►
Description
Presented by Mike Linksvayer, Director, Policy, and Marietje Schaake, Member of the European Parliament
Through funding, regulation, and agenda setting, public policy can and does make software more secure—and less secure. This session will dig into case studies in Europe of how public policy has supported security, or inadvertently threatened to make software more fragile, including how these policies came about, how they impact software security, and how developers influenced the policies. We’ll also cover how developers and industry are working with policymakers and governments to ensure policy supports rather than undermines security and trust, and what you can do as a developer, team member, and citizen to help.
About GitHub Satellite 2019
A community connected by code
Explore our interconnected community—and how collaboration turns ideas into innovations.
Join us in November at San Francisco's Palace of Fine Arts for GitHub Universe - https://githubuniverse.com/
A
Since
this
is
a
session
on
policy,
I
think
it's
acceptable
to
and
everybody's
excited
about
these
new
tools
and
best
practices
and
how
they
can
deploy
them
like
right
now,
in
your
day
to
day
jobs.
However,
this
is
a
session
on
policy,
so
I
want
to
look
I.
Think
I'm
I
have
permission
to
look
ahead.
A
little
bit.
I'm
really
excited
about
how
these
new
tools
and
practices
and
support
for
the
open
source
ecosystem
are
gonna
play
out
over
the
next
say.
10
years,
it's
going
to
be
amazing.
Who
knows?
A
What's
gonna
happen,
however,
something
else
is
gonna
play
out
in
that
kind
of
timeframe.
That's
also
going
to
profoundly
impact
what
developers
build
house,
how
secure
the
software
they
build
is
going
to
be
and
really
what
what
developers
career
paths
are
going
to
be,
and
that
is
developments
in
public
policy.
A
I'm
Michael
linker
from
the
github
policy
team
and
kind
of
our
hypothesis
about
the
world
is
that
the
more
developers
and
policy
makers
talk
to
each
other
and
understand
each
other.
The
better
policies
will
get
the
more
secure
software,
the
more
secure
software
will
gets
and
indeed
the
more
secure
society
will
get
and
I
I'm
even
more
pleased
to
have
with
me
on
stage
Murrieta
Chuck,
a
member
of
European
Parliament's
from
the
Netherlands.
A
A
And
you
cannot,
you
can
also
see
one
of
my
richest
columns
in
the
press.
This
is
with
Financial
Times
I
pulled
from
from
your
home
page
about
how
governments
must
halt
the
spread
of
commercial
spyware.
So
this
is
really
just
indicative
of
how
you're
influencing
the
conversation
in
a
very,
very
kind
of
informed
way,
so
I
want
I
want
to.
A
B
It
started
at
the
University
of
Amsterdam,
where
I
was
actually
really
curious
and
not
quite
finding
in
my
studies
of
sociology
and
American
Studies.
What
I
wanted
to
do,
and
there
was
a
very
new
minor
at
the
time,
so
a
small
field
of
specialization
called
new
media,
and
this
was
more
than
twenty
years
ago,
so
revealing
my
age
a
little
bit
there.
But
this
really
allowed
me
to
be
introduced
to
the
sort
of
connections
between
technological
developments,
the
emergence
of
the
world
wide
web
globalization
and
what
it
meant
for
people,
society
and
human
rights.
B
Fundamental
freedoms,
I'm,
not
a
better
thinker,
I'm,
not
an
engineer.
I'm,
not
a
coder,
but
I
tried
to
look
at
where
technology
reaches
and
what
implications
it
has
for
people.
And
since
then,
I've
continued
to
visit
hacker
conferences.
I've
been
helped
enormously
by
people
like
yourselves,
who
have
taken
the
time
to
sit
with.
Someone
like
me
to
allow
me
to
ask
stupid
questions,
and
it's
just
basically
by
keeping
track
and
by
caring
about
this
topic
and
what
the
impact
of
tech
is
on
values
and
rights.
Right.
A
B
Yeah
I'm
convinced
that
if
we
could
bring
the
worlds
of
governance,
politics
and
technology
developments,
cyber
security
closer
together,
that
would
be
better
for
everyone
and
I
mean
I.
Think
the
the
sort
of
alienation
is
mutual,
sometimes
right.
A
very
good
friend
of
mine,
Andrew
Roche,
always
says
politicians,
don't
know
the
difference
between
a
server
and
a
waiter
and,
unfortunately,
I
think
that's
often
true,
but
on
the
other
hand
a
lot
of
people
in
tech
are
not
very
familiar,
to
put
it
mildly,
with
how
democratic
processes
work.
B
B
Who
knows
how
to
find
a
conference
like
github
and
who's
gonna
be
open-minded
to
what
is
going
on
in
the
world
of
open-source,
so
I
think
we
all
on
the
policy
side
on
the
political
side,
but
also
on
the
tech
side
would
benefit
a
great
deal
from
opening
our
real
life
bubble
and
sharing
knowledge
with
each
other
in
a
constructive
way.
Right.
A
So
continuing
to
kind
of
ask
about
your
involvement
in
cybersecurity
policy,
particularly
I,
would
I
put
up
on
the
on
the
screen.
The
global
Commission
of
this
on
the
stability
of
cyberspace,
cyberspace,
which
you
serve
on
and
their
mission
statement,
which
really
kind
of
which
you
might
not
want
to
read
word
for
word
now,
but
really
kind
of
contextualizes.
The
challenge
of
the
stability
of
cyberspace,
which
certainly
developers
depend
on
to
ship
as
almost
a
geopolitical
kind
of
thing.
Yeah.
B
A
It's
not
I
think
everyone
at
least
understands
that
legislation
happens
even
if
they
don't
understand
the
mechanics,
maybe,
but
what
role
do
groups
like
the
global
Commission
on
stability
of
cyberspace
play
and
and
I?
Imagine
that
you
must
think
it's
compelling
one,
because
you
have
you
serve
on
it.
No.
B
So
the
global
Commission
is
actually
trying
to
put
forward
proposals
that
are
not
law,
but
that
are
in
the
in
the
realm
of
norms.
So
they
are
softer
than
law,
but
they
are
designed
to
be
a
common
denominator.
Where
states,
private
sector
companies,
civil
society
actors,
cyber
security
experts,
NGOs,
can
find
each
other
in
a
common
interest.
B
Then
there
is
only
one
direction,
which
is
a
race
to
the
bottom,
and
it
will
actually
equally
impact
countries
like
China
and
the
United
States.
It
will
equally
impact
the
average
Internet
user
and
a
big
corporation,
and
this
is
not
the
direction
we
want
to
go
in
and
there's
a
whole
set
of
of
norms.
We
have
I,
think
seven
now,
ranging
from
a
norm
around
electoral
integrity
and
the
the
role
of
technology,
but
also
supply
chains.
I.
Think
it's
a
hot
topic
these
days.
B
A
B
A
B
Sure
so
one
observation
was
that
in
the
market
we
saw
a
lot
of
bug,
bounty
programs
and
you
know,
incentives
for
hackers
to
use
their
knowledge
towards
the
greater
good
instead
of
selling
to
the
highest
bidder.
Who
could
also
be
you
know,
criminal
network
or
worse,
but
there's
there's
now
increasingly
bug
bounty
programs
by
big
corporations
like
Microsoft
and
others.
There
are
now
platforms
for
bug,
bounties,
I'm,
sure,
you're
you're
all
familiar
with
these,
but
in
the
open-source
space
there
are
different
incentives.
B
And
so
we
created
this
as
what
is
called
a
pilot
project
which
is
basically
kind
of
like
a
startup
in
policy.
You
really
want
to
kick-start
a
process
and
make
some
budget
available,
and
it's
been
a
big
success.
Already
there
have
been
hackathons
organized
and
even
though
the
people
responsible
in
the
European
Commission
were
a
little
bit
apprehensive
at
first.
This
often
happens
when
they
have
to
deal
with
new
things.
They
are
now
the
most
excited
about
being
part
of
this
process
and
I
really
encourage
you
to
look
at
it.
B
It's
it's
about
open
source,
so
it
should
really
meet
your
world
and
your
expertise
and
I
hope.
It
can
begin
to
bridge
this
larger
gap
between
tech
experts,
security
experts
and
policy
makers
to
think
about
the
most
economically
smart
securities,
smart,
but
also
democratically
smart,
essentially
way
of
working
with
software.
And
that's
how
I
see
open-source
software
is
the
more
democratic
way
of
working
with
technology.
Great.
A
So
do
I
so
and
ask
follow-up
to
that
I,
wonder
if
there
are.
If
there
are
other
programs
in
the
you,
that's
relating
to
open
source
or
cyber
security,
that
developers
don't
really
ought
to
be
aware
of,
and
I
I
want
to
highlight
a
a
I
just
put
up
on
the
screen,
an
excerpt
from
a
European
Commission
slide
deck
on
open-source
strategy
and
I.
A
Think
the
interesting
thing
for
people
in
this
audience
might
be
that
it
will
be
very
familiar
for
anybody's
thought
about
kind
of
open
source
maturity
in
the
enterprise
where
you
start
to
use
open
source.
Maybe
you
don't
even
know
you're
using
open
source
and
then
you're,
you
know
purposefully
using
it
and
then
you're
producing
it
and
contributing,
and
you
hope
that
it's
gonna
contribute
to
transforming
your
enterprise
well
government
at
least
a
forward-thinking
government
entity
like
the
European
Commission.
A
B
So
I'm
convinced
that
we're
gonna
see
for
better
or
worse,
but
that
we're
gonna
see
a
lot
of
tech
policy
decisions
being
made
in
the
next
couple
of
years.
I
think
on
content
moderation,
who
decides
what
stays
up?
What
goes
down
questions
of
intermediary
liability
exemptions,
there's
going
to
be
a
lot
of
policies
developed
and
if
we
don't
want
to
see
a
repetition
of
the
copyright
directive.
That
I
think
has
disappointed
many
of
us
in
this
room.
B
Where,
when
you
look
at
the
European
landscape,
there
is
an
enormous
difference.
There
are
countries
like
my
own,
which
is
a
coincidence,
but
also
friends
that
have
fairly
sophisticated
vulnerability
disclosure
mechanisms,
but
there's
also
countries
that
are
still
beginning
to
grasp
the
importance
of
this
process
and
so,
from
a
European
point
of
view.
It's
good
to
do
this
in
a
harmonized
way,
but
from
a
national
or
even
local
point
of
view.
It's
also
important.
B
The
people
that
are
responsible
for
these
decisions
see
why
it
matters
so
I
believe
that,
from
the
policy
angle,
from
the
implementation
of
policy
angle
and
from
a
sort
of
general
interest
perspective,
it
would
be
really
good
to
see
more
and
even
more
systematic
exchanges
between
communities
like
yours,
the
open
source
community
and
lawmakers.
Okay,.
A
That's
actually
what
I
want
to
talk
about
next
I,
we
were
talking
about
ways
that
government
could
kind
of
help
make
the
software
ecosystem
more
robust,
for
example,
by
doing
things
like
bug
bounties.
So
now,
copyright
directive
is
actually
a
case
study
and
how
policy
potentially
makes
the
software
ecosystem
more
fragile,
more
fragile
and
I
put
up
on
this
on
the
screen.
A
Github,
the
initial
blog
posts,
where
we
sort
of
highlighted
the
potential
threats
to
the
software
ecosystem
and
the
console
readout
that
you
see
there
is
not
real,
fortunately,
but
the
idea
is
potentially.
If
software
development
platforms
have
been
falling
under
this,
this
directive,
then
potentially
automated
filtering
would
have
been
necessary
and
that
really
could
have
made
the
the
software
ecosystem
more
fragile
because
it
could
have
you
know
your
critical
security
fix
might
have
been
blocked,
because
you
know
it's
a
false
positive
to
this
filter
that
that
we
were
forced
to
implement.
A
The
software
industry
is
just
not
pertinent
to
this
you.
You
know
you
really
want
to
go
after
social
media
platforms,
maybe,
but
this
is
only
going
to
harm
us
and
they
actually
listened,
but,
of
course
that
doesn't
mean
that
what
was
actually
passed,
even
though
this.
Fortunately,
this
exclusion
actually
made
it
and
made
it
into
the
final
legislation.
B
A
B
So
I
think
the
the
copyright
directive
will
go
down
in
history
as
one
of
the
decisions
with
most
unintended
consequences
and
with
most
derailed
lobbying
on
both
sides.
I
should
say
because
some
of
the
emails
that
you
sent
thank
you
for
that
there
were
quite
a
few
and
it
irritated
a
lot
of
people,
and
some
of
them
were,
of
course,
automatically
sent
through
or
whatever,
because
they
included
exactly
the
same
words,
which
is
usually
kind
of
a
hint
for
lawmakers
to
see
that
there's.
B
You
know
that
they're
steered
centrally
and
that
it's
not
citizen
by
citizen
who
is
writing
the
same
letter,
but
also
from
the
part
of
the
publishing
houses
from
the
movie
producers.
The
the
music
industry
I
mean
it
was
really
a
tragic
display
of
promises.
You
know
that
democracy
would
be
saved,
that
the
free
media
would
be
saved
all
by
copyrights.
Well,
if
I
think,
history
doesn't
have
such
a
great
track
record
of
all
the
positive
impact
that
copyright
protection
has
really
brought
the
world.
B
So
I
would
have
liked
to
see
this
law
pass
without
filtering
requirements
effectively.
Even
though
it's
not
there
in
wording
and
without
an
additional
copyright
protection
for
publishers,
I
think
it
is
justified
to
update
the
copyright
protection.
It's
an
outdated
law
technology
changes
very
fast.
It
can
also
be
enabling
for
companies
to
reach
larger
audiences,
but
the
the
intentions
must
have
been
good.
A
B
I
think
this
really
goes
to
show
that
having
a
broader
discussion
about
how
tech
works
and
anticipating
laws
earlier
on
building
trust
with
lawmakers.
Who
sometimes
have
you
know
a
certain
image
in
their
minds
when
they
hear
the
word
hacker
when
they
hear
the
word
coding,
I
mean
I've
heard
some
people
referring
to
their
inboxes
being
hacked
just
because
they
received
so
many
emails,
which
you
know
it
could
have
still
been
hacked,
but
it's
not
necessarily
shown
by
a
number
of
emails
coming
in.
B
A
B
A
B
Actually,
there
will
be
a
lot
of
prosecution
and,
like
legal
cases
around
this,
which
I
think
is
very
unfortunate,
I
mean
I.
Think
the
copyright
directive
was
the
best
result
for
lawyers.
To
be
honest,
because
this
ambiguity
between
the
European
decision
and
the
implementation
on
the
member
state
level
will
no
doubt
be
used
for
all
kinds
of
litigation
right.
A
So
there's
there's
this
there's
a
statement
by
some
Member
States
that
was
published
and
I.
Actually
first
became
aware
of
it
through
your
Twitter
feed
actually,
and
the
statement
by
Germany
is
actually
particularly
interesting
and
good
and
I
put
up
on
the
screen.
Two
little
brief
excerpts,
I
think
are
worth.
A
Really
quickly,
so
one
just
that
they
are,
you
know,
talk
about
how
important
the
exclusion
of
software
development
platforms
and
we
encyclopedias
like
Wikipedia-
is
so
they're,
not
not
under
this
regime,
but
the
other,
perhaps
even
more
interesting.
One.
Is
that
to
the
extent
there
are
technical
measures
required
that
the
you
should
invest
in
open-source
development
around
them.
A
I
think
that's
quite
interesting,
maybe
because,
even
though
we
might
not
like
upload
filters-
or
maybe
you
know
similar
mandates
that
come
with
other
regulation,
if
if
in
fact,
they're
potentially
impactful
to
democratic
discourse,
wouldn't
it
be
good.
If
and
we
want,
you
know
even
small
platforms
to
have
them,
wouldn't
it
be
good
if
there
were
share
technologies
that
did
not
kind
of
create
competitive,
motes
and
also
allowed.
You
know
journalists,
researchers
to
actually
look
at
the
implementation.
A
B
The
effort,
I
believe
is
entirely
legitimate
to
make
sure
that
the
rule
of
law
also
applies
online
and
that
principles
like
non-discrimination,
fair
competition,
access
to
information,
etc,
etc,
are
upheld
somehow
and
I
think
that
open
source,
as
I
mentioned,
before
sort
of
the
more
democratic
way,
the
more
public
interest
way
of
dealing
with
challenges
and
and
digitization.
So,
yes,
I
see
a
big
role
there,
but
I
I
believe
there's
a
lot
of
steps
that
could
be
taken.
I
should
be
taking
on
the
part
of
governments
to
recognize
much
more
what
their
own
role
is.
B
As
sending
you
know,
tenders
and
and
procurements
into
the
markets,
setting
setting
the
the
terms
of
reference
for
a
number
of
developments,
as
well
as
making
laws
so
I
think
bringing
these
communities
closer
together
and
also
to
hear
from
the
open
source
community
in
slightly
more
layman's
terms.
What
be
done
because
one
of
the
great
things
about
people
like
you
is
that
you
are
experts
geeks.
B
You
know
a
lot
of
stuff
about
very
specific
things,
but
that
doesn't
mean
that
people
understand
what
you're
talking
about
when
you're
explaining
it,
and
so
what
we
need
to
do
is
bridge
these
gaps.
I
often
feel
like
a
bit
of
an
interpreter.
You
know
trying
to
frame
certain
debates
that
I
hear
in
communities
like
yours
or
at
the
Chaos,
Computer,
Club
or
or
other
techie
conferences,
and
then
to
think
about.
If
I
had
to
explain
this,
to,
let's
say
the
equivalent
of
my
mother.
A
B
A
Is
all
too
true-
and
you
said
the
word
non-discrimination
in
there?
So
that's
a
great
segue,
because
I
want
to
take
the
opportunity
of
having
you
here
to
also
ask
you
about
something
that
isn't
directly
related
to
security,
but
is
about
kind
of
securing
the
policy
ecosystem
to
allow
developers
to
compete
on
a
level
playing
field
and.
B
A
B
A
Neutrality,
right
and
so
I
think
that
you
play
the
kind
of
a
key
role
in
in
ensconcing.
They
use
network
neutrality,
regulation
and
also
very
interesting.
You
did
some
kind
of
cross
border
advocacy
and
led
this
letter
that
I
have
up
on
the
screen
that
I
believe
148
of
your
colleagues
sign
encouraging
the
u.s.
to
do
the
same.
A
So
I
wonder
if
you
could
say
a
few
words
about
how
it
I
also
wanted
to
mention
the
the
European
Commission
also
just
published
a
study,
basically
saying
that
all
stakeholders
are
flying
with
network
neutrality
in
the
EU
and
I
wonder
what
developers
in
other
parts
of
the
world
that
maybe
don't
have
that
could
learn
from
your
experience.
Yeah.
B
So
I
think
the
example
for
net
neutrality
is
a
really
good
one.
Also
building
on
what
we
just
discussed.
You
know
trying
to
get
concepts
to
be
understood
by
larger
groups
of
people,
so
net
neutrality
for
the
longest
time
was
this
technical
term
that
a
lot
of
my
colleagues
like
okay,
yeah
I,
don't
know
what
she's
doing
is
probably
not
very
relevance.
So
we
don't
have
to
understand
the
details
of
net
neutrality,
but
by
framing
it
as
rules
of
the
road
for
the
digital
economy
or
as
a
fair
competition
online.
B
More
people
also
those
who
care
about
competition
issues
or
who
care
about
the
digital
economy
or
digital
signal
markets,
as
well
as
people
who
care
about
the
preservation
of
the
open
Internet
started
to
see
that
it
also
mattered
to
the
things
that
they
wanted
to
achieve,
and
it
was
a
tough
battle.
Just
like
the
copyright
one
mean
the
telcos
initially
were
not
very
thrilled
to
see
net
neutrality.
B
In
fact,
it
was
one
of
the
reasons
why
we
started
to
discuss
it
at
all,
because
telecom
operators
were
throttling
or
even
cutting
off
access
to
voice
over
IP
competition,
which
is
obviously
not
allowed
one,
because
they're
not
allowed
to
look
at
where
you're
surfing,
whether
you're
going
to
use
whatsapp
or
Skype
or
whatever,
and
two,
because
they
cannot
use
their
privileged
position
of
providing
access
to
the
Internet,
for
example,
to
discriminate
against
which
website
you
want
to
go
to.
And
that
is
what
we
have
now
put
in
in
European
law
and
I'm.
B
A
Well,
we're
working
on
that
so
I
want
to
move
move
back
to
sort
of
broader
norms
and
even
geopolitics
and
I
want
to
do
that
by
highlighting
a
paper
that
you've
published
in
the
Georgetown
Journal
of
International
Affairs
called
a
rules-based
order
to
keep
the
internet
open
and
secure
and
who
could
argue
with
a
title
like
that.
The
well.
A
It's
really
not
actually
written
it's,
it's
quite
short,
I
want
to
say
10
to
12
pages,
and
it's
it's
quite
readable,
so
I
encourage
I,
encourage
you
to
look
this
up.
It's
actually
a
really
interesting
framing
for
kind
of
what's
happening
in
the
world
of
technology
and
policy.
Today
and
I
want
to
try
to
give
you
my
take
away
from
it
and.
B
A
We
can,
we
can
see
how
it
goes
from
there.
Yes,
I
mean
basically,
the
US
and
EU
have
typically
at
least
advocated
for
a
rules-based
internet
order
in
international
order,
and
specifically
rules
based
internet,
but
over
the
last
few
years,
do
you
they've
kind
of
backed
away
or
we've
kind
of
backed
away
from
that,
because
we
see
the
Internet
is
something
to
be
feared
now,
not
necessarily
something
to
be
to
be
fostered
and
into
that
gap.
We
have
a
bunch
of.
A
We
have
kind
of
alternative
models
of
that
are
like
liked
by
authoritarian
regimes,
and
there
are,
how
do
we
get?
How
do
we
get
back
to
to
you
know
appropriate,
regular
regulation,
good
regulation,
but
but
that
defends
this
rule
bit
rules-based
order
and
makes
it
makes
it
global,
and
there
are
precedents
for
doing
that.
So
do
I
have
the
sort
of
outline
of
the
arguments
close
to
rights
and
I
wonder
how
can
developers
actually
act
on
this?
A
B
Exactly
so,
I
I
think
what
we've
seen
very
broadly.
That's
what
I'm,
trying
to
also
highlight
in
the
article
is
that
traditionally,
so,
let's
imagine
pre-internet
democracies,
European
countries,
United
States,
some
other
countries
have
believed
in
the
notion
that
the
rule
of
law
is
is
sacred,
that
people's
rights
and
freedoms
and
some
principles
need
to
be
protected.
But
strangely
enough,
despite
some
sound
bites
like
an
Internet
freedom
strategy
that
Hillary
Clinton
rolled
out,
etc,
there
has
not
been
a
fundamental
transposing
or
extension
of
this
rules-based
order
to
the
online
digital
world
and
I.
B
B
There
has
been
an
absence
of
rules
and
principles
articulated
by
the
democracies
of
this
world,
and
another
argument
that
we
often
heard
I
still
hear
today
is
don't
regulate
the
internet,
because
otherwise
China
will
do
the
same
well.
I
wish
China
would
listen
to
us,
because
then
we
would
be
in
a
in
a
more
democratic
place.
You
know
altogether.
B
A
Fantastic,
that's
a
fantastic
way
to
end
the
conversation.
I
encourage
you
to
continue
the
conversation
you
can
follow,
Marrakesh
Shaka
on
on
Twitter.
You
can
also
follow
github
policy
and
I,
encourage
you
to
also
cultivate
more
politicians
and
policy
makers
in
your
mold.
Really
talk
to
your
talk
to
your
your
representatives
and
vote.