Showing posts with label policy. Show all posts

Tuesday, April 04, 2023

Italy bans ChatGPT (over privacy concerns)

As the first major action by a nation to limit the spread and use of generative AI, Italy's government has taken the step to formally ban ChatGPT use not only by government employees, but by all Italians.

As reported by the BBC, "the Italian data-protection authority said there were privacy concerns relating to the model, which was created by US start-up OpenAI and is backed by Microsoft. The regulator said it would ban and investigate OpenAI 'with immediate effect'."

While I believe this concern is rooted in a misunderstanding as to how ChatGPT operates - it is a pre-trained AI that doesn't integrate or learn from the prompts and content entered into it - the fact that OpenAI does broadly review this injected data for improving the AI's responses means there is enough of a concern for a regulator to want to explore it further.

Certainly I would not advise entering content that is private, confidential or classified into ChatGPT, but except in very specific cases, there's little to no privacy risk of your data being reused or somehow repurposed in nefarious ways.

In contrast the Singaporean government has built a tool using ChatGPT's API to give 90,000 public servants a 'Pair' in Microsoft Word and other applications they can use to accelerate writing tasks. The government has a formal agreement with OpenAI over not using any data prompts in future AI training.


What Italy's decision does herald is that nations should begin considering where their line is for AIs. While most of the current generation of large language models are pre-trained, meaning prompts from humans don't become part of their knowledge base, the next generation may include more capability for continuous finetuning, where information can continually be ingested by these AIs to keep improving their performance.

Specific finetuning is available now for certain AIs, such as OpenAI's GPT3 and AI21's Jurassic, which allows an organisation to finetune the AI to 'weight it' towards delivering better results for their knowledge set or specific goals. 

In government terms, this could mean training an AI on all of Australia's legislation to make it better able to review and write new laws, or on all the public/owned research on a given topic to support policy development processes.

It makes sense for governments to proactively understand the current and projected trajectory of AI (particularly generative AI) and set some policy lines to guide the response if they occur.

This would help industry develop within a safe envelope rather than exploring avenues which governments believe would create problems for society.


Tuesday, January 24, 2017

You've Been Hacked - how far should governments go to protect against the influence of foreign states?

Like most people with a broad digital footprint I've been hacked multiple times, usually in fairly minor ways.

Around ten years ago I had my PayPal account hacked through malware in the Amazon site, costing me $300.

PayPal staff insisted this was a legitimate payment for goods (which I hadn't ordered) being delivered to my legitimate address in Norway (despite having provably never visited the country). I've been very cautious & limited in my PayPal use since, and never recommend them.

Over Christmas last year my Social Media Planner site was hacked and seeded with malware. Fortunately my IT team was able to identify, isolate and address the matter, without affecting visitors, but costing me financially (two weeks downtime). It's fine now BTW, with extra protections in place.

I've had a Skype account taken over by someone in Eastern Europe, who used it for phishing before I could reclaim it, had basic account details stolen in Yahoo, LinkedIn, DropBox and a range of other large-scale hacks of commercial services over the last five years - excluding the Ashley Madison hack (I've never been a member).

I'm not the only one affected by any means, well over 10 billion accounts were hacked in 2016 alone, with Australian politicians, police and judges outed as affected in at least one of these hacks (and a few in this one too).

Much of this widespread hacking results in the theft of limited personal information. On the surface it may appear to pose little risk to individuals or organisations. 

However the individual reuse of passwords and usernames can turn these hacks into a jackpot. This allows hackers, and clients they sell hacked data to, to access a wider range of accounts for individuals, potentially uncovering richer information that is useful for identity theft, economic theft, intelligence gathering or for influencing decisions and behaviour.

Despite all the reports of hacking, it seems many people still treat this lightly - the world's most popular password remains '123456'.

Most governments, however, do not. Securing their networks is a major challenge and a significant expense item. The data agencies hold has enormous political and economic value that could be easily misused to the detriment of the state if it falls into the wrong hands, or into the right hands at the wrong time.

It's not simply about troop movements or secret deals - early access to economic or employment data, access to the 'negotiables' and 'non-negotiables' for a trade deal, or even to the locations and movements of senior political figures (to know who they meet and for how long) can be used for the financial and political advantage of foreign interests at the expense of a state's own interests.

For the most part, Australia's government is decent at managing its own network security. This isn't perfect by any means, but there's a good awareness of the importance of security across senior bureaucrats and largely effective ongoing efforts by agencies to protect the secure data they hold.

However in today's connected world national interest goes far beyond the networks directly controlled and managed by governments. As we've seen from the US (and now Germany), political parties and individual politicians have also become hacking targets for foreign interests.

This isn't surprising. Politicians, potential politicians and even academics have long been targets for funding assistance and free or subsidised study trips to nations hoping to cultivate influence in various ways. In fact these approaches provide some positive benefits as well - by creating personal relationships between powerful people that can lead to improved national relationships, trade deals and even avert wars.

Hacking, however, has few of these positives, as we saw in the release of Democratic National Congress emails by Wikileaks, which were most likely obtained through Russian state-sponsored hacking and whose release was likely designed to influence the US's election outcome.

Whether you believe the cumulative findings of the US intelligence community or not, it is certain that foreign states, and potentially large multinational corporations, will continue to target political parties, and individual politicians, seeking insights into how they think and levers of overt and covert influence for economic and political gain.

Hacking will continue to grow as one of the major tools in this work.

The Australian Government is taking this seriously - and kudos to them for this.

However even this focus on political parties neglects a wide range of channels for influencing current and potential future politicians. What about their other memberships and personal accounts?

Politicians and potential politicians are well-advised to position themselves in various community and business groups to improve their networks, build relationships and future support. They are also just as likely as other Australians to use the internet - for work and personal reasons.

This means they're likely to have numerous online accounts with both domestic and foreign-owned services, with varying levels of security and access control. 

On top of this, it's not simply politicians who may be the targets of influence. Political advisors and activists often shape and write party policy positions, despite never being publicly elected. Influence an advisor and you can influence policy, as the many registered lobbyists know only too well.

Equally bureaucrats across government often are exposed to material that could, if shared with foreign interests, cause some form of harm to a state. We've seen this in insider trading by an ABS staff member, where the economic gain to the individual public servant outweighed his good judgement and public duty.

While bureaucrats are security assessed to a significant degree (unlike our politicians) and selection processes are in place, backed by rules and penalties, to screen out the 'bad eggs', the potential for public servants to be influenced through hacking their personal accounts has risen along with their internet use.

Right now we're in an environment where the number of attack vectors on a politician, an advisor and on individual public servants, is much higher than at any past time in history - while our tools for protecting against foreign influences have not kept up.

Of course this goes both ways - our government also has the capacity, and often the desire, to influence decisions or negotiations by other states. We've seen ample evidence of this, although it isn't really a topic our government wants to discuss.

The question for me, and I don't have a solid answer yet, is how far technically should a government go to limit the influence of foreign states.

Should governments merely advise political parties on how to secure themselves better?

Or should governments materially support parties with trained personnel, funding or even take over the operation of their networks (with appropriate Chinese walls in place)?

What type of advice, training or support should agencies provide to their staff and Ministerial advisors to help them keep their entire footprint secure, not just their use of work networks, but all their digital endeavours?

And what can be done to protect future politicians, advisors and bureaucrats, from wide sweeps of commercial services collecting data that could be useful for decades to come?

We need to have a more robust debate in this country about how foreign states and commercial interests may be seeking to influence our policies, and decide as citizens the level of risk we're prepared to accept.

Until this occurs, in a mature and informed fashion, Australia is hurtling forward into an unknown future. A future where our political system may be under constant siege from those who seek to influence it, in ways that are invisible to citizens but more wide-reaching and dangerous to our national interest than any expense scandal.

If this isn't the future that we want, then it is up to us to define what we want, and work across government and the community to achieve it.


Monday, November 28, 2016

Guest post from Henry Sherrell on access to open data for effective policy development

Henry Sherrell is a former Australian Public Servant who now works in policy research at the Australian National University.

As a researcher, open data has become an important input into his work. As such I thought it worth sharing (with his permission) this post from his blog, On The Move, as an example of some of the difficulties researchers still face in accessing data from the Australian Government for important policy work.

It is notable that since Henry published his post, only four days ago, the legislation regarding Henry's policy work is going back to parliament - still with no modelling of its impact on affected communities or any real public understanding of the potential consequences.

I've reproduced Henry's post as a guest post below in full. You can also view Henry's post here in On The Move.

My battle with the Australian Border Force Act: A small, but worrying, example

There are hundreds of interesting questions to ask when someone moves from one country to another. For as long as I can remember, Australia has been one of the best places to explore migration. There are two reasons for this: We welcome immigrants and the government and bureaucracy collect and make accessible robust migration data.
They are not household names but people like Graeme Hugo, the late Paul Miller, Deborah Cobb-Clark and Peter McDonald have shaped global debates on migration. A new generation of scholars are now examining big, important questions about the intersection of migration and work as well as any number of other themes, many of which will help us as a society in the future. Yet this tradition depends on access to Australian migration data from a number of sources, including the ABS, the Department of Immigration and various surveys funded by the government.
Until I received the following email from DIBP, I hadn’t realised just how uncertain this type of knowledge will be in the future:
“The data that was provided to Department of Agriculture was done so for a specific purpose in line with the Australian Border Force Act 2015 (ABF Act).  Unfortunately your request does not comply with the ABF Act and we are therefore unable to provide the requested data.”
I didn’t receive this email because I asked for something controversial. The reason this email stopped me in my tracks was I asked for something which was already largely public.
About a month ago I stumbled across the below map in a Senate submission to the Working Holiday Reform legislation. The Department of Agriculture and ABARES had produced the map to help show where backpackers worked to gain their second visa. This was an important part of a big public debate about the merits or otherwise of the backpacker tax (as I write this legislation has just been voted on in the Senate, amended and defeat for the government).
I’d never seen this information before and I’m interested in exploring it further as there are decent labour market implications stemming from backpackers and the results may shed light on employment and migration trends. As you can see below, the Department helpfully documented the top 10 postcodes where backpackers worked to become eligible for their 2nd visa:
[Image: screenshot of the map from the Senate submission]
I get teased a little bit about the number of emails I send asking for stuff. But I’ve found you normally don’t get something unless you ask for it. So using the Department of Agriculture’s handy feedback form on their website, I asked for the data showing how many 2nd working holiday visas have been granted for each postcode.
The top 10 postcodes are already public but as the map shows, there is lots of other information about what you might term a ‘long tail’ of postcodes. One reason I wanted this information was to match up major industries in these postcodes and understand what type of work these people were doing. It would also be good to go back a couple of years and compare trends over time, whether employment activity shifts over time. All sorts of things were possible.
One thing I’ve learnt in the past is don’t ask for too much, too soon. In addition, there is always a potential privacy consideration when examining immigration data. For these reasons, I limited my request to the list of postcodes and number of second visa grants in each. That’s it.
This ensured I excluded information about individuals like age and country of birth which may compromise privacy. I also assumed if the number of backpackers in a postcode was less than five, it would be shown as “<5” as this is standard practice for other types of immigration data.
ABARES let me know they had passed the response to the Department of Immigration and Border Protection. After following up with DIBP twice, about a month after my initial request, I received the above email which prompted a series of internal questions roughly in this order:
  • You have to be f****** kidding me?
  • If the data was provided to the Department of Agriculture with the knowledge it would be at least partially public, why isn’t the same data available but in a different format? i.e. a spreadsheet not a map based
  • How does my request not comply with the ABF Act? What’s in the ABF Act which prevents highly aggregated data being shared to better inform our understanding of relevant public debates?
And finally: why couldn’t someone work out a way to comply with the ABF Act and still provide me with data?
From what I can work out, the relevant part of the ABF Act is Part 6 pertaining to secrecy and disclosure provisions. Section 44 outlines ‘Disclosure to certain bodies and persons’ and subsection (1) is about ‘protected information that is not personal information’ disclosed to “an entrusted person”. This is the same process causing serious consternation among health professionals working in detention centres.
I am not “an entrusted person”. According to subsection (3), the Secretary of the Department has authority to designate this. Perhaps I should email and ask? Again from what I can work out, it looks like the person who created the data made a record now classified as protected information. This information is then automatically restricted to people who are classified as entrusted, including other bureaucrats, such as those in the Department of Agriculture.
Yet this begs the question. If the Department of Agriculture can publish a partial piece of a protected record, why can’t the Department of Immigration and Border Protection?
All I know is this stinks. And while this concern does not rank anywhere close to those faced by doctors and nurses who work in detention centres, the slow corrosion of sharing information caused directly by this legislation will have massive costs to how we understand migration in Australia.
Think about the very reason we’re even having a debate about the backpacker tax. Not enough people knew about immigration policy, trends and behaviour. The wonks at Treasury didn’t do any modelling on the labour market implications and the politicians in ERC and Cabinet – including the National Party – had no idea about what this might do to their own constituents. Outside the government, when I did a quick ring around in the days after the 2015 budget, the peak industry groups for horticulture didn’t think the backpacker tax would be a big deal. If I was a farmer, I’d rip up my membership. People should have known from very early on this would have real effects in the labour market as I wrote 10 days after the Budget. The fact no-one stopped or modified the tax before it got out of control shows we are working off a low base in terms of awareness about immigration.
The Australian Border Force Act is only going to make that more difficult. Hiding basic, aggregated data behind this legislation will increase future episodes of poor policy making and limit the ability of Australia to set an example to the world for immigration. Our Prime Minister is fond of musing on our successful multicultural society yet alongside this decades of learning that has shaped communities, policy decisions, funding allocations and everything else under the sun.
I have no idea how I’m meant to take part in this process if access to information is restricted to bureaucrats and ‘entrusted persons’, who at the moment don’t seem able to analyse worth a damn, judging from the quality of public debates we are having. I don’t expect a personalised service with open access to immigration data. But I expect the public service to serve the public interest, especially when the matter is straightforward, uncontroversial and has the potential to inform relevant public debate.


Thursday, November 24, 2016

Census 2016 Senate Inquiry report - what's been recommended to avoid another #CensusFail

Both the Senate Inquiry report on Census 2016 and the Review of the Events Surrounding the 2016 eCensus (by Alastair MacGibbon, Special Adviser to the Prime Minister on Cyber Security) have just been released - I've embedded both reports below (so they appear in one place).

They are a good read with some useful recommendations for the future.

Reflecting on what has become known as #CensusFail, in comparison to other technical issues experienced by government, the Census 2016 experience probably rates as the most significant public ICT issue experienced by the Australian Government so far this century.

While in the last 15 years the Australian Government has had other incidents, these have been relatively minor, with limited public visibility or impact.

This includes incidents such as the 15 year delay in creating an Apple version of e-Tax (now rectified), launch issues with sites such as MySchool, challenges with access and security within the MyGov system, data breaches from the PCEHR (personally controlled electronic health records) eHealth system and the accidental exposure of private data for asylum seekers.

In contrast, the issues experienced during the 2016 Census have been far more widespread in their public visibility, impact and long-term ramifications for trust in government.

However, to put "the most significant public ICT issue experienced by the Australian Government so far this century" into perspective - no-one died, no-one was hurt and no-one even lost control of their personal data.

At worst a number of government and IBM staff experienced unhealthy levels of anxiety for several days.

Given the struggles that developing countries have had to get their egovernment ICT working in the first place (with a reported 15% success rate); or the challenges advanced countries like the US have had with national systems (such as ObamaCare); or the experience of states like Queensland, which could not pay some of its Health staff for some time when its new payroll system failed, CensusFail just doesn't rate as an ICT disaster.

The actual operational impact of the 2016 Census problems was merely a short delay for people attempting to fill in the Census online.

Ultimately the ABS still exceeded the desired Census response rate, will still be releasing Census data much faster than ever before, and the agency still saved over $70 million dollars by moving more of the Census online.

However despite not actually rating as an ICT disaster, there was still a real cost to CensusFail - the perceptual and reputational damage from the ABS publicly failing to deliver on its Census Night promise, exacerbated by poor crisis engagement.

As a net result the real impact of CensusFail is on long-term governance in Australia, due to a reduction in trust in public institutions to 'do the job right the first time'.

I'm aware of other agencies now being regularly questioned by their Ministerial offices on whether they have any systems or projects which pose a similar reputational risk to the Australian Government. I've watched as the term 'CensusFail' has become the 'go to' term raised whenever a new government ICT issue is reported.

As a result the trust in government agencies to deliver complex technical solutions has been diminished, and it will take years to recover.

I hope that the recommendations in this Senate report, the lessons from Census 2016, will be top-of-mind for every public servant and Minister engaged in a significant government ICT project for years to come.

Hopefully the right lessons will be learnt - that managing your communications and public engagement well when the ICT gets wonky is critical.

In fact you can even transform a technical failure into an engagement success, if you get your messaging and timing right - strengthening, rather than weakening, trust in government.

Census 2016 Senate Inquiry Report as redistributed by Craig Thomler on Scribd



Tuesday, November 15, 2016

Asking 'what should be the limits on how public servants engage in social media' is the wrong question

The Australian Public Service Commission (APSC) has just released a consultation paper asking for feedback regarding how public servants may be able to 'Make Public Comment' specifically focused on social media.

It's great to see the APSC consulting on this area. It is subject to rapid change, both in the nature of the approaches and tools available for public servants to comment online, and in regard to the evolution of thinking and expectations within the public service itself.

For example, Gov 2.0 and the current follow-on push for digital transformation has continued to attract new groups of potential employees and partners to the APS. These are groups with their own established (generally active, transparent and outspoken) approaches to online engagement - creating challenges for existing public sector hierarchies in both recruitment and management of these cohorts and acculturalising them to current APS norms.

Equally the blurring of the lines between private and professional continues to grow. With government policy now essentially touching on every aspect of life, existing public servants can feel constrained and muted by current requirements to not comment negatively on any policy area.

This is whether it be a public servant/parent dealing with schooling challenges, a public servant/carer dealing with NDIS challenges, a public servant/driver dealing with road infrastructure challenges, a public servant/patient dealing with health challenges, or a public servant/former immigrant dealing with family unification challenges. In all of these cases, even if their career is in a totally unrelated area of the public service, it is unwise for them to share even privately via their social media channels comments critical of the policies which are impacting their lives in a real and significant manner - just in case their public service friends report them and their public service bosses decide to define their comments as less than appropriate.

At the same time with the increasing normalisation of social media as the primary 'town square' for civil discussions (though not always so 'civil'), younger people, former APS staff (such as myself) and others who might at some point work in or to governments, are more enabled and likely to debate or share contentious political and policy issues via social networks without full consideration of the likely views of older-fashioned agency management and the impact on potential employment or contracts.

Similar to the lament of police and other security services ten years ago, who found it increasingly hard to hire individuals able to conduct important undercover work, due to the widespread adoption of social media (forcing a shift to profile cleansing from profile hiding), it's rare for any young person to not have an active social presence online, potentially touching on a range of politically sensitive topics - if not crossing professional lines with beach and party shots.

Similar to the debate over whether children should be seen and not heard, I've witnessed a number of older senior APS managers express their ongoing views that public servants should neither be seen nor heard in public debate - despite this going further than even the existing guidance for how public servants may engage in public discourse.

Moving on to the current consultation process, there are a few assumptions in the approach which could significantly impact the outcomes.

Benefits vs Risks

Firstly the entire consultation, while nominally appearing to aim to be neutral, overwhelmingly concentrates on the negative impacts of public comments by public servants.

The approach largely overlooks the benefits of having an engaged workforce, interested and knowledgeable about a policy area, able to engage effectively in online debates - providing facts, busting myths and communicating compassion and concern for the communities impacted by policy decisions.

Some organisations outside the public sector have realised the value of staff as advocates for an organisation - that every staff member is connected to hundreds of peers, friends and family members who are potential customers or clients. However it seems only rare public sector organisations have recognised the same potential.

Imagine the impact of having 4,000 Health Department staff sharing the latest PBS drug additions, or carefully explaining government policy to communities who haven't been on the same journey to recognise why alternate approaches look fine on the surface, but have significant long-term negative impacts.

Imagine having over 30,000 Human Services staff sharing the latest information on changes to welfare programs, the release of new apps, or helping parents considering separation to understand their potential financial obligations to their children in a divorce.

The upside of having staff engaging socially is immense where staff are provided with the right access to tools, advice and potentially training - more effective than spending millions on 'shouting at' communities via traditional media, or even online communication campaigns.

However taking this positive approach to staff social engagement relies on a critical factor that increasingly appears in short supply in the public service - trust. Senior executives in the public sector have long been shown to be significantly disconnected from their staff - with regular APSC studies showing enormous differences in perceptions as to how well senior managers communicate and with work satisfaction levels.

With rolling pay disputes, increasing employee concerns around the casualisation of workforces, fewer opportunities for staff to progress and ongoing budget cuts, there's a range of factors already impacting on trust relations within agencies - a largely negatively focused social media policy, designed around preventing bad behaviour rather than enabling and supporting good behaviour, is merely another straw on the back of the increasingly concerned camel.

Policy for the future of the APS

Looking further at the consultation, while it doesn't specifically exclude any group from consulting, the placement and approach strongly favours current APS staff, or the hyper-interested (such as myself).

This means the consultation will largely be biased around current staff and their current expectations, having little consideration of potential staff who increasingly consider their ability to engage freely on social media as a right rather than a privilege restricted by an employer.

This could lead to amended guidance on social media engagement that progressively discourages good people from potentially considering APS roles, particularly in emerging areas related to digital.

Given social media comments are forever, there's an entire group of young, university educated, visionary and innovative people who, under strict APS social comment policies, may never be eligible for APS employment based on their past personal views 'poisoning' their ability to be impartial.

The questions for consideration included within the consultation are quite broad and I've covered each below with my views.

1. Should APS employees be prevented from making public comment on all political issues? Should there be different rules for different groups of APS employees?

Even Ministers only focus on their own portfolio policies and challenges, so it's highly impractical to expect public servants at any level to be sufficiently across all political issues to be able to avoid commentary on topics that affect them personally, but may (to a greater or lesser extent) also touch on significant political issues.

Equally with political policies now touching on most areas of life, even indirectly, there's little that a public servant could say that could not be deemed a public comment on a particular issue, even if via a slightly drawn bow by a hostile outside party.

The impact of this would be similar to the impact of the current APSC policy, to cause many public servants to choose not to engage in public debate at all. Given that public servants are generally well-educated and well-informed and trained to form opinions based on evidence, this presents a significant loss to public debate within Australia and the exclusion of expertise that could otherwise shift and shape national views.

I'm aware of experts who have been effectively silenced in their areas of expertise due to a government engagement for a different set of their skills. This weakens Australia's democracy, rather than protects it.

While it may seem prudent to at minimum limit the scope for public servants to engage publicly at least within their own policy area, the area in which they have greatest experience and expertise, this is also counter-intuitive.

I do believe that public servants should strive to present the positives of current policy positions and effectively communicate set government policy to the public including, if they so choose, via their own social media accounts - even when respectfully making it clear that their views might differ from the government's, but that their role is to carry out the policies regardless of personal opinion.

However in areas where policies are under debate, not yet confirmed by government or otherwise not set, public servants should have the right to choose to engage in the public debate and express their views in a respectful manner. Due to their experience in their own policy areas, it would be expected that their views would be well-informed and therefore support the public debate.

In essence I believe that public servants should be exemplars of public engagement in democracy, not simply 'bag carriers' for agencies. Through positive, respectful and evidenced sharing of their views they not only contribute to the content but to the shape and effectiveness of public debates in Australia, fostering effective democratic engagement - thereby supporting Australia's underpinning principles as well as perceptions of the public service and government.

As to the second question, of different rules for different groups, I understand how more senior or personally expert public servants can have a bigger impact on public debates - and this is appropriate, when used sensitively. This is no different from the different regard to voices from across Australia's democracy - different groups will always hold different voices in higher, or lower, regard, based on positional influence, knowledge or celebrity.

Constraining more knowledgeable or senior public servants to keep a debate 'level' makes no practical sense, and while I can see where certain elected or senior appointed officials may have concerns over being 'outshone' or having their decision-processes impacted by senior public servants, or more hierarchically junior celebrity individuals or experts, this is more related to ego than to good policy formulation processes.

Ultimately evidence and outcome effectiveness should drive policy processes - and even when this isn't perfectly the case, agencies should always strive to champion the right approach and leave it to elected officials (who can also be unelected) to make decisions on particular courses. As such allowing public servants to speak in undefined policy areas with respect and evidence is totally appropriate and supports robust and engaged democratic processes (even if this may at times personally annoy Ministers or senior public servants with specific ideological agendas).


2. Should APS employees be prevented explicitly from making critical public comment about services or programs administered by their agencies?

While this question appears reasonable on the surface, it overlooks the sheer scale and extent of some agencies, and the absence of effective internal processes to manage programmatic issues or failures.

Firstly, certain programs and services are frequently moved between agencies due to machinery of government changes or due to agreements between agencies where one may deliver services for another. This means that a public servant having issues with a program one week, and commenting about this publicly, could suddenly find themselves under investigation after a Minister or senior public servant decides to move the service into their agency.

Secondly, the scale of agencies, and the lack of communication of their range of activities, can mean that public servants may be unaware that a particular program or service is actually administered by their agency, particularly if delivered by external contractors or other agencies. Again this could easily catch out public servants who are not omniscient - an expectation that is unrealistic when even Ministers can often be unaware of all the activities in the nooks and crannies of agencies within their remit.

Finally, agencies must commit to having effective internal dispute resolution processes for staff having issues with specific programs or services administered by their agencies. These are in place in some, but not all cases - leaving some public servants with no internal avenue to resolve disputes and thereby driving some to speak out publicly. Agencies would eliminate a significant amount of the potential for this risk by instituting effective internal dispute resolution processes.

If public servants are using and finding concerns with certain services or programs from their agency it is highly likely that members of the community will be as well, meaning that staff concerns should be treated like a canary in a coal mine - an early indicator of an issue that the agency needs to address and solve.

Essentially APS employees should not be prevented (if that were even possible) from making critical public comment about services or programs administered by their agencies. However they should be held to a high standard of providing evidence, of engaging respectfully and making it clear that these are their personal views only. Few programs will achieve 100% happiness rates amongst the communities affected by them, and recognising and acknowledging alternate views, even from within the organisation delivering them, is a sign of a mature and secure organisation committed to continual improvement and the engagement of staff who will act to improve outcomes, not merely remain silent about poor ones.

3. Should senior public servants have specific limitations about making public comments?

Per my response to the first question - no. However they should be held to a high standard of evidenced and considered responses, and selective engagement.

It is still relatively rare for senior public servants to actively engage in public discourse, particularly via social media channels - and this is a significant loss of role models who could help set a respectful tone for engagement across the community. If senior public servants fear criticism, or fear criticising their Ministers publicly this helps reinforce a status quo where their expertise, knowledge and experience is subordinated to snap decisions, supporting the gradual degradation of trust and respect in government and agencies.

Where senior executives strategically engage in public debates as 'eminent Australians' they both enrich the conversations and model a form of democratic engagement that others across the community are influenced to follow.

That said, this engagement should be respectful and carefully timed, rather than prolific. They must also ensure that they demonstrate that they can work effectively with Ministers' offices even when disagreeing with policy. This can be a delicate high wire to walk and many current senior public servants may not have the depth of experience with social channels to carry this out effectively. This will change over time.

Currently few senior public servants engage at all via social channels, and I believe this is a significant loss to public discourse in Australia.

4. Should public servants posting in a private capacity be able to say anything as long as it includes a clear disclaimer stating that the opinion they have expressed is purely a statement of their own opinion and not that of their employer and is otherwise lawful?

Looking at this realistically, any public servant, or individual, can set up a pseudonymous account and say anything they want with limited chance of detection or identification (due to the large number of such accounts). Indeed it is likely that a number of public servants already do this in order to be part of the groups they wish to associate with online.

I believe that public servants, by way of their employment, should be held to a higher standard of engagement than general citizens, and should therefore be expected to remain fair in their comments and criticisms, obey all laws regarding abusive or otherwise inappropriate behaviour on social media channels (as suggested in the question) and provide evidence where feasible - noting that not all areas of opinion lend themselves to evidence.

Public servants should model the digital engagement behaviour that a democratic society should aspire to, helping to foster productive and insightful debate, dispel misinformation and accurately direct people to where they can receive the help they require.

Currently I believe that APSC guidance is more directed at an outdated view of 'impartial', which includes 'passionless' and 'unemotional'. Public servants should be free to be excited and passionate about their work and about principles that matter in democracy. This positively enhances their perceived capacity to be effective in service to the public, whereas emotionless engagement only serves to diminish effective debate.


5. Are the requirements of the APSC guidelines expressed clearly? Can they be made simpler and easier to understand?

I have never been a fan of the current APSC guidelines for public comment via social media.

They leave too many gray areas for senior management discretion around what is meant by 'harsh or extreme', 'strong criticism' or 'disrupt the workplace' - which I have seen used negatively against exceptional people by jealous bosses, to the loss of the public sector.

They are too broad, effectively covering every policy from every parliamentary party or independent - leaving public servants in a live minefield where, at any time, additional mines can be placed under their feet.

Overall they are negatively focused - looking at the downside risk of social media engagement without fully embracing the potential benefits of effective involvement by public servants in public discourse.

As an ex-public servant this blog, which touches on various policy areas, programs and initiatives - often in a critical but constructive manner, would never have been started under this APSC policy. Given my readership and the level of positive engagement it's had, I can't see how this would have been a better outcome for the public service.

Equally I've not been prepared to work directly for a government with this level of restrictive social media policy, and have spoken to many other people from the private world who ceased considering a public service career after seeing the draconian provisions in the current guidelines.

Of course the majority of the public service have continued to work productively under the current guidelines, however I saw an 80% reduction in public servant engagement online in the twelve months after its introduction - with many people closing down social accounts, going silent or shifting to pseudonyms to protect themselves.

This has had a negative impact on the online public policy debate in Australia and these personal accounts cannot be replaced by departmental accounts, which do not have the peer-to-peer engagement or influence of individuals online.

Looking at the international perspective, there's now far deeper and more constructive engagement by US, UK and NZ public servants on social channels than by Australians.

Ultimately, under the current APSC guidelines, any Australian public servants who wish to participate in public democracy online must weigh the negative impact if they ever stray, in their management's opinion, over a wide gray line, even only once within thousands of posts.

This makes the risk to the individual simply not worth it - but the cost to Australian democracy of the silencing of these voices is immense.


Wednesday, October 26, 2016

It's past time for governments to mandate security levels for all internet-connected devices

On the tail of the 2016 Census's issues dealing with four relatively small distributed denial of service (DDOS) attacks, the US East Coast was recently hit by a massive DDOS attack that succeeded in taking offline, or at least slowing down, major sites - from Amazon, Twitter and Spotify to PayPal and Netflix.

This major attack, involving millions of devices, had global impacts - including impacting the websites of a range of Australian companies - retailers, banks, media services, insurance companies and hotels.

This type of attack isn't new - for years organisations have had to harden their computers and networks to fend off DDOS and more focused hacking attempts.

In fact a DDOS attack is often considered one of the most unsophisticated approaches - simply flooding a network with an unmanageable number of requests from hundreds, thousands or millions of hijacked devices until the routers and web servers collapse under the pressure.

However this latest attack was different in several regards to what organisations now should plan for.

Firstly it was on a scale that few had imagined. The company targeted, Dyn, provides backbone services for the internet and was well prepared for massive DDOS attacks. However this attack was at a scale that even such a service was unable to fend off without significant disruption for hours.

Secondly, the approach didn't use the normal range of compromised and poorly patched internet-connected devices to launch and sustain the DDOS attack. Normally hackers conscript or buy access to 'botnets' made up of hundreds or thousands of poorly maintained computers on insecure networks, using malware on these PCs to launch an attack.

In this case, however, the people responsible used open source hacking software to tap into a network of devices connected to the internet - security cameras, Digital Video Recorders and web cameras, amongst other types.

The majority of these devices were older, with many linked to one specific Chinese manufacturer who develops white-label products for others to brand and sell. Most relevant, these devices had little if any security in place to prevent hijacking. They are also unpatchable - they can never be secured in ways that make it hard, if not impossible, for hackers to take them over.

In other words, these non-computing insecure devices are a permanent threat to the internet. They can easily be used in malicious or military cyberattacks by anyone with the inclination to do so.

While the manufacturer has issued a recall for these permanently insecure devices (though it's unknown how many devices will be returned as part of this process), the growth of the 'internet of things', where DVRs, smart fridges, air conditioners, cars and all kinds of household and work appliances are linked to the internet for monitoring and management purposes, poses a growing threat to the ongoing viability of the internet.

With billions of devices progressively being connected to the internet, there's little in the way of mandated or legislated requirements for devices to be secure to a given standard at a point in time, or have their software regularly upgraded to ensure that known security risks are patched.

While most countries specifically regulate and test products designed for health use, power use and radio spectrum to verify they won't cause harm, few nations have similar requirements for security.

Largely this remains in the general 'fit for purpose' terms in relevant trade practice legislation, which is effectively useless when a device, such as a baby monitor or smart fridge, can remain fit for purpose and be used in an economically or politically inspired cyberattack at the same time.

This isn't a future issue. I can name six types of non-computing devices in my home which are, right now, internet capable - DVRs, TVs, web cameras, security cameras, air conditioners and light globes.

Households across Australia, and the world, are rapidly adopting or upgrading to these devices for convenience and improved management purposes - but security requirements are lagging badly.

This is an area where it's not sufficient for governments to trust that manufacturers and retailers will 'do the right thing' on an ongoing basis.

Some manufacturers and suppliers might cut corners in their software, or not realise the significance of how their devices could be remotely accessed and used maliciously. Others may discontinue products or go bankrupt, leaving devices unsupported.

The end result is not necessarily a risk to the consumer who bought the product, but rather a broader risk to society that these devices are used in an attack that damages companies or governments.

There's also a risk that companies or unscrupulous governments may use these 'smart' connected devices themselves to spy on citizens. Indeed this may already be happening.


Now some governments, such as the Australian Government, have begun offering advice to citizens on how to secure their personal networks. A good home firewall will, currently, help keep many potentially insecure devices protected against external risks.

However this is merely a stopgap. Firewalls have flaws, can be bypassed and are not consistently installed or maintained by households.

With internet-connected devices already proliferating, many already in households and businesses may be impossible to secure, as were many of those used in the recent US cyberattack.

For governments to protect societies against cyberintrusions - economic loss, political damage and inconvenience, there needs to be far more consideration of the potential risks around internet-connected devices - and fast.

Extra: I've just read a post that sums up this issue very eloquently, so have embedded it below...


Thursday, October 13, 2016

Disruption is often simply a failure to prepare and evolve

Digital disruption is one of the buzz terms of the last few years, underscoring the increasingly rapid changes in society, industries and governments as new ideas and techniques enabled by digital technologies take hold.

Photo by Tsahi Levent-Levi
While some embrace this disruption (generally those doing the disrupting), for many it remains an unsettling or even negative concept.

Disruption implies a disturbance or breakdown in the existing order, a situation where the status quo is overturned in an unpleasant way. To disrupt a process is seen as interfering with the ordinary course of events, and 'disruptors' of events or organisations are rarely looked on in a positive light.

While many disruptions are predictable, they are often not avoidable - such as the impacts of a natural disaster or the consequences of a terminal illness.

Equally disruptions in business and governance, through new technologies, ideas and approaches, can often appear to come rapidly out of 'left field', even when they could have been expected for a long time.

However in many of these cases, disruption has a much greater impact on societies and organisations than it needs to, not because it was unexpected or not discussed, but because leaders refused to see the writing on the wall, and to begin a process of communication, adaptation and evolution soon enough.

A classic example is Kodak Eastman - the inventor of the digital camera, whose business was destroyed by the product it originally designed and marketed.

Kodak did not go bankrupt because no-one within or outside the company could see the impact of digital cameras, or their widespread adoption into mobile phones, laptops, tablets, drones and more. The company failed because the company's leaders chose to believe that their business could not be disrupted, that their name, reputation and products would allow them to survive no matter where the market went.

As a result they adapted too little and too late to the 'digipocalypse', where film cameras rapidly disappeared and even the digital camera market fell as people started using other devices as their primary photographic tool.

When I hear business and government leaders speak of disruption, of new industries replacing old or new thinking flushing out the old, I often wonder how much is just talk and how much actual action is taking place in their organisations to adapt to new realities.

Few disruptions are truly unpredicted, although their course may be unpredictable, with some technologies being rapidly adopted and others festering amongst early adopters for decades.

Organisations that are truly committed to survival and growth don't talk about the 'disruption' due to digital, but of the opportunity to re-imagine their business models and redesign their operations, preparing for and adopting innovations and new ideas in an evolutionary manner.

By preparing early and evolving continuously these organisations never actually face actual disruption, because they are almost always in the right place at the right time, with the talent, tools and techniques at hand to move with the market, rather than trying vainly to keep up.

When these organisations are tripped up by market or social change, it's due to velocity, not disruption, and they remain well-equipped in talent and tools to pivot their operations to minimise any disruption.

If your organisation is facing digital disruption, consider why that might be the case.

Was the disruption truly unpredictable? Or did your management fail to watch the market closely, or ignore advice on the basis of their belief that the status quo was unshakeable?

Is the disruption due to a lack of preparation in the face of a clear and present danger? Or due to an unwillingness to change, even at the point of extinction?

While change is a constant feature of business and social environments, disruption is simply what happens to organisations who fail or fear to face change: organisations that do not design structures, generate strategies or train and recruit staff who can lead and support the internal transition in a prepared and evolutionary way.

Therefore any organisation that has been disrupted should first look inwards, not outwards, for the cause, and take appropriate steps to ensure that, if it survives, it never makes the same mistake again - to inadequately prepare itself for environmental and market change.

And any organisation that foresees disruption ahead should be preparing now, in order to turn a potential disruptive event into a much less impactful, evolutionary step that causes far less disruption or damage and buoys the organisation to greater future success.


Friday, August 26, 2016

How to shut down the easiest path for hackers into your organisation

In the news today is a story about how the Department of Prime Minister and Cabinet has issued guidance to staff on how to manage their personal profiles on Facebook.

According to The Age's article, 'Nanny state!' New crackdown on public servants' Facebook, the department "now insists its public servants lock their personal Facebook accounts with the tightest possible privacy settings and tells them how to configure their passwords".

Based on The Age's article the policy states that "Profiles must use a robust and secure password to protect the account from brute-force hacking attempts".

"This password must be at least seven characters long and contain a mixture of punctuation and alpha-numeric characters".

The policy apparently threatens disciplinary action and even dismissal for non-compliance for both staff and contractors.

I've not yet read the policy so can't comment on the details, and there's also apparently some other parts of the policy dealing with what public servants can comment on, which I don't expect to agree with.

However, I find the advice on security and passwords to be fair, long overdue, and something that all organisations should consider providing to their staff.

Hacking is fast emerging as one of the most significant commercial risks for corporations and public agencies, with organised crime and nation-states mobilising sophisticated teams of computer hackers in the search for commercial and political advantage.

Few weeks go by without a major international company or online service being hacked for data, and alongside this the growth of ransomware - where hackers lock organisations out of their own systems and demand money for access - is proving to be a challenge worldwide.

Many large organisations have extensive security provisions in place to protect their data and services against hackers and security advisors are working as hard to keep their system protected as hackers are to find new ways in, in a cyber cold war.

However IT systems are not the only way into an organisation's data heart. 'Social engineering', a term referring to coercing staff to create a chink in an organisation's security armour, is increasingly one of the easiest ways for hackers to sidestep security professionals.

Social engineering takes many forms.

It can involve leaving USBs with malware at a location where staff might pick them up and unsuspectingly put them into an organisational system, sending them email attachments supposedly containing cute kittens (with a cyberworm inside), or fooling them with a fake email from security into believing they need to reset a system password by clicking on a link - which gives a hacker access.

There are many, many ways in which employees, even the most highly intelligent people, can be fooled and used to evade or break their organisation's security.

Even if people can't be fooled, there are ways to get critical information about them which can provide clues to passwords, or provide blackmail opportunities.

For example, many people still use memorable passwords - children's names and dates of birth, anniversaries, pet and street names, achievements and more. With a little digging through publicly available information, or even information compromised from a weaker external service, hackers can quickly create a potential password list which might give them a route into a more secure system.
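A password can satisfy the composition rule quoted from the policy and still be built from exactly the memorable details described above, so a check at the moment a password is set needs to look at both. The following is an added example, not code from the PM&C policy or from this blog: the profile is constructed, the function names are hypothetical, and reading "a mixture of punctuation and alpha-numeric characters" as "at least one of each" is an assumption.

```python
import re
import string

MIN_LENGTH = 7  # "at least seven characters long", as quoted by The Age

# Common character swaps people use to disguise a memorable word.
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "i",
                      "3": "e", "$": "s", "5": "s", "7": "t"})

# Constructed sample: details a staff member might expose on a public profile.
SAMPLE_PROFILE = {
    "names": ["Charlotte Nguyen", "Biscuit", "Wattle Street"],  # child, pet, street
    "dates": ["2009-03-14"],                                    # ISO YYYY-MM-DD
}


def meets_quoted_policy(password):
    """Composition rule only (assumed reading: one punctuation, one alphanumeric)."""
    has_punct = any(c in string.punctuation for c in password)
    has_alnum = any(c.isalnum() for c in password)
    return len(password) >= MIN_LENGTH and has_punct and has_alnum


def personal_tokens(profile):
    """Words and date fragments that a password should not be built from."""
    tokens = set()
    for value in profile.get("names", []):
        for word in re.findall(r"[a-z]+", value.lower()):
            if len(word) >= 3:          # ignore fragments too short to matter
                tokens.add(word)
    for date in profile.get("dates", []):
        year, month, day = date.split("-")
        tokens.update({year, day + month, month + day})
    return tokens


def personal_matches(password, profile):
    """Profile tokens found in the password, with or without character swaps."""
    lowered = password.lower()
    unswapped = lowered.translate(LEET)   # "b1scu1t" -> "biscuit"
    return sorted(t for t in personal_tokens(profile)
                  if t in lowered or t in unswapped)


def assess(password, profile):
    """Accept only if the rule is met AND nothing personal is embedded."""
    matches = personal_matches(password, profile)
    policy_ok = meets_quoted_policy(password)
    return {
        "meets_policy": policy_ok,
        "personal_matches": matches,
        "acceptable": policy_ok and not matches,
    }


if __name__ == "__main__":
    for candidate in ["Biscuit2009!", "B1scu1t!", "wattle",
                      "tram-fog-lantern-quiet"]:
        print(candidate, assess(candidate, SAMPLE_PROFILE))
```

The first two candidates pass the quoted rule yet are rejected because they embed the pet's name, which is the gap staff training needs to cover.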

Unfortunately many organisations have been slow to address this threat by educating and supporting staff on protecting ALL their information online - from their secure employee logins, to their Facebook accounts and random mailing lists they sign up to.

This education is important not simply for the organisation's security, but for the personal security of individual staff members, who are also at risk from hackers who simply want to steal from them.

In fact there's every reason to believe that well constructed advice to an organisation's staff on protecting themselves online will be well received. It not only protects the organisation, it protects each individual staff member and often their families as well.

So what PM&C is doing with suggestions on passwords and locking down Facebook isn't a 'Nanny State' act - it's a sensible step that every organisation should be doing to protect their commercial information and client data, and to protect their employees.

Now a 'policy' may not be the best structure for this education - I strongly recommend that every organisation should have a 'security awareness' module in their induction program, and ensure that all existing staff receive regular training on how to protect themselves and the organisation they work for from external hacking threats.

This needs to be regular, not once-off, because of the rapid evolution of hacking and IT systems. New threats emerge regularly, as do new social engineering attacks.

Training all staff on how to secure ALL their online accounts is becoming vital for organisations that are serious about security.

In fact I believe that organisations who lose control of personal, private or confidential client, staff or government data should be penalised more harshly if they've not taken steps to guard against social engineering through staff training.

So if your organisation wants to continue to improve your security, don't simply invest in new IT systems and security advisors. Regularly train your staff on how to protect themselves online and they'll help you protect your organisation.


Wednesday, August 03, 2016

The consequences of dropping the ball in digital engagement - The ABS and Australian Census 2016

Next week Australia will be holding its 17th national census (since 1911), led by the Australian Bureau of Statistics, which is itself celebrating its 110th anniversary as an agency (albeit with a name change midway).

This is an auspicious occasion for another reason. While it has been possible to complete the census online in both 2011 and 2006, when the ABS first trialled an online completion system - 2016 will mark the first occasion when the ABS expects a majority of households to complete their census surveys online.

In fact, Duncan Young, head of the 2016 Census process, is on record stating that the ABS expects 65% - two-thirds - of households to complete the Australian Census online, rather than in paper form.

This is a fantastic achievement and speaks highly to the ABS's commitment to quality data collection and maintaining a forward-facing approach to trialling and adopting new technologies.

This commitment has also been typified by the ABS BetaWorks Blog (sadly now defunct), ABS CodePlay (sadly not repeated) and the work the ABS has done to expose data in open and machine-readable formats, including ABS.Stat and APIs such as for the Population Clock.

Data collected by the ABS, particularly via the Australian Census, underpins an enormous amount of evidence-based decisions made by all levels of Australian government, as well as by companies who access the information to guide their commercial decisions.

The census is also an enormous undertaking. To quote Wikipedia quoting the 2011 Census site, "the 2011 Census was the largest logistical peacetime operation ever undertaken in Australia, employing over 43,000 field staff to ensure approximately 14.2 million forms were delivered to 9.8 million households." The cost was $440 million.

That makes the census a prime target for budget cuts - with the idea of reducing the frequency of the Australian Census to every ten years, or reducing its complexity, thrown around last year before being dropped.

The impact of not having regularly collected census data, collected in a compulsory manner from all households, can be hard for Australians to imagine.

However in countries like Lebanon, which hasn't had a census since 1932, the lack of accurate data leads to opinion-based government decision-making, which is generally viewed as a poor alternative to fact-based policy decisions.

The need for compulsory collection of census data was highlighted by the decision by the former Canadian government to make their long-form census voluntary in 2011, resulting in a massive drop in participation and corresponding degradation of data quality.

Called "a disaster for policy makers", unfortunately it suited the Canadian government of the day to not have accurate data in order to provide them greater room for making ideological decisions, rather than decisions that were based on facts. The net result was a drop in participation from 95% to 68%, a more expensive Census process (due to increased mailout of forms to prompt engagement), the resignation of several of the most experienced and competent senior officers in Canada's statistical agency, ongoing issues for national, provincial and local Canadian governments in identifying disadvantage, population numbers, statistical population changes and reduced capability for companies to make appropriate commercial decisions without investing in further expensive research.

The current Canadian government reinstated the compulsory long-form census, which completed collection in May this year.

So regular compulsory censuses are a BIG DEAL for a nation, and Australia has a very strong statistical foundation to build on.

The ABS has also demonstrated leadership in how it has marketed and communicated past Australian Censuses. In particular in 2011 the ABS demonstrated global leadership in the use of digital channels and tools to promote the importance of the Census and lift participation.

Through quirky best practice engagement on Twitter and Facebook, which made the Australian Census front-page news for all the right reasons, the development of an interactive online service allowing people to 'place' themselves within Australia, and a mobile game which allowed people (particularly kids) to see how census data was used in civic decision-making, the ABS knocked it out of the park in terms of its communication strategy and implementation.

That's a fantastic base for the ABS to build from. I think a number of people were expecting the same, or better, engagement from the ABS in 2016.

Alas, it was not to be. In 2016 little of the previous engagement brilliance is evident from the ABS.

While the ABS has repeated a level of their communication via Twitter, it's basically a shadowy repeat of their 2011 strategy - as though new management said "repeat the good stuff from five years ago, but don't update anything or take any risks".

The ABS is also remaining stalwart and largely silent in the face of several decisions which have left census collection exposed.

Their online service has been exposed as using an older and less secure security standard in order to support older browsers, rather than taking an approach which warns people and encourages them to upgrade to a more secure technology.

For non-technical people, an analogy would be the police waving past someone without headlights on a dark night onto a crowded and unlit highway in order to not slow down the traffic flow.

On another front, the ABS is confronting a surge of privacy concerns around its decision to keep names and other personal details connected to census data for at least four years. Taken without consultation with the public, this decision has raised alarm bells with privacy advocates and organisations such as Electronic Frontiers Australia, as well as with former senior officials of the ABS.

While the ABS has been fighting back to some degree, they've not really addressed the concerns in an effective way.

#Censusfail is continuing to grow as a hashtag, with a number of people considering ways to circumvent responding to the census, avoiding providing personal information or considering providing false information.

Should enough people take one of these steps it would reduce the value of the census to Australia.

I must admit that I've also become concerned about the ABS's approach, and unconvinced by the ABS's engagement on this front to date.

I totally support and value the ABS as an organisation, and all the people that work there - however they are burning much of the goodwill they established in 2011 and potentially devaluing the census, and hurting all Australian governments through their lack of effective engagement on the issues above.

The worst thing for me is that the ABS has been a shining light in Australian government. The organisation has consistently been a leader in open data and the use of digital and social media to engage with the public.

This is important not simply for the egos of the leadership at the ABS, but is essential for good governance and effective commercial decision-making in Australia. The ABS's success serves all of us - and its failure would hurt us all.

I hope the ABS recovers from this and Australia continues to be well-served by the statistics the organisation collects.

However it would have been far better for the ABS, and all Australia, if the ABS hadn't put itself in this position of needing to recover at all.


Wednesday, June 15, 2016

Digital Disruption: What do governments need to do?

Australia's Productivity Commission has just released its report on "Digital Disruption: What do governments need to do?".

It's not too long a read. The key findings fit into a few pages and provide enough of a helicopter view to show clearly the direction the Productivity Commission believes agencies should take.

There are implications for every area of government, with many underlying potential impacts on how government operates, how our society functions and how government, businesses and citizens interact into the future.

Some of the recommendations include more assertively addressing risk aversion in government; properly considering the emerging skills needed for public servants and how to train or acquire them; taking a more flexible, iterative and adaptable approach to policy development to address the issue that technology is outpacing decision-making; and improving collaboration and sharing throughout government and with external players to ensure the right mix of ideas and skills is in the room for complex decision making.

To make it quick to review, I've included the key findings below:

Impacts of disruption on markets and competition

Finding 2.1

The distinction between services and manufacturing is declining, with design and pre and post sales service parts of the production cycle becoming increasingly important sources of value added. This has implications for:
  • the importance of scale in production
  • the types of capital firms need
  • how much work happens within the firm and how much is outsourced
  • the types of jobs that will be created and replaced
  • the dynamics of the business cycle.
It also has implications for the National Accounts, including adjusting for changes in quality, and the long term comparability of industry classifications.

Finding 2.2

Clarity in how and when infrastructure investment decisions will be made assists firms that are developing and adapting new technologies. Uncertainty around future technology and infrastructure needs is not a reason for inaction by governments — the costs of inaction, in terms of slower diffusion in technology, can be widespread and significant.

Finding 2.3

Digital technologies are allowing firms to outsource more of their production. This outsourcing is based on access to skills as much as low cost labour, offering greater opportunities to firms in high labour cost economies. Trade policy has been slow to adapt. Substantial increases in outsourcing across international borders may necessitate government attention to:
  • secure movement of data across borders
  • regulatory requirements for delivery of service exports in other countries
  • barriers to outsourcing imposed by differential treatment across industries and products in bilateral and regional trade agreements and in behind the border policies
  • workability of rules of origin with many disparate sources of inputs to production.

Finding 2.4

Digital platforms allow households and non market organisations, such as research facilities, to engage more in the market economy by 'sharing' access to their under utilised assets. This poses structural adjustment issues for industries that have traditionally faced little competition due to regulations, such as taxis and short term accommodation. More effective utilisation of under employed assets, whether market or non market, is a positive economic outcome.

Finding 2.5

Digital technologies are changing the sources of market power, with control over data and networks providing new means for firms to hinder entry and extract rent from customers.
  • The length of time and extent to which firms can exercise market power is highly uncertain, requiring active monitoring rather than pre emptive action.
  • New regulatory tools may be needed to address these very different sources of market power arising with the digital economy. Aspects of third party access regimes could be explored as a relevant approach.

Finding 2.6

Digital platforms can help overcome information asymmetries, which have been a common justification for regulation. This can allow governments to reduce the restrictiveness of regulations seeking to provide consumer protection, subject to confidence in the information provided.

Finding 2.7

Like previous waves of technology, digital technologies should translate to productivity improvements. Indeed, the low marginal cost of replication means that intangible inputs should fall in price, boosting firm profits. However:
  • consumers may capture a larger share of growth in productivity where this is delivered in terms of higher quality products, and where enhanced competition drives down prices
  • some digital products can be difficult to monetise
  • the value of data and networks can result in a winner take all model in some digital services.

Impacts of disruption on workers and society

Finding 3.1

Developments in digital technologies, such as sensors and machine learning, are expected to widen the boundary of the types of tasks that can be automated. But there remain tasks that have proven difficult to automate, including those requiring perception, or creative and social intelligence. Just because a job can be automated does not mean that it will be.

Finding 3.2

The 'gig' economy is in its infancy, making its future effect on the nature of employment uncertain. But if the gig economy develops quickly and its spread is wide, there will be risks that need to be managed. While governments need to address real concerns, blocking these technologies is not an appropriate response.
In the longer term, depending on the scale of change, governments may need to consider whether:
  • changes to workplace relations regulations are required to accommodate a growing category of employment
  • the income support system needs to be changed to ensure it is not a barrier to workforce engagement and helps reduce income volatility for low income workers.

Finding 3.3

Simply increasing the share of STEM graduates is unlikely to resolve the low rates of adoption of digital technologies by firms. Given the relatively high underemployment of STEM graduates and apparent underutilisation of STEM skills, the current approaches are not delivering the problem solving skills needed for technology rich work environments. Beyond delivering a high competency in literacy and numeracy at the school level, initiatives could include reviewing teaching methods, increasing flexibility of university degrees and improving information on employment outcomes for students to help inform student choice.

Finding 3.4

The automation of many tasks in the workplace, with large labour saving technological advances, has not led to unemployment rates trending upwards over long periods of time. However, there is concern in parts of the community that the pace of change will accelerate, leading to substantial unemployment in the future. But dire employment scenarios remain speculative given the considerable uncertainty about the impact of automation on employment.
Past experience with structural change suggests some workers will find it difficult to secure new jobs. Government should focus their efforts on assisting displaced workers and resist pressure for industry protection or assistance.

Finding 3.5

Wages in Australia have increased at all income levels in recent decades, however they have increased more in higher deciles. Technological change that increases demand for high skilled workers has played a role in the widening of the wage distribution.
Ensuring the benefits from future technological change are shared will be an ongoing policy challenge for government. Raising the supply of skilled workers will be part of the solution, along with the continued role of Australia's tax and transfer system in reducing income inequality.

Implications of disruption for how governments operate

Finding 4.1

The pace of change has implications for how governments undertake regulatory functions. Some regulations and regulatory approaches are explicitly preventing the development and efficient adoption of technologies. In principle, governments should:
  • adopt a 'wait and see' approach to new business models and products rather than reacting quickly to regulate what may be unrealised risks
  • where relevant regulations already exist
    • adopt fixed term regulatory exemptions for innovative entrants that maintain overarching regulatory objectives (as recommended by the Business Set up, Transfer and Closure inquiry)
    • use the opportunity of disruption to reform markets where there have been undue regulatory restrictions by removing restrictions that impose a competitive disadvantage on incumbents rather than extend existing restrictions to new business models
  • where regulation is needed to manage negative externalities, take a proportionate approach (that is, balance the benefits and costs) and regulate outcomes not technologies.
  • take an evidence based approach drawing on Australia's scientific agencies in making assessments of the risks to the community from new technologies
  • regularly review regulations affected by digital technologies, especially where an increasing share of activity is mediated through digital platforms
  • assign the responsibility for reporting to the parties best able to comply at least cost, and design transparent mechanisms for dealing with complaints.

Finding 4.2

Governments do not necessarily need to be involved in the development of standards, but where standards are mandated (as a form of technical regulation), following good regulatory principles would mean that standards:
  • are the minimum necessary to achieve regulatory objectives
  • maximise interoperability
  • follow international standards where practicable and relevant, unless use of standards based on Australian technology would deliver higher net community benefits
  • are developed in consultation with the private sector.
In negotiating international standards, the interests of the Australian economy rather than individual businesses should be of primary consideration.

Finding 4.3

Governments contribute to promoting innovation across the economy by delivering a low cost operating environment for innovative activities. This could include:
  • removing disincentives for universities to work collaboratively with business and encouraging the sharing of knowledge
  • ensuring transparent policy objectives and predictability in those areas most affected by developments in technologies
  • improving the functioning of cities to attract and retain highly skilled workers and innovative firms.

Finding 4.4

To improve the reliability and usefulness of information provided by digital intermediaries governments could:
  • reduce regulations aimed at the provision of information on a product or service, where consumers are more effectively able to get this information through another avenue (such as an online rating system)
  • encourage digital platforms to develop industry standards to improve the reliability of feedback and right of reply and prevent the use of gag clauses on consumers
  • encourage industries to develop a common or standardised language around product offerings to assist consumers in making comparisons
  • ensure existing broader governance structures for consumer complaints are sufficient to give consumers and businesses confidence in the use of digital intermediaries.

Finding 4.5

Digital technologies allow for more pervasive collection of data on individuals and firms and can be a medium for harassment and security breaches. This may change what is needed in order to:
  • protect individuals' privacy
  • prevent the unlawful use of information
  • maintain the integrity of digital networks.
The case for government action in these areas relies on ensuring that the likely benefits of any restrictions outweigh the costs of restrictions to the community.

Finding 4.6

There remains further scope for regulators to adopt new technologies that reduce the burdens incurred in obtaining regulatory outcomes, undertake more effective risk based assessment, and substantially improve engagement and the targeting of monitoring and enforcement activity.

Finding 4.7

Better information systems and scope to monitor services delivered and their outcomes could improve the efficiency and timeliness of human service delivery by:
  • allowing consumer choice to play a greater role in the delivery of human services
  • using linked information on services and customers to better target service delivery and introduce more integrated services
  • reducing the cost and improving the safety of people involved in areas such as environmental management and emergency services.

Finding 4.8

Technologies embedded in infrastructure and greater use of digital platforms to link infrastructure with users and suppliers offer governments considerable scope to:
  • assess infrastructure usage and the responsiveness of demand to pricing and to introduce efficient pricing technology
  • augment and maintain public infrastructure in ways that minimise disruption to its use
  • optimise investment in public infrastructure, better matching the build requirements to evolving needs.

Finding 4.9

Governments (particularly at a subnational level) have already made increasing use of digital technologies in on the ground service delivery. Some adoption of technology in regulatory processes is also evident. There remain, however, issues that governments need to confront before the benefits of digital technologies can be more widely realised.
  • A risk averse culture in the development of policies that are wide reaching within the relevant jurisdiction could be assuaged by measures such as: greater use of policy trials, relying on precedents from other jurisdictions; and drawing on recommendations and advice of independent agencies.
  • Skill sets within the public service need to evolve in tandem with technological change. The capacity of agencies to recruit staff with relevant skills and shed those with inadequate skills could be enhanced by more flexible performance management and termination conditions in agency enterprise agreements.
  • A sharing of data and cooperation between agencies would improve capacities to solve complex problems that do not fit neatly into the competencies of a single agency.
  • Governments need to find ways to:
    • exploit, in their program delivery and policy making processes, the increased transparency that comes with digital technologies
    • avoid locking in details of policy responses at early stages without scope for genuine re evaluation 'en route' to the end objective.
