A response to ARES69111 "Towards European open digital ecosystems"

These opinions are offered as a user, developer and advocate for FOSS for 25 years. I am a computer scientist, having worked as a university professor, reseacher developer and technical writer for 35 years in the area of signals, systems and DSP. Along with my associate Ms Helen Plews we represent Boudica Security, a very small British cybersecurity company formed in 2023. We are primarily motivated by moral and political concerns around the trajectory of technology in the world today.

It's wonderful that we finally have an 11th hour recognition of the vital importance of Free Open Source Software in Europe.

"it is expected that a combination of funding and policy measures will stimulate the EU open-source sector"

We note that much of the discussion concerns potential allocation of funding to projects. Indeed, money changes everything but is often as ruinous and divisive as it is beneficial, especially without joined-up attention to policy. In our observation bad policy often works against change, merely frustrating and wasting allocated money on fighting our own bureaucracy.

With this in mind we would like to remind The Commission of some deeper, historical and social factors that surround Free Open Source Software production.

"We ask these groups to provide views on the Commission’s understanding of the problem and possible solutions"

We offer these comments in the context of what we call Civic Cybersecurity which encompasses not just technical (device, data and network) security, but social and psychological security of citizens within a digital society.

We interpret that in this initiative The Commission, as well as aiming to safeguard European digital sovereignty, is in a sense also hoping to attract FOSS developers to European projects and to sustain them economically.

Profound changes in international relations come at a time of equally profound changes in technology. Evident psychological, political and economic dangers of "AI" coincide with a cult-like gold-rush or arms-race to deploy it in every possible context whether people want it or not. We are in a situation where technological harms are being forced on populations. In this sense "markets" have completely disintegrated as any sort of economic yardstick.

Going forward, for the Parliament, the challenges of creating a joined-up and grown-up conversation on these troubling trajectories looks similar to those faced by environmentalists since the 1950s - how does one;

• petition people to think long-term?
• persuade people who are are making a fortune to put aside enormous financial gains?
• overcome the theocracy of zeal and religious extremism around tech (singularity/rapture disciples, far-right 'master-race' sorts)
• create common language for critique and exchange of positions?
• build networks of discussants open to diplomacy and constructive action?
• cultivate cool-headedness and calmness, given a context of extraordinary urgency?
• see and say some extremely inconvenient and upsetting things about our collective psychology, leadership and geopolitical situation?

We note that throughout the document the terms "open digital ecosystems" and "open source" are used. No mention of "Freedom" appears. However, these concepts are intimately bound. The global community of software developers, essentially individuals and small businesses, has historically used the term "Free Open Source Software" (hereafter FOSS) which combines the concepts of openness and freedom as inextricably linked. Whereas Software Freedom requires openness the converse is not true. We therefore urge the Commission to note that reference to what is merely "open source" is deficient in its expressive power and implications.

Furthermore the FOSS ethos intersects with

• The Unix Philosophy. A set of Software Engineering principles important to modular, interoperable design that facilitates distributed community development efforts and flexible use.
• Digital Rights. A broad set of ideas around privacy, autonomy, agency, ownership and speech in the digital realm.
• Ephemeral nature. FOSS is rarely made of "companies" but has structural fluidity. Real world FOSS development is characterised by changing team makeup, lone geniuses, nebulous groups, expedient alliances, short and long term collaborations, "forking", project merging, plurality and multiple simultaneous ownership models. Attempts to fit it into a 'corporate' box is a common and serious cause of damage.
• Diversity of leadership. Models abound, from benevolent "dictators for life", to anonymous anarcho-collectives as well as traditional organisational structures (limited liability companies, registered charities and so on)
• FOSS is people. It is not "the product" to be harnessed, farmed and "leveraged" as a commodity - by a company, a nation state or continental trade bloc. Be very careful about how you think you understand "open source".

One of the great advantages of FOSS is its dispersal of scale and risk. Big Business is a problem because it is big, not because it is business. For example, consider the hacking of the therapy company Vastaamo. It's failure is a litany of cybersecurity errors, poor compartmentalisation, bad data hygiene, failure to anonymise records… But that is not the real problem. Each technical failing could be addressed, yet such a company would be unconscionable.

The problem is scale. It is unreasonable to say that all buildings are dangerous because they may collapse. Most houses are stable enough to last hundreds of years. However, if we allow skyscrapers that are 2000 storeys high, they fall down and kill thousands of people. In the golden age of steam, engineers built bigger and bigger engines - until the boilers exploded. They found a natural limit to that technology. No company that manages sensitive patient data at such scale should be permitted, even in principle. The problem is not the cybersecurity practices of Vastaamo, but that such a company is allowed to exist at all by law.

FOSS helps because it naturally abhors giantism. Incentives to 'break up' big companies are not needed because there is natural tendency to grow to a manageable scale and stop where development allows no one single person or company to hold a monopoly on their software. However, if the margins are so small that only big companies can exist, or "software patents" allow protectionist measures, we have a more general problem in the economy. We encourage The Commission to look at the broader economic systems around software engineering in business and what else is needed alongside FOSS to create stable, secure and appropriately scaled organisms.

"A strong and developed open-source sector can effectively contribute to further EU innovation"

Europe must build its own strong digital technology industry. We must avoid the US American model of creating giants. Digital technology does not actually benefit much from scale; the Internet was not made by creating one giant "Internet Company", but rather from the concerted effort of millions of smaller businesses. Scale introduces diminishing returns (A two million investment in "AI" does not produce twice the outcomes of a one million spend).

A European model must aim to create a great many smaller businesses working to common standards and broad goals.

Innovation rests on creativity and intrinsic motivation. It is a delicate flower. It cannot be prescribed, commodified, measured and demanded.

Innovation must be understood in the context of Intellectual Freedoms, all of which are ancient. Many have been stymied by laws, and pressure from the publishing and banking industry and by US American interests, particularly their oppressive intellectual property regime.

Crucially, many impediments to innovation come from digital technology itself. Edutech arguably harms education. "AI" makes people stupid and works against the goals of "IA" (Intelligence Amplification). Removing Google and Microsoft from schools and universities would be an important step.

Many "intellectual property" laws and attempts to control knowledge now work directly against their ostensible, stated aims to "promote the arts and sciences". The ability to innovate in mathematical arts like computer code is quite dependent on;

• the right to read
• the right to discuss
• the right to investigate and research
• the right to reverse engineer
• the right to share ideas, formulas and code
• the right to modify and improve other people's ideas

It is vitally important to restore the primacy of the commons and to strengthen laws to protect the commons.

If The Commission wishes to stimulate commercial innovation we urge they first look at existing impediments to innovation and act to remove them;

• the difficulty of starting a small business (we are blessed in the UK in that it is relatively easy)
• over-complexity and of tax laws and cost of filing accounts
• getting help and advice
• less onerous employment laws (make collaboration and profit sharing collectives easier, more flexible types of business arrangements)

One such safeguard would to give European software developers complete immunity from the reach of US laws.

Another would be broad and sweeping changes to "intellectual property" law and trade agreements which we have all outgrown.

Innovation rarely comes from one group alone; from a business, from community or from government. It appears at the intersection/interface where spheres overlap. Bringing these elements together for joined-up society requires we make;

• Business less greedy and vain
• Government less haughty and power hungry
• Communities more vocal, inclusive, willing and engaged
• Individuals more psychologically secure and able to participate

Neither the environment of fear and exploitation cultivated in the USA, nor that of docility under state terror in Russia and China, are conducive to innovation.

Innovation cannot happen without education. The university system is in a dreadful mess. Pressures for fraudulent research and low quality teaching must be removed. Leadership must be completely replaced, as academic heads are now utterly lost and ideologically bankrupt.

Software developed by open communities carries with it the values of those communities. In this sense FOSS code has inescapable democratic political qualities.

Any funding initiative must include some understanding of this and posit some "prime directive" of political non-interference.

For example (top-down conflict):

Europe is not without its authoritarian elements; a cohort of "Chat control" proponents within the Commission who press for unacceptable surveillance and backdoors into communication applications.

Politicians who do not understand the technical and philosophical dimensions of code (as neither a fully industrial nor cultural production) - as frequently demonstrated by UK surveillance hawks - will quickly fall foul of the hard social reality of trying to compel technical affordances for political reasons.

Such values can not be allowed to interfere with FOSS development and the developer community would be extremely hostile to them.

In contrast (bottom-up conflict):

Many developers disagree on ethical issues such as defence or the environment. Pacifists may wish for restrictive licenses around software use in armaments. Environmentalists may prefer to stipulate that their code is not used in, for example, oil exploration. We have a long experience of seeing how these tensions play out, often very destructively.

"…identify some of the barriers that are currently hampering the EU's open-source potential"

The US American model has always favoured an approach of "most liberal interpretation". This is a significant weakness in the face of exploitative/extractive forces, but it is a stronger guarantor of enabling (positive) freedoms and opportunity (zero barriers to entry). To wit; the freedom to write and publish code is like the freedom to write and recite poetry.

One of barriers hampering EU status in the world of software is its flip-flopping and ambivalence on matters of liberality and speech.

We advise the Commission to note that embracing community development of code requires embracing the value diversity of pluralistic communities. Diverse licenses including GNU Public License (GPL) style, Massachusetts Institute of Technology (MIT) and dozens of variations will be required. The project must go eyes-open into a complex and demanding legal landscape.

So, developers must often see their code used for things they do not morally approve of. Likewise governments must accept limited control and that code they fund will be used for purposes they do not necessarily like or approve of.

A good example here is the clearly unacceptable use of image processing "AI" for non-consensual deepfake nudes. The problem lies not with any software as such, which may be configured for almost endless genuine utility, but in the immature schoolboy misogyny of Elon Musk and his company. We hope The Commission realises that software freedom will make it easier, not more difficult, to create such sofware, but will eliminate the profitable at-scale incentives for a company like "X" to even exist, along with unhinged tech megalomaniacs.

European taxpayers and officials should not see themselves as 'buying' or procuring specific products any more than expectations they might have if funding the theatrical arts. Some people will write plays that mock the King, but wise rulers have always allowed if not encouraged that. Therefore a broad-spectrum of support is most likely to work better than "running a competition to pick winners".

European FOSS developers will not allow themselves to be put in a position where funding is contingent in such a way as to apply leverage over them. Academia, and its poverty of current research under competitive grant based systems is standing proof of the failure of this approach. Nor will the community take kindly to a regime of funding or defunding for "political reasons" (although clearly the proposed initiative is political indeed). Seeking broad coalition to raise software policy above party politics would seem a sensible appraoch.

As domain experts we see cybersecurity as;

• a software quality issue
• a personal digital rights issue

In any consideration of policy and funding for FOSS we urge The Commission to hold in mind the three essential questions about cybersecurity;

• security for who?
• security from who or what?
• security to what ends?

"What does the initiative aim to achieve and how? The initiative seeks to support the EU's tech sovereignty …"

Tech sovereignty as increased self-control certainly seems a desirable goal in the face of belligerent overseas power, but it may not mean self-determination for the individual European citizen developer.

European FOSS developers are frustrated by the projection of US Imperial power through trade leverage saddling us with awful laws such as Article 6 of the 2001 EU Copyright Directive and the terrible mistake which is Software Patents (of any kind).

"…identify some of the barriers that are currently hampering the EU's open-source potential and propose a path forward to eliminate them."

The standard of standards need improving! All standards should be free for everyone to download and follow without cost or restriction. Standards and documents defining laws should never be copyrighted and no standard should ever contain anything patented. The issuance of a standard should revoke any existing software patent.

More would be achieved by removing these political chains than by any amount of available money. The former may indeed be a pre-requisite for the effectiveness of the latter.

The language speaks to a shift in power, without indicating to where that shift will be. For the FOSS community the desirability of European strength depends on the intentions of new candidate sovereigns. We urge The Commission to be clearer in defining the positive affordances and removal of encumbrances European free software developers will obtain.

"What does the initiative aim to achieve and how? The initiative seeks to support the EU's tech sovereignty and competitiveness agenda."

With whom? The term "competitiveness" is often used in a lazy fashion by economists to imply some sort of vague Darwinian fitness.

Good code is primarily collaborative, whereas competition as the US American model has shown, tends toward low quality products and perverse incentives typified by the Silicon Valley maxims like;

• build a moat
• ship now fix later
• move fast and break things
• pivot and cash-out

Europe has the opportunity to do better, not merely replicate these mistakes. As discussed above, in the scientific tradition, both openness and freedom are means to build trust and reputation, to;

• build bridges between communities
• get it right
• be responsible and minimise harms
• make long-term commitments

FOSS development thrives under conditions of freedom, and also simplicity.

European politics has always suffered from bureaucratic complexity. A compelling element of the "Brexit" campaign was fear of sluggish complexity and unaccountability.

The first instinct of developers is that any European FOSS project will be hamstrung by incompatible laws and language. Its enemies will do everything possible to exacerbate and amplify that tendency through lawfare, and that perception by propaganda.

We urge The Commission to put clear, simple, fair, streamlined process at the heart of any initiative.

We must avoid creating a circus of advisers, middlemen, procurement facilitators, certification gurus, project managers, insurance consultants…

Some complexity is inevitable but let's avoid a "gravy train" that diverts funds from getting to actual developers who write lines of code.

FOSS developers are the kind of people who just get on with stuff. They do things directly. Coders don't have time for paperwork. If they're doing any, it must be limited to useful documentation and minimal administration. It would be a tragedy to see funding for a European FOSS project ending up the way that healthcare or defence has in Britain, with middlemen intercepting large percentages of the flow, muddying waters so they can sell seminars and fast-tracks on procurement. Let's create;

• Strong incentives for money to only go directly to developers for well defined tasks that they get to set out.
• Minimal necessary bureaucracy
• Relief from excessive legal and procedural encumbrance

ARES-69111, in addressing " Problem the initiative aims to tackle" claims;

"The EU faces a significant problem of dependence on non-EU countries in the digital sphere. "

The reality is that computer code is global and interdependent. All countries therefore depend on code written within an international commons. Regional dependence is not, in and of itself, a problem. Interdependence of the digital commons is indeed a strength, preventing any one political power bloc from holding hostage the technological advancement of humanity - advancement in which the EU shares.

For diplomatic reasons ARES-69111 is measured in its language. Let us more clearly spell out here 'the problem';

We are in an era of fragmentation of the world order into power groups engaged in "political cyberwar", and who now explicitly manipulate digital elements, social and industrial, to achieve their ambitions.

Methods include;

• land grabs on the global digital commons
• lawfare, trade wars and digital gunboat-diplomacy
  • direct cyberwar as offensive hacking and surveillance
  • abuse of intellectual property laws
  • sabotage of international standards and interoperability
• interference by intelligence agencies and private hacking groups
• direct control of and by giant monopolies (Big Tech)

The upshot is digital hegemony, an often invisible imposition of political values through software systems instead of through legible democratic process. Technology ceases to be an "empowering tool for people" and becomes a proxy lever for political control. Toward these ends various groups use political pressure, trade leverage and intellectual property abuse to deploy a two-pronged attack:

• Push their code as
  • singularly definitive
  • as trusted
  • as sustainable and resilient
• Sabotage alternatives
  • curtailing freedom to develop alternatives
  • suppress innovative experimentation
  • spread propaganda undermining alternatives

In reality we are still at the dawn of computing. Big Tech products are simply one of many, many ways of doing things. They are ephemeral, untrustworthy, and increasingly based on unsustainable industrial processes.

Europe's 'problem' lies in its position between two broad approaches to nurturing technological development.

US Americans take a bottom-up laissez-faire approach in which individual code contributions are competitively aggregated into larger projects through commerce. The financial rewards rest on satisfying 'markets'. This entrepreneurial ethos essentially relies on a lack of protection for individual developers so that private investors can build extractive economies upon individual industry. In contrast the Communists, notably in China, prefer a top-down control approach in which the state expresses a collective ownership and control of developer output, while tepidly allowing ostensible "private business".

The top-down, planned model, through coordination achieves rapid scientific and engineering advances, however it lacks the creativity and diversity that comes with individual developer freedom. The bottom-up model gives freedom to coders to practice their art, but offers no support and leaves individuals exposed to exploitation in a highly predatory and unfair order. In reality for "The West", meritorious markets are a myth and the development landscape is controlled by Big Tech monopolies.

Europe is stuck in the middle. For three decades we have relied on two other power blocs to supply our needs, namely the US for software and China for hardware, each of which is respectively suited to those political environments of freedom or state control.

This is a current weakness, but an immense opportunity too.

We note that Europe lacks a clear model of how code is produced - not merely as Software Engineering, but as a social phenomenon.

While appearing on the surface to concern matters of social infrastructure and industrial production, state-level policy toward code has much in common with state control of literature and the arts. In the best cases it is hands-off.

The most accomplished computer scientist, Donald Knuth, did not accidentally title his foundational 4 volume life-work "The Art of Computer Programming". Like the literary arts, computer code has the potential to profoundly alter the social fabric and values on which all else rests.

In this regard it is necessary for the state to be eyes-on, taking a benevolent social interest in what people are developing. As technologies become more powerful and dangerous, encouraging development in the open is therefore a benefit as opposed to secretive proprietary projects that might better be reserved for military applications. This balance is difficult. However, failure to attend to it leads to the rise of charismatic megalomaniacs and pseudo-theological projects as seen in the USA of late regarding so-called "AI".

Software is therefore already subject to various forms of political control, censorship, amplification and steering, whether these are visible or not. The past three decades offer ample evidence of this, but to take one example; culturally, "social media" is a peculiarly American phenomenon, being tied to highly centralised surveillance interests. The Chinese version is overtly surveillance plus social control. A European version need not pay regard to either of these models, preferring instead a private means of social organisation and sharing based on distributed ownership of the means of computation as envisaged in the formative ARPANET.

The US (and to some extent British) model, is rooted in the microcomputer revolution of the 1970/80s, Hacker Culture and Software Freedom Movements exemplified by figures like Perry Barlow, Richard Stallman, Eric Raymond, Bruce Perens, and it extols;

• bottom-up structure, individual driven
• personal creative drive
• advancement of commons
  • free sharing as a foundational value
  • freedom to modify, study and reverse engineer
  • freedom to create and participate in communities
• intrinsic motivation
  • recognition and participation as rewards
  • values of scientific method
• non-alignment
  • global community belonging as primary association
  • nonrestrictive licensing

This model sparked the digital revolution, the communications revolution of World-Wide-Web, the digital entertainments industry (games, film and music) and the "Dot Com" revolution of digital commerce.

Unfortunately in its birthplace, the USA has been profoundly corrupted of late. Agglomeration of extreme power and obscene wealth has seen deep political changes in the United States, sadly toward fascism and domination. It now falls to Europe to uphold and champion humane philosophies until such time as the US recovers its democratic compass (which we believe will happen within 10 years).

However this remains a model for sustainable, long-term production of code as a social good, not merely an emergency stop-gap to replace Microsoft Office and suchlike with quick facsimiles. Such replacements are already in place and tested, for example LibreOffice and require only the political will to countenance and facilitate their uptake.

"…the strategy should provide a set of short- and medium-term solutions"

We urge The Commission to look beyond immediate crisis to sustainable Free Open Source ecosystems, to anticipate and prevent the failure modes that have happened across the Atlantic. The descent of the United States into corporate technofascism provides lessons on what to avoid:

• limiting the total size, capital and growth rates of software development entities
• limiting monopolies not just on markets but on protocols, access, techniques etc. This is clearly served by abolishing software patents (preserve design IP solely for actual inventions)
• consider the psychological disposition of tech-leaders with respect to their sincerity as humane stewards of "progress". If charisma, ambition and a pile of money are all that is required to be directors of humanity's future, then we are sunk.

Increasingly individual developers and small organisations are targeted in supply chain attacks, by influence, political manipulation, blackmail, ostracising (cancel culture) and direct hacking.

We urge The Commission to recognise developer vulnerability as a dimension of any FOSS policy and to supplement funds with other forms of support such as:

• liaison with intelligence services to help with security (In the UK we have civic outreach by NCSC)
• Free legal aid, police investigatory support

"What is the added value of open source for the public and private sectors? Please provide concrete examples, including factors such as cost, risk, lock-in, security, innovation, among others."

We identify the following areas of benefit to civic life from a Free and Open approach to software;

• Resilience
• Moral, democratic prerogative
• Economic opportunity

The dangers of mono-culture and the natural advantages of diversity and hybrid vigour are well known in the biological and ecological sciences. A growing awareness of this wisdom is changing the nature of engineering and technology.

Notwithstanding the "myth of markets" industrial capitalism operates by a model of top-down design plus bottom-up implementation (exploited workers under financial wage incentive). In contrast, FOSS facilitates a bottom-up (individual needs-driven) design, while still allowing a top-down (collaborative planning) model. Strong common standards for interoperability play a part here.

Diversity not only spreads direction and form, it spreads risk. As technology becomes more powerful, it's dangers to society from making mistakes grows. Unlike the Cold War era we can no longer allow a singular direction, a charge led by a tiny minority of industrial ruling classes, to define a "vision of the future" or the rules of social discourse. Otherwise we create a very real danger of - as now seen with "AI" - an irrevocable, fatal mistake inflicted by a flawed top-down design. In a multi-polar world plurality becomes an essential survival strategy. Since FOSS strongly encourages multiple inter-operating technologies in place of monoliths it improves technological safety and continuity of operations in a more turbulent, crisis-prone world.

FOSS challenges a partition of technological society into consumers (dumb users) and producers (technically elite and privileged), offering instead a participatory social model where citizens are economic and intellectual stakeholders in the technology of the day. Some significant subset of end users are also producers, so we obtain a holistic rather than prescriptive model of production.

The word "Algorithm" has recently been repurposed in the vernacular to mean "hidden and mysterious computational forces that affect individuals and society". As such it is a pejorative word for a hostile phenomenon. The moral and democratic dimension of this should be clear. In a digital society, code constitutes social rules. As for written laws and policies of elected governments it is unconscionable and dangerous for this "social code" to be opaque, or decided by unaccountable persons. A society based on FOSS is one where the code is constructed by social consensus, mutuality and common ground, and where it is transparent for examination and change.

Lastly, a participatory technological society goes some way toward reducing inequality, preventing an accumulation of capital into ever fewer, more dominant networks that can define proprietary standards, walled gardens and moats.

This need not be hostile to a market model nor private profit initiative, indeed it should be seen as a stimulus to small business in a fairer market that values diversity and interoperability. To do this incentives must be devised to break the "winner takes all" mentality.

"What concrete measures and actions may be taken at EU level to support the development and growth of the EU open-source sector contribute to the EU's technological sovereignty and cybersecurity agenda?"

"What technology areas should be prioritised and why?"

Start with the basics;

There are major problems with;

• web browsing
• public key infrastructure
• electronic mail
• web hosting
• online banking
• mobile telephone technology
• academic publishing

Funding of FOSS projects to urgently investigate and address these problems would be extremely beneficial to a future "Free Digital Europe".

"In what sectors could an increased use of open source lead to increased competitiveness and cyber resilience?"

• app stores
• education
• medicine
• maps and weather
• payment and public transport

Some of the terms in ARES69111 seem not well defined nor are the implications of pursuing them clear. While we very much welcome a European initiative to promote Free Open Source Software, and to create funding instruments to facilitate this, we suggest caution on both sides, from developers and government, before naively rushing into more state involvement in cultural production. As in many complex situation, it is often not so much about trying to "do good" as removing impediments and stopping doing bad things.

Sincerely,

Dr Andy Farnell

Ms Helen Plews

Jaunuary 20 2026

Download this document as .ODT