Our system is not open source but compliant with open standards. Is it a DPG?

Answer:

No, unfortunately, your system is not a Digital Public Good.

A system that is based on open protocols or standards will in most cases be better than, and preferable to, a system that is not, but simply basing a system or platform on an open protocol is not sufficient to define it as a digital public good. The system also needs to be released under an open source license, and it needs to comply with all 9 indicators in the standard.

Why require the source code to be under an open source license to be defined as a DPG? There are many reasons for this; I will focus on the most important ones when it comes to larger systems that are defined as infrastructure.

Let us start with a thought experiment. A technology company creates a brilliant system to handle mobile payment between individuals, companies and government. They are also working on a concept that would run elections. Let us say that their primary market is East Africa. They develop their system based on open protocols and standards but keep the source code closed because their business model is to sell the core system to governments. They are successful and sell the system to 15 countries in East and South Africa, and because they have developed the system with open protocols, they attract more than 100 companies that develop services and integrations towards their system. The interoperability and protocols also make it possible to send payments between users in different countries. So far this looks like a success story and a fantastic example of a DPG, right?

The problem is that the core source code now runs in 15, soon to be 20, African countries, and the vendor has full control over this source code. The countries do not; they are merely tenants, paying rent. This single vendor now has full market control, and the community of small companies that are integrated is fully dependent on the core system vendor. There are many examples of how this can go terribly wrong, but let me just ask the following questions:

  • What is to stop this vendor from adding key features that are beyond the standards and protocols, and making those features mandatory both towards partners and customers? This will make it impossible for other core system vendors to integrate.
  • The Digital Public Goods standard has a “do no harm by design” requirement. How are we to verify this without inspecting the source code?
  • What is to stop this vendor from creating a backdoor and selling user information from transactions? Only the vendor can inspect the source code.
  • What is to prevent this vendor from raising prices for customers and transaction costs for the partners? The exit cost for a country will be very high, and they cannot ask another vendor to take over the maintenance of the code. They do not own the code.
  • What is to prevent the vendor from shutting a government out of the system if they do not make payments on time? If this is a core infrastructure system it would have serious consequences.
  • If this was not a payment system but an election system, what is to prevent the vendor from rigging the count in favour of one of the candidates? No one can inspect the source code to verify.

All of these problems are more likely to be solved in a much better way if the source code is under an open license. A country should have control over its own digital infrastructure, and be able to choose its vendor, and change the vendor if needed, without having to replace the whole infrastructure.

One single company should not be able to take control over important markets, and one single company should not have control over national critical infrastructure in any country. Systems that are defined as critical infrastructure influence a country’s digital sovereignty, and having control and ownership over these types of systems will always be a minimum requirement.

Open protocols do not ensure this, open source does.