Do We Need a New Agency to Reveal Software Secrets?

By Lloyd Marino

We all know our computers run software. Indeed, when you bank, use a credit card, make a phone call, or watch television, you are using software. Of course, this is just the tip of the software iceberg. The software that bears the global economy’s collective cross isn’t an app on your smartphone or your computer. It is the massive applications that run Walmart’s supply chain, Amazon’s Enterprise Resource Planning processes, Hertz’ reservation system, and Toyota’s production line, perhaps explaining what prompted professor and vice chair of the Southern Center for Human Rights James Kwak to exclaim in the Atlantic that “Software runs the world.”

Five years ago, Netscape co-founder Marc Andreessen wrote about how vitally important software had become in “Why Software is Eating the World” for The Wall Street Journal. But here’s an interesting twist for today: How can we be sure the software running our lives is living up to its end of the bargain? What’s to stop the manufacturer from embedding software with secret commands, accidentally or on purpose?

The truth is, many of the machines we use every day really do have secret software.  

  • Volkswagen has admitted to having secret software in its diesel engines that switched on its emissions controls during testing but off during normal driving conditions. While the company has agreed to pay $14.7 billion in penalties and car buy-backs for this cheat with its 2.0-liter four-cylinder diesel engines, Volkswagen has maintained that its 85,000 cars with 3.0-liter engines do not have this “defeat device.” However, according to Reuters, a respected German publication reported in August that U.S. regulators found secret software in the 3.0-liter engines that shut down emissions controls after 22 minutes, slightly longer than the usual emissions test.  
  • Microsoft’s personal assistant Cortana, which is part of Windows 10, Windows Phone 8.1, and other Microsoft operating systems, answers questions and responds to voice commands. Cortana tracks the user’s location, records and analyzes voices, and may communicate information on people’s writing, calendars, and schedules back to Microsoft. How much data is sent and how does Microsoft use it? Right now, there is no way of knowing.
  • Anyone who watches NCIS or the many similar high-tech television crime solver programs knows that cell phones can be used to track people’s current locations. But you may not know that if you have an Android or Apple phone, your location information is being stored and used to track your frequent locations. And, at least in Android phones, the location history is sent to the company’s servers. While the user can disable this function, in many phones it is turned on by default. An even worse cell phone privacy violator, Carrier IQ, resulted in a $9 million settlement for violating users’ privacy by logging keystrokes, even data on passwords, and potentially sending this information to the manufacturer.

Right now, when we buy software or a device with embedded software, we have to trust the company when it tells us what the software will do. Yes, there are reviews on the web and computer magazines, but there is no one who digs deeply into the software to see if it has secrets the company is not telling us.

One option would be a government agency that can regulate software the way the FCC regulates the airwaves, but better. In a tech-driven economy, the government needs a technology solution. Right now the government does not have enough people who understand technology to examine how technology works in the marketplace, nor a public-facing official who takes charge of technology policy on a national or even state level. We need an effective governing body that implements technology solutions and scrutinizes their impact on society.

However, in the current environment, the government cannot do this. The government doesn’t have the people or the know-how. Nor does it have the will. In fact, Congress eliminated the Office of Technology Assessment in 1995, even though that agency simply provided nonpartisan research studies and had no lawmaking or regulatory power.

A better solution may be a private organization that certifies software, and products with embedded software, as safe. This is done in other fields. UL (originally Underwriters Laboratories) tests the safety of products and inspects factories before allowing them to use the UL seal. The Good Housekeeping Institute evaluates products for their effectiveness compared to advertising and packaging claims and then awards its Good Housekeeping seal to products that meet its standards.

An equivalent for software, a Software Examination Entity (SEE), would work with manufacturers to gain access to the software’s actual source code and have independent programmers and engineers examine the code to make sure it works and that there are no hidden surprises. It could then issue its own seal of approval.

Such an independent non-governmental organization may find it easier to gain the cooperation of the software industry than would a government agency with its potential for bureaucracy and regulation. It would not interfere with innovation, nor impose rules on companies. Instead, companies would see the group’s seal of approval as a selling point and useful for advertising. Once the first software producer agreed to SEE’s review, all of its competitors would have to join too or risk being challenged on hiding things from consumers.

Of course, software still has enormous potential to bring many benefits to people’s lives. Still, we would be wise to create a way to protect users from hidden traps in their software and to act as a watchdog for the industry. In an age of self-driving cars and automated medical care, software can be a matter of life or death. If the government cannot or will not act on its own, the industry itself must be galvanized into action to safeguard its customers and itself.

Image By: Markus Spiske