In-Depth

Microsoft Opens Up Its Source Code—Sort of

Software giant permits governments to review—but not modify—its source code

• By Stephen Swoyer
• 01/22/2003

Microsoft’s new Government Security Program (GSP) enables governments to review the source code of its Windows 2000, Windows XP, Windows Server 2003, and Windows CE operating systems. The program also provides participants with access to technical information about the Windows platform that Microsoft wouldn’t otherwise share with its customers.

In addition, Microsoft representatives say, GSP participants are permitted to view operating system source code in a debugger but are not allowed to compile or modify the source code themselves.

Microsoft has not ruled out making changes to the source code, however, and has said that it will work closely with GSP participants to address their concerns. The software giant also extended an invitation to government representatives to visit its headquarters in Redmond, Wash. and speak with its developers.

Microsoft's criteria for GSP membership are based on a government's attitude and laws about intellectual property. As a U.S.-based company, Microsoft must adhere to U.S. Bureau of Information and Security (BIS) requirements regarding exports and can’t offer the GSP to governments or organizations that have been sanctioned by the U.S. Office of Foreign Access Control (OFAC). Even with these restrictions, Microsoft officials say that at this point they have identified more than 60 nations eligible to participate.

Microsoft is currently in discussions with 20 countries about the program. An organization representing the Federal Agency for Governmental Communication and Information in Russia has signed a GSP agreement. The North Atlantic Treaty Organization has also signed.

The program is primarily intended for central national agencies that focus on security as a core priority. State, provincial, and local agencies, as well as government agencies requiring source code access for product support, will be steered toward the Shared Source Initiative that Microsoft launched in 2001.

A Move to Blunt Open Source Momentum

The GSP is widely viewed as an attempt to blunt the momentum of open source software (OSS)—particularly of the Linux operating system—among security-conscious national agencies.

OSS has notched some notable international wins of late. Agencies in Brazil and Germany, in particular, have announced plans to move to Linux, which is offered under the terms of the GNU Public License, allowing them to review and modify its source code. Cost is at least as important a consideration as security in many government reviews.

Moreover, the results of an internal Microsoft marketing memo, leaked to OSS advocate Eric S. Raymond’s Opensource.org Web site in November 2002, paint a dire picture with respect to Microsoft’s ability to compete effectively against OSS for many international customers even with an initiative such as the GSP.

The memo, which was distributed at a Microsoft strategy meeting in Berlin in September, found that many international customers—particularly respondents in France—were interested in OSS precisely because it relieved them of a dependence on U.S.-based technology companies.

“The most effective OSS positives focus on TCO and the ability to compete with the United States,” the study indicated. “The top-rated messages for OSS among all audiences were that OSS was ‘Cheaper & allowed free copies’ (84%), followed by ‘Avoiding payment of royalties to US companies’ (81%), and ‘the opportunity to build local the local tech industry to compete with the US’ (76%).”

The memo concludes that “the greatest challenges we face are with the International audience—especially the French, Germans, and Japanese.”