Showing posts with label engagement. Show all posts

Monday, May 06, 2019

Mapping Canberra's startup ecosystem

I've had a continuing interest in start-up ecosystems across Australia, having been a member of several of these ecosystems & helping to mentor and support a range of start-ups over the years.

I've maintained a Canberra ecosystem map for about four years now, mostly for my own interest and to understand some of the relationships between different players and the startups they support.

This was inspired by work by BlueChilli on the defunct StartRail maps, which was based on some of the international work portraying startup ecosystems in the style of metro rail maps. Unfortunately they focused on Sydney and Melbourne, missing some of the smaller, yet equally vibrant, scenes in Perth, Brisbane and Canberra, all of which I am linked to in various ways.

Recently I've seen some sterling work by Gordon Whitehead mapping the startup ecosystem for the Hunter & Central Coast, which had been reinterpreted by Brian Hill of Laughing Mind.
As such I've decided to share my Canberra startup ecosystem map for anyone interested.

Also keep an eye out for the work by Chad Renando at StartStatus, who is engaged in a national effort as part of his PhD, which should provide a broader view of the Australian startup ecosystem as a whole (which tends to be city-based with a few cross-ties of various strength).

Chad has also done some intensive work looking at models for measuring startup ecosystems and identifying their strengths & weaknesses that will be very valuable to government, not-for-profit and corporate interests in years to come.

As for Canberra - here's my humble contribution....







Thursday, May 17, 2018

Guest Post: FatigueHack - Hackathon done right

This is a guest post from Jayden Castillo, a colleague of mine at Accenture and an active member of Canberra's innovation community. Read the original post at LinkedIn:

I recently attended the Australian Trucking Association (ATA)'s Hackathon aiming to target driver fatigue, aptly named 'FatigueHack'. I'm fairly new to Hackathons; this was my second after the AUSTRAC Codeathon in March (where I was a mentor), and my first experience as a participant alongside two of my Accenture teammates.

For those unfamiliar with the concept, a Hackathon is a rapid solution environment where competitors are required to address complex challenges in a short amount of time, and come up with a working prototype to illustrate their concept. In this case, teams had 2 days to develop a viable business model which is capable of addressing fatigue in the trucking industry. Following these two days, each of the 8 participating teams had to pitch their solutions to judges and the top 3 pitched to the entire Australian Trucking Association Annual Conference delegation.

I find hackathons to be a fantastic opportunity to show what's possible, and even more impressive, what's possible in just two days. There were a few aspects of FatigueHack in particular which I believe made it exceptional, and demonstrate not only what is possible, but what innovation and solutioning will be like in The New. The 3 points below are the perfect recipe for innovation, which we must all embrace to stay at the cutting edge.

Short Timelines
We all have a tendency to procrastinate, to plan things excessively, and to overanalyse. This is a product of the anti-failure mindset we've been groomed for; we naturally try to think out the whole solution and resolve any issues before we actually start doing. Being under quite a strict time limit means there simply isn't enough time for this. You are forced to make decisions and move things along quickly. This means you might not have all the problems solved straight away, but it also means there's less time between idea and the all-important testing of your idea, so you can identify and resolve issues much faster.

Probably the most interesting part here was to demonstrate how unnecessary it is to give long timelines to (particularly innovative) projects. When your timeline is short, you cut out what's not important and make big strides in your solution.

Concentrated ideation
They say that innovation happens when ideas collide, and FatigueHack certainly had a lot of colliding ideas. Think and Grow Rich author Napoleon Hill describes this like brainwaves being radiated out into the ether, and being picked up on by other brains on the same wavelength. While this description might be a bit unscientific, I believe there is a lot to be said for the buzz created when a lot of excited people are in close proximity. Your confidence goes up, your creativity goes up, and you are generally more open to thoughts and ideas.

Having run remote meetings and workshop sessions in the past, I can definitely attest to the value of having everyone in the same room, even if they're not all working on the same idea. Body language, excitement, drawing, gestures are all things which (still) don't translate well over digital media.

Easy access to expertise
Innovating or designing in a bubble is a dangerous thing to do. It is basically impossible to know if you're on the right track without some kind of feedback, so it becomes really easy to go down the wrong path and either solve the wrong problem or create a solution which nobody wants. I think FatigueHack managed this really well - they ran the Hackathon in the same venue at the same time as the ATA's annual conference. This was invaluable, because it meant if we had any questions at all, we could find an expert on the area within 5 minutes by simply asking around.

Having such easy access to expertise makes innovating much easier. It allows you to validate ideas very quickly, and when we were listening to the truckers talking about their experience it stimulated new ideas quickly. Our ability to iterate and refine was exponentially higher than in a normal workplace, and ideas were changing and evolving in time frames of minutes. I would love to see this translate to my (and everyone's) daily work, because the potential for generating great solutions is enormous.

Closing thoughts
This Hackathon really demonstrated to me what the future of work looks like. By getting a team together in a highly concentrated, intense environment, and providing more information and experts than we could possibly digest in 2 days, there were some fantastic outcomes (the winning idea is moving forward with creating a business!).

My personal mission is to help businesses and organisations think and act like startups, and FatigueHack is a great example of how to do that.


Tuesday, November 15, 2016

Asking 'what should be the limits on how public servants engage in social media' is the wrong question

The Australian Public Service Commission (APSC) has just released a consultation paper asking for feedback regarding how public servants may be able to 'Make Public Comment' specifically focused on social media.

It's great to see the APSC consulting on this area. It is subject to rapid change, both in the nature of the approaches and tools available for public servants to comment online, and in regards the evolution of thinking and expectations within the public service itself.

For example, Gov 2.0 and the current follow-on push for digital transformation has continued to attract new groups of potential employees and partners to the APS. These are groups with their own established (generally active, transparent and outspoken) approaches to online engagement - creating challenges for existing public sector hierarchies in both recruitment and management of these cohorts and acculturalising them to current APS norms.

Equally the blurring of the lines between private and professional continues to grow. With government policy now essentially touching on every aspect of life, existing public servants can feel constrained and muted by current requirements to not comment negatively on any policy area.

This is whether it be a public servant/parent dealing with schooling challenges, a public servant/carer dealing with NDIS challenges, a public servant/driver dealing with road infrastructure challenges, a public servant/patient dealing with health challenges, or a public servant/former immigrant dealing with family unification challenges. In all of these cases, even if their career is in a totally unrelated area of the public service, it is unwise for them to share even privately via their social media channels comments critical of the policies which are impacting their lives in a real and significant manner - just in case their public service friends report them and their public service bosses decide to define their comments as less than appropriate.

At the same time with the increasing normalisation of social media as the primary 'town square' for civil discussions (though not always so 'civil'), younger people, former APS staff (such as myself) and others who might at some point work in or to governments, are more enabled and likely to debate or share contentious political and policy issues via social networks without full consideration of the likely views of older-fashioned agency management and the impact on potential employment or contracts.

Similar to the lament of police and other security services ten years ago, who found it increasingly hard to hire individuals able to conduct important undercover work, due to the widespread adoption of social media (forcing a shift to profile cleansing from profile hiding), it's rare for any young person to not have an active social presence online, potentially touching on a range of politically sensitive topics - if not crossing professional lines with beach and party shots.

Similar to the debate over whether children should be seen and not heard, I've witnessed a number of older senior APS managers express their ongoing views that public servants should neither be seen nor heard in public debate - despite this going further than even the existing guidance for how public servants may engage in public discourse.

Moving on to the current consultation process, there's a few assumptions in the approach which could significantly impact the outcomes.

Benefits vs Risks

Firstly the entire consultation, while nominally appearing to aim to be neutral, overwhelmingly concentrates on the negative impacts of public comments by public servants.

The approach largely overlooks the benefits of having an engaged workforce, interested and knowledgeable about a policy area, able to engage effectively in online debates - providing facts, busting myths and communicating compassion and concern for the communities impacted by policy decisions.

Some organisations outside the public sector have realised the value of staff as advocates for an organisation - that every staff member is connected to hundreds of peers, friends and family members who are potential customers or clients. However it seems only rare public sector organisations have recognised the same potential.

Imagine the impact of having 4,000 Health Department staff sharing the latest PBS drug additions, or carefully explaining government policy to communities who haven't been on the same journey to recognise why alternate approaches look fine on the surface, but have significant long-term negative impacts.

Imagine having over 30,000 Human Services staff sharing the latest information on changes to welfare programs, the release of new apps, or helping parents considering separation to understand their potential financial obligations to their children in a divorce.

The upside of having staff engaging socially is immense where staff are provided with the right access to tools, advice and potentially training - more effective than spending millions on 'shouting at' communities via traditional media, or even online communication campaigns.

However taking this positive approach to staff social engagement relies on a critical factor that increasingly appears in short supply in the public service - trust. Senior executives in the public sector have long been shown to be significantly disconnected from their staff - with regular APSC studies showing enormous differences in perceptions as to how well senior managers communicate and with work satisfaction levels.

With rolling pay disputes, increasing employee concerns around the casualisation of workforces, fewer opportunities for staff to progress and ongoing budget cuts, there's a range of factors already impacting on trust relations within agencies - a largely negatively focused social media policy, designed around preventing bad behaviour rather than enabling and supporting good behaviour, is merely another straw on the back of the increasingly concerned camel.

Policy for the future of the APS

Looking further at the consultation, while it doesn't specifically exclude any group from consulting, the placement and approach strongly favours current APS staff, or the hyper-interested (such as myself).

This means the consultation will largely be biased around current staff and their current expectations, having little consideration of potential staff who increasingly consider their ability to engage freely on social media as a right rather than a privilege restricted by an employer.

This could lead to amended guidance on social media engagement that progressively discourages good people from potentially considering APS roles, particularly in emerging areas related to digital.

Given social media comments are forever, there's an entire group of young, university educated, visionary and innovative people who, under strict APS social comment policies, may never be eligible for APS employment based on their past personal views 'poisoning' their ability to be impartial.

The questions for consideration included within the consultation are quite broad and I've covered each below with my views.

1. Should APS employees be prevented from making public comment on all political issues? Should there be different rules for different groups of APS employees?

Even Ministers only focus on their own portfolio policies and challenges, so it's highly impractical to expect public servants at any level to be sufficiently across all political issues to be able to avoid commentary on topics that affect them personally, but may (to a greater or lesser extent) also touch on significant political issues.

Equally with political policies now touching on most areas of life, even indirectly, there's little that a public servant could say that could not be deemed a public comment on a particular issue, even if via a slightly drawn bow by a hostile outside party.

The impact of this would be similar to the impact of the current APSC policy, to cause many public servants to choose not to engage in public debate at all. Given that public servants are generally well-educated and well-informed and trained to form opinions based on evidence, this presents a significant loss to public debate within Australia and the exclusion of expertise that could otherwise shift and shape national views.

I'm aware of experts who have been effectively silenced in their areas of expertise due to a government engagement for a different set of their skills. This weakens Australia's democracy, rather than protects it.

While it may seem prudent to at minimum limit the scope for public servants to engage publicly at least within their own policy area, the area in which they have greatest experience and expertise, this is also counter-intuitive.

I do believe that public servants should strive to present the positives of current policy positions and effectively communicate set government policy to the public including, if they so choose, via their own social media accounts - even when respectfully making it clear that their views might differ from the government's, but that their role is to carry out the policies regardless of personal opinion.

However in areas where policies are under debate, not yet confirmed by government or otherwise not set, public servants should have the right to choose to engage in the public debate and express their views in a respectful manner. Due to their experience in their own policy areas, it would be expected that their views would be well-informed and therefore support the public debate.

In essence I believe that public servants should be exemplars of public engagement in democracy, not simply 'bag carriers' for agencies. Through positive, respectful and evidenced sharing of their views they not only contribute to the content but to the shape and effectiveness of public debates in Australia, fostering effective democratic engagement - thereby supporting Australia's underpinning principles as well as perceptions of the public service and government.

As to the second question, of different rules for different groups, I understand how more senior or personally expert public servants can have a bigger impact on public debates - and this is appropriate, when used sensitively. This is no different from the different regard to voices from across Australia's democracy - different groups will always hold different voices in higher, or lower, regard, based on positional influence, knowledge or celebrity.

Constraining more knowledgeable or senior public servants to keep a debate 'level' makes no practical sense, and while I can see where certain elected or senior appointed officials may have concerns over being 'outshone' or having their decision-processes impacted by senior public servants, or more hierarchically junior celebrity individuals or experts, this is more related to ego than to good policy formulation processes.

Ultimately evidence and outcome effectiveness should drive policy processes - and even when this isn't perfectly the case, agencies should always strive to champion the right approach and leave it to elected officials (who can also be unelected) to make decisions on particular courses. As such allowing public servants to speak in undefined policy areas with respect and evidence is totally appropriate and supports robust and engaged democratic processes (even if this may at times personally annoy Ministers or senior public servants with specific ideological agendas).


2. Should APS employees be prevented explicitly from making critical public comment about services or programs administered by their agencies?

While this question appears reasonable on the surface, it overlooks the sheer scale and extent of some agencies, and the absence of effective internal processes to manage programmatic issues or failures.

Firstly, certain programs and services are frequently moved between agencies due to machinery of government changes or due to agreements between agencies where one may deliver services for another. This means that a public servant having issues with a program one week, and commenting about this publicly, could suddenly find themselves under investigation after a Minister or senior public servant decides to move the service into their agency.

Secondly, the scale of agencies, and the lack of communication of their range of activities, can mean that public servants may be unaware that a particular program or service is actually administered by their agency, particularly if delivered by external contractors or other agencies. Again this could easily catch out public servants who are not omnipotent - an expectation that is unrealistic when even Ministers can often be unaware of all the activities in the nooks and crannies of agencies within their remit.

Finally, agencies must commit to having effective internal dispute resolution processes for staff having issues with specific programs or services administered by their agencies. These are in place in some, but not all cases - leaving some public servants with no internal avenue to resolve disputes and thereby driving some to speak out publicly. Agencies would eliminate a significant amount of the potential for this risk by instituting effective internal dispute resolution processes.

If public servants are using and finding concerns with certain services or programs from their agency it is highly likely that members of the community will be as well, meaning that staff concerns should be treated like a canary in a coal mine - an early indicator of an issue that the agency needs to address and solve.

Essentially APS employees should not be prevented (if that were even possible) from making critical public comment about services or programs administered by their agencies. However they should be held to a high standard of providing evidence, of engaging respectfully and making it clear that these are their personal views only. Few programs will achieve 100% happiness rates amongst the communities affected by them, and recognising and acknowledging alternate views, even from within the organisation delivering them, is a sign of a mature and secure organisation committed to continual improvement and the engagement of staff who will act to improve outcomes, not merely remain silent about poor ones.

3. Should senior public servants have specific limitations about making public comments?

Per my response to the first question - no. However they should be held to a high standard of evidenced and considered responses, and selective engagement.

It is still relatively rare for senior public servants to actively engage in public discourse, particularly via social media channels - and this is a significant loss of role models who could help set a respectful tone for engagement across the community. If senior public servants fear criticism, or fear criticising their Ministers publicly this helps reinforce a status quo where their expertise, knowledge and experience is subordinated to snap decisions, supporting the gradual degradation of trust and respect in government and agencies.

Where senior executives strategically engage in public debates as 'eminent Australians' they both enrich the conversations and model a form of democratic engagement that others across the community are influenced to follow.

That said, this engagement should be respectful and carefully timed, rather than proliferate. They must also ensure that they demonstrate that they can work effectively with Ministers' offices even when disagreeing with policy. This can be a delicate high wire to walk and many current senior public servants may not have the depth of experience with social channels to carry this out effectively. This will change over time.

Currently few senior public servants engage at all via social channels, and I believe this is a significant loss to public discourse in Australia.

4. Should public servants posting in a private capacity be able to say anything as long as it includes a clear disclaimer stating that the opinion they have expressed is purely a statement of their own opinion and not that of their employer and is otherwise lawful?

Looking at this realistically, any public servant, or individual, can set up a pseudonymous account and say anything they want with limited chance of detection or identification (due to the large number of such accounts). Indeed it is likely that a number of public servants already do this in order to be part of the groups they wish to associate with online.

I believe that public servants, by way of their employment, should be held to a higher standard of engagement than general citizens, therefore should be expected to remain fair in their comments and criticisms, obey all laws regarding abusive or otherwise inappropriate behaviour on social media channels (as suggested in the question) and be evidenced where feasible - noting that not all areas of opinion lend themselves to evidence.

Public servants should model the digital engagement behaviour that a democratic society should aspire to, helping to foster productive and insightful debate, dispel misinformation and accurately direct people to where they can receive the help they require.

Currently I believe that APSC guidance is more directed at an outdated view of 'impartial', which includes 'passionless' and 'unemotional'. Public servants should be free to be excited and passionate about their work and about principles that matter in democracy. This positively enhances their perceived capacity to be effective in service to the public, whereas emotionless engagement only serves to diminish effective debate.


5. Are the requirements of the APSC guidelines expressed clearly? Can they be made simpler and easier to understand?

I have never been a fan of the current APSC guidelines for public comment via social media.

They leave too many gray areas for senior management discretion around what is meant by 'harsh or extreme', 'strong criticism' or 'disrupt the workplace' - which I have seen used negatively against exceptional people by jealous bosses, to the loss of the public sector.

They are too broad, effectively covering every policy from every parliamentary party or independent - leaving public servants in a live minefield where, at any time, additional mines can be placed under their feet.

Overall they are negatively focused - looking at the downside risk of social media engagement without fully embracing the potential benefits of effective involvement by public servants in public discourse.

As an ex-public servant this blog, which touches on various policy areas, programs and initiatives - often in a critical but constructive manner, would never have been started under this APSC policy. Given my readership and the level of positive engagement it's had, I can't see how this would have been a better outcome for the public service.

Equally I've not been prepared to work directly for a government with this level of restrictive social media policy, and have spoken to many other people from the private world who ceased considering a public service career after seeing the draconic provisions in the current guidelines.

Of course the majority of the public service have continued to work productively under the current guidelines, however I saw an 80% reduction in public servant engagement online in the twelve months after its introduction - with many people closing down social accounts, going silent or shifting to pseudonyms to protect themselves.

This has had a negative impact on the online public policy debate in Australia and these personal accounts cannot be replaced by departmental accounts, which do not have the peer-to-peer engagement or influence of individuals online.

Looking at the international perspective, there's now far deeper and more constructive engagement by US, UK and NZ public servants on social channels than by Australians.

Ultimately, under the current APSC guidelines, any Australian public servants who wish to participate in public democracy online must weigh the negative impact if they ever stray, in their management's opinion, over a wide gray line, even only once within thousands of posts.

This makes the risk to the individual simply not worth it - but the cost to Australian democracy of the silencing of these voices is immense.


Monday, November 07, 2016

It's time to provide feedback on Australia's Open Government Plan

Last week the government released Australia's draft Open Government National Action Plan, a requirement to join the international Open Government Partnership, for community consultation.

Australians have until the 18th November (Edit: extended from 14th based on community feedback) to comment on the plan, at which stage the government intends to move to rapidly endorse it via Cabinet and begin implementation.

The plan is available as a PDF download from the government's Open Government Partnership website (ogpau.govspace.gov.au) as well as in web format (much easier to read) at the civil society Open Government Partnership Network site (opengovernment.org.au).

I've included the 14 commitments proposed below in brief - for more detail click through to the sites. (Edit: thanks to Asher for corrected number).

Transparency and accountability in business

The Government will enhance Australia’s strong reputation for responsible, transparent and accountable business practice. 

Open data and digital transformation 

The Government will advance our commitments to make government data open by default and to digitally transform government services. 

Integrity in the public sector  

The Government will improve transparency and integrity in public sector activities to build public confidence and trust in government. 

Public Participation and Engagement

The Government will improve the way the Australian Government consults and engages with the Australian public.


Wednesday, October 19, 2016

Support my ePetition for a better Australian ePetition site

Openness in government is supported by low barriers to engagement between citizens, agencies and politicians.

For example, making the House of Members' Register of Interests available publicly is great - but not THAT great if it is only available for viewing in hardcopy in one location in Canberra between the hours of 9-5pm (which used to be the case).

Recently the Australian Government launched its ePetitions site, designed to make it easier for citizens to petition government on specific issues or goals.

You probably didn't see any media headlines about it, or even government announcements - nor is the site easy to find via search or within the Parliament House's website.

If you do find it - the approach is uninspired and basic. I reviewed it compared to three other ePetitions sites internationally, and it just didn't stack up on usability, accessibility, attractiveness or tone. Read my comparison here.

There's ePetition platforms available that are far more developed and inviting, and there's lessons from international ePetition sites that clearly weren't learnt.

The cost to us, to Australia, is that people won't engage with Parliament and the Government in the ways they could, reducing the openness and effectiveness of the process.

So... I created an ePetition to Parliament. It asks them to mandate the Department to work with the broader community to implement a true Web 2.0 ePetitions platform.

This platform should be equivalent to the best of breed internationally and embed best practice design principles (such as from the Digital Transformation Office).

Slightly to my surprise, they've published my ePetition, though without actually telling me - another issue with the Aussie process.

Therefore I'd appreciate if you could sign my ePetition at: http://www.aph.gov.au/Parliamentary_Business/Petitions/House_of_Representatives_Petitions/Petitions_General/Petitions_List?id=EN0028

And then please share this ePetition with your networks.


Friday, September 30, 2016

Australian government ePetitions compared to international models

Australians might be surprised to learn that the Australian parliament only agreed to formally accept ePetitions in July 2015.

That was five years after it was formally recommended to parliament and follows a trend towards epetitions set by other digitally advanced democratic nations, such as the UK and USA.

In September 2016 the Australian Department of Parliamentary Services launched its epetition site allowing people to create and sign epetitions at aph.gov.au/Parliamentary_Business/Petitions/House_of_Representatives_Petitions/Petitions_General - yes that is quite a mouthful.

I've reviewed Australia's site compared to comparative sites released in the US, UK and Canada to form some conclusions on how well we've done.

However, unfortunately for Australians, the model used for Australia doesn't measure up well.

UK - ePetitions

The UK's epetitions site launched in August 2011 at petition.parliament.uk and has been restructured several times over the last five years.

Today it is a sleek, easy to access platform that hides all the technical mechanics the UK parliament requires for petitions behind a usable and simple step-by-step process.

It's very simple to find and sign a petition, with the process for responses explained clearly on each petition's page. 

Sharing tools are embedded to make it simple to encourage others to sign. It's easy to view signatures geographically by electorate (great for parliamentarians and respondents alike).

The data for each petition is immediately available via a standards-compliant data format.

The process for creating new petitions is also simple and seamless.

It uses plain English and employs a range of assistive approaches to ease first-time petitioners through the process. This includes examples of how to write a petition and flagging information that will be required in later steps so the petitioner can pre-prepare.

The site uses text matching to find similar petitions so that a petitioner can choose to sign a pre-existing petition, rather than create a near-identical one - a step that saves effort for both petitioners and for the public servants who need to manage the system.

There's clear warnings when a petitioner reaches irrevocable steps, and the system supports and encourages sharing - to help the petitioner get the petition to audiences who may wish to sign.

All in all it's a solid and well-thought-out system with excellent usability - very important when considering that most people rarely petition government and need a helping hand to navigate what can be a complex and seemingly irrational process for those who do not think like bureaucrats or politicians.

USA - WethePeople

The US's epetitions site is similarly five years old - launching in September 2011. Named WethePeople and located at petitions.whitehouse.gov, the site is structured differently, but is just as simple to use as the UK's version.

While the site doesn't offer the same geographic mapping as the UK site does, it does provide very clear step by step instructions for both signing and creating petitions and is equally clear on the goal number of signatures required for consideration.

The government's responses to epetitions (which must reach 100,000 signatures to get a response) are clearly provided with the petitions themselves, making it easy to understand what was asked and how it was responded to.

The US system requires that people creating a petition must create an account - a small barrier to entry, but one that helps with screening. 

It also makes it easy to track repeat petitioners - a useful thing for a government, if slightly invasive in privacy terms for an individual.

Something I don't like about the site is that after creating an account it sends a confirmation email with a randomly assigned password in plain text. People who don't respond straight away could easily get caught out with identity theft, although the site does force you to change it after you confirm your email.

However when changing your address the site does provide an idea of how strong your password is and makes helpful suggestions on how to improve it (something I think all government sites requiring login should do by default).

Once a petitioner has an account they also get a dashboard to track their petitions, though unfortunately it doesn't also track petitions they have signed or autofill your details when you choose to sign a petition. This may be done for privacy reasons, but there's also huge convenience and utility in these steps.

The process for creating a petition is brilliant - laid out step by step.  

The ability to look at past successful petitions as examples is a nice touch and very helpful for first-time petitioners, and the filtering approach helps guide people to structure their petitions well.

Later in the process petitioners also get to tag their petitions by topic, providing a useful way of filtering them to the appropriate agency and providing useful statistics for the government on the 'hot topics' for citizens.

The system doesn't have the matching of similar petitions as the UK system does, but nevertheless it's very polished and well executed.

Canada - e-Petitions 

Now the Canadian epetition system is interesting as it debuted in December 2015, less than a year before Australia's system. As such it hasn't had the same amount of time as US and UK sites to refine and restructure based on use, but has the opportunity to learn from their experiences to implement the best of both sites in a Canadian context.

The site is very simply named petitions.parl.gc.ca, similar to the US and UK epetition platforms, but has taken a different approach to either the US or UK sites.

There's no ability to see the latest petitions on the main page, users must use a search tool or click to see all live petitions. This shifts the propensity for people to browse and choose to sign by adding a small 'one click' barrier to the visibility of petitions.

When a user clicks on 'View all petitions', what they see doesn't really provide enough information to decide whether to sign. Another click is needed to view the details of any specific petition. However the screen does help people refine down to a topical area quickly, unlike the US and UK sites and the keywords by petition are useful, if perhaps put ahead of more useful information such as the title and summary of what a petition is asking.

The language, unfortunately, is a touch more bureaucratic than in the US and UK sites, with petitions titled by number and reference. These may be useful to bureaucrats, but have limited meaning for users and could have been hidden from petitioners and respondents.

Petitions provide a numerical breakdown of respondents by provinces, but no map view and no easy way to download the data without screen-scraping.

Responding to a petition is slightly more complex than in the US and UK epetition sites, with it being mandatory to provide an address and phone number as well as the usual name, email address and confirmation that you're really a resident of the country. The response form is also less friendly than the other sites, using now old-fashioned red asterisks to denote mandatory fields.

Creating a petition involves an equally complex sign-up form, where a user must avow they're a Canadian - so I've not looked into the creation process. I do anticipate that it would not quite be as sleek and refined as the US and UK versions.

The responses to petitions, like in the US site, include all petition information and those that have been responded to can be found easily through the top menu of the site. However the responses are provided as PDFs rather than within the page. This adds an extra step to the process of reviewing a response and most are only one page long, so I feel this is a poor approach, adding complexity with no benefit for users.

Australia - e-Petitions

Similar to the Canadian site, Australia's epetition site is quite new, so some rough edges can be expected. 

However I did not expect as many rough edges as I found, given there's some excellent examples above to learn from.

Also as the code for WethePeople is available as opensource, it is relatively quick and easy to start with all the US's experience and build from there.

To start with, Australia's epetitions site doesn't have a short web address like petitions.aph.gov.au, it is deeply buried in the site at www.aph.gov.au/Parliamentary_Business/Petitions/House_of_Representatives_Petitions/Petitions_General

Now it could be argued that as Senate, House of Representatives and Committees might all accept petitions but operate differently, it needed to be buried within each of these sections of the site.

However this could have been easily handled through a single multi-choice question in a petitions process, leaving all petitions to live at the same simple petitions.aph.gov.au address - without requiring petitioners to do the hard work of understanding how government operated.

On top of this the petitions process doesn't come up in the first page of search results when looking for 'petitions' - a critical but easily fixable mistake. 

This type of simple oversight dominates the entire Australian epetitions process, with it being pretty clear that the work was done with little reference to international benchmarks or usability testing.

Moving on to the actual processes, there's currently no petitions listed so it's not possible to analyse the process for signing a petition. I would have expected that the APH would have done some work to ensure there were a few petitions at launch, as other governments did. 

Clearly this wasn't the case, with the APH potentially taking more of a 'build it and they will come' approach rather than promoting the availability of the site widely before and during its launch. The impression that leaves me is that the APH didn't really want to create this site and doesn't really welcome petitions - they'd prefer to not hear from citizens or have the hard work of dealing with any resulting work.

Regardless of whether this was the case - the impression, or perception, is the thing - and the lack of any petitions to sign at launch reflects badly on the site.

Moving on to the creation process, the process for doing so is well explained in the first page (image above) - though with far more text than is necessary (as illustrated by the other epetition sites above).

Some of the steps on this page, and later pages, are not well communicated, using very subjective and bureaucratic terms - such as "Language (must be moderate)". 


I'm not sure what 'moderate' actually means and I doubt most Australians would be able to guess what a bureaucrat would consider 'moderate language'.

However using more words to explain these types of terms would be a mistake - instead the entire page should be written in plain English, aimed at about the 5th grade level. 

In fact I quickly tested the language on the main page, and it scored at a current grade level of 10.5 - well above what is considered acceptable. The subsequent creation pages score even higher, with terms bandied around that are rarely used outside of Canberra's bureaucracy and would serve to confuse, frustrate or even upset many Australians.

The process for filling in an epetition is OK, clearly stepped out, but with far too many steps (and words) on each page. There's no way to compare your petition with existing petitions - as the UK site does - though as there's no existing petitions to compare with I'm not too concerned about this as yet.

It will become a source of additional work for public servants and frustrations for users down the track however.

There's a lot more questions and information requested than in other epetition processes - with a lot of form fields to complete, which will effectively deter many people from establishing an epetition. Whether this is a good thing, however, depends on whether you're a bureaucrat first or a citizen first (I think it's a poor approach).

Nowhere could I see clarity on the thresholds at which you might get a response to a petition, making the entire process seem like a black box - a digital black box, but a black box nonetheless.

The entire process felt very cold and impersonal, unlike the UK and US experiences - which were warm and inviting.

Given parliament serves citizens, I think it is better to strive to leave users feeling they were important welcomed guests rather than nuisances and intruders into a hostile space.

This lack of warmth was particularly characterised by the final 'thanks for submitting a petition' page - which neither thanked the petitioner, nor gave them a feeling they were important and valued.

Even the title of the page remained 'Request a new e-petition' rather than thanking the petitioner for their engagement in Australia's democracy.

Given how often politicians and public servants complain that Australians are disengaged from politics and democracy, the way this entire epetition creation process was constructed makes it very clear that the government itself holds a lot of responsibility for pushing people away, rather than welcoming their contribution.

Summary

So given my review of the four epetition processes, from Australia, Canada, the UK and US, I can say that I'd happily and enthusiastically recommend both the US and UK approaches, slightly favouring the UK due to its maps and sharing tools.

Canada's site is OK for a first attempt. It doesn't appear to have learnt a great deal from the US and UK experiences and asks more than it needs from citizens, but it remains usable and functional if not inviting.

Unfortunately Australia's epetitions site is a very poor effort, and reflects poorly on the government, our public service and Australia's claims of being innovative and digitally progressive.

About the most positive thing I can say about it is that at least we now have the site - so there's a starting point to improve from.

However any competent usability designer would not have built the site in the way it has been built - and it seems more of a 'tick and flick' developed with internal resources on little or no funds (not that it would have cost a great deal to have done a good job).

I'm very disappointed at the APH's efforts - and have created an epetition for people to sign accordingly (though I doubt it will make it through the APH's scrutiny process - which is far more involved than for any other jurisdiction compared).

I truly hope the APH spends more time looking at benchmarks internationally and can convince the government that epetitions are a key interaction tool with citizens, so having them feel invited and effective is critical for supporting a positive view of government.

I'll be looking in on the site from time to time to see how it's going - and would happily help the APH improve the site if asked (in fact I reached out last July, but never heard from them).

This isn't just a box that government has to tick, it's a vital avenue for citizens to engage with government and an advanced democracy like Australia should recognise the importance of doing it well.


Wednesday, September 07, 2016

Don't ask for more information than you need (and make it clear why you're asking what you're asking)

I've just become aware of the ACT Government's consultation for a new license plate slogan.

Hosted at Your Say, the government is asking for ideas for a 30-character or less slogan, with the best ideas to be put to a public vote later this year.

I support this type of consultation approach - it provides for broad public input, with a screening step (via a panel of judges) to manage any inappropriate suggestions before a public vote.

The consultation also does a great job of explaining the process timeframe; when the decision will be made and when the license plate will be released.

One of the 'tricks of the trade' for consultations - and engagements - is to ask the minimum number of questions required to meet the purpose of the process.

While there's often temptation to ask a few additional questions, where data might be interesting but is non-essential to the consultation's purpose, each additional question can reduce the response rate significantly.

These additional non-essential questions can also call into question what the consultation is actually designed to achieve. This can, at worst, lead to suspicion and loss of trust, but at minimum is likely to cut the honesty and number of responses, potentially damaging the ability of the consultation to achieve its purpose.

Sometimes, of course, there can be questions that appear non-essential but are necessary for the consultation to achieve its goals. In this case, the organisation engaging should make it as clear as possible why the questions are being asked, without damaging the engagement process itself.

Unfortunately it seems that the ACT government hasn't fully thought this through in its license plate slogan consultation.

Alongside asking for the slogan and where the respondent lives (important for getting ideas expressly from Canberra residents), the consultation also asks for the name and a contact number/email, as well as age and gender.

While the consultation does a good job of explaining why name and contact information might be useful, so that the finalists and winning respondent can be contacted, it's unclear why either age or gender are required in this process.

Age is a compulsory field while Gender is optional, but realistically neither is important information in the review process, nor is there an explanation as to why the ACT government would need this information.

Now this might seem a trivial thing to the agency involved in the process; after all, age and gender aren't hugely personal information and gender, in particular, is often determinable from name alone.

However by adding these fields - whether compulsory or not - the response form becomes that much more complex, and can discourage some people from responding.

That doesn't mean that this process won't get a good response rate, but it is likely to be less than it would otherwise be.

Of course it's hard to prove this in this case, as we don't have the luxury of an AB test to compare approaches - but from experience, overall responses go down when additional (and unnecessary) questions are asked.





Thursday, August 18, 2016

PM&C sets a new benchmark for public engagement in Open Government Partnership membership process

This morning the Department of Prime Minister and Cabinet (PM&C), through its ogpau.govspace.gov.au site, put out a call for stakeholders to express their interest in joining an Interim Working Group to help co-draft Australia’s National Action Plan (NAP) for the Open Government Partnership (OGP).

The approach that PM&C confirmed this morning is a very innovative and progressive one. I believe it is a model for government/civil society engagement in Australia that other agencies should pay close attention to.

PM&C proposed forming an Interim Working Group to decide which actions to put to the government for final sign-off and inclusion in the NAP.

The Group is expected to have up to 12 members, comprised of equal representation between government officials and civil society stakeholders. It will be co-chaired by a senior government official and a civil society representative.

Anyone can submit an expression of interest to join the Group, with expressions to outline relevant experience and expertise related to supporting transparency, accountability and open government.

It is extremely rare for government agencies in Australia to agree to 'share power' with external stakeholders in this manner during a decision-making process. The usual approach is to invite feedback from outside, but make decisions inside agencies, usually in a 'black box' manner.

The collaborative approach outlined by the OGP team in PM&C is a far more transparent and engaging one. It shows respect by granting near equal standing to external stakeholders and, through sharing decision-making responsibility, is more likely to result in shared ownership and ongoing commitment to implementing the decisions made.

The Interim Working Group announcement is the first public step progressing Australia's membership of the OGP since the federal election. It follows a multi-stage consultation process which has included:

  • initial stakeholder information sessions run in Brisbane, Sydney, Melbourne and Canberra in December 2015 (Disclosure - I ran them on behalf of DPM&C, the presentation slides are here and a video of one of the sessions here).
  • a dual consultation process in February/March 2016 involving both an external wiki collecting action ideas for Australia's NAP (over 200 collated ideas here) and an internal consultation with government agencies to identify actions they could commit to.
  • a Canberra-based co-creation workshop in April 2016 involving roughly 60 attendees from civil societies, agencies and individual stakeholders which aimed to aggregate and filter the collated ideas into 10-15 actions for the NAP (outcomes here). My report on the workshop, which I attended, is here.

I'm very optimistic about this process, as the Department of Prime Minister and Cabinet has demonstrated significant engagement and commitment to the outcome and a willingness to listen to and involve external stakeholders throughout the decision-making process.

I hope other agencies keep a close eye on this process and the outcomes and consider where a similar approach might help them achieve public goals in a more effective and sustainable way.


Friday, August 12, 2016

What follows #CensusFail

I think it is now safe to say that, technically at least, #CensusFail has peaked, with the ABS and IBM successfully restoring most access for the Census 2016 site.

While there are still scattered reports of failures, not recognizing JavaScript is turned on, issues in some browsers and variable levels of access for people with VPNs, by and large the site is limping home.

Increasingly it appears that there was no large denial of service attack on the ABS, just a cascading series of issues which made the census service vulnerable to demand peaks, with perhaps a small attack being sufficient to drive it over the edge.

The repercussions and fallout for the incident will occur for a long time. Several official reviews are already in motion, all of IBM's advertising in Australia remains offline, and the ABS has not changed its engagement and communications course in any perceivable respect.

The ABS is likely to be feeling the initial impacts of the next demand spike - not of census traffic, but of Freedom of Information requests, with journalists, privacy advocates, IT experts and others all interested in understanding what decisions were made, where and by whom.

Hopefully the ABS will scale its capability effectively, unlike the Census experience, or take the high road and proactively release information, including server logs (anonymised of course) that allow external parties to understand the progression of events and clarify what occurred and the good work the ABS did to protect the data of Australians (their key commitment) throughout the incident.

The real risk now is that politicians and ABS management will try to switch back to business as usual too quickly, answering to official enquiries about the incident but refusing to answer to their real owners - Australian citizens. There's a tendency in most organisations to spring back into normal operations too quickly after a crisis, forgetting that the collective external memory is often longer than insiders expect.

The consequences of #CensusFail are likely to have ripples affecting every major government IT project, significantly reducing political and public trust in digital initiatives by many federal agencies, as well as impacting on state and local government initiatives.

In many other digital projects politicians and citizens will ask for additional safeguards to protect against a potential #CensusFail, no matter how unlikely it may be. This will add cost and time to these projects, pushing up IT expenditures at a time when budgets are being cut, causing agencies to delay and defer the more expensive or ambitious projects and attempt to keep limping along on existing infrastructure for just a year or two more.

In extreme cases this may increase risk, with already old systems pushed beyond their commercial lifespans; in broader cases it will harm innovation and cause governments to fall further behind their peers elsewhere in the world.

This seems a bleak picture, but I don't blame the ABS for this. It is a consequence of the lack of political IT expertise we continue to see across many Australian governments and of the risk-averse cultures that continue to flourish across governments despite the increasing downside risk of this stance.

It takes a long time to turn a big ship, and in this instance the ship is Australia. We are not educating our children or adults adequately to master a digital world and we do not have the level of IT knowledge or capabilities we need as yet to sustain a first-world infrastructure.

This flows through our corporations, our public service and our political leadership and it cannot be solved by the import or outsourcing of expertise.

I wish the ABS well in rebuilding their reputation following #CensusFail. In five years when the next Census is held the organisation will still be dealing with the fallout from 2016.

However the real failure and fallout in 2021 will be much greater if Australians have not invested in building our collective digital expertise to the levels we require to continue to grow our national wealth and economy, to sustain our standards of living and maintain our place as a first world democracy.


Wednesday, August 10, 2016

#CensusFail - What the ABS did well, what they didn't & what other agencies should learn from it - PLUS: Who attacked the Census?

I feel sorry for the ABS guys this morning - they've just seen three years of planning and effort effectively blow up in their faces, and I expect many staff are now scrambling to address the issues from overnight in order to move forward.

I know how dedicated and hard working they are, and how committed they've always been to providing a statistically accurate picture of Australia to support good government policy and services.

However I also feel it is appropriate to look at what's happened with the Census 2016 process - the good and the bad - and provide some context and thoughts for others across government on what they can learn from the ABS's experiences.

It is right after Census night, and much remains unclear - I expect a more complete picture of events to emerge over the following days and weeks. However there's still much that can be observed, critiqued and analysed from the events thus far.

Let's look at the facts to start.

This was the ABS's 17th Australian Census and the organisation has a highly enviable international reputation for its capability to effectively collect, securely store and usefully distribute Australian statistics. It is one of the best organisations of its kind globally and has been highly trusted and respected by successive governments and the Australian public for how it has conducted itself over the last 105 years.

Despite this, successive governments have progressively cut the ABS's funding, with the ABS forced to consider making the Census 10 yearly, rather than 5 yearly, due to budget cuts. In fact if not for a $250 million 5-year grant from the Coalition government in 2015 to upgrade ageing (30yr old) computer systems, it is questionable whether the ABS would be positioned to maintain Census timing and reliability.

The 2016 Census was the first in Australian history to be predominantly online. The ABS has had an online capability since the 2006 Census and was moving digital in degrees. For 2016 the ABS estimated it would cost at least $110 million extra to hold the census predominantly in paper, so the move to digital first was both sensible and pragmatic given the ABS's reduced funding.

As a result, the ABS aimed to have at least 65% of Australian households (call it about 6.5 million) complete the Census online.

Around the same time the ABS (not the government) also made a decision to retain names for up to four years (up from 18 months in 2011 and 2006) after the Census and create linking keys which would be retained indefinitely. The purpose was to allow the ABS to connect Census data with other datasets to uncover deeper statistical trends to better inform policy.

The ABS did conduct a form of public engagement over this decision to retain name data and linking keys, however this was quite limited - I wasn't aware when it was held and apparently it only received three public responses indicating concern.

The same proposal was discussed in 2006 and 2011 and rejected due to privacy concerns. I'm not sure how the ABS felt the situation or environment had changed to make this proposal acceptable.

Over the last four months privacy advocates, senior ex-staff of the ABS and non-government politicians have become increasingly vocal over this privacy change - with the discussion coalescing online at #CensusFail over the last two weeks (just prior to 'Census night').

The ABS's response to this has been to largely repeat (in various ways) 'you can trust us', and avoid publicly engaging with the issue or its underlying causes in detail.

Partly as a reaction to not feeling heard or engaged, the voices of opposition have gotten louder and louder, reaching the media and prompting at least seven Federal politicians to publicly announce they would not be providing their names to the ABS in the Census. Alongside this, IT specialists have tested the edges of the ABS's Census systems and highlighted several apparent vulnerabilities - which the ABS has also not engaged with in a public way beyond 'trust us'.

At the same time ABS phone lines for Census were widely reported to be congested - with the ABS on its site saying from 8 August that people should delay calling until the 10th (after Census night on the 9th).

It's worth noting that alongside this slowly rising opposition, the ABS was quite outspoken about how people who did not complete the Census could be charged $180 per day indefinitely until completed and those who provided false information could be charged $1,800 - although they were careful to wrap this stick in a little cotton wool, stating that there were only about 100 fines issued in 2011.

The ABS's Census campaign, similar to past Censuses, focused on 'Census night' - where Australians could take a 'pause' to respond to the Census and inform future policy for Australia. They tried to create a party atmosphere, with the Census being an engaging family experience that could be undertaken on Census night.

In fact people were able to complete the Census up to two weeks earlier (and 2 million households did), as well as complete the Census up to six weeks afterwards without any prospect of a penalty. While some people understood this, the ABS's communications campaign focused very much on that one Census night on 9th August - which was an approach likely to concentrate demand for the online Census system into a 5pm to 10pm period on that one night.

On Census night the Prime Minister and many others commented publicly via social channels on how easy the system was to use and complete - until around 7:15pm when the first issues began being reported online, with failures to submit completed Censuses and the Census site being slow and unresponsive.

From 7:30pm the level of complaints had escalated enormously, and shortly thereafter the ABS reports it took the site offline due to a series of at least four denial of service attacks on the site, one of which exploited a vulnerability in a third party service.

The Australian Signals Directorate (the government agency that other government agencies call in when foreign interests or organised criminals digitally attack - and which manages much of Australia's cyberwarfare capability) said that the attack was malicious and foreign-based.

However the ABS's Twitter account continued to cheerily post about completing the Census, TV and radio ads continued, and the ABS didn't announce the site was down temporarily until 8:38pm - almost an hour later.

The ABS then didn't announce the service would not be restored until 10:59pm - over three hours later.

This morning we learnt officially about the attack and the ABS's response. The ABS shut down the site to protect the data they had already collected, protecting the privacy of the 2 million plus Census forms successfully submitted earlier in the night.

The ABS's chief statistician, David Kalisch, told ABC radio this morning (10 August) that, "after the fourth attack, which took place just after 7.30pm [on Tuesday AEST], the ABS took the precaution of closing down the system to ensure the integrity of the data."

As reported in the Sydney Morning Herald, Mr Kalisch also described the events that caused the issue: the system's geo-blocking protection was not working effectively, a hardware router failed, and a monitoring system "threw up queries we needed to investigate".

We've also learnt that the Privacy Commissioner is now investigating the matter.

The Minister responsible has said that the "Census [was] not attacked or hacked" - though this is somewhat of a half-truth. A Denial of Service attack is an attack, and can be used to attempt to 'brute force' access underlying data. The ABS successfully defended the site's integrity and prevented data loss (hacking), but it was definitely an attack.

Now there is currently some doubt over whether there was a Denial of Service attack, however for the purposes of this post, I'll take the ABS's word for it.

More details will emerge over the days and weeks to come, but let's look at what went wrong and why.

What went wrong and why

The issues raised prior to Census night may have explicitly focused on privacy and security, but they were really about engagement. Simply speaking, many people in the community felt that they had not been sufficiently engaged about the ABS's decision to change how long it kept personally identifiable data or how it would be linked to other datasets.

The ABS's consultation approach - which I missed entirely - appears to have failed to engage the group who were most likely to be concerned about privacy considerations, and the agency's attitude after privacy concerns were raised was too dismissive and high-handed.

This isn't simply my view - I've seen the same basic concerns raised time and time again about a level of ABS engagement arrogance and refusal to go more deeply into a conversation than 'trust us' and 'those concerned are crackpots'.

So the first thing the ABS did wrong was have an insufficiently long or engaging process of socialising the Census changes and reassuring key voices by demonstrating a very interactive process of addressing potential issues and concerns.

This perhaps speaks to the ABS biting off too much in this Census - both going to a digital-first model and introducing changes which many people felt increased the privacy risks. If the ABS had focused on one of these changes this Census (digital-first), and had then introduced the data retention changes next Census, they would have had a much easier job of it.

The concerns around privacy escalated as people found potential security holes in the Census system - such as this plaintext issue - which the ABS essentially ignored and dismissed.

Whether or not this, and other issues, were merely perceptional or were real issues which the ABS then addressed, acknowledging the concerns and addressing them in a mature and engaging manner would have gone some way to address the concerns and satisfy those raising them. Instead all the community received was government motherhood statements amounting to 'trust us'.

In a time when trust in government is low and people are regularly bombarded with media stories about data breaches, 'trust us' has no meaningful use as a government message. Instead the ABS needed to have a highly flexible and collaborative approach to communication - inviting privacy advocates to special sessions with Census officials who could explain the technical nuances of what was being done, and policy officials who could explain the benefits of the approach.

With this style of engagement the ABS could have transformed the privacy community into advocates for the Census, rather than opponents, and greatly limited the pre-Census jitters which have resulted in a high profile loss of faith in the ABS and in the government.

A side-effect of the ABS's failure to engage was the creation and growth of the #CensusFail hashtag on Twitter - which then became a lightning rod for the subsequent issues the Census experienced on the night of 9 August.

With the ABS focusing attention through its media campaign on 'Census night' it was inevitable that most people would attempt to complete their Census forms online in a very narrow window - between 5pm and 10pm on August 9th. This was even though it was possible to complete the Census earlier or later.

With the Census being a national event and the high profile of 'Census night' due to both the ABS's positive #MyCensus campaign and the negative #CensusFail campaign, it was highly probable that someone would see the narrow high-volume Census night window as an opportunity to embarrass the Australian Government, make a privacy point or attempt to steal a massive honeypot of data that could have been mined for decades for commercial and political gain.

I'm sure the ABS foresaw this. They'd done extensive load testing and everything I'm sure they could to secure the system. However they were also partially responsible for creating the window in which there would be a peak load that could be exploited.

As such, the highly probable happened. Someone (or someones), somewhere in the world attacked the Census process with a series of four brute force Denial of Service attacks (again I'm taking the ABS's word that there were active attacks).

These attacks aim to flood servers with so much traffic that they give up secure information or fall over and stop working.

We know from the Australian Signals Directorate that the attacks were launched primarily from offshore. I'm unsure if the ABS had designed its system to separate known foreign and domestic traffic, which could have helped mitigate part of these attacks - but there are ways for attackers to mask their locations, so this is not a certain way to counter them.

We know that the first three attacks caused little damage other than minor delays and hiccups, but the fourth found a vulnerability in a third-party service and the ABS pulled the Census site down.

This was absolutely the right technical approach to take, but again the ABS made a series of unforced errors in its engagement.

Firstly, in the days before the Census the ABS declared that its system was unsinkable - "It won't crash". Technically this was true - it didn't. However the impact for users was the same as a crash: the system went offline.

The Prime Minister similarly said that ABS Census privacy "was absolute". This, to anyone involved in privacy and security is simply untrue - and the ABS's actions on Census night created a perception that the Prime Minister was lying or poorly informed by the ABS.

Both the actions above created a situation where the ABS over-promised and under-delivered. Rather than making people trust the ABS and Census approach, it has created more fear and uncertainty and made the ABS look, in the words of New Matilda, "like a deer caught in the headlights".

It would have been preferable if the ABS had made it clear that they had taken the advice of security and privacy specialists and taken all the actions within their power to protect the Census process.

Rather than declaring "It won't crash", they should have said "whatever happens we will safeguard your data to the best of our ability", and highlighted that people could complete the Census over a period of time at their leisure, rather than having to pile in on 'Census night'.

In other words, agencies should underpromise and overdeliver. The ABS, like other government departments, already had a high level of trust and faith from Australians. Making undeliverable claims, as they did, to try to signal they were trustworthy only gave them enormous downside risk and challenged malicious external hackers to try to bring them down.

Next, the ABS did not tell people immediately about their actions by saying something at 7:45pm like "We've detected attempts to access Census data and, in the interests of Australians, taken the decision to take our system offline until we're sure your data will continue to be as safe and secure as possible". Instead there was no real public communication of the ABS's decision (right though it was) until Wednesday morning.

This was a major, major, engagement failure. People were engaged and trying to complete the process the ABS had asked them to complete. Yet the ABS did not have the courtesy to tell them that they could not complete it until hours of frustration afterwards (though the ABS did tell the government).

People had trusted the ABS, given up their evenings to 'take a pause' for Australia - and the ABS then left them hanging and wasting time - unsure if they would be fined.

This did more than damage trust in the ABS and government. It destroyed respect.

To other government agencies - trust and respect must be mutual. They are built slowly over time, but can be destroyed in an instant. The ABS just did that, and the impacts will be felt, by the ABS, by the Turnbull Government and by other agencies for years to come.

The impacts will be subtle. Every major IT project will be met with scepticism. Statements by Ministers and senior public servants will be disregarded and lampooned. What has been lost will take years to recover.

Now the ABS has to pick up the pieces and move forward - so what's the best way to do this?

This is a classic crisis recovery scenario writ large. Transparency is the key. The ABS has to own the issues and be proactive about engaging media and the public on what happened and why the ABS acted as it did.

It did get off to an OK start this morning with David Kalisch's interview on ABC radio. Now the community needs a continuing stream of engagement clarifying the steps the ABS has taken and what will happen next.

The last tweet from @ABSCensus was at 9:53am. It's now 1:51pm. The ABS realistically needs to be communicating at least hourly on what is going on while people's attention is still focused on #CensusFail.

The ABS should reframe its communications campaign (using any budget it has left) to focus on how it put public interest ahead of its own reputation, pulling the Census site offline until it was certain it could guarantee the security it promised Australians.

The ABS needs to commit to deeper and longer engagement with the community and specifically privacy advocates around any future Census changes - potentially even step back from its position on linking data, committing to working more closely to communicate the benefits and safeguards and listening to the concerns of the public.

In short the ABS has to eat humble pie.

If the ABS takes these steps it will, over time, recover the trust and respect of the public, rebuild its reputation and regain its position as one of the most respected and trusted government institutions.

However if the government and ABS can't get their story straight (already an issue), senior egos or politics get in the way, or the ABS decides to be 'selectively transparent' and only share details it thinks are important to the people it deems important - the strategy will fail.

I have enormous respect and trust in the people who work at the ABS and hope they take the steps necessary to turn this tragedy into a resurgence. The responsibility for their future success is on their shoulders, and I hope they bear it well.


PS: Who attacked the Census and Australia?

I consider that there are four potential groups who may have led the attacks that led the ABS to take the website offline. Note that it's even possible that several groups attacked around the same time - seeing the same opportunity.

These are:
  • Random opportunity hackers - people who saw an opportunity to bignote themselves by claiming the Australian Census as a 'scalp'. With the ABS touting themselves as totally secure and a five hour window with maximised traffic, it wouldn't take much for an individual or group of hackers to decide to take down the Census for LOLs and credibility.
  • Organised crime - groups who systematically hack organisations for data they sell or use for fraudulent activities. These groups would see the Census as an enormous honeypot of data they can sell and resell for years to come, containing all the vital information for identity and credit card fraud. Again these groups would easily be able to pick the best time to hack the data as the ABS flagged it in their advertising, Census night when millions of households attempted to use the service. 
  • Privacy groups - 'organisations' like Anonymous often go after organisations they see as crossing the line on privacy - as the ABS was seen to be doing by a number of people. Their goal would simply be to disrupt the process as a political awareness tool.
  • State-sponsored hackers - a number of governments (China and Russia chief amongst them) use state-sponsored hackers to attack foreign governments, companies and other organisations that oppose their perspectives, embarrass them or as a tool in geopolitical positioning. In this case the Census was a high profile event for Australia, with a new one-seat majority government in place. Disrupting the Census would cause political damage and fallout, potentially even causing the government to fall, but at minimum reducing the trust Australians have in their government and creating distrust that could be exploited later. Given that Australia has been considered by China as embarrassing China on several recent occasions - over China's East China Sea installations and at the Olympics, an attack disrupting the Census might be considered proportionate retribution to 'teach Australia its place'. China has been known to perform similar acts against Australian non-government organisations, such as film festivals showing politically sensitive films - attacking the Census would be a bold escalation, but a plausible one. These hackers may also look to access data on individuals as a secondary bonus - as a foreign government could use it for years to come for commercial and political gain.
My view on the above scenarios - random hackers are least likely. Australia isn't that significant and the Census, while a public target, isn't a 'hard' one by international standards. Military targets are more often targets for credibility.

Privacy groups would have flagged the attack. Their gain is in public exposure and ridicule and, while there's been plenty of that for the ABS, they'd want to clearly own the hack and make their point.

Organised crime is more likely, but attacking on Census night is potentially too early as not all the data is in. It would be more probable these groups would target the ABS once the data is collected, or would attempt a social attack (paying an IBM or ABS staff member) as this is likely easier and less of a public signal than a brute force attack. These groups don't want public attention, so this form of public attack is rare.

In my view the most likely scenario is that state-sponsored hackers targeted the Census to embarrass the Australian Government in return for a perceived slight. I reckon the Chinese have the most reason right now to do so, although the Russians, when annoyed at Tony Abbott's 'shirtfront' comments, did send a significant navy force to Australia's coast using a G20 meeting to signal their disapproval and defiance.

There are few other nations that publicly have an issue with Australia (and the capacity to carry out this attack) - but very remote possibilities are North Korea, or the failing IS (though IS would have taken credit right away).
