(Also carried by p2pnet)
I have seen this issue covered in a variety of locations, and is being discussed in a number of different forum. On Thursday there was a Newsforge article by Bruce Bayfield with the headline "Canadian online census discriminates against FOSS". A few citizens have written letters to their member of parliament about this embarrassment to Canada.
I thought I would weigh in on this issue as a technical, policy and security consultant.
First, I do not see this as a FLOSS/Linux vs non-FLOSS/Microsoft issue. I do not believe that the government should be expected to make implementations of software available for every platform that its citizens may use. In fact, I'm not convinced that the government should be involved in providing implementations of software to be installed on peoples computers at all, with this being the major source of my complaint.
What the government should be doing is clearly documenting the free/libre and vendor neutral standards being used to communicate between citizen and government computers, allowing a wide variety of implementations to be authored. Citizens can then choose a supplier that they trust, or get together in a coalition of citizens to create their own trustworthy implementation.
While the government may provide a list of vendors who supply compliant software, if they distribute software themselves it should be mandated to be publicly disclosed third party audited software.
Private citizens should have a legally and government protected right to make their own choices of what software they install on their computers. Computer software is just a set of rules or instructions which a computer obeys. It should be the owner of that computer and not a third party, whether a Virus author, the government or the entertainment industry, that should be able to determine what instructions the computer obeys. (See "Code is Law" Speedgeek)
The claim from the government is that the specific software in question is being used for "security" purposes. I believe that this is false, no matter what definition of security you are using, or what threat you are using this security to protect against.
The vendor-dependant platform choice.
The software happens to be dependant on specific versions of the Sun Microsystems implementation of the Java language. This implementation is only available for a subset of computers..
While vendor neutrality is a legitimate public policy concern, I do not believe this concern is critical to the question of security. Many technical people have become distracted by those who claim this implementation is insecure as they believe that this is an evaluation of the Java language or of the Sun Microsystems implementation. Whether or not the specific implementation of Java that is required to make this application work has flaws does is not critical. The critical issue is that an application written in a full featured language is being run on a persons personal computer, with all the access to other information and settings on that computer that any other application would. Whether the application is written dependant on Sun's Java, a vendor-neutral Java, or in "C" does not matter.
This code has not received third party audit
While there is a claim that the government audited this code, this should never be considered sufficient evaluation for software that is going to be installed on computers not owned by the government. The government should be expected to do their own security audit of any software that runs on government computers, but the same level of auditing should be allowed of citizens who should be able to do their own audit. Encouraging citizens to download, install and run unaudited software from the Internet on their computers is an extremely bad policy. In a world with so much harmful code being inadvertently installed on peoples computers, the government should be actively helping to educate people to never install random software from unaudited sources -- not becoming one of those unaudited sources themselves.
The government has mandated that this software be unable to receive third party audit
A group of security students at University of Ottawa (That happen to have a podcast called The Parliament Hillbillies in Ottawa) filed an Access to Information request for this software. Not only did they not receive specifications of the software or any necessary source code, they did not even receive documentation of what security policy is theoretically being implemented by this software. Not only is the implementation not able to be audited, the underlying policy being automated can not be audited.
Any claim that the government may have that the information can not be disclosed for "proprietary reasons" are invalid. This information must be disclosed, and if a vendor is unwilling to disclose this information then this issue should have been resolved as a mandatory requirement of the procurement process. Vendors who are not willing to publicly disclose for third party audit any software that will be installed and run on citizens personal computers should have been disqualified from the bidding process.
As a security person my recommendation is to stay away from any site which claims you need to download and run unaudited software on your computer. This must include government sites, so citizens are recommended to not fill in the online census and use the more secure paper version of the forms.
There are other people who have recommended a boycott the Canadian Census for other reasons.
Statistics Canada has contracted out software, hardware, and printing of the 2006 Canadian Census to Lockheed Martin--the world's biggest arms manufacturer, a maker of weapons of mass destruction, a company that continues to benefit from the war in Iraq, a company known for corruption and breaking the rules, and a company that could possibly invade our privacy under the US PATRIOT Act if it obtained such information.
While I agree with this campaign, I would still be recommending against using the online census forms even if a more trustworthy firm had been contracted. The fact that this specific firm has been contracted just adds fuel to those who quite legitimately are boycotting the online census.