+++
title = 'Why Open Source?'
date = 2026-05-12T12:00:00-00:00
lastmod = 2026-05-12T12:00:00-00:00
tags = ['open source']
[params]
  author = 'Iain Learmonth'
+++

All of our development efforts at SR2 Communications are released under an open source licence. This is often a condition of the grants that fund our work but we don't just use the licences to meet contractual requirements. We strongly believe that open source software is the best way to approach the technical needs of civil society organisations.

Kerckhoffs's Principle is one guiding idea in this approach. The principle holds that a cryptosystem should be secure, even if everything about the system, except the key, is public knowledge[^1]. Kerckhoffs's principle was later phrased by the American mathematician Claude Shannon as "the enemy knows the system".

This principle forces us to build software that would withstand a source code leak because it's already open. We cannot hide security flaws behind obscurity. Every algorithm, every protocol decision, every line of networking code must be robust enough for expert scrutiny. When vulnerabilities are found, and they sometimes are, they're found by friendly researchers who report them, rather than by adversaries who exploit them silently.

This auditability also helps us build trust. When our code is fully auditable, users can verify exactly what our software does, and crucially, what it doesn't do. They can confirm we're not logging their activity, not inserting backdoors, not collaborating with adversaries. This trust is foundational. Without it, users won't risk using our tools, and the tools become useless.

When we produce censorship circumvention tools, we are building in a context where there is already distrust. Censorship cannot exist without surveillance. To block content, authorities must first monitor what users are accessing.
This surveillance creates a chilling effect: even when censorship isn't actively enforced, the threat of being watched leads to self-censorship. Users hesitate to search for sensitive topics, search for alternative news sources, or communicate openly. We must circumvent not only the censorship imposed technically, but the self-censorship imposed by the threat of surveillance.

Funding for internet freedom work can be unpredictable. Grant cycles end. Priorities shift. If a funding gap forces us to halt development, open source ensures continuity is possible. Other organisations can pick up where we left off without needing any permission from us. They can maintain the software, apply security patches, and keep services running for users who depend on them.

Even when funding is stable we cannot be everywhere at once. Our team has expertise in specific regions and network conditions, but censorship takes different forms across the world. Deep packet inspection, for example, may be implemented differently in different regions, but if we have an open source framework for defeating it, we enable others to adapt our tools for their local contexts. A developer in a region we've never considered can fork our repository, modify protocols to evade their specific regional environment, and deploy it for use.

Our open approach invites contributions from a global community of security researchers, computer scientists, and censorship measurement specialists. These academics scrutinise our cryptography, suggest protocol improvements, and identify vulnerabilities we might have missed. They publish papers that advance the entire field, and we incorporate their findings back into our codebase. This virtuous cycle makes our tools stronger than any closed-source alternative could be.

We see open source as a strategic necessity. It builds user trust in an environment of surveillance and self-censorship. It multiplies our impact through decentralised adaptation.
It harnesses global expertise for continuous improvement. It enforces genuine security that withstands scrutiny. And it ensures our mission endures, regardless of what happens to our organisation. The code we write today may outlast us. That's by design.

[^1]: Kerckhoffs described a number of design rules for military ciphers in 1883, and there is another principle that we also strongly agree with (translated from [the original French text](https://petitcolas.net/kerckhoffs/crypto_militaire_1.pdf)): "given the circumstances in which it is to be used, the system must be easy to use and should not be stressful to use or require its users to know and comply with a long list of rules".