Some thoughts about Bulgaria's law demanding open source software

Bulgaria has apparently passed a law recently demanding all software purchased in the future by the country to be open source. This raises a couple of procurement related questions which are worth covering here.

Art 58 of the E-Government Act states that:

Art. 58a. (New - SG. 50 of 2016, effective 07.01.2016) Upon preparation of technical and functional assignments for public procurement to develop, upgrade or implementation of information systems and e-services administrative authorities must include in the job following requirements:
1. where the subject of the contract includes the development of computer programs:
a) computer programs must meet the criteria for open source software;
b) all copyright and related rights on the relevant computer programs, their source code, the design of interfaces and databases whose design is subject to the order should arise for the principal in full, without limitations in the use, modification and distribution;
c) Development should be used repository and revision control maintained by the Agency in accordance with Art. 7c pt. 18;

(Translation via Google Translate)

It appears this law mandates Bulgarian contracting authorities to only acquire open source software from now on, although that not extends to licensing agreements. In other words if the contract calls for software to be developed, then it needs to be open source whereas if the contracting authorities wants to simply license commercial software it can continue to do so. Effectively, the open source mandate only kicks in for the creation of new software.

By demanding open source to be used, Bulgaria is taking steps to owning the software outright, instead of paying to a contractor to develop the software and then keep the underlying intellectual property which is a more common model and one that may have State Aid implications.

I think this is a good and reasonably balanced approach taken by Bulgaria. In addition to what has already been said by others (and here), one can think about added benefits from this measure. First, it avoids the lock in of the contracting authority to a piece of software which is fundamental to its operations (or else it would not have gotten it developed in the first place) and whose control lays in the hands of the contractor. I think this is probably the biggest benefit from a public sector perspective and it is worth nothing the ownership of associated IP is also demanded by the new law. Out of the top of my head I can remember a case where a Government had to pay an outgoing contractor to get data out of a database as said contractor owned the underlying source code and refused to play ball without being paid. It is important that contracting authorities understand the relevance of "owning" the underlying custom code they use, even if it is just for the purposes of making it available in open source.

On the long run, by making the code open source and having it in a central repository which is easily accessible ensures that Bulgarian future contractors can easily re-use the existing code, ensuring continuity of service and pushing costs down over the long run.

There are, however a few procurement related potential downsides to this approach.

First, it may be perceived as violating the rules demanding technical specifications not to be discriminatory, as any economic operator developing commercial software would potentially at a disadvantage. I do not see this as a real problem since any economic operator can still take part in the procedure nonetheless and the demand of open source can be seen as a requirement to own the software outright instead of just its use (which is pretty much the model for commercial software). As a comparison its like the contracting authority buying a vehicle outright instead of leasing it - the leasing companies are also at a disadvantage. At their core all technical specifications are discriminatory.

Second, there may be extra costs associated with the open source approach (at least at the beginning). The usual suppliers may try to increase prices since they will not be able to re-use the code at profit in other projects down the line. However, the added competitive pressure may actually put a lid on prices quite quickly. Even if it makes contracts more expensive now,  over time I suspect the fact code is open source and can be iterated by different economic operators will lead to lower prices overall.

Third, it is important to ensure liability is correctly allocated on each contract, especially if existing code is being re-used or re-purposed. This, however, is a problem for all software contracts or in procurement of innovation in general.

Thoughts on the White House Source Code Policy

According to this GitHub post by Mark Hopson from 18F, the US Government is considering introducing a policy whereby custom made code should include (some) distribution rights and not only the right of use. In other words, the US Government is mulling requiring developers to grant a more expansive license to the Government, so that the code can be be re-used by Federal agencies other than the acquirer. These are interesting developments, well worth some comments.

I find it fascinating that the policy is open to discussion and comments, even on GitHub as done by Mark. Here are my views on the proposed Policy as well as Mark's suggestions.

1. What is at stake

When someone buys say a license for Windows, that license includes only the use of the programme and not the rights to modify or redistribute the source code. Buying a "off the shelf" license to use Windows is manifestly different from asking a developer to come up with a custom solution for a specific problem. The proposed Source Code Policy targets the latter and not the former, ie new code that is developed specifically for the a need the Federal Government has. In general, I am in favour of making as much source code publicly available as possible under the guise of a public good.

From a procurement perspective, I find the Source Code Policy very interesting as it mitigates two major problems in procurement of innovation, albeit at a cost: (1) IP ownership and (2) State Aid.

2. IP ownership

In the last 4-5 years I have written a few times about the issue of intellectual property as the key problem in public procurement of innovation. When a new idea/implementation/solution is created as a consequence of a public procurement procedure, who should own the resulting intellectual property? Art 31 of the Directive 2014/24/EU - referring to the innovation partnership - only states that intellectual property rights need to be addressed during the procedure. We can get very specific and detailed depending on the type of intellectual property generated,* but on a general note the IP will belong either to the contracting authority or the economic operator(s) who created in the first place.

Mark suggests in its post a change in the draft policy so that it entails an acquisition of all rights to the custom code. In my view, a full blown IP acquisition by the public sector is not a great solution - managing IP is not the core business of virtually all contracting authorities and all the IP generated was a means to an end. In addition, if the contracting authority acquires the IP, it becomes responsible for both for the good and the bad which it may lead to. Case in point, if said IP infringes someone else's existing IP, guess who will be left holding the proverbial can? Sure, we can include back to back liability clauses in the original contract but that regulates the relationship between the contracting authority and the economic operator, without binding the owner of the infringed IP. Plus, if the economic operator goes bust all those nice and shiny indemnity clauses are not worth the paper they are written on.

Another downside of a complete IP assignment to the contracting authority is the loss of said IP from the wider society. Let's be honest as any IP acquired by the public sector would end up as the Lost Ark from Indiana Jones: locked in a "warehouse" of sorts, far from prying eyes and without generating any benefit for the society at large other than the contract where it was deployed. Mark's proposal of making all the code freely available would solve this problem.

The solution proposed by the US Federal Government is particularly interesting as it mitigates both downsides of a full blown acquisition. For the second it even strikes a good balance as it ensures other Federal Agencies can use it for free. As for the first, the economic operator is still on the hook for any infringement since it keeps ownership of the custom code. It may however increase the risk of litigation as more users will be deploying the code potentially raising the visibility of any IP infringements committed in the development of the custom code.

3. State Aid

Coming from an EU angle, The second problem with procurement of innovation in the EU is the potential for it to breach State Aid rules, namely Article 107 of the Treaty on the Functioning of the European Union. State Aid occurs when a an advantage to an undertaking is given by a public authority. Paying for a contract to develop an innovation while allowing the economic operator to commercially exploit the innovation would constitute, prima facie, a violation of EU's State Aid rules.

The problem, however, is somewhat mitigated by the Commission's own assumption (cf para 32) that it will not sue anyone involved in pre-commercial procurement where "an open tender procedure" has been followed, the underlying issue is still present as the primary law has not been changed and only the Commission pledge not to enforce it. In other words, the distortion to the internal market is still present - albeit legalised by the Commission pledge not sue the beneficiaries. Communications of the Commission, however do not constitute a source of EU law and ultimately the power to legislate in this matter remains with the Council (Art 109 TFEU). Do I see the Council meddling in this? Not really, hence my comment in the two preceding paragraphs.

Notwithstanding the above, it is clear that a license for a Government to re-use custom code acquired by any agency reduces the market value of said code. After all, a number of potential customers has just evaporated leaving the economic operator only with the possibility to re-use it with private clients or other public bodies not covered by the license. This reduces the level of state aid involved but does not fully solve this problem. The reduction in the potential number of customers brings me to the downsides though.

4. Other downsides

I suspect one of the unintended consequences of this policy will be an increase in prices. If economic operators know in advance they will not be able to re-sell the code to other Federal Government clients, the logical consequence is for them to jack up their prices. How much, I have no idea. Mark's solution would exacerbate this problem as the only opportunity a developer had to make money directly with the code is in that single transaction.

Ultimately, it may also lead to potential economic operators not turning up in the first place, reducing competition. Unless the code is completely separate from existing code-bases, no economic operator will accept creating a variant/fork of its "crown jewel" to be used for free by all other Government agencies. Unless, that is only the completely new code is covered by the sharing obligation. This, however, would be useless as the rest of the code would not be made available.

Another downside I see with this policy is the risk for the Government - by obtaining a license to share to other Federal Agencies but not the wider world - the Government becomes the custodian of that code. So what happens if after a security breach the code is leaked to the internet, coming from one of those private repositories? Who will be held responsible for the license violation? Mark's approach would solve this issue.

These downsides are valid both in the US (as afar as I can tell) as they would be here in the EU.

5. Bottom line

I do not want to rain on the Federal Government parade nor to chill any similar developments in the EU. If anything, I view this as the right way to go and one which balances well competing interests. Having said that, there are downsides and shortcomings to take into account.

 

*Whereas the main IP issue surrounding source code are by definition copyright, they do not end there. Out of the top of my head, there can be design rights (patents in US parlance) involved and in specific circumstances patents may be involved (yes, more common in the US than the EU).

 

Links I Liked [Public Procurement]

1. France's transposition of Directive 2014/24/EU is almost done and Le Moniteur had access to the current working draft (French only).

2. A Spanish vision of public procurement of innovation (Spanish only). Plus, the national Government produced a new version of its innovative public procurement guide, also only in Spanish.

3. The UK Government cannot save £10 billion by moving procurement online. Peter Smith is sanguine about the savings claims included in the Reform report Cloud 9: the future of public procurement. I am not fully convinced either, but it could be added to the report's figure that if competition in public procurement increased by being moved online then the ability of (some) suppliers to extract rent would be limited. This affects not only the prices today (potentially leading to their immediate reduction) but also prices in the future as the increase in competition would lead in my view to a gentler slope of increase going forward.

4. Whitehouse adopts a Open Source Software policy:

"This policy requires that, among other things: (1) new custom code whose development is paid for by the Federal Government be made available for reuse across Federal agencies; and (2) a portion of that new custom code be released to the public as Open Source Software (OSS)."

Very interesting approach by the US Federal Government. I have to wonder however how many Federal agencies will end up reusing custom code contained in the repository. This policy does have implications for procurement.

5. We're hiring: Professors, Associate Professors, Senior Lecturers and Lecturers.

What is the potential upside of public contract registers?

Over the weekend Albert published an awesome post on the competition-related downsides of public contract registers. By and large I stand on the other side of the argument, but genuinely welcome my views (and any orthodoxy) to be challenged. Contrary to some colleagues or proponents of specific policies (social policies supporters I am looking at you...) I really want to know the downsides of whatever policy I think its best.

All policies are made of tradeoffs and it is fundamental to know what those tradeoffs are. When someone tells you a certain policy has no cost or any implications (as I have been told and in public, by a well known proponent of social policies...) it usually means one of two things: either they have not looked hard enough or they do not want you to know about the downsides.

Albert and I have discussed issues surrounding transparency and competition for years. His view is pretty much the standard view of competition lawyers: extra transparency comes at a cost for competition and public procurement is a market prone to collusion in the first place. Although I have slowly come to be more nuanced in what concerns transparency during the procedure (read, my view is slowly moving on his direction), I remain bullish on the beneficial tradeoff from having more ex-post contract transparency. The crux of our difference is precisely that: I think contract registers will leave us better off, Albert probably thinks we will not. In reality there is only one way to sort this and that is by looking at data (but more on that later).

Public contract registries (post award)

On his post Albert suggests that the logic behind post award contracts registries is based on reducing the perceived shortcomings of public governance and complementing traditional public audit and oversight mechanisms by enabling citizens to monitor contract data. He is right on both counts and is the fault of proponents for public contracts registries like myself to come up with other justifications for the registries. In my view, there are valid economic reasons to push for post award contract registries, mostly connected with the reduction of price arbitrage.

On the plus side: Reduced arbitrage

One of the iceberg type problems in public procurement is information asymmetry and arbitrage. It is well known that the same supplier will charge different prices to different contracting authorities without batting an eye lid. Can we imagine this happening in other sectors? A couple of years ago Amazon tried precisely that and people went absolutely bananas. Somehow, we accept that this should be the norm in public procurement. Having said that, there are other sectors where price discrimination is an accepted practice, like airlines.

But the arbitrage arising from the lack of price information is crucial in another way. How many sectors do we perceive to be efficient if the price is not public? How would the oil market work for example? Or the stock market? Can you imagine buying houses without knowing the price paid recently in the area?

Price transparency brings efficiency into a system by reducing the scope for arbitrage. And in my view this is the strongest argument in favour of public contract registries: by and large they will make the public procurement market more efficient. How? Via two mechanisms.

First, it will allow contracting authorities to have access to more reliable information...if they are so inclined and willing to invest the time. They can more easily know what their peers paid for a similar item/service. (I am assuming here the contracts register works well and is fully searchable, which may not be the case).

Second, it provides every potential supplier in the market with granular pricing data. How much are your competitors charging for the equivalent service/good? Are we pricing ourselves out of the market? How can we be more competitive? By knowing the average pricing on a public procurement market you can easily make a decision to invest in that area (because there is arbitrage) or to stay away.

Again, let's go back to the oil example. When price of oil is high, companies invest in exploration. When it is low, they do not and hoard their supplies (that is why there is so much oil sitting in tanks at the moment). How could suppliers make those decisions if price transparency did not exist? The oil market is an excellent example where the attitudes of a strong cartel (OPEC) which supported high oil prices for years enabled lower cost suppliers to come into the market and eat that profit margin.

Once more participants in that market do not bat an eyelid to making the pricing public. And yes, I am talking about a commodity, but then a lot of public procurement is made around commodities, including oil.

There is no fundamental reason why price has to be a private piece of information. If it was always made public, it could be factored in into the decision-making of economic operators to take part or not in that market. It would be akin to patents to a certain extent. For an economic operator to be granted a patent, it needs to tell the world (by and large) how the patented invention works. That protection is time limited, so it forces economic operators to make an informed decision on going or not for it. And they still go for it in droves. They have no problem with that trade off...

To a certain extent a public contract is similar to a patent monopoly: it gives you exclusive access to a market for a set period of time. Why should we treat price differently from the crucial information that goes into patents?

A similar problem with lack of price transparency happens in the developing world where farmers have limited access to price information. Guess what happened once they start buying mobile phones...

On the downside...

The downside of the above is that price transparency makes it possible for collusion agreements to flourish. The more transparent you are, the easier it is for cartel members to police one another. Albert makes a bunch of very strong arguments along the traditional competition law line: more transparency = more and better cartels.

Albert argues that 20% of contract value are due to anticompetitive overcharging arising from cartels operating in public procurement. One of the perennial problems when talking about public procurement is the poor quality of data, particularly of "ground truth" data. By and large, we simply do not know exactly what is happening on the day to day operations of contracting authorities (another argument in favour of contract registries!) But let's assume the value is right.

If we increase post award transparency of public contracts what would happen then?

The answer is, it depends on the market. If the situation is really that bad already, there is not a lot of scope for it to get worse. However, the numbers can be wrong by an order of magnitude and in either direction. In any event, I think three things would happen:

In markets where cartels traditionally operate, things will get worse as the extra pricing information makes the policing easier. But I would limit this downside to those markets where cartels are already prevalent and no new entrants to the market are expected due to the extra transparency. The latter is possible if it becomes evident to an economic operator that a specific market is inefficient.

In markets where cartels do not currently operate, but numbers are limited, things may get worse. Yes, it is possible (as argued by Albert) that the extra pricing information may make cartels more likely. Have you ever noticed as on highway's the petrol prices tend to be more or less identical and always higher than in smaller roads? That may be a good example of where price transparency may be leading to tacit collusion.

In all other markets, competition will be enhanced at least until we reach a new equilibrium and weaker suppliers are driven out. And this is why that by and large the new equilibrium will leave us better off. This would not be valid if competition was compromised in the majority of markets, most of the time.

Albert does not address potential upsides of having more data available in terms of cartel fighting. What can be done when reams and reams of contract data are available? You can spot odd behaviours. For example, you can corroborate a whistleblower account and you can then check if certain collusive practice/tactic is happening in other sectors as well.

Small example: years and years ago I was doing a due diligence on a supposedly very competitive sector. I had access to hundreds of contracts and saw no evidence of litigation and was surprised to see that the competitiveness of companies fluctuated a lot on different procedures. I was very puzzled with the pattern, was not convinced by the company's explanation and wrote something along those lines on my report to the (foreign) client. Interesting enough, the client did not quizz me for further information...

There is another analogy that could make my argument easier to understand here and that is the debate between open and closed source software. Open source software effectively means all code is available for any one to see, peruse (and mostly) to do whatever they want with it. When it comes down to bugs and security vulnerabilities it means anyone (good or bad) can spot weaknesses in the code either for exploit purposes (bad) or to patch them (good). It also means that every new release indicates clearly what bugs were patched. Again, there are pluses and minuses here: on the one hand, everyone knows what bugs were patched, on the other hand attackers now what bugs were on the previous version and have an attack vector to use on unpatched systems. It cuts both ways.

On the closed source model, only the owner of the intellectual property knows the code and has access to it. In what concerns security this is known as "security through obscurity", ie believing that by withholding certain information companies and users are better off when it comes down to security. We have seen how well this has played out for Windows over the years and more recently for routers (more here), cars and virtually anything classified as part of the Internet of Things. Not having access to the source code has not really stopped attackers from finding vulnerabilities on various closed sourced systems.

So at the root of the discussion we have two opposite camps: one is proposing that we are better off by hiding information (security by obscurity); the other suggesting we will be better off by putting all that information out in the open (security by transparency), even though in specific case we will be worse off. Life is made of tradeoffs.

Can we minimise the competition impact of the contract information?

Personally, I still believe we will come ahead by releasing that information as soon as possible. But here are a couple of suggestions to mitigate the competition impact of post award transparency.

1. Delay the release of data

What would happen if we time delayed the release of the contract data? Say for a year or 18 months, so that by the time it came out it would no longer be of immediate use or value for cartels? This would provide an indication of the prior practice but not the current one, thus limiting the benefits for cartels but also for the market to operate more efficiently.

2. Release only aggregate data

In addition to delaying the release of data, perhaps we could aggregate data by CPV code for example. This would imply that no individual contract information is released and makes it difficult to find a balance between what type of information gets released when, but it already exists (at least in the UK) under the form of spend data.

The downside of both options is that the data exists in the first place and is kept private for a set period of time (back to the security by obscurity). In consequence, anyone invested in that market has an incentive to get access to that data before the market has, like a public procurement "insider dealing". Again, life is made of trade offs.