Do We Need a New Agency to Reveal Software Secrets?

By Lloyd Marino

We all know our computers run software. Indeed, when you bank, use a credit card, make a phone call, or watch television, you are using software. Of course, this is just the tip of the software iceberg. The software that bears the global economy’s collective cross isn’t an app on your smartphone or your computer. It is the massive applications that run Walmart’s supply chain, Amazon’s enterprise resource planning processes, Hertz’s reservation system, and Toyota’s production line, which perhaps explains what prompted professor and vice chair of the Southern Center for Human Rights James Kwak to exclaim in The Atlantic that “Software runs the world.”

Five years ago, Netscape co-founder Marc Andreessen wrote about how software had become vitally important in “Why Software is Eating the World” for The Wall Street Journal. But here’s an interesting twist for today: How can we be sure the software running our lives is living up to its end of the bargain? What’s to stop the manufacturer from embedding software with secret commands, accidentally or on purpose?

The truth is, many of the machines we use every day really do have secret software.  

  • Volkswagen has admitted to having secret software in its diesel engines that switched on its emissions controls during testing but off during normal driving conditions. While the company has agreed to pay $14.7 billion in penalties and car buy-backs for this cheat with its 2.0-liter four-cylinder diesel engines, Volkswagen has maintained that its 85,000 cars with 3.0-liter engines do not have this “defeat device.” However, according to Reuters, a respected German publication reported in August that U.S. regulators found secret software in the 3.0-liter engines that shut down emissions controls after 22 minutes, slightly longer than the usual emissions test.  
  • Microsoft’s personal assistant Cortana, which is part of Windows 10, Windows Phone 8.1, and other Microsoft operating systems, answers questions and responds to voice commands. It tracks the user’s location, records and analyzes voices, and may communicate information on people’s writing, calendars, and schedules back to Microsoft. How much data is sent and how does Microsoft use it? Right now, there is no way of knowing.
  • Anyone who watches NCIS or the many similar high-tech television crime solver programs knows that cell phones can be used to track people’s current locations. But you may not know that if you have an Android or Apple phone, your location information is being stored and used to track your frequent locations. And, at least in Android phones, the location history is sent to the company’s servers. While the user can disable this function, in many phones it is turned on by default. An even worse cell phone privacy violator, Carrier IQ, was the subject of a $9 million settlement for violating users’ privacy by logging keystrokes, even data on passwords, and potentially sending this information to the manufacturer.

Right now, when we buy software or a device with embedded software, we have to trust the company when it tells us what the software will do. Yes, there are reviews on the web and in computer magazines, but there is no one who digs deeply into the software to see if it has secrets the company is not telling us.

One option would be a government agency that can regulate software the way the FCC regulates the airwaves, but better. In a tech-driven economy, the government needs a technology solution. Right now the government has neither enough people who understand technology to examine how technology works in the marketplace nor a public-facing official who takes charge of technology policy on a national or even state level. We need an effective governing body that implements technology solutions and scrutinizes their impact on society.

However, in the current environment, the government cannot do this. The government doesn’t have the people or the know-how. Nor does it have the will. In fact, Congress eliminated the Office of Technology Assessment in 1995, even though that agency simply provided nonpartisan research studies and had no lawmaking or regulatory power.

A better solution may be a private organization to certify software and products with embedded software as safe. This is done in other fields. UL (originally Underwriters Laboratories) tests the safety of products and inspects factories before allowing them to use the UL seal. The Good Housekeeping Institute evaluates products for their effectiveness compared to advertising and packaging claims and then awards its Good Housekeeping seal to products that meet its standards.

An equivalent for software, a Software Examination Entity (SEE), would work with manufacturers to gain access to the software’s actual source code and have independent programmers and engineers examine the code to make sure it works and that there are no hidden surprises. It could then issue its own seal of approval.

Such an independent non-governmental organization may find it easier to gain the cooperation of the software industry than would a government agency with its potential for bureaucracy and regulation. It would not interfere with innovation, nor impose rules on companies. Instead, companies would see the group’s seal of approval as a selling point and useful for advertising. Once the first software producer agreed to SEE’s review, all of its competitors would have to join too or risk being challenged on hiding things from consumers.

Of course, software still has enormous potential to bring many benefits to people’s lives. Still, we would be wise to create a way to protect users from hidden traps in their software and act as a watchdog for the industry. In an age of self-driving cars and automated medical care, software can be a matter of life or death. If the government cannot or will not act on its own, the industry itself must be galvanized into action to safeguard its customers and itself.

Image By: Markus Spiske

2 Comments

  1. Rich Marsh, on Apr 8, 2017 at 14:38

    I’m an old geek, who worked in software for more than 20 years. I was dealing with applications of all sizes, from a few dozen lines through those with millions of lines of code. (I worked for Big Blue and we wrote software that ran all aspects of telephone companies and later with firms that traded options and sales of energy.)

    This is a nice idea – but the only one who could certify the code would be a software design architect who’d been involved with the project for years, and who knew what everything did. I remember one example where we found a literal in the code that ruled out the provisioning or assignment of a specific telephone number. We couldn’t find anyone who knew why, so we changed it. Bad decision. It turned out that number was used by field techs for testing purposes.

    So, an agency would not be able to do that. How many lines and routines are in Windows 10? While at Compaq, I dealt with the initial versions of Windows, when it ran on top of DOS. (Yeah, I’m that old.) Even then, it was fairly thick code.

    Instead, why not have the agency certify the architect? They could be bonded, and expected to certify that the code met certain criteria. The source could be stored (a common requirement in many contracts anyway), and the certification would go with it. Since most large apps have multiple architects, each would certify that portion of the source that is relevant to their coverage.

    I think that’s a more workable solution.

    • admin, on Apr 8, 2017 at 15:51

      Rich,

      Love the feedback, and thanks for taking the time. The idea here is to protect consumers, or at least let them know what they’re getting into when purchasing a device with any kind of software (Think IoT). Would love to hear your thoughts?

      Best Regards,
      Lloyd
