Article originally published in Civio
This story also appeared in Fundación Civio

A danger to public safety. That is the main argument of Central Contentious-Administrative Court number 8 for denying Civio access to the source code of BOSCO, an application developed by the Government and used by electricity companies to check whether a user in a vulnerable situation can receive discounts on their electricity bill.
How did we get here? In 2019, Civio showed that BOSCO was flawed and denied the social bonus to people who were entitled to receive it. We did so after receiving dozens of notices from affected people and requesting, under the Transparency Law, its technical specification, the results of the application's verification tests and its source code. The Transparency Council (CTBG), over the Government's objections, made it hand over part of the documentation. The CTBG did not, however, support the release of the source code. That is why we are taking the matter to court. This is the first judgment: the appeal is dismissed, with costs of €2,000 awarded against us.
Source code contains the raw instructions of a program and defines how it calculates its results. In this case, the BOSCO application is an adaptation of the regulations used to determine whether or not a person is entitled to be a beneficiary of the social bonus. To oppose its release, the Government argued during the trial that publishing this code would pose problems of public security, as well as national defence and intellectual property. It did so even though the resolution of the Transparency Council, the act Civio appealed, relied solely on intellectual property. The magistrate has nonetheless accepted the Government's arguments.
BOSCO did not comply with the norm

A more technical issue is whether what the application does is, by itself, an administrative act. If so, this would reinforce our right to access the source code under the principle of legality, to know how one decision or another is reached, as against the protection of the code's intellectual property, one of the arguments of both the magistrate and the Transparency Council. According to the judgment, yes, it is an administrative act, but, contrary to our interpretation, the one who decides is not the application but an administrative body. That is something we question.

The documents of the case, in the open
Resolutions, judgments, appeals… We make all the information public so that it is useful for other people and organizations.
The truth is that the electricity companies access BOSCO to verify whether a user is entitled to receive the social bonus. To access this aid there are, in summary, three routes: low income, being a large family, or being a beneficiary of a minimum disability or retirement pension with minimum income. These routes are not exclusive. For example, other types of pensioners, such as widows, could not use the last route, but they could use the income route when they did not exceed the maximum income. In 2019, thanks to the functional analysis, we showed that if the pensioner box is checked for a widow (because she is one), BOSCO, without analysing the income, returns the message “Impossible to calculate”. And this is what the electricity companies convey to the citizen, along with the message that their request has been rejected. That is to say, there is no public employee who mediates in this act or decides anything; there is no public intermediation beyond the application itself. This is demonstrated by one of the letters we received from a person who, although entitled to this aid, was rejected because of design flaws in the program, as we reported in 2019.
Another case is that of large families, who are beneficiaries of the social bonus regardless of their economic situation. But if the applicant does not allow their income data to be consulted, BOSCO denies the aid because the program insists on analysing their income, even though that is not a requirement of the regulation. This also entails an unnecessary query of personal data that is irrelevant to the calculation. In the judgment, the magistrate assumes that the program applies the regulations as they stand. He does so without having accessed the code and without checking it. These two examples show that, at least when we found those bugs, BOSCO was in fact not compliant.
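To make the two reported defects concrete, here is an added illustration (not BOSCO's code, which remains closed) that models the three routes as the article describes them beside the behaviour the 2019 functional analysis reported; the field names, the bare true/false treatment of income and the assumption that everything else matches the regulation are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

GRANTED = "granted"
DENIED = "denied"
IMPOSSIBLE = "Impossible to calculate"


@dataclass
class Applicant:
    # None models an applicant who withheld consent to an income lookup
    # (or whose income was never consulted). Field names are constructed.
    income_below_threshold: Optional[bool]
    large_family: bool = False
    pensioner: bool = False          # any pension, e.g. a widow's pension
    minimum_pension: bool = False    # minimum disability or retirement pension
    minimum_income: bool = False     # income condition attached to that route


def per_regulation(a: Applicant) -> str:
    """Three non-exclusive routes; any one of them grants the bonus."""
    if a.large_family:                      # granted regardless of income,
        return GRANTED                      # so no income lookup is needed
    if a.pensioner and a.minimum_pension and a.minimum_income:
        return GRANTED
    if a.income_below_threshold:            # the income route
        return GRANTED
    return DENIED


def bosco_as_reported(a: Applicant) -> str:
    """Behaviour the 2019 functional analysis attributes to BOSCO."""
    if a.pensioner and not a.minimum_pension:
        return IMPOSSIBLE   # gives up instead of falling back to the income route
    if a.income_below_threshold is None:
        return DENIED       # income is demanded even for large families
    return per_regulation(a)  # assumed: everything else follows the regulation


def divergences() -> list:
    """Constructed cases; returns those where BOSCO departs from the rule."""
    cases = {
        "widow with low income": Applicant(True, pensioner=True),
        "large family, no income consent": Applicant(None, large_family=True),
        "large family with consent": Applicant(False, large_family=True),
        "no route applies": Applicant(False),
    }
    return [(name, per_regulation(a), bosco_as_reported(a))
            for name, a in cases.items()
            if per_regulation(a) != bosco_as_reported(a)]
```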
Checking is not hacking

The National Cryptologic Centre and the General Subdirectorate of Information and Communication Technologies of the Ministry of Industry, Commerce and Tourism stated, in general terms, that publishing the source code of any program would enable attacks and expose sensitive databases. It is true that BOSCO, in order to verify the eligibility of a possible beneficiary of the social bonus, makes various queries to public databases. So why do we ask for the source code? Do we want to hack citizens' data? Obviously not.
A good software engineering practice – basic, first-year – is that the passwords and credentials that grant access to a database are never put into the code, but into a separate configuration file. And no, we do not want those access 'keys'. There are also further security measures – which we understand the administration applies – such as allowing only certain IPs (unique addresses that identify a computer or network) to access certain systems. In other words, not even with the passwords could an unauthorised person access sensitive databases. But there is more: the available BOSCO documentation makes clear that the program does not directly access, for example, Tax Agency data to check the applicant's income level. For that it relies on the Intermediation Platform, which depends on the Ministry of Economic Affairs and Digital Transformation and offers a service that encapsulates this step and is restricted to certain digital certificates approved by the administration. BOSCO also uses this certificate-based access. On top of that, more than a year ago the Government, “for transparency and so that the community can help us improve the app”, published the source code of Radar COVID, the application created to trace and notify contacts of people who tested positive for COVID-19. Did this expose our health data? No.
Finally, the Transparency Law establishes that when the legal limits (such as public security or national defence) do not affect all of the information, partial access will be granted. In other words, the administration could hand over the part of the code that evaluates whether a person meets the requirements for the social bonus and withhold the rest.
We believe in our arguments. And we are aware that we must defend them in court, not just in public. Therefore, we have filed an appeal. We have lost the first round, but the match is not over.
NO to opacity in computerized decision processes
We are going to do everything possible to reverse the ruling and obtain transparency about the computer programs that already make decisions about our lives and our rights. And we will pay the costs that are necessary for as long as we can. But we are also going to be very honest: it would send a strong message, and it would help us a lot, if more people (hopefully thousands) decided to say NO to opacity in computerised decision processes.
If you can, we ask you to join us and help us reverse this decision in court.
Thank you for your commitment.