Managing Security Risks in Open Source Software

The Israel Privacy Protection Authority (“IPPA”) recently released new guidelines regarding the use of free and open source software (“Open Source Software”) in connection with databases that contain personal data (the “Open Source Guidelines”). The Open Source Guidelines note that that Open Source Software, especially codebases that are poorly maintained, may contain cybersecurity vulnerabilities, and that use of such potentially insecure software may result in data breaches. These new guidelines are issued on the heels of a number of high-visibility vulnerabilities discovered in Open Source Software projects, including the recent backdoor which seems to have been intentionally introduced by a developer into the XZ Utils project. 

As such, the new Guidelines clarify the application of the Israeli Protection of Privacy Law- 1981 (the “Privacy Law”) and attendant regulations to database software that is based on or contains Open Source Software. Specifically, the Open Source Guidelines address the following issues:

1. Pursuant to the Protection of Privacy Regulations (Data Security)- 2017 (“Data Security Regulations”), database owners (or data controllers in EU parlance) are required to maintain a database specification document and a system architecture and inventory document.  These documents must clearly identify all the computer systems holding personal data and map the database structures used in such databases. The Open Source Guidelines clarify that such documents must describe in detail Open Source Software incorporated in or used with such systems, including the license terms applicable to such software. The Guidelines recommend using available software that allows for the mapping of the Open Source Software included in such systems.
2. The Data Security Regulations require database owners to properly maintain the systems holding personal data, and ensure the application of regular software updates of such systems. As such, the Guidelines expressly prohibit the use of Open Source Software that is not supported or maintained. We note that, while popular database software such as MySQL and MongoDB is available under open source licensing terms, such software is maintained by commercial organizations that also make such software available under paid commercial licenses. Other database software, such as PostgreSQL, is maintained by well-established open source projects. As such, in prohibiting the use of database software that is not supported or maintained, the Guidelines seem to be aiming not so much at the database software itself but rather other related software used by the organization. See below regarding the scope of the Open Source Guidelines for more information.
3. The Guidelines emphasize the obligation of database owners to ensure that databases are not connected to public networks without the use of adequate security precautions. As such, such entities are required to take appropriate precautions to ensure that any Open Source Software included in their systems do not contain malware.
4. Prior to engaging an outsourced service provider, database owners must evaluate the risks posed by the use of Open Source Software by such service provider.
5. Database owners must evaluate the risks posed by Open Source Software prior to developing or licensing systems based thereon.
6. Entities should appoint an “Open Source Program Officer”, which individual would be responsible for ensuring the ongoing maintenance and security of Open Source Software used by the entity. Database owners are also encouraged to provide their developers with training concerning the  security risks specific to Open Source Software. 

The scope of the Open Source Guidelines is broad. The Guidelines assert that they apply to all database software, as well as to “all software used to operate, manage and maintain the database, support its operation, and monitor the software and its security, as well as all software and interfaces used to communicate with the database software”. This could possibly include a broad swath of software beyond the database software itself. As such, the Open Source Guideline aims to essentially transform much of the work of open source compliance into a requirement of Israeli privacy law and regulations.

Given the broad scope and significant implications of the new Open Source Guidelines issued by the Israel Privacy Protection Authority, we recommend clients conduct thorough audits of their open source software usage to ensure compliance with data security and privacy obligations. Should you need assistance in navigating these requirements, feel free to contact us for expert guidance and support.

The information presented here is of a general nature and is not intended to answer the unique circumstances of any individual or entity. Although we strive to provide accurate and available information, we cannot guarantee the accuracy of the information on the day it is received, nor that the information will continue to be accurate in the future. Do not act on the information presented without appropriate professional advice after a comprehensive and thorough examination of the specific situation.