to trust that your thermostat isn’t selling your personal info to door-to-door salesmen or handing it out to the National Security Agency.” Which is ironic, because the software that might be handing out your personal info to the NSA is already open source. The NSA NiagaraFiles project routes data among different computer networks and protocols. The NSA recently released this software as open source, and it is now hosted as an Apache project called NiFi. So that is the open source community (in the form of Apache) actively assisting the NSA in its data collection activities. The core developers on the project are all from the NSA and defense contractors (link). And NiFi is being touted as a big thing for IoT applications, so that your personal info can be more effectively routed to more destinations. The NiFi project is one more step in the active collaboration of Apache with the NSA, which I discussed back here and here, and tangentially in my FORTHCOMING BOOK.

The VW case is important and raises some big questions, but open-source vs closed source software is not one of them. For a better take, see Zeynep Tufekci here.

(Full disclosure and openness: in my day job I have some involvement in IoT projects. My employer, FOR WHOM I DO NOT SPEAK, uses a mixture of open source and proprietary code in its work.)