Memorandum to the
ICT Working Group of the ECPRD
Microsoft Follow Up to the Nicosia Meeting
November 28, 2003
At the recent annual meeting of the ICT Working
Group of the ECPRD in Nicosia, Cyprus, Microsoft representatives
received a number of questions on a variety of topics, in both plenary
presentations and individual discussions. This memorandum provides
responses to those inquiries. We have tried to address major topics and
individual questions with information that is useful to the ICT Working
Group. We could provide further levels of detailed information for those
who desire it, and hope that this memo covers a significant amount of
the information that ECPRD representatives need. We have also included a
number of web links to further information on specific topics.
In this memorandum, we address the following
topics:
Security
Open source software
Shared source
Open standards and interoperability
XML schemas
Binary file format license for governments and parliaments
Recent developments on OSS policy
Developments regarding Microsoft Corporation
We appreciate your continued inquiries and
feedback. It is our pleasure to work with the ICT Working Group. Please
contact us at any time.
Wilfried Grommen
wilgrom@microsoft.com
Mark Lange
mlange@microsoft.com
Security
Security is an industry-wide issue, and as a
leader in the computing industry, Microsoft understands that it carries
a substantial responsibility. Microsoft is focused on enhancing security
features across its platform and products, and also on helping customers
meet the challenges in their current environments.
Trustworthy Computing:
The Trustworthy Computing initiative at
Microsoft, officially launched in January 2002, is a long-term,
company-wide effort to deliver safe, private and reliable computing
experiences. Trustworthy Computing addresses the multidimensional set of
issues that affect the level of "trust" that people place in computing.
Within this initiative, Microsoft’s security approach has three prongs:
- Secure by design means architecting products from the
ground up to be inherently more secure. A design goal is to reduce the
surface area vulnerable to attack.
- Secure by default means shipping products in a locked down
position, so customers enable only those features they want to use and
maintain.
- Secure by deployment means making it easier to maintain systems
through improved "security usability" and patch management. An example
is cumulative patches that automatically update your system with the
latest protection.
Links:
www.microsoft.com/security;
http://www.microsoft.com/security/protect/
Government Security Program:
National and international public sector organizations, including
national parliaments, have special IT security needs. The Microsoft
Government Security Program (GSP) provides the technical information,
access to Windows source code, and direct access to Microsoft security
staff, necessary to be confident in the security provided by the
Microsoft Windows platform.
Link:
http://www.microsoft.com/resources/sharedsource/Licensing/GSP.mspx
“Security at Microsoft” White Paper:
To demonstrate its commitment to share its internal IT security
practices, in order to help its customers and partners to successfully
secure their own environments, Microsoft has published a White Paper
titled "Security at Microsoft" (November 2003),
detailing the methods and technologies used by the company's Operations
and Technology Group (OTG) to secure its own global corporate network of
more than 300,000 computers and 4200 servers.
Common Criteria Certification:
Common Criteria is a government-developed,
globally-accepted ISO standard for evaluating the security of IT
products and systems. Certification of a software product under the
common criteria standard, performed by an accredited third party lab, is
strictly based on documented, evidence-based rigorous testing and
reviews. In 2002, the European Council urged all member states to
promote Common Criteria.
Microsoft is committed to having its platform
products fully evaluated under this standard. Last year, Windows 2000
achieved the highest level certification for the broadest set of real
world scenarios achieved by any commercially available operating system,
a level called “EAL 4 + Flaw Remediation”. See http://www.commoncriteria.org/docs/EALs.html
for a discussion of the different Evaluation Assurance Levels (EALs). No
version of a Linux operating system has been certified at this level.
Link:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/issues
Open Source Software and the Public Sector
The relationship of governments and parliaments
with the software industry is in the spotlight. The agenda for the ECPRD
meeting reflected the broader discussion about the open source software
(OSS) model, and its role in eGovernment and eParliament solutions.
Although the discussion is often cast in
black-and-white terms, Microsoft believes that there is an increasingly
wide spectrum of choices in the industry, choices that blend elements of
the OSS and proprietary development models in a variety of ways. The
marketplace currently reflects a trend towards the middle, with more OSS
companies offering some proprietary software, more companies offering
proprietary software on an OSS platform, more OSS applications being
built on the Windows platform, and more commercial companies, including
Microsoft, offering more access to source code and also encouraging
collaborative development. Although some Microsoft products compete
directly with some OSS products, Microsoft also recognizes that the OSS
development model offers some benefits, especially transparency and
community development, that can also be applied by proprietary vendors
in different ways.
This variety and competition are all beneficial for
customers and developers. The discussion is moving away from “OSS vs.
proprietary” terms and more towards customer needs. Regardless of how
software is developed or what combination of OSS and proprietary
software is provided in any particular solution, customers want
solutions that meet their requirements.
Over the past year, many public sector entities
have considered OSS, and some national governments have issued software
strategy statements concerning the future use of OSS. The national
governments of the UK, Denmark, Italy, and Slovenia have provided
explicit guidance on OSS use. These governments do not advocate a bias
towards OSS. Instead, OSS products are rightly seen as additional
competitors in the marketplace, and these governments require that
software procurement be made on a fair value-for-money basis considering
all choices. The public sector has many underlying interests and
concerns, such as costs, value, security, interoperability, and local
economic development – factors which do not rely on one single
development model.
Cost of ownership and total value
The speakers at the ECPRD meeting agreed that OSS
is not “free of charge”. OSS advocates themselves will often correct
this impression, and emphasize that they offer “freedom” to view and
modify source code. Many customers, however, are focused on the wider
variety of characteristics that directly relate to overall cost and
value. Even these “freedoms” with OSS are not uniformly applied:
services companies sometimes require that customers not modify
OSS code in order to be able to commit to service levels at affordable
prices.
An examination of the total costs related to a
software solution recognizes that the initial procurement of software
licenses is only a portion of the relevant expense. Analysts’ figures
vary, but typically the software cost represents around five per cent of
total ongoing costs. The necessary service costs for OSS can be higher
in comparison to their commercial counterparts. Often with commercial
software packages, a huge amount of resource is already built in, so for
the end user the software is easy to install, integrate and maintain.
The cost equation is certainly important, but
focusing solely on cost can neglect the overall value a piece of
software provides, and the enhanced productivity that the software
enables. Value relates to the functionality of the software and the
ability of users to make productive use of the software.
Cost analyses also depend on specific
environments, but these studies can offer some perspective:
Link:
IDC TCO study;
http://www4.gartner.com/DisplayDocument?id=396500
Shared Source
Microsoft’s Shared Source Initiative, launched in
2001, is an evolving framework (not one individual license) that
supports a spectrum of source licensing programs, each tailored to a
particular constituent community’s specific needs for source code
access, responding to customers’ and partners’ requests.
The range of Shared Source licenses falls within
four categories:
- Customer Support: Provide source access
to existing customers and the public sector to facilitate product
support, deployments, security testing, and custom application
development.
- New Development: Provide instructional
source code through samples and core components for the facilitation
of new development projects.
- Education & Research: Provide source
code and documentation for use in classrooms and textbook publishing
and as a basis for advanced research.
- Business Opportunity: Provide licensing
structure and source code to encourage mutually advantageous new
business opportunities for partners.
Currently, the program includes Windows 2000
operating system, Windows XP, the Windows Server 2003 operating system,
Windows CE, Windows CE .NET, the .NET C#/CLI (Common Language
Infrastructure) implementations, the Visual Studio .NET Academic Tools
development system, and ASP.NET Samples. Microsoft’s licensing approach
ranges from reference-only grants in some licenses, to broad provisions
that allow licensees to review, modify, redistribute, and sell works
with no royalties paid to Microsoft. To date, Microsoft has delivered
source code to more than a half-million developers and customers
worldwide.
The Government Security Program (GSP), mentioned
earlier, is an example both of the flexibility of the Shared Source
program, and the focused attention on unique customer needs. After
consultation with government security agencies and further understanding
their needs, Microsoft announced the GSP in January 2003, and so far 14
governments in Europe and the Middle East have signed agreements with
Microsoft. In addition to providing the transparency of the source code,
this program fosters partnership between the government and Microsoft
through ongoing collaboration. Representatives of participating
government agencies may opt to visit Microsoft development facilities,
and give direct input on public sector security requirements.
Geographic scope of the program:
A presentation at the ECPRD meeting offered an
inaccurate listing of countries where Microsoft source code is
available. For both legal and practical reasons, there have been some
geographic limitations on the program. However, the program has
continuously expanded since its inception and each license has a
different scope. Windows CE code is available over the Internet, to
everyone in the world. The code to the Windows XP platform, because of
its value, is managed through a secure portal with smart card access,
and also requires more of an infrastructure for Microsoft to support, so
its scope was limited to start but has expanded. Governments and
parliaments are, of course, unique, and the scope of the GSP program is
wider than the licenses available to private entities. Government
security agencies in at least 4 of the countries on the list presented
at the ECPRD meeting already have Microsoft source licenses.
If representatives of any of the parliaments in
this region would like to discuss a source license, we would be pleased
to speak with those officials. In addition, e-voting was mentioned as an
area where code availability is important. We have not yet received any
requests from governments or parliaments for source code in connection
with e-voting processes, but if that is a need we can address it, either
under one of our current licenses or other terms if necessary.
Link:
http://www.microsoft.com/resources/sharedsource
Interoperability and open standards
A great deal of confusion surrounds discussions of
interoperability which stems from a misunderstanding of the distinction
between the terms “open standard” and “open source.” Sometimes these
concepts are equated when they are in fact separate. Many firms assist
in the development and implementation of open standards, regardless of
whether they sell OSS solutions.
Open standards exist to enable interoperability in
a marketplace of multiple competing implementations while ensuring
certain minimum requirements are met. In the software development model,
it is equally possible for an open standard to be implemented in a
proprietary software package or in an OSS package. It is also true that
software development need not be standards-based at all; some OSS is,
and some is not.
Microsoft is committed to engineering
interoperability into our products and has been a leader in the
development of XML as an open standard that will further the trend to
enable smooth and cost-effective connectivity of information, people,
systems and devices, across platforms or over the Internet. This trend
will continue, and Microsoft is an active supporter of it, alongside
many OSS advocates and other industry partners.
Microsoft actively participates in many standards
organisations and often contributes directly to the development of
individual standards. For example, Microsoft recently completed the
Commission-sponsored “PKI Challenge,” a successful two-year effort to
promote interoperability between products that create and manage digital
signatures for secure e-commerce. We are also actively engaged in
developing standards for e-Government services, online privacy, wireless
and mobile communications, accessibility, new “web services,” imaging
and graphics, multimedia, and many other areas. And, of course,
Microsoft implements hundreds of open standards in its own products.
Standards that go beyond what is necessary for
interoperability, by contrast, run the risk of curbing innovation and
competition. For instance, standards that require the use of a specific
product prevent firms from offering innovative solutions that use
different—perhaps even better—products. Such standards effectively
undermine market incentives for innovation and product diversity in the
interests of “sameness.” But people don’t want product uniformity, they
want solutions that preserve interoperability while expanding consumer
choice.
Safeguarding IT innovation in this manner,
however, does not mean abandoning interoperability. On the contrary,
firms that do not implement a particular standard will need to work
extra hard to promote interoperability in other ways—by implementing
competing standards, for instance, or by sharing even more of their own
technical information with others. In either case, the marketplace will
ensure that firms develop interoperable solutions where consumers want
them.
XML Schemas
Very recently, Microsoft announced the worldwide
availability of a royalty-free license for its Office 2003 XML Reference
Schemas, in order to improve the interoperability and transparency of
the Microsoft Office product.
Governments, parliaments, customers, partners and
the IT industry are looking for greater interoperability for data and
document exchanges across disparate electronic borders. To promote and
encourage the exchange of data in Microsoft Office 2003, customers are
able to save many files “as XML”.
Microsoft has now taken the further important step
of offering anyone (customers, governments, parliaments, citizens,
technology departments, schools, universities, software developers,
competitors) a royalty-free license for its Office 2003 XML Reference
Schemas. These schemas describe how information is stored when documents
are saved as XML in the Microsoft Office applications.
The Microsoft Office 2003 XML Reference Schemas
are comprised of the following: WordprocessingML (the schema for
Microsoft Word 2003), SpreadsheetML (for Microsoft Excel 2003) and
FormTemplate Schemas (for InfoPath 2003).
By licensing its Office 2003 XML Reference
Schemas, Microsoft is providing the technical information people need to
understand the structure, tags and formatting in these documents.
One benefit of this approach is that
individuals and organizations will have the option of developing and
distributing software programs that can read and write files that are
compatible with these schemas.
Microsoft took this step after consultation with
several public sector entities, particularly recently with the Danish
Ministry of Science, Research and Innovation. The Danish government
persuaded Microsoft that such a license was required to meet its
eGovernment requirements to enable open access to public documents.
Microsoft is also taking this step in order to
build on our ongoing efforts to promote interoperability, including
development and standardization work for XML itself, W3C, SOAP, UDDI,
WS-Security (a security model for XML web services) and other industry
standards.
Finally, by offering this license, Microsoft
reemphasizes its commitment to make the Microsoft Office
System a first-class development platform for XML. Microsoft
recognizes that XML web services can dramatically reduce IT integration
costs while also improving the productivity of end users. By providing
this new licensing program, Microsoft hopes to further underline its
commitment to taking positive and constructive steps toward helping
customers realize the full potential of XML.
The license to Microsoft’s Office 2003 XML
Reference Schemas will allow governments, consumers, partners and the
computer industry to take data interoperability to a new level.
That said, it is important to understand that even with XML, competing
programs with different capabilities and features will not be able to
render all documents in an identical manner at the level of
presentation, graphics and layout. The license to the Office 2003 XML
Reference Schemas will not overcome this fundamental challenge.
Link:
http://www.microsoft.com/office/xml
Binary File Format License for Governments and
Parliaments
As described at the ECPRD meeting, Microsoft has
also crafted a license for Office binary file formats that meets many
common needs expressed by governments and parliaments in various
countries.
Microsoft’s “Government and Parliament License
Agreement for Archival, Forensic and Security Use of Microsoft Office
File Format Documentation” is the license Microsoft is offering that
caters specifically to the public sector. This is a narrow
license, not intended for all purposes, but it fills a need that
governments and parliaments have identified particularly with respect to
archived digital files. The agreement provides licensees with
authorization to make use of the relevant Office binary file format
documentation to (i) develop future Office-originated document rendering
technology for internal government or parliament use in the event no
suitable alternative technology is then commercially available, (ii)
identify certain meta-data underlying a given Office-originated
document, and (iii) engage in Office-related security analyses.
Particularly with respect to the archiving issue, this license is not
intended to displace current solutions, but to act in the manner of an
escrow agreement if other solutions are not available in the future.
Other file format issues
Microsoft has long offered customers the
opportunity to create, edit and save Microsoft Office files using open
formats. For example, the most recent versions of Microsoft Office allow
customers to use open formats such as ASCII and HTML. Extensions to HTML
in Microsoft Office are there to provide a richer experience for Office
customers; such extensions simply do not show up in the browser for
people who do not have a Microsoft product, but the use of the open
format is still enabled.
Open file formats can play a role in fostering a
more seamless exchange of data between competing software applications.
However, by their very nature, open formats often allow only for a
“lowest common denominator” level of uniform data reuse and display.
Every piece of software contains different sets of features and
implements these features from file formats in unique ways.
The mere existence of an open file format does not
guarantee uniformity of presentation and display of exchanged files. In
fact, despite the existence today of many open word processing formats,
none achieve this type of outcome between products such as Corel
WordPerfect Suite, Sun Star Office, Lotus WordPro, Open Office, and
Microsoft Office.
Complete uniformity of the presentation and
display of files exchanged between competing products could only be
achieved if every product were exactly like its competing products. Such
situations would likely limit customer choices and jeopardize future
innovation. Because of this, it is commonly understood in the industry
that file exchange between competing products will inherently involve
some limitations.
OSS Policy Developments
This is a short summary of some recent and
relevant policy developments relating to Open Source Software in Europe:
- Portugal, October 2003: On October 9, 2003, the Portuguese
Parliament voted overwhelmingly against a mandatory OSS preference
proposal that would have required the use of open source software in
the public administration. First introduced in November 2002, the
legislative proposal was for a strict mandatory rule, allowing for the
use of commercial software in very limited circumstances, and only
with permission from the Presidency of the Council of Ministers.
Link: http://www.europa.eu.int/ISPO/ida/jsps/index.jsp?fuseAction=showDocument&documentID=1718&parent=chapter&preChapterID=0-140-194-329-342
- Slovenia, September 2003: The Slovenian government adopted a neutral policy on
development, introduction, and use of OSS in public administration.
The policy states that Slovenia will consider OSS solutions, but will
base procurement decisions on quality and value for money. The policy
was adopted with a view to ensure a rational and technologically
neutral approach to diverse software solutions.
- Denmark, June 2003: The Danish government issued its official
Software Strategy on June 13,
2003, stating that software purchases would be based on two criteria:
quality and cost effectiveness. In doing so, the government has chosen
to avoid a preference policy that favors one software development
model over another, and is instead promoting competition by ensuring
the widest range of choice for government in its procurement
decisions, according to a consistent TCO approach to software
evaluations, while at the same time emphasizing interoperability and
open standards.
Link: http://www.oio.dk/software
The June 2003 Danish Software Strategy also supersedes the Danish
Technology Board’s report, OSS in e-Government,
issued in October 2002. The Board’s recommendations were taken into
account, but not entirely followed in the implementation of the
official Danish Software Strategy.
Other Microsoft Developments
Despite the often-repeated, and sometimes
mistaken, bad news about Microsoft, there are several developments that
are less widely reported but might be of interest to ECPRD
representatives.
Citizenship
Microsoft takes very seriously its role and
responsibilities as a global industry leader and corporate citizen. The
company is committed to responsible corporate governance, and it has
made substantial investments in communities in this region that will,
over time, have a social and economic impact. We have summarized many of
our most significant activities in this regard in the following report:
Microsoft Citizenship Report – Great People with Great Values (September
2003)
Link:
http://www.microsoft.com/mscorp/citizenship/report/
Accessibility
Microsoft’s mission is to enable people and
businesses throughout the world to realize their full potential. To make
that possible, we need to ensure concrete accessibility to our
technologies, with special attention to people with disabilities. This
effort will contribute to the goal of wide citizen access to eGovernment
and eParliament services. Microsoft has received numerous awards for the
accessibility of our products and our work on accessibility issues.
Link: Case studies and other information are available at:
www.microsoft.com/enable
Digital Integrity
Microsoft has taken several measures to help
enhance the integrity of the digital environment.