Recipe
First some definitions. Let’s define an “open standard” as one that is: 1) freely available, 2) developed in an open process and 3) freely implementable, e.g., is royalty free. Clearly there are interests out there that attempt to soften these criteria, but that only demonstrates the competitive power presented by truly open standards. We see similar “dumbing down” pressures on other popular marks of distinction, such as the constant pressure by “big agriculture” to allow more permissive use of pesticides in organic/biologique food. It is almost a law of nature that any item of relative scarcity and value will be counterfeited. Dumbing down definitions is just one way to counterfeit an open standard.
At the same time there is clearly a spectrum of openness, from proprietary, trade-secret technology at one extreme, progressing through proprietary non-RAND specifications, proprietary RAND specifications, RAND standards to RF standards. But for sake of argument, let’s draw the line for open standards at these three criteria: freely available, open process, and freely implementable.
So how do you make an open standard? In the industry we have a number of years of experience creating open standards. We know what works and what doesn’t. We’ve learned from experience and especially from failure, the harshest of teachers, e.g., Rambus and OOXML. At a high level, this experience has led to the following recipe for open standards, a recipe practiced by several notable standards consortia today:
- Publish your standards on the web for free download and use. This seemingly simple step has enormous repercussions for a standards organization, since it eliminates an entire business model, that of selling standards. So an organization that produces open standards must have an alternative source of income to fund its operations, for example, membership fees, corporate or government sponsorship, etc.
- Define and enforce an open process for the development of standards. Much has been written and said about the further qualities that define an open process, but generally they focus on openness, balance, lack of domination, broad-based public review, consensus, due process, right to appeal, etc. ANSI’s Essential Requirements [PDF] is an excellent outline of the minimum process requirements for ANSI, the organization that accredits US standardizers.
- Have a clearly-defined, enforceable IPR policy that ensures that implementors of the standard have royalty free (RF) access to all rights needed to implement the standard. This area evolved quite a bit, especially post-Rambus, and the best practices now include: defining obligations of members with regard to patents they may control that read on the standard, defining obligations of 3rd parties who submit comments or proposals related to a standard, ensuring copyright assignment from contributors, defined 3rd party patent disclosure obligations, etc. The complexities of rights given during the drafting of the standard, durable obligations of members who leave, and how rights transfer to future maintenance releases of a published standard — all these are concerns of standards organizations that strive to produce open standards. For reference, note the IPR policies of OASIS and the W3C. (Now there may be some of you thinking, “IPR wouldn’t matter if we would just eliminate software patents”. But it is not so easy. First, we need to consider copyright as well. And second, remember that not all standards involve only software. Many relevant technologies today are defined by standards that encompass software, hardware and physical media components, e.g., Blu-ray.)
As you can see, there is a set of corresponding rights and obligations that the standards organization must deal with. The right of the user to freely download the standard derives from the obligation of contributors to assign copyright to the standards organization, so it in turn can make the specification freely available. And the right of implementors to implement the standard without payment of royalties comes from the obligation of contributors to waive royalties from patents that they control that are necessary to implement the standard. And the right of implementors to be safe from 3rd party patent claims — to the extent this is ever possible — comes from the obligation of members to disclose such 3rd party patents.
It might be useful to compare this to a well-run open source project, one that requires that contributors sign and fax in a membership or contributor agreement, assigning copyright and making assertions regarding necessary patents. In a similar way, participation in an open standards organization requires a binding membership agreement, to ensure that there is a record of the obligations that have been undertaken.
ISO in the kitchen
Now what about ISO? I claim, quite cheekily, that they cannot cook. So let me right away make the case why ISO, by their own rules and procedures, cannot reliably develop open standards.
First, let’s look at the “free availability” question. ISO’s business model is predicated on the sale of standards. If we look at a typical example, say a copy of the C++ programming language standard, we see it sells for 380 CHF ($374.38). Note that everyone directly involved in the development of ISO standards is a volunteer or funded by outside sponsors. The editors, technical experts, etc., get none of this money. Of course, we must also consider the considerable expense of maintaining offices and executive staff in Geneva. Individual National Bodies are also permitted to sell ISO standards and this money is used to fund their own national standards activities, e.g., pay for offices and executive staff in their capital. But none of this money seems to flow down to the people who make the standards. In fact, in the US I need to pay $1200/year for the privilege of volunteering my time to create standards that are then sold at costs that I could not afford. And what rights do you get for your $374? Very little. You can print one copy. ISO reserves almost all rights, as they explain in their copyright brochure [PDF].
Note that ISO does make a small number of its standards available for download at no cost, generally ones that originated from outside of the ISO system. (It is hard to restrict access if the standard was born free elsewhere). But these “Publicly Available Standards” represent only around 1% of the 18000+ ISO standards.
So is this compatible with an open standard? I don’t think so. And if $374 is exorbitant for me, imagine what impact these ISO standards prices have on small technology firms, especially in the developing world?
What about criterion #2, the open process? Let’s go down the ANSI essential requirements list in more detail:
On Openness, ANSI says:
Participation shall be open to all persons who are directly and materially affected by the activity in question. There shall be no undue financial barriers to participation. Voting membership on the consensus body shall not be conditional upon membership in any organization, nor unreasonably restricted on the basis of technical qualifications or other such requirements.
A big fail there for ISO. In particular, materially affected persons are not able to vote at all, but only indirectly via required membership in a National Body. The entire ISO system is non-open.
On Lack of Dominance, ANSI says:
The standards development process shall not be dominated by any single interest category, individual or organization. Dominance means a position or exercise of dominant authority, leadership, or influence by reason of superior leverage, strength, or representation to the exclusion of fair and equitable consideration of other viewpoints.
We saw during the OOXML ballot, and especially at the BRM, how this totally fell apart. It was raised several times that Microsoft was dominating the committees, sometimes representing more than 50% of the people in the room. But ISO leadership dodged the issue, saying there was nothing they could do about it, based on their rules. This may be true. But that is just acknowledgment that their rules are not able to prevent dominance.
And on Balance, ANSI says:
The standards development process should have a balance of interests. Participants from diverse interest categories shall be sought with the objective of achieving balance.
Like committees containing almost exclusively Microsoft Business Partners? Fail. In fact you can go up and down the list and ISO fails to meet these minimum requirements.
OK. Maybe it is unfair of me to subject ISO to the criteria that we use in the US to accredit little industry standards consortia. Maybe it is unfair of me to suggest that the International Organization for Standardization should meet the openness requirements that are regularly met by stalwart giants like the International Institute of Ammonia Refrigeration or the Hardwood, Plywood & Veneer Association? (Full ANSI list is here [PDF]) Maybe you tell me that it is unreasonable and asks too much. I would accept that response. But I believe that, as it is today, if ISO tried to get accreditation as a standardizer in the US, it would fail, for inability to meet basic minimum openness and due process requirements. And that saddens me. It should sadden you as well.
The 3rd and final ingredient, as we know, is the IPR policy. I ask you to glance over the ISO/IEC/ITU “Common Patent Policy” and compare it to the IPR policies mentioned above from the W3C and OASIS. I think you will first be struck by how short and fuzzy the ISO statement is, and by the complete lack of any stated obligations for ISO members with regards to patents.
For example, the main disclosure requirement is stated as:
Any party participating in the work of ITU, ISO or IEC should, from the outset, draw the attention of the Director of ITU-TSB, the Director of ITU-BR, or the offices of the CEOs of ISO or IEC, respectively, to any known patent or to any known pending patent application, either their own or of other organizations, although ITU, ISO or IEC are unable to verify the validity of any such information.
Now, I am not a lawyer, but even I can see that “any known patent or known pending patent application” is vague to the point of making it meaningless. There are zero qualifications or restrictions given. I know that there are 8 million or so granted US patents, maybe 10 million if you include pending applications, and that is just in the US. Should I report them all? That’s what it appears to be recommending (but only recommending, since it is stated as a “should” not a “shall”) when it says “any known pending patent application”.
There appears to be no serious consideration given to what the disclosure obligation is. Am I supposed to disclose patents that I actually know read on any part of the standard? On required portions of the standard? Optional portions? Mandatory requirements on optional features? Patents that I think, but am not sure, may read on a standard? Ones where there is a remote, but non-zero possibility that it reads on a standard? Ones where someone else has alleged it reads on a product that implements a standard? Ones where a jury has determined that a product implementing the standard infringes on a patent? Ones where the Federal Court of Appeals has upheld that a patent reads on a product that uses the standard? Ones where the U.S. Supreme Court has affirmed the Federal Court of Appeals decision?
You can see how ridiculous the ISO requirement is. IMHO, you could replace the ISO patent policy with a wall poster with a big yellow smiley face and the caption “Be careful!” with no essential loss of effect. ISO seems to be living in a world where Rambus never happened. Without solid obligations for ISO participants there are no corresponding strong rights for implementors.
(That’s my opinion. Again, I am not a lawyer, so don’t take any of this as legal advice. This is all my personal opinion and observation. But, geez, look again at that patent policy. Are they joking? You should then look again at the OASIS disclosure requirements for a real world example of how a disclosure obligation must be phrased for it to have any teeth whatsoever. What ISO has is more like a voluntary registration of reported patents. That is not much of an assurance post-Rambus.)
The fundamental issue is that the membership of ISO consists of National Bodies, not individuals and not corporations. So the formal members of ISO are not the patent owners. This “committee of committees” approach puts a level of administrative indirection between those who have the knowledge and control of the IP and those who formally make the decisions. It is an approach seemingly crafted to obfuscate accountability and disclaim responsibility.
The other problem is that they have attempted to craft a single patent policy that applies to all standards from ISO, IEC and ITU, for everything from document formats to paper sizes, from quality processes to bolts, screws and studs, from shipping containers to medical devices. The licensing and royalty practices of these diverse industries are equally diverse and any attempt to reduce them into a single rule will naturally lead to a lowest-common denominator statement of generalities. And if you have 18000 standards, the lowest common denominator is rather useless, as we saw above.
Another issue is that ISO is fundamentally accepting and accommodating of RAND licensing. There is no effective way for a committee to state the intent of developing an open standard, and then to maintain the pedigree and hygiene of the specification and process to assure a royalty free outcome. There is no guarantee that contributions from other NBs will be RF. There are no procedural protections against an NB who would seek to introduce patent encumbered material into the standard. In fact, there is nothing to prevent a National Body or group of National Bodies from withholding their approval of a draft unless and until a specific desired RAND feature is added to the standard, perhaps to benefit a domestic rights owner. This is all incompatible with the development of open standards.
What can be done?
So what are we to do? ISO is obviously not going away, at least not quickly. But certainly for vast swaths of important, widely-adopted standards work, ISO is simply irrelevant. The web was built on open standards that were developed entirely outside of the ISO system, and in fact could only have been developed outside of that system. Openness was key to their success. So one approach for us is simply to ignore ISO wherever possible. Certainly, do not promote procurement and policy initiatives that exclusively favor ISO standards, since by doing so you eliminate from consideration the majority of relevant open standards that are available. In other words, why grant ISO a monopoly on standards, especially when they seem constitutionally unsuited to the 21st century task of creating timely, market-relevant open standards?
Another approach is for industry to make more aggressive use of the Publicly Available Specification (PAS) process, allowed in ISO/IEC JTC1, by which existing market-relevant industry standards can be turned into International Standards, largely unmodified, via an accelerated transposition procedure. This allows the technical work to originate in an industry standards organization that understands the unique requirements of open standards and that can ensure relevant protections are in place to ensure the pedigree and hygiene of the IP in the standard. Once the technical work is completed and review and consensus approval is achieved, the standard can then be transposed into an International Standard. Some have criticized this as using ISO as a “rubber stamp”, that this process does not permit NBs to fully participate in the work of creating the standard. But we must note that the PAS process is not intended as a standards development process. It is not intended as a means for ISO NBs to participate directly in the development of the standard. PAS is simply a transposition process, taking existing, relevant industry standards, and after a short review, giving them the imprimatur of an International Standard. So yes, it is a rubber stamp of sorts, but one where ISO has two rubber stamps at hand, one saying “Yes” and one saying “No”. Either can be used.
But in the end the problem isn’t the rubber stamp. The problem is that ISO has no ability to develop open standards of their own, to enforce the member obligations that ensure the rights of users to freely implement the standard, and that ISO lacks open and transparent procedures, and that ISO clings to a standards publication revenue model that puts their standards out of reach for many.
For standard bodies the IEEE principles also seem very important, in particular “to seek, accept, and offer honest criticism of technical work, to acknowledge and correct errors, and to credit properly the contributions of others”.
I suppose there is the question of what things make good procedural rules that can govern a committee versus what are rules of professional ethics that govern individual behavior. Other professions, like law and medicine, have professional boards that review complaints regarding violations of professional ethics. This tends to go hand-in-hand with fields that require professional licensure.
After OOXML and its wild sleigh ride over ISO I couldn’t imagine any reason why I would look to ISO for anything except what to avoid.
A couple of laws I’d like to see:
If you don’t own the invention covered by your patent, you cannot enforce the patent. (Would get rid of a lot of patent trolls.)
If you conceal a patent that reads on a standard in development you cannot enforce that patent once that standard is in use. (Would stop Rambus style land grabs.)
Can delegated power be accepted or are technical members independent, though financed, to carry out their professional tasks? The concept of delegated power is flawed. Current reform ideas in the EU are directed to improve “representation”, so SME and consumer tokens get public funds to participate in the standard setting process. It is important to check the fundamental premises of governance when you consider these workarounds. Sure, the maxim “to seek, accept, and offer honest criticism of technical work, to acknowledge and correct errors, and to credit properly the contributions of others” looks like the antithesis to a recent ISO process, that is why I quoted it. What role for professional independence in the governance challenge?
@André, In ISO work we’re supposed to be representing a “national position”. But what exactly that means varies from NB to NB. In some cases, like in the US, the determination of the voting position in ISO is delegated to a sector forum of public/private interests, with the view that those active in the sector are best positioned to determine the direction of standardization in a given field. In other countries the votes are directly held by the government. In some NBs it is “whoever shows up”, with the result that some NBs have voting position determined by a single person.
IMHO, public funds are better used to develop and administer an accreditation program for international standardizers. The privileged position of mega-standardizers like ISO and IEC bring little benefit. Compare them in terms of speed, relevancy, quality, openness, etc., to industry standards organizations and I think you will find ISO far behind. Lack of competition is the problem. We’ve made ISO a monopoly. But if instead of having a single organization creating tech standards (ISO/IEC JTC1) you had a dozen more different ones, all accredited by a new “meta-ISO”, all competing on terms of openness, relevancy, quality, etc., then you have a much more interesting system.
Compare today where the W3C all but ignores ISO, because it knows that it can produce standards better and faster by itself. The result is that today you have the embarrassment that the most widely used of all markup standards — XML — is not an International Standard, though every government in the world depends on it. Allow the W3C to apply for and receive accreditation as an International Standardizer, and then you’ll quickly have IS’s for the full web platform.
This is a great post. ISO deserves much criticism for its undemocratic approach. What is all that money (from expensive memberships and several-hundred-dollar PDF files) buying, if it’s not paying the people who actually write the standards? Is it providing good value to the world?
Today, out of curiosity, I wanted to check out ISO 8879 (SGML) to get a definitive answer about whether the doctype public identifier is case sensitive. (It seems to be, but it’s nice to check the primary source.) What would it cost to satisfy my curiosity? 238 Swiss francs. Good job, ISO.
The global open source software community has created all these operating systems, compilers, browsers, web servers, databases, you name it — that are truly open, truly free (as in speech and beer). But ISO can’t even let you download a 25-year-old PDF file for a reasonable price!
Rob, you say “Allow the W3C to apply for and receive accreditation as an International Standardizer” — it should be noted that W3C, like OASIS before it, is now a PAS submitter (keeping to itself the role of maintainer, like OASIS), so it could submit XML to ISO for approval. They may still do it, but for the time being they have decided to submit their web services standards instead (http://www.w3.org/2011/07/wspas-pr.html).
I stumbled upon this post a couple of years later, yet it has just confirmed what I am just finding out, that ISO is not ‘open’ at all. I am dumbfounded. I was led here by trying to check the ISO safety standard 12312-1 which is supposed to apply to sunglasses, in making sure they protect the eyes. But since I can’t read the standard, how do I know what kind of protection it is offering?
You can be sure that the ISO committees are self-serving and self-paying. The EU has hundreds of committees like this already. (Also reminds me of the Olympic committee.) I hope that we go the way of open-source and gradually push the ISO middle-men out of the business.