Spending GNOME's privacy money

Benefits for LWN subscribers The primary benefit from subscribing to LWN is helping to keep us publishing, but, beyond that, subscribers get immediate access to all site content and access to a number of extra site features. Please sign up today!

In 2013, the GNOME Foundation ran a successful campaign that raised funds for enhancing privacy features in the GNOME desktop and application suite. Unfortunately, subsequent changes in the organization left GNOME without a clear plan for how best to use the earmarked funds, so they remain—untouched—in GNOME's bank account. At GUADEC 2016 in Karlsruhe, Germany, the topic of how to utilize the money was revisited, and a plan has now begun to take shape.

The funding-cryptographers problem

To recap, the GNOME fundraising campaign started in December 2012 with the stated aim "to enhance GNOME 3 so that it offers one of the most secure computing environments available." Several privacy-related feature possibilities were listed on the announcement page, including enhanced disk-encryption support, Tor integration, anti-phishing features, and tools to integrate applications with system-wide privacy settings. The target amount was US $20,000, which was reached in late July 2013, a few week's before that year's GUADEC.

The campaign was much like the previous year's fundraiser to improve accessibility features. As was the case with that earlier effort, the project took some time to consider what its options were. One can see the topic recur in many of the discussions posted to GNOME's Foundation list, for example. For whatever reasons, though, a concrete plan for the privacy funds never materialized.

The explanation may be partly organizational in nature. GNOME has been without an executive director since March 2014, when Karen Sandler went to the Software Freedom Conservancy. That meant that the day-to-day duties of running the GNOME Foundation have had to be spread around among various (volunteer) members of the board.

On top of that, much of the board's time in 2014 was rather unexpectedly taken up by the trademark-infringement dispute with Groupon. Handling that extra workload in addition to the board's duties and the tasks normally tackled by an executive director was, no doubt, time-consuming.

But the subject of privacy is also a bit more nebulous than accessibility, further complicating the task of devising a game plan. At GUADEC 2014, a group of project members formed the Safety and Privacy Team and set out to create a list of potential target tasks. The ideas are quite varied in nature and touch a lot of different GNOME components and applications. Finally, it is undeniable that privacy and security features tend to score high on the perceived difficulty scale, and the reality is that $20,000 does not buy much developer time at professional rates (though what such rates are is a matter of debate, of course). So how to spend the money proved just as tricky as what to spend it on.

Breaking the logjam

The upshot, though, is that the raised funds have remained untouched in the GNOME Foundation's accounts, but they have not been forgotten. How to get the ball rolling again was a question posed to the board at GUADEC 2015 (in addition to various side discussions). And, at GUADEC 2016, security and privacy questions came up again in several sessions, including Werner Koch's keynote and Federico Mena Quintero's session on usability problems in the GNOME GnuPG front-end, Seahorse. Invariably, whenever those discussions took place, the unsolved issue of allocating the privacy-campaign funds came up.

Eventually, the board decided that it had to find someone to spearhead the process of moving the privacy work forward. Board member Cosimo Cecchi agreed to take on that task, and he hosted an unconference session on the topic (with a nearly packed room) on the last day of GUADEC 2016. The session began with a status update. Cecchi said there had been talk of paying for a professional security audit of networked GNOME applications (like GNOME Maps, Notes, and Weather) but that, upon further review, it seemed unlikely that this would be the most beneficial use of the funds, since all of those applications are TLS secured and do not handle personally identifiable information. In other words, those applications already consider privacy issues, and the costs of such an audit (which would no doubt be expensive) were deemed to outweigh the potential benefits. The same cannot be said of most of the other feature ideas proposed thus far.

He also noted that there has, in fact, been progress on the privacy front in recent years—the first item on the Safety and Privacy Team's wishlist was application sandboxing, a feature on which GNOME has made tremendous strides forward. He reviewed several of the common suggestions for how to spend the money as well, including sponsoring a series of hackfests, hiring developers, and establishing feature bounties.

For the rest of the session, Cecchi fielded suggestions from the audience on what the project should pursue and how to pursue it. Somewhat regrettably, most of the comments focused yet again on adding to the list of potential new privacy features, with fewer suggestions being made in the way of implementation ideas.

A page on the GNOME wiki now tracks the status of the project as well as the list of potential features and implementation ideas. After GUADEC, the process for moving forward on the privacy fund was discussed in the August 23 and August 30 board meetings. The minutes from the August 23 meeting are online, while the August 30 minutes have not yet been posted. Board member Allan Day did provide a brief update via email, however.

As of now, the feature bounty idea has been dropped, as has the hackfest idea. Instead, the plan is to use the funds to employ several paid interns to work on privacy-related features, with mentoring from GNOME developers. That is expected to provide the most bang for the buck, so to speak. And those internships would be directly sponsored by the GNOME Foundation, not through Google Summer of Code (GSoC), Outreachy, or other such programs—although there is certainly nothing to prevent privacy-related work taking place through other means. Day added that the GNOME community will be asked to help choose the final set of intern projects, although a time frame for the selection and the internships is still under discussion.

So it remains to be seen how many interns will be involved and what the specific projects will be, but the ball does seem to be moving forward again. In recent years, many free-software projects have learned how valuable GSoC and Outreachy interns can be; internships funded directly by GNOME for a specific purpose will, in all probability, prove equally beneficial. And there is always the possibility that the internship program will have ripple effects elsewhere in the project simply by raising the profile of privacy work—there is no shortage of privacy feature ideas, and the GNOME community seems excited to pursue them one way or another.

Whatever the new privacy features end up being, GNOME supporters will surely be pleased to see the fundraiser bear fruit after a series of interruptions.

[The author would like to thank the GNOME Foundation for travel assistance to attend GUADEC 2016.]

