The Spanish National Court again rejects opening the source code validating electricity subsidy applications
A new ruling upholds a government report which claims, among other things, that knowing the BOSCO code would allow us to attack its systems, mine cryptocurrencies, and even access the data of the Tax Agency.
Another setback for the transparency of applications used by public administrations that affect us. The Spanish National Court (Audiencia Nacional, in Spanish) has issued a new ruling in which it dismisses the appeal filed by Civio and upholds the stance of the 2022 judicial decision: they will not give us the source code of BOSCO, the program that decides who receives aid to pay the electricity bill and which we showed had flaws, denying the discount to people who were entitled to it.
Moreover, it imposes 1,500 euros in costs, to be paid to the State, adding to the 2,000 from the previous ruling, which two years ago also did not accept our arguments against the initial decision of the Council of Transparency and Good Governance (CTBG, in Spanish). A Council of Transparency that, along the way, has switched sides and no longer opposes our access to BOSCO’s source code. However, despite this, the ruling continues to claim things such as that allowing us access would damage intellectual property (even though the application was developed by the administration itself), would put personal data at risk, and would imperil the security of nearly all the administration’s computer systems.
Regarding security and data protection, it bases its decision on a report from the Deputy Director General of Information and Communication Technologies of the Ministry of Industry, Trade and Tourism, which it accepts without question. The report argues that accessing the source code would allow us, among other things, to use the Ministry’s infrastructure “for other purposes, such as cryptocurrency mining”, when all we want is to understand how the code of that particular application, BOSCO, works.
Moreover, it claims that we could use the Ministry’s image for scams such as phishing (even if their image and branding is available on all their websites), extortions, or blackmail. And we could access all the databases BOSCO uses, such as those of the Tax Agency and Social Security (when -obviously- the code should not contain the credentials that BOSCO uses to access those systems). The report, which the judges have accepted as valid, asserts that accessing the code would allow us to attack the Ministry’s computer systems and that they don’t have technical means to mitigate this.
However, the ruling did not take into account our arguments: such as our right to understand how an application that does make decisions without the intervention of an official works. Nor that the European Union advocates that public administration developments should opt for open-source software. Instead, it states: “Revealing the code objectively increases the severity of vulnerabilities in any computer application, especially when handling classified or sensitive information, and it is not incumbent upon the Administration to develop all applications as open source.”” And it does so without relying on any more arguments than those presented by the government at trial, some of which are hard to reconcile for anyone who understands how a computer application works.
We now have 30 days to file an appeal for cassation and hope that the Supreme Court understands, as we do, that this is a relevant issue that needs to be addressed by the courts in an objective manner, with solid technical criteria and considering that a specific application, which makes decisions on aid for millions of people, should be subject to scrutiny. The Supreme Courts accepts a limited number of appeals in cassation, evaluating only those cases that require a thorough study and involve new legal questions. We have reached this stage twice before (and won both!), so reaching the Supreme Court was our goal all along (especially considering the National Court’s limited interpretation of our Transparency Law).
A fight that began in 2018 and is not going to stop
This is the most recent chapter (but not the last, because we are not giving up) of a fight that started in 2018. It was then that, after having reported on the changes in the aid, we denounced [in Spanish] that nearly two million households would be left out if the process wasn’t explained properly and simplified. That same year, we put all our energy into helping out: we created, in collaboration with the Spanish market regulator, CNMC, an application to simplify the process. Anyone could then check if they were entitled to this aid —without having to unravel the extremely complex regulations—, and we accompanied them in the process, prefilling the forms for them. This application remains active, and updated with every change, to this day.
But it was also the year that this litigation began. It was in 2018 when we requested the functionalities and source code of BOSCO, the application that decides whether an applicant receives the aid. We received some design documents explaining how the system worked (after months of appeals, though) and, thanks to that, we showed that there were errors [in Spanish], which we reported to the government so they could be fixed.
However, and this is key to the whole process, they did not want to give us the source code, a crucial element to verify that the rest of the application worked correctly. The Council of Transparency and Good Governance (CTBG) didn’t agree with us either at the time. And in 2019 we had to go to court.
Three years later we lost the first round: the Central Administrative Court dismissed our challenge, arguing that releasing the code, in addition to contravening intellectual property, would affect both public security and national defense. And they sentenced us to costs of €2,000. We did not agree with that decision and filed an appeal, which is what was ruled on today.
Along the way, the CTBG has switched to our side [in Spanish]. Even the then Secretary of State for Digitalization and Artificial Intelligence, Carme Artigas, stated publicly feeling “very dissatisfied with the BOSCO case” and emphatically assured that “it was not true” that opening the code would attack data protection and intellectual property.
And what’s more, the inconsistencies do not end there, because while the government continued fighting in the courts to keep BOSCO’s source code closed, it released the code of Radar Covid, the application developed during the COVID-19 pandemic. Then, and only in that case, it was apparently “an exercise in transparency and an invitation to the community to contribute, if they wish, to improve a tool that seeks to help us tackle the chains of transmission of #COVID19”.