Why are there no labeling requirements for software? Most people and organizations rely on critical applications, websites, and business solution platforms every day. However, we do not have much insight into what’s behind the curtain. Where does it come from? Who made it? It is much like trying to determine who built all the ancient monoliths.
When I buy food, I can look at a label that details the ingredients, nutritional breakdown, and country of origin. Most products you purchase will include country of origin at a minimum. It enables us to make a completely informed decision. Unfortunately, when it is software, there tends to be a complete lack of information available to consumers.
Why is This Important?
In today’s global economy, technology is developed around the world. Many customers would most likely view some countries as friendly and others not so much. Many of the countries viewed as unstable or adversarial are active in sponsoring industrial espionage to gain access to vital engineering, financial, and important strategic information.
Currently the Covid-19 virus is global and has forced many people to work from home. Despite the initial buzz about Zoom and how it enabled remote work better than other products, there was a great deal of news about security issues surrounding the platform. Having security issues is not unique to any software as your monthly OS security patches demonstrate. However, Zoom and similar platforms, handle information that most organizations consider confidential or top secret. Documents, spreadsheets, slides, dashboards are on display combined with human discussions putting all the information into context for anyone in the meeting.
Note: I am using Zoom as a current example. I like it and many of its features. The issue of withholding information from customers applies to the larger software market and is not unique to Zoom.
More than Bugs
The headlines about Zoom’s security flaws were followed by a news story that Elon Musk’s SpaceX had banned its use. I looked deeper into this and noted that many private and public institutions (NASA, Google, Taiwan, US Senate, German Foreign Ministry etc…) do not allow Zoom to be used. There are other applications and communications hardware, besides Zoom, that are not allowed in several organizations for varied reasons. So, are security flaws the sole reason software is not allowed in some organizations? I looked a bit deeper and mentioned in only a few articles was the fact that Zoom had a large engineering operation based in China.
Then why do some applications get banned and others not despite both having security flaws that require patching? This indicates that country of origin was a major factor when these organizations banned or limited the use of specific software applications.
So how do you find things like this out? Most likely you must ask specific, direct questions to the software company to find out. Usually, vendor websites are of no use. Sites typically only refer to the locations of headquarters and sales offices. There are never mentions of engineering or offshore contractor locations.
Zoom is an American company based in San Jose, CA. According to their website they have other offices in the following cities…
Denver, Santa Barbara, Kansas City, Atlanta, Sydney, London, Paris, Amsterdam, Tokyo
What is not mentioned is where a large part of their engineering staff is located. And again, this is typical of most software companies not to mention R&D locations. But why is this typical?
Let’s see what Zoom says…
From their March 2019 S-1 Registration filing to the Securities and Exchange Commission on page 21 under the Risk Factors section, “Security compromises experienced by our competitors, by our customers or by us may lead to public disclosures, which may lead to widespread negative publicity. In addition, we have a high concentration of research and development personnel in China, which could expose us to market scrutiny regarding the integrity of our solution or data security features.”. Sounds important.
So, are we forced to peruse SEC and other difficult to find documents to access such data? I don’t think it should be that way. I believe that customers should have all the facts before any purchase decision is made. With software being a critical part of our organizations & lives, this seems like common sense to me.
A Label Huh?
I think all consumers should have the following information provided to them. A software product “label” could be provided and might look something like this…
Country of Origin
This product’s primary technologies where developed in Country A, Country B, and Country C. This product provides internet-based computing that resides in Country A. User generated data in this product resides in Country A.
Utilized Open Source Modules
This product contains the following open source modules, open Source module 1, open source module 2.
3rd Party Modules & Services
This product utilizes the following 3rd party modules and services. Service A.
Data Movement
User generated data in this product will not leave Country A. Data will be sent to a 3rd party service, Service A, with prior user consent.
Many customers would find this information quite valuable and consider it when making purchase decisions. While some may not care at all, it is in the best interest of all customers to have this information available.
Final Thoughts
This is not an indictment against international technology engineering. I think it is a valuable approach where companies can innovate at a faster rate, adjust to change, and scale for growth. I do believe however that software companies should provide this information and let the customers decide if it is an issue or not.
For now, these “labels” are not available. But, if this is important to you and your organization, just ask
Houston, Texas