Public-private predicaments

I recently watched a truly excellent talk by the CIO of the German state of Schleswig-Holstein. If you have eighteen minutes to spare and are at all interested in the use of software by governments, treat yourself to the video.

If you have no interest at all in the way governments use software, then I’m hoping this essay might change your mind. Government choices about software are a bit of a big deal already, and are only becoming more so. I could overwhelm you with examples (and I will, in a moment), but they’d all be in support of one point: as the functions done by governments are increasingly digitized, decisions about software procurement and use become ever-more important.

The Schleswig-Holstein example is on the positive side of the ledger. A whole state governing apparatus has switched to the use of Free/Libre and Open Source Software for the majority of its functions, and has plans to make its transition even more complete in the next couple of years. They’re saving money on software licenses, and can then put some of that money into the improvement and implementation of existing, robust and much-used F/LOSS tools.

Schleswig-Holstein has moved away from the use of Microsoft products, which probably feels really prescient for them, watching the newest version of Windows turn into AI-packed spyware (for example: the much-discussed Recall and some very extreme telemetry). They’ve doubled down on the use of open standards in government, at least for documents, and they’re creating an ecosystem within the state to spread around the benefits of using software which is not only not at the mercy of a large, US-based corporation, but which also has the capacity to be modified to suit local needs.

On the other side of the ledger, there are an increasing number of cases where the public sector use of privately-owned software and digital solutions is starting to be an issue. In the Dutch context, the company which provides a key government service, digital IDs harmonized across government websites and affiliated services, is at risk of being acquired by a company based in the United States (summary in English or a little more background in Dutch). Even if we weren’t living in the current geopolitical context, the idea of having a foreign company providing a service which is key to the way residents interact with government feels like a dangerous move. It goes without saying that if the government owned the service itself, rather than contracting with the private sector for that service, being purchased by a foreign company would be a non-starter.

Outside of Europe, the use of Flock cameras by US police departments is demonstrating the risk of overreach in products developed by private companies, but sold to governments. As research from the Electronic Frontier Foundation has pointed out, one of the selling points of Flock’s cameras is that they are networked – and ease of data sharing means that data is only as safe as the practices of the leakiest member of the network.

Who benefits?

These situations I’m characterizing as being on the negative side of the ledger are predicaments in the relationship between the public sector and private suppliers of software and digital solutions (in Flock’s case, this also encompasses hardware). Indeed, they’re predicaments which exist because of the public sector accepting the private sector as its software supplier. The heart of many of these problems is profitability. Why does Microsoft need to chase integration of privacy-disrespecting tools into its software? So that it can keep up with its competitors who are busy doing the same, in the quest for greater profit. Why does Flock need an ever-larger and ever more-integrated network of cameras? Because having the biggest network gives it a competitive advantage, which it can leverage to get yet more customers, and hopefully at ever-higher prices. And why does a company with a captive audience of 18 or so million need to be acquired by another company? I don’t think it’s because that sweet, sweet government contract is at risk of drying up.

Now, before you call me a socialist (which would be fine, really) or tell me that governments aren’t competent enough to make software, think for a moment about what you want from the software that runs public services. It should be reliable, right? And maybe it should abide by the laws of the jurisdiction in which it’s being used. Ideally, it should have the interests of the people it’s serving as part of its design, when it comes to things like privacy and data ownership. We could go out on a limb and say that it should be running on computers that are located in the places being governed through its use. If we stop to make that wish list, chances are good that “generates profit for a company” isn’t very high in the rankings. But this is fundamentally what’s happening. The sale of identity authentication for the Dutch population is in the service of profit, not in the service of good governance. The expansion of the Flock network is absolutely not in the best interests of individuals living in the jurisdictions where those cameras are being used. And our old friend Microsoft, which has made every day April Fool’s Day by renaming its productivity suite in honour of its “AI companion” is definitely not thinking about the good of the populations being served by governments using its services.

Collapsing the myth of private sector superiority

The idea that the private sector is best placed to develop software for governments relies on a couple assumptions that I, for one, don’t think are very robust. First, there’s the assumption that if the private sector isn’t developing it, then governments will have to do it themselves. We only need to look at Schleswig-Holstein to see that this one is a fallacy. In the case of LibreOffice, used by Schleswig-Holstein, the governance model behind the software is a not-for-profit, and development is community-based. Profit-seeking is not the only motivation for software development. Now, if you’ve gone back and watched the Schleswig-Holstein video, you may be jumping up and down and shouting “What about Nextcloud?! Nextcloud is a company!” And indeed, we see from the video that Schleswig-Holstein is using Nextcloud, one of the darlings of the European data sovereignty scene. And that’s fine. The existence of some companies that make software which places user interests first, and which are consistent with the values of governments which want to use mostly Free/Libre and Open Source Software, doesn’t prevent other parties from doing it. Industry can do it, government can do it, and other models like non-profits can do it. Even better, we can have thoughtful combinations of the three, with public values playing an important role in the procurement decisions of government and public bodies. So that’s assumption one out of the way: the choice is not big tech or bust, but instead, thoughtful procurement which also accepts that there are different ways for governments to engage with software. Governments can contribute to the development of their software without being the sole developer.

The second assumption I’m not a fan of is that big companies do it better. There’s an unhelpful belief floating around in some quarters that governments are less competent and less efficient than the private sector. Regardless of whether or not that’s true, the concept of “better” requires some benchmarking. But if the services being compared in procurement processes are only offered by a couple of very specific and market-dominant companies, then benchmarking “better” and “more efficient” becomes difficult. If the procurement process for replacing everything a given government is getting from Microsoft (or indeed Flock, or any number of tools currently in use) involves looking for a one-to-one replacement, then there won’t be a lot of options available. If, instead, we’re willing to break things down into functions and look for software and services which do a part of the task, a lot more options suddenly materialize. Indeed, a lot of options that used to be in greater use than they are now become possible again, like having an email solution that isn’t tied to your office productivity suite. This is assumption two on the chopping block, then: it’s easy to argue that the private sector inherently does it better when the definition of what “it” is happens to be based on the offerings of the market-dominant players.

Put public values first

Where does all of this leave government, then? How do we escape the predicament presented by the large-scale use of public resources to enrich big players in the private sector? I don’t personally have the solution to the problem, but there are certainly some starting points. First, it’s necessary to think beyond the status quo. The use of a specific tool or service now is not a hard and fast indicator that it’s a necessary tool or service, or that the only thing it can be replaced with is something that works exactly the same way. Second, even if you do want to get as close an analogue as possible to the status quo, a broader search beyond the main solutions might yield something close enough. And third, alternatives can be investments. If you’re ditching the expensive solution from the big provider in favour of, say, some F/LOSS that already does 80% of what you want but not quite everything, that’s an opportunity to invest in a process that can allow a greater degree of involvement than buying something off the shelf.

It’s fine and dandy that governments across Europe are waking up to the risks of leaving their infrastructure in the hands of companies that may have other interests at heart. But as with the case of the Dutch unified ID system, contracting with a local provider doesn’t guarantee safety. The habit of using public money to develop and improve private products may well provide access to a service, but it doesn’t guarantee a good values match in the long run, or even ongoing and safe use of the service. It’s about time to think beyond the public-private predicament and consider alternatives that place public values ahead of private value.