FSFE: NHS England should not hide public code behind closed doors
England’s National Health Service (NHS England) is preparing to make most of its public source code repositories private by default, according to recent reports. The move appears to be based on concerns that public code repositories could be scanned by AI systems to identify vulnerabilities. The reported internal guidance, referred to as “SDLC-8”, would require public repositories to be made private unless an explicit exception is approved.
The Free Software Foundation Europe (FSFE) considers this a serious move in the wrong direction. Taking already public repositories offline does not prevent attackers from analysing deployed systems, dependencies, interfaces, or binaries. Depublishing does not make code unseen, nor does it remove existing copies, and it is not an effective security measure. Instead, it removes a fundamental pillar for security: the ability of independent experts, researchers, and other public bodies to inspect, reuse, and improve the code, and to report on security issues.
“Depublishing public code is not a security strategy. 'Security through obscurity’ has been debunked as a security measure for a long time”, says Johannes Näder, FSFE Senior Policy Project Manager. “Making repositories private does not protect NHS systems. It only limits who can help find and fix problems. The same is true for future code: releasing publicly funded software as Free Software creates better conditions for scrutiny, accountability, and security than locking it away by default.”
Releasing publicly funded software as Free Software is the core demand of the FSFE’s “Public Money? Public Code!” initiative. It is also the principle behind existing NHS and UK guidance: NHS England’s own Service Standard states that new source code for public services should be open and reusable because public services are built with public money. UK government guidance similarly requires new source code to be open and reusable, while allowing only narrowly defined exceptions.
“If NHS England decides to depublish its services' code, that would directly contradict its own guidance and the wider UK principle of making publicly funded code open by default, says Näder. Security concerns should be addressed through proper software engineering: secret management, vulnerability handling, dependency maintenance, reviews, and defence in depth. A blanket shift from open by default to closed by default is disproportionate and counterproductive."
Free Software enables independent audits, fosters local expertise, and allows public bodies to share and improve solutions together. In the health sector, where trust, resilience, and accountability are essential, these benefits are particularly important. Furthermore, “Public Money? Public Code!” fosters innovation and is one of the most effective tools to reduce lock-in, reducing public administrations’ dependency on proprietary vendors, and enabling digital sovereignty.
The FSFE therefore calls on NHS England to reverse any blanket private-by-default policy for publicly funded code, to publish the reported guidance, and to reaffirm that Free Software remains the default for publicly funded software.