Tragedy of the Digital Commons

Paper by Chinmayi Sharma: “Google, iPhones, the national power grid, surgical operating rooms, baby monitors, surveillance technology, and wastewater management systems all run on open-source software. Open-source software, or software that is free and publicly available, powers our day-to-day lives. As a resource, it defies economic logic; it is built by developers, many of whom are volunteers, who build projects with the altruistic intention of donating them to the digital commons. Developers use it because it saves time and money and promotes innovation. Its benefits have led to its ubiquity and indispensability. Today, over 97% of all software uses open source. Without it, our critical infrastructure would crumble. The risk of that happening is more real than ever.

In December 2021, the Log4Shell vulnerability demonstrated that the issue of open-source security can no longer be ignored. One vulnerability found in a game of Minecraft threatened to take down systems worldwide—from the Belgian government to Google. The scope of the damage is unmatched; with open source, a vulnerability in one product can be used against every other entity that uses the same code. Open source’s benefits are also its burden. No one wants to pay for a resource they can get an unlimited supply of for free. Open source is not, however, truly unlimited. The open-source community is buckling under the weight of supporting over three-fourths of the world’s code. Rather than share the load, its primary beneficiaries, companies that build software, add to it. By failing to take basic precautionary measures in using open-source code, they make its exploitation nearly inevitable—when it happens, they free-ride on the already overwhelmed community to fix it. This doom cycle leaves everyone worse off because it leaves our critical infrastructure dangerously vulnerable.

Since it began, open source has worked behind the scenes to make society better. Today, its struggles are going unnoticed and unaddressed. The private sector isn’t willing to help—the few who are cannot carry the burden alone. So far, government interventions have been lacking. Secure open source requires much more. To start, it is time we treated open source as the critical infrastructure it is…(More)”.