Showing posts with label privacy. Show all posts

Monday, April 09, 2018

How modern democracies face destruction if they can't stop building digital Maginot Lines

The recent revelations in the media about the collection of personal information from up to 87 million Facebook users by Cambridge Analytica and its use to influence political outcomes (successful or not), should be sending chills down the spines of everyone involved in information security, privacy and governance.

That people's data can be appropriated and used to manipulate democratic processes is a clear threat to the basis of democracies around the world - and governments appear to be flailing on what to do about this.

Now certainly corporations, such as Facebook and Google, have both legislative and business reasons to protect personal data. It's their lifeblood for making profits and without a sufficient level of public trust to keep people using these services these companies would largely disappear overnight.

However governments also have a responsibility to safeguard their citizens, and their own institutions, from external manipulation of their democratic systems - whether this comes from foreign states, corporations or even particularly influential groups in society.

While Facebook is responsible for allowing a researcher to create an app that could suck down the personal data of many people, even without their consent, it may not have been illegal for Cambridge Analytica to do this (although their subsequent use of this data for electoral manipulation may have been), and while Facebook may be investigated for privacy breaches, the consequences to Facebook and Cambridge Analytica appear to be more social than official to date.

For me the spotlight is more on governments than the corporations involved. Laws exist to provide a legal basis for managing anti-social behaviour and power imbalances (such as between large organisations and individuals) such that the basic unit of the state, the individual citizen, has their personal rights protected and has clarity about their obligations as a citizen.

In this case governments did not have the laws and frameworks in place to detect, limit or even rapidly prosecute massive breaches of personal privacy or attacks on their own institutional validity.

Governments that cannot protect themselves or their citizens from external influences - whether these be physical or digital - do not remain governments for long.

I see the Cambridge Analytica scandal as another in a long series of examples as to how modern democratic governments have failed to put appropriate mechanisms in place to protect citizens and themselves from modern threats.

Like the Maginot Line built by France in the 1930s, governments are investing in expensive, unwieldy and inflexible infrastructures for past threats. And, like the Maginot Line in 1940, these infrastructures have proven again and again that they fail in the face of modern agile opponents.

Thus far the reaction by governments has largely been to acknowledge failure, promise to do better and then return to investing in legacy infrastructure, attempting to modify it as cheaply and as little as possible to address modern threats.

From the cascading series of security breaches at scale, rising digital interference in western elections and undermining of democratic institutions - I think the evidence is clear that the strategy is failing.

So what are governments to do? How do they adapt their approaches to address a threat that can come at any time, through any channel and often targets civilian infrastructure rather than state-controlled infrastructure?

The first step is to recognise that their current approach is not working. The political and commercial opponents seeking to weaken, influence, manipulate and destroy western states do not limit themselves to playing by western rules.

The second step is to recognise that this isn't a problem that governments can solve alone. Protecting government infrastructure is pointless if power grids and financial sectors are manipulated or destroyed. If a hacker wants to shut down a government office it is often easier to cut its power or payroll than to attack the government's servers directly. In the longer term the public can be turned against a government through social media engagement using fake news and slanted reports.

The third step is to redefine what constitutes the state and what it values. Government is a tool used to govern a population. It is a component, but not the only one, or even the most essential one, in defining a nation's character or values.

Then, we need to rebuild our thinking from first principles. What do we value, and what do we not value? What conduct is appropriate, and by whom? How do we protect freedoms for citizens while defining their responsibilities? How do we educate citizens to understand that they have an active ongoing role and responsibility to help maintain our freedoms - that their obligation doesn't stop at a ballot box every few years? How do we redefine the role of corporations and other organisations (including government agencies) as good organisational citizens in a society? What are their rights and obligations towards citizens, stakeholders and shareholders?

This doesn't mean turning western democracy into security states. In my view the growth of state security apparatuses is a poor solution, part of the Maginot Line of centralised control that is failing so badly to protect democracy from a swarm of diverse threats. Indeed, the idea of decentralising security in favour of emphasising personal responsibility through education is, in my view, the best course to protect our nations' values.

We need an inclusive approach, backed by sound principles and collective values, that preserves what is important to our societies and inoculates us from unwanted external influences.

Without this we will lose who we are in protecting what we want - turning us into authoritarian states, the mirror of our enemies.

Tuesday, January 24, 2017

You've Been Hacked - how far should governments go to protect against the influence of foreign states?

Like most people with a broad digital footprint I've been hacked multiple times, usually in fairly minor ways.

Around ten years ago I had my PayPal account hacked through malware in the Amazon site, costing me $300.

PayPal staff insisted this was a legitimate payment for goods (which I hadn't ordered) being delivered to my legitimate address in Norway (despite having provably never visited the country). I've been very cautious & limited in my PayPal use since, and never recommend them.

Over Christmas last year my Social Media Planner site was hacked and seeded with malware. Fortunately my IT team was able to identify, isolate and address the matter, without affecting visitors, but costing me financially (two weeks downtime). It's fine now BTW, with extra protections in place.

I've had a Skype account taken over by someone in Eastern Europe, who used it for phishing before I could reclaim it, and had basic account details stolen in the Yahoo, LinkedIn, DropBox and a range of other large-scale hacks of commercial services over the last five years - excluding the Ashley Madison hack (I've never been a member).

I'm not the only one affected by any means, well over 10 billion accounts were hacked in 2016 alone, with Australian politicians, police and judges outed as affected in at least one of these hacks (and a few in this one too).

Much of this widespread hacking results in the theft of limited personal information. On the surface it may appear to pose little risk to individuals or organisations. 

However the individual reuse of passwords and usernames can turn these hacks into a jackpot. This allows hackers, and clients they sell hacked data to, to access a wider range of accounts for individuals, potentially uncovering richer information that is useful for identity theft, economic theft, intelligence gathering or for influencing decisions and behaviour.

Despite all the reports of hacking, it seems many people still treat this lightly - the world's most popular password remains '123456'.
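The two paragraphs above describe the mechanism (one breached password reused on several services) and the mitigation practitioners usually apply: check for reuse, and check candidate passwords against known breach data without disclosing them. The following is an added example, not code from the original post or from any breach-lookup service; the breach corpus and the credential sets are constructed sample data, and the range-query layout (send only the first five hex characters of the SHA-1 hash, match the suffix locally) is the k-anonymity pattern public breach-lookup services use.

```python
"""Client-side checks for the password-reuse risk: flag passwords shared across
services, and check a password against a breach corpus via a k-anonymity range
query so only a 5-character hash prefix ever leaves the client.
Added example; BREACHED_PASSWORDS and the sample credentials are constructed."""
import hashlib
from collections import defaultdict

# Constructed stand-in for a breach dump; a real lookup service holds billions.
BREACHED_PASSWORDS = ["123456", "password", "qwerty", "letmein", "hunter2"]

PREFIX_LEN = 5  # hex characters of the hash that are sent to the lookup service


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the UTF-8 password, the form breach lists are keyed by."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def find_reused_passwords(credentials: dict) -> dict:
    """Given {service: password}, return {hash: [services]} for every password
    used on more than one service. Hashes, not plaintext, are kept as keys."""
    by_hash = defaultdict(list)
    for service, password in credentials.items():
        by_hash[sha1_hex(password)].append(service)
    return {h: sorted(s) for h, s in by_hash.items() if len(s) > 1}


def build_range_index(passwords) -> dict:
    """Server side: bucket hashes by prefix so a prefix query returns a whole
    bucket (every suffix plus its occurrence count), never a single answer."""
    index = defaultdict(lambda: defaultdict(int))
    for password in passwords:
        digest = sha1_hex(password)
        index[digest[:PREFIX_LEN]][digest[PREFIX_LEN:]] += 1
    return index


def range_query(index: dict, prefix: str) -> dict:
    """Server side: answer a prefix query with {suffix: count}."""
    if len(prefix) != PREFIX_LEN:
        raise ValueError("prefix must be exactly %d hex characters" % PREFIX_LEN)
    return dict(index.get(prefix.upper(), {}))


def is_breached(password: str, index: dict) -> int:
    """Client side: hash locally, send only the prefix, match the suffix locally.
    Returns how often the password occurs in the corpus (0 means not found)."""
    digest = sha1_hex(password)
    bucket = range_query(index, digest[:PREFIX_LEN])
    return bucket.get(digest[PREFIX_LEN:], 0)


BREACH_INDEX = build_range_index(BREACHED_PASSWORDS)

if __name__ == "__main__":
    sample = {"webmail": "123456", "bank": "vK9#mPqz!2", "forum": "123456"}
    print("reused across services:", find_reused_passwords(sample))
    for pw in ("123456", "vK9#mPqz!2"):
        print(repr(pw), "breach count:", is_breached(pw, BREACH_INDEX))
```

The server never learns which password was checked: with a five-character prefix over a realistic corpus, each bucket holds hundreds of candidate suffixes, and the matching is done on the client.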

Most governments, however, do not. Securing their networks is a major challenge and a significant expense item. The data agencies hold has enormous political and economic value that could be easily misused to the detriment of the state if it falls into the wrong hands, or into the right hands at the wrong time.

It's not simply about troop movements or secret deals - early access to economic or employment data, access to the 'negotiables' and 'non-negotiables' for a trade deal, or even to the locations and movements of senior political figures (to know who they meet and for how long) can be used for the financial and political advantage of foreign interests at the expense of a state's own interests.

For the most part, Australia's government is decent at managing its own network security. This isn't perfect by any means, but there's a good awareness of the importance of security across senior bureaucrats and largely effective ongoing efforts by agencies to protect the secure data they hold.

However in today's connected world national interest goes far beyond the networks directly controlled and managed by governments. As we've seen from the US (and now Germany), political parties and individual politicians have also become hacking targets for foreign interests.

This isn't surprising. Politicians, potential politicians and even academics have long been targets for funding assistance and free or subsidised study trips to nations hoping to cultivate influence in various ways. In fact these approaches provide some positive benefits as well - by creating personal relationships between powerful people that can lead to improved national relationships, trade deals and even avert wars.

Hacking, however, has few of these positives, as we saw in the release of Democratic National Congress emails by Wikileaks, which were most likely obtained through Russian state-sponsored hacking and likely was designed to influence the US's election outcome.

Whether you believe the cumulative findings of the US intelligence community or not, it is certain that foreign states, and potentially large multinational corporations, will continue to target political parties, and individual politicians, seeking insights into how they think and levers of overt and covert influence for economic and political gain.

Hacking will continue to grow as one of the major tools in this work.

The Australian Government is taking this seriously - and kudos to them for this.

However even this focus on political parties neglects a wide range of channels for influencing current and potential future politicians. What about their other memberships and personal accounts?

Politicians and potential politicians are well-advised to position themselves in various community and business groups to improve their networks, build relationships and future support. They are also just as likely as other Australians to use the internet - for work and personal reasons.

This means they're likely to have numerous online accounts with both domestic and foreign-owned services, with varying levels of security and access control. 

On top of this, it's not simply politicians who may be the targets of influence. Political advisors and activists often shape and write party policy positions, despite never being publicly elected. Influence an advisor and you can influence policy, as the many registered lobbyists know only too well.

Equally bureaucrats across government often are exposed to material that could, if shared with foreign interests, cause some form of harm to a state. We've seen this in insider trading by an ABS staff member, where the economic gain to the individual public servant outweighed his good judgement and public duty.

While bureaucrats are security assessed to a significant degree (unlike our politicians) and selection processes are in place, backed by rules and penalties, to screen out the 'bad eggs', the potential for public servants to be influenced through hacking of their personal accounts has risen along with their internet use.

Right now we're in an environment where the number of attack vectors on a politician, an advisor and on individual public servants, is much higher than at any past time in history - while our tools for protecting against foreign influences have not kept up.

Of course this goes both ways - our government also has the capacity, and often the desire, to influence decisions or negotiations by other states. We've seen ample evidence of this, although it isn't really a topic our government wants to discuss.

The question for me, and I don't have a solid answer yet, is how far technically should a government go to limit the influence of foreign states.

Should governments merely advise political parties on how to secure themselves better?

Or should governments materially support parties with trained personnel, funding or even take over the operation of their networks (with appropriate Chinese walls in place)?

What type of advice, training or support should agencies provide to their staff and Ministerial advisors to help them keep their entire footprint secure, not just their use of work networks, but all their digital endeavours?

And what can be done to protect future politicians, advisors and bureaucrats, from wide sweeps of commercial services collecting data that could be useful for decades to come?

We need to have a more robust debate in this country about how foreign states and commercial interests may be seeking to influence our policies, and decide as citizens the level of risk we're prepared to accept.

Until this occurs, in a mature and informed fashion, Australia is hurtling forward into an unknown future. A future where our political system may be under constant siege from those who seek to influence it, in ways that are invisible to citizens but more wide-reaching and dangerous to our national interest than any expense scandal.

If this isn't the future that we want, then it is up to us to define what we want, and work across government and the community to achieve it.

Monday, September 29, 2014

Is government paying enough attention to privacy in its mobile apps?

Australian internet usage has just reached a tipping point, with more Aussies accessing the internet via their smartphones and tablets than via laptops and desktop computers.

This has been reflected in web usage statistics, with several agencies I talk to reporting that they now receive more of their website traffic from mobile devices than from desktop and laptop computers - particularly when excluding their own staff from the statistics.

There have also now been over 500 mobile apps designed, commissioned or reused by Australian government agencies and councils to deliver information, access services and report issues, including 69 apps from Federal agencies, 80 from Victorian government agencies, 22 from Queensland government agencies and many from local councils around the country.

There's even a few notable games, such as the ABS's Run That Town and Victoria's MetroTrains Dumb Ways to Die.

As a result there's an increasing need for agencies to pay attention to how they design mobile apps to ensure they meet appropriate accessibility and privacy standards.

The latter part of this, privacy, was the subject of a recent study and guide from the Office of the Australian Information Commissioner (OAIC) - Mobile privacy: A better practice guide for mobile app developers.

The guide reported that privacy was a key consideration for citizens, with a 2013 study by the OAIC finding that 62 per cent of Australians opt not to use smartphone apps because of concerns about the way personal information would be used.

The guide also mentioned a similar study in the US by the Pew Research Centre in 2013 that found that 51 per cent of teenage app users had avoided certain apps over privacy concerns, and over a quarter had uninstalled an app because it was collecting personal information they did not wish to share.

Now that's all fine when Australian governments are designing apps properly.

However the OAIC took part in an international 'sweep' on mobile app privacy back in May. As part of this the OAIC examined 53 popular free iOS apps, with a focus on apps produced by or on behalf of Australian businesses AND Australian Government agencies.

The OAIC found that a significant number of these mobile apps did not meet Australian privacy law requirements.

‘Of particular concern was that almost 70% of the apps we looked at failed to provide the user with a privacy policy or terms and conditions that addressed privacy prior to the app being downloaded’, Mr Pilgrim said.

The OAIC also found that almost 25% of the apps examined did not appear to have privacy communications tailored for a small screen.

Only 15% of the Australian-developed apps the OAIC examined provided a clear explanation of how they would collect, use and disclose personal information, with the most ‘privacy friendly’ apps offering brief, easy to understand explanations of what the app would and would not collect and use based on a user granting permission.

I'm sure the OAIC has privately fed back information to agencies on how their apps failed to meet Australian privacy law and actions are underway to rectify this.

Other agencies and councils that have developed, are developing or have partnered with commercial mobile apps also need to be aware of the risks they are taking on if they don't adequately meet Australian privacy law.

Under the updated law that came into effect earlier this year, penalties for government agencies and corporations range up to a million dollars - making the omission of a privacy statement or use of user data without clear permission quite an expensive proposition.

Hopefully agencies are aware of the OAIC's report and are ensuring that user privacy is taken into account within their mobile apps.

If not, I hope we see some high profile examples to ensure that other agencies change their behaviour.

Wednesday, March 12, 2014

Are you prepared for Australia's new privacy law?

Today Australia's new Privacy law comes into force, affecting Australian Government agencies, businesses with a turnover of more than $3 million or trading in personal information and all private health service providers.

This is the first major change in Australian privacy law in 25 years, and it brings numerous changes and updates to reflect the major shifts in society over this period.

Since the last Privacy Act was introduced in the late 1980s we've seen the digitalisation of most records, the introduction of the world wide web, the rise of Web 2.0, the spread of mobile devices and the greatest increase in public expression by Australians in history.

The notion of privacy has also changed. I've always considered privacy as a transaction rather than an absolute - people trade aspects of their privacy in return for services, benefits or convenience. This has become far more widespread as an approach as organisations increasingly use personal information to shape people's experience of products and services, particularly online.

Generationally we've seen very different views of privacy take hold. Younger people are far more willing to share information that their elders consider 'private' and have new concerns around information that their elders share without a thought.

The new Privacy law (Privacy Amendment (Enhancing Privacy Protection) Act 2012) contains a number of stronger provisions on organisations to protect and communicate how they protect the privacy of individuals, as well as more ability for individuals to ask organisations what they know about them.

It also does a great deal to revalue personal privacy. Whereas Telstra was recently fined about $10,000 for accidentally releasing private information on about 12,000 people - valuing their privacy at 0.83c each, under the new law the penalties may be much higher - up to around $1.7 million.

If you're unfamiliar with the new privacy law, you're probably in the majority.

There's been little promotion of the change and limited information available for the public or organisations to test their current privacy approach.

There is a media release on the Office of the Australian Information Commissioner's (OAIC) site and the OAIC has done what it can - without a significant budget - to get the word out to those affected by the changes.

Unfortunately the changes haven't been promoted by any Ministers or the Prime Minister - the law was changed under the last government and the ownership may not be there.

However regardless of the promotion or not of the new law, it is now in effect. Every Australian has new rights and many organisations have new obligations they must meet in collecting, holding, sharing and protecting the private information of Australians.

To learn more about the new Australian Privacy law, visit the OAIC's guidance on the reforms at the following pages:

Tuesday, October 29, 2013

How do we solve falling trust in online services before it becomes critical?

A few days ago LinkedIn launched its latest iOS app, Intro.

The app promises to integrate LinkedIn profile content directly into emails, allowing more rapid connections and helping give email recipients access to a range of relevant information about the sender.

Given both Apple and LinkedIn are well-known brands, many people are likely to trust that this app is safe for them to use, that these two global companies have taken every step to ensure that users are not exposed to privacy risks.

It's also not a big decision. Intro is free and installing the app is a two-click process, done in under 30 seconds. People are unlikely to spend the time to look at the usage policy in detail, or consider the impact of such a simple decision when they trust the brands.

However, in this case, trusting LinkedIn and Apple may not be wise. The global security consultancy Bishop Fox released a very compelling post outlining serious concerns with how LinkedIn's new app works.

According to Bishop Fox, the app works in the same way as a 'man in the middle' hacking attack, by sending all of a user's emails through LinkedIn's mail servers. Here they could be read by LinkedIn or, if encrypted, this process could stop the final recipient from ever receiving the email.

LinkedIn states that it will keep information from the emails it captures and, while it states that LinkedIn “will never sell, rent, or give away private data about you or your contacts”, there's no clarification of what data LinkedIn might consider private, nor any solid information on how LinkedIn has mitigated against the type of security breach it suffered in 2012.

This is just a single instance of a situation where the public are being asked to trust a company to do the right thing online, while there's no guarantee they will, and often there are few ways for an individual, organisation or even a government to hold a company to account when they fail to keep their end of the trust bargain.

So the conundrum for the public has become, who can they trust online?

Clearly there must be a level of trust to use online systems, with banks and government clear cases of where trust relationships are critical for transactions and service provision. With no trust in online systems, online banking and egovernment could not exist.

Social networks are also important. As places where people store personal information and share more and more of it over time, there's a clear requirement for companies to appear trustworthy and safe.

Even search engines, which have become the front door to most websites (with Google the dominant player), have a huge trail of data on their users - what you search for helps define who you are, particularly when people use search for medical and personal matters.

The public must implicitly trust all these organisations to both play nice with their personal information and to secure it such that nefarious groups or individuals don't get it. However it has become very clear that they simply can't.

Whether it is commercial providers, who primarily use this data to identify more effective ways to sell, or governments and banks who require this data to validate individuals, the number of reported data breaches is rising - in a global environment where few governments legally require companies to report breaches to the people potentially impacted.

On top of this comes revelations of data surveillance operations by government agencies, such as the NSA, commercial entities such as the example from LinkedIn above, where the data helps them productise their users, or organised crime, who use hackers and insider sources to secure valuable data for use and resale.

However despite increasing concern over how data is secured, who can access it and how it will be used, individuals continue to use many of these online services, either because they simply cannot live their normal lives, or conduct business, without using them, or because of the "it won't happen to me" principle.

If public trust disappears, what does that mean for every organisation using the internet to build its business or to provide more convenient and cost-efficient services?

What impact would it have on government, where a shift to electronic transactions means less investment in other channels and, over time, less capability to meet citizen needs should a collapse in online trust occur?

I don't know how this situation can be resolved, particularly with the low attention paid to ensuring organisations report and rectify data breaches and be clear on how they will secure and use data.

While it is a global issue, individual governments can have an impact, by establishing a robust privacy framework for their citizens and recognising that people own their own data and any organisation allowed access to it should be held accountable for not securing or using it appropriately.

Do we have such a regime in Australia today?

I wanted to finish with an extract from the response I received from the Australian Privacy Commissioner when I reported the LinkedIn app using their email form:

Dear Craig  
Thank you for your enquiry.  
The Office of the Australian Information Commissioner (OAIC) receives a large quantity of written enquiries each day. A representative will be assigned to your enquiry and will be in contact soon. 
We aim to respond to all written enquiries within ten working days. 
If your enquiry is urgent and requires an immediate response, please telephone us on 1300 363 992 and quote your reference number. More complex phone enquiries may require a written response and may still take some time.

A response within 10 working days (14 actual days).

I wonder how many individuals may have their privacy breached, or organisations their confidential data exposed, by a single popular mobile app from a well-known company in this period of time.

Friday, April 12, 2013

Presentations from Social Media conference and #socadl

Earlier this week I gave presentations at Canberra and Adelaide social media conferences from Akolade and at #Socadl - the regular meetup for South Australian social media enthusiasts.

I've included my two presentations below, and they're also available in my Slideshare page.

Thursday, March 22, 2012

Who is watching the watchers? Civilian surveillance of government

With the widespread availability of cameras in phones and tablet devices - in fact it is hard to buy one today that doesn't include a camera - it is inevitable that people will take them out and take a snap of their most - or least - favourite public figures.

These photos and video get shared, usually online, and generally contain metadata detailing when and where they were taken.
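The metadata the paragraph above refers to is the EXIF, XMP and IPTC data a camera writes into the JPEG's application segments (timestamp, device, and GPS position when location services are on), and it travels with the file unless it is stripped before sharing. The following is an added example, not code from the original post: a small JPEG segment parser that drops those segments and copies everything else, including the image data, unchanged. The sample JPEG is constructed by hand in `build_sample_jpeg()` and is not a real photo.

```python
"""Strip EXIF/XMP/IPTC metadata from a JPEG by walking its marker segments.
Added example; the sample JPEG below is constructed, not a real photo."""
import struct

SOI, EOI, SOS = 0xFFD8, 0xFFD9, 0xFFDA
APP0, APP1, APP13 = 0xFFE0, 0xFFE1, 0xFFED
STANDALONE = {0xFF01} | set(range(0xFFD0, 0xFFD8))  # markers with no length field

# Payload prefixes that identify metadata-carrying application segments.
METADATA_PREFIXES = {
    b"Exif\x00\x00": "EXIF",
    b"http://ns.adobe.com/xap/1.0/\x00": "XMP",
    b"Photoshop 3.0\x00": "IPTC",
}


def _segment(marker: int, payload: bytes) -> bytes:
    """Marker (2 bytes) + big-endian length that counts itself (2 bytes) + payload."""
    return struct.pack(">HH", marker, len(payload) + 2) + payload


def iter_segments(data: bytes):
    """Yield (marker, start, end) for each segment after SOI, stopping at SOS;
    the entropy-coded scan that follows SOS is not segment-structured."""
    if data[:2] != struct.pack(">H", SOI):
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        (marker,) = struct.unpack(">H", data[pos:pos + 2])
        if marker >> 8 != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        if marker in STANDALONE:
            yield marker, pos, pos + 2
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header at offset %d" % pos)
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        end = pos + 2 + length
        yield marker, pos, end
        if marker == SOS:
            return
        pos = end


def strip_metadata(data: bytes):
    """Return (cleaned_bytes, removed_labels). Only metadata segments go; APP0
    (JFIF), table segments and the scan data are preserved byte for byte."""
    out = bytearray(data[:2])
    removed = []
    for marker, start, end in iter_segments(data):
        if marker == SOS:
            out += data[start:]  # SOS header, scan data and EOI, untouched
            return bytes(out), removed
        payload = data[start + 4:end]
        label = next((name for prefix, name in METADATA_PREFIXES.items()
                      if payload.startswith(prefix)), None)
        if marker in (APP1, APP13) and label:
            removed.append(label)
            continue
        out += data[start:end]
    raise ValueError("no SOS marker: not a baseline JPEG")


def build_sample_jpeg() -> bytes:
    """Constructed minimal JPEG: JFIF header, EXIF block with one DateTime tag,
    an XMP packet, a one-component SOS header, two bytes of fake scan data, EOI."""
    jfif = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    tiff = (b"II*\x00" + struct.pack("<I", 8)        # little-endian TIFF header, IFD0 at 8
            + struct.pack("<H", 1)                      # one IFD entry
            + struct.pack("<HHII", 0x0132, 2, 20, 26)   # DateTime, ASCII, 20 bytes, at offset 26
            + struct.pack("<I", 0)                      # no next IFD
            + b"2012:03:22 10:15:00\x00")
    exif = b"Exif\x00\x00" + tiff
    xmp = b"http://ns.adobe.com/xap/1.0/\x00<x:xmpmeta/>"
    sos = b"\x01\x01\x00\x00\x3f\x00"
    return (struct.pack(">H", SOI) + _segment(APP0, jfif) + _segment(APP1, exif)
            + _segment(APP1, xmp) + _segment(SOS, sos) + b"\x12\x34" + struct.pack(">H", EOI))


if __name__ == "__main__":
    original = build_sample_jpeg()
    cleaned, removed = strip_metadata(original)
    print("removed:", removed, "| %d -> %d bytes" % (len(original), len(cleaned)))
```

Because the scan data is copied verbatim the image is not re-encoded, so there is no quality loss; running the function a second time on its own output removes nothing, which is a convenient check that the parser is idempotent.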

So what is the outcome when citizens, concerned at the actions of politicians or public officials, begin photographing and filming their movements for accountability purposes?

David Eade (from Qld's Gov 2.0 community) has written a fabulous blog post on this topic in Govloop, Citizen Surveillance and the Coming Challenge for Public Institutions.

In this post David specifically highlights citizen surveillance of law enforcement officials and agencies - something of intense interest to anyone following cases such as the recent death of a Brazilian student after being tasered by Sydney police (by the way, for more on the rise of non-lethal law enforcement devices, watch this great TEDx Canberra video from Stephen Coleman).

What if a group of citizens, frustrated at the conduct or decisions by a government official (that is any public official - elected or appointed), took it upon themselves to organise round-the-clock surveillance of that person's movements and activities, using a group of people armed with phone-based cameras, filming only from public property (as is legal)?

What if they uploaded all these images, with commentary, to social networking sites for discussion and debate?

What if there was an organised movement, perhaps by someone like Get-Up, to release 'mug shots' of key government decision-makers in a controversial department or matter, and then invite people to photograph them and report what they were doing wherever they went?

There could even be a new phenomenon known as 'public servant spotters' - people who take, publish and even trade photos of particularly rare breeds of public servants (such as Secretaries). Imagine the kudos in that community for photographing the entire SES!

This is an interesting new area for citizen power that we haven't yet seen explored very far.

In many places around the world law enforcement agents now have the legal right to detain or arrest people for photographing or videoing their activities - a course that may be increasingly hard for citizens in liberal democracies to swallow and, given the growing use of CCTV and the difficulty of identifying bystanders filming a public occurrence, very hard to control. Of course, in more restrictive nations people are routinely beaten or killed for filming police activities.

Is it justifiable or appropriate for governments to broaden these legal powers to all public servants?

Should these legal powers exist at all?

In a society where everyone is a journalist, able to record and distribute video, photos, opinions and facts, how do a government and its citizens agree on what is appropriate surveillance of the activities of government officials - particularly when those activities occur in public, on public property, at the public's expense?

I can see this becoming a growing issue for governments around the world. It is a small and simple step from reporting police activities, filming road workers or snapping photos of elected officials flirting with someone who is not their spouse to photographing and using public facial recognition tools to identify every person entering and leaving a public office.

It is then a simple matter to use social networks or Gold.gov.au to identify their responsibilities and activities. Another simple step to film or photo or text record their public activities wherever they go. Another simple step to publish their activities online, and another to use the pressure to influence their judgement and decisions.

Note this may not be the world we want, however it is the world we already have, it has just been slightly hidden behind private investigators and paparazzi.

When every citizen has a camera with them all the time, what will it mean to governments if they choose to use them?

Monday, January 23, 2012

New Inside Story policy: provide your full name for publication or your comment won't be published

I have had a great deal of respect for the Australian Policy Online (APO), produced by the Australian National University and University of Swinburne.

For several years the site has been a fantastic venue for serious discussions of public policy options, and a very useful source for policy resources and research. The site also, without prompting from me, republished several posts from this blog.

However, after commenting on an article in the Inside Story section of APO late last week, I received an email from the editor pointing out a change in their commenting policy.

Now anyone who submits a comment to Inside Story, as part of APO, must provide, and be prepared to have published, their full name. This new policy is detailed following their full articles using the text as below (highlight is mine):

Send us a comment

We welcome contributions about the issues covered in articles in Inside Story. Well-argued and clearly written comments are more likely to be published, and we’re now asking all contributors to provide their full name for publication. Because all comments are moderated, they will not appear immediately. Your email address is never published or shared. Required fields are marked *.

Now while I appreciate the sentiment of an editor who wishes to avoid spurious comments from people using pseudonyms or commenting anonymously, I found myself uncomfortable with the prospect of a website that forces anyone who comments to publicly reveal their real name in full.

I wrote a piece about this very topic a few months ago for Mumbrella, Toughen up - we need online anonymity, which discussed the various pitfalls involved in forcing people to reveal their real identity.

While I am sure it isn't the intent of this policy, one major risk - particularly relevant to a policy discussion site - is that of excluding certain groups from the conversation.

This includes people who, if their identity is published, may face physical or financial risk, those in witness protection programs, people who fear online attack if their views are taken the wrong way, those involved with policy making who have suggestions or questions, those under the age of 18 and more.

In many policy areas there are people who need to be cautious about revealing their real names publicly for legitimate reasons - whether the topic be health, law and order, immigration, development, gambling, climate change or something else.

While it is the right of each publication or website to define its own moderation and publication policies, the effect of this policy may be to silence people who have valid and important contributions to make, reducing the richness, robustness and usefulness of discussions.

If the primary concerns of Inside Story's editor and publisher are inappropriate comments, defamation, personal attacks and the like, these can be handled through pre-moderation (which they do already), backed up by a public moderation policy and community guidelines (which I cannot find on their site).

Alternatively Inside Story could require people to register and provide their real name in their account details, then publish comments under a name or pseudonym that the user selects. This would ensure they had real names if needed and allows regular contributors to maintain a consistent identity while still providing them with sufficient room to make valuable comments that otherwise they may not feel comfortable doing.

When Inside Story's editor, Peter Browne (also credited as the Commentary Editor of Australian Policy Online), emailed me last week to ask if I was happy to have my comment published under my full name, I thought about it for a few minutes and then decided that, while I didn't mind my name being connected to my comments, it was time to take a stand: the damage to the public conversation could be too great. So I said no.

I won't be commenting further on Inside Story or Australian Policy Online while their current policy is in force, nor will I spend as much time reading the site. They remain welcome to republish my blog posts (which are licensed under Creative Commons, so I can't really stop them even if I had wanted to).

This decision may make me slightly poorer, however I believe Inside Story's decision significantly weakens their effectiveness and inclusiveness. The unintended consequence of forcing people to have their full name published alongside their comments is to make all of Australia poorer by stifling public policy discussion, particularly amongst those whose views most need to be heard.

I hope government agencies do not follow the same course on full names. It would severely restrict the value of the online channel for collecting input on policy consultations and thereby make good policy harder to develop.

For the record, I've included a copy of my email exchange with Peter Browne, Commentary Editor of Australian Policy Online and Editor of Inside Story:
From: Peter Browne

Dear Craig, 
I’m not sure whether you noticed, but we now ask people commenting on articles to provide their full name for publication. Are you happy for your full name to appear with this comment? 
Cheers,
Peter Browne
Editor
From: Craig Thomler

Hi Peter, 
I didn't notice this policy change. I have now looked through your 'about' pages and see no mention of this - nor of your moderation policy. 
I would normally be happy for my full name to appear on my comment, and all my comments online are made on the basis that people can track down and find out who I am if they wanted to. 
However I'm not comfortable with a site that forces people to provide their full name publicly. This requirement prevents many people from commenting - those in witness protection programs, minors (such as 17yr olds), those concerned about stalkers, bullying, identity theft, privacy and so on. 
I see your policy as reducing the potential for open public dialogue without providing any safeguards. A backward step that only damages your reputation. 
It is also impossible to enforce anyway - people can use fake names and email accounts, thereby making your policy useless.
If your concern is around identity, have people register and use a unique username (which may or may not be their full name) - you still have their full name in the background, however they are not exposed publicly. 
If your concern is around inappropriate content, this should be managed through anti-spam and moderation techniques, potentially using the registration process above to allow you to identify and manage persistent offenders (where IP address isn't enough). Your moderation policy should be published so that commenters understand the basis on which they will be assessed. This is simply a matter of respect and setting the context of a discussion - similar approaches are used in face-to-face meetings. 
So in this case, I decline the publication of my comment and will not comment further on APO until your policy is adjusted to not require the publication of full names and is made easily accessible in your site along with your moderation guidelines. 
I will also be publishing this email in my blog to show the perils of requiring full names and linking to my post for Mumbrella: Toughen up - we need online anonymity (http://mumbrella.com.au/toughen-up-we-need-online-anonymity-58441). 
Cheers,
Craig
From: Peter Browne

Dear Craig,
My view is that if writers use their own names then responders should too. The policy is at the bottom of each article, just above the comment field. 
Cheers, Peter

From: Craig Thomler

Hi Peter,
Thanks for pointing this out. I had looked for dedicated 'Community guidelines' 'Comments policy' or 'Moderation policy' pages and looked at your summary articles, where I can still register or log-in to comment, but do not see the same message.
I now have looked at a full article and can see the text. It remains unclear on what basis you moderate.
Here's an example of what I mean by a moderation policy: http://myregion.gov.au/moderation-policy
I appreciate you believe that writers and commenters should have the same rights - although writers are often contributing for different reasons and have different agendas for expressing their views, some are even paid to do so, directly or indirectly (aka not necessarily by you). 
It will certainly be interesting to see how you decide to represent the writer when you receive an article from someone in a witness protection program or a whistleblower, and how you will treat comments. 
Cheers,
Craig


Friday, October 14, 2011

Treating bloggers right

Many organisations still haven't cottoned on to the influence of a number of blogs or how to appropriately approach and engage with them - including PR and advertising agencies who should know better.

I was reading an excellent example of this the other week, from The Bloggess, where a PR agency not only approached with an inappropriately targeted form letter, which indicated the agency hadn't even read her blog, but responded to her (relatively) polite reply with an annoyed response.

The situation really escalated, however, when a VP in the PR agency, in an internal email, called her a "F**king bitch" (without the asterisks). This email was accidentally (by the VP) also CCed to The Bloggess.

The Bloggess took a deep breath, and responded politely, however then received a torrent of abuse from the PR agency.

At this point she published the entire exchange on her blog - in a post that has already received 1,240 comments, has been shared on Facebook 8,397 times and via Twitter 5,328 times.

Her comments have also been shared widely and her post read by many of her 164,000 Twitter followers.

The Bloggess's post is a good read - particularly for government agencies and their PR representatives - on how to behave appropriately when engaging bloggers, and the potential fallout when they don't.

I'm also keeping a link handy to 'Here's a picture of Wil Wheaton collating papers' for those PR and advertising agencies who send me form emails asking me to post about their product or brand promotions on my blog (and yes there's been a few in the last six months - all Australian agencies).


Thursday, September 22, 2011

Toughen up - we need online anonymity

Rather than posting in my blog today, I am breaking one of the rules of blogging (always pull people back to your own blog) by pointing people to an opinion piece in Mumbrella that I wrote recently after reading a couple of other opinion pieces attacking the basis for allowing anonymous commentary online.

Toughen up - we need online anonymity

Please comment in Mumbrella (anonymously if you prefer) to continue the discussion.

Note that I wasn't paid for my opinion :)


Wednesday, August 31, 2011

What's in a name?

People invest an enormous amount of identity and personal energy into their own names.

Names are our unique identifiers, defining us as separate to others - even for people with common names.

So when organisations make rules about the names people can use online it can create significant distress and dislocation for people.

It also raises questions over who can decide your identity. Can corporations deny people the use of their legal names online simply because they don't fit a narrow model of what the corporation regards as 'appropriate naming'?

A recent example I've been following is Stilgherrian's battle with Google over the use of his legal name for Google Plus. You can follow it at his blog (strong language) or read about it at The Register.

Stilgherrian changed his name over thirty years ago to a mononym - a single name. His passport and official records all reflect this and those of us who know Stilgherrian personally have never experienced any dislocation or issue with engaging with him as an individual with one name.

However Google's Plus service has defined rules for allowable names. Firstly, it requires that you use your legal name (although Google is apparently not requiring evidence or checking with authorities in most cases to verify this). Secondly, it requires that you have a first name and a last name and that there are no spaces or characters like an apostrophe in your name.

Now while this might fit a certain segment of the population, there are a number of people who have either only one name (as is common in a number of countries), have spaces in their names such as "Dick Van Dyke", or use apostrophes and other non-standard characters.

The net result is that Google is blocking people with names that don't match its view of what is a legal name - and requiring that people provide documented proof of their 'anomalous' legal names.

I have another friend who changed her legal name to a mononym (which includes an apostrophe) over ten years ago. About two weeks ago she announced that she was changing her name to add a 'first' name, so that she could use Facebook and other social media channels to communicate with people.

She had finally reached the point where her single name was excluding her from legitimate social interactions due to the naming policies of (mainly) US companies.

I have a real problem with this situation, for Stilgherrian, for my friend and for the millions of other people around the world who have names that don't fit Google or Facebook's views of a legal name.

Firstly, 'legal' names should be defined by governments, not corporations. Australia's governments, and many governments around the world, support a much wider variety of legal naming conventions than social networks appear to allow.

Secondly, isn't it discrimination when corporations deny you access to their service due to the format of your legal name? Denying a service to an individual just because their name is structured differently to their business rules might be legally actionable.

Finally, what right do corporations have to your legal name anyway - particularly if they make it public. Many people have good reasons for not revealing their legal name publicly. Those in witness protection programs, minors, people with embarrassing 'real' names and those who are widely publicly known by a name other than their legal name, are all candidates for using a different name to their legal name online for legitimate reasons.

Is it fair to deny people access to online services, particularly when these services are in such widespread use, just because they can't publicly disclose their legal name?

All of the examples above relate to corporations. However there are examples that also relate to government.

There have been calls from a number of quarters in various Australian governments to restrict people to the use of their legal name when commenting online. The purported reason is that people are less likely to behave inappropriately if they can be held accountable for what they say. The subtext is that people become easier to monitor and track.

I am not a fan of this approach for governments either. Like above, there are legitimate reasons why people might choose to not use their legal name in online discussions.

It can also be very hard to identify many people from their legal name alone, given the number of duplicates that may exist. Any step taken to require legal name use would have to attach address and proof of identity in order to identify specific individuals. Even then, identity theft would lead to many misrepresented identities.

Also there are other ways authorities can identify individuals if there are legitimate reasons to do so (such as discussion of committing a crime) - using IP addresses and various analysis techniques.

What is useful for government, is being able to identify consistent identities online - whether individuals choose to use their legal names or not.

Consistent identities allow organisations to build user cases based on profiling views across different topics, supporting policy development and decision-making without compromising personal privacy or security and while allowing people to define themselves online as they choose.


Thursday, May 19, 2011

21st Century society vs 19th Century laws and policing

Laws have always struggled to keep up with society, however rarely in such a vivid and public way as in Wednesday's arrest of Sydney Morning Herald journalist, Ben Grubb, and the confiscation of his iPad.

The incident, well reported in the SMH, occurred when Queensland Police responded to a complaint regarding a photo hacked from one security expert's private Facebook page and displayed in a presentation at the AusCERT conference in Brisbane as an example of a major security hole in Facebook's system.

Grubb was attending the conference and received a briefing about the security hole. Seeing the public interest in telling the community that their supposedly private Facebook photos could be easily accessed, Grubb reported the matter in an article featuring the image, which I can no longer find on the SMH site.

The following day police questioned Grubb about the matter and then demanded he hand over his iPad on the basis that police wanted to 'search' it for evidence of a crime. When he was unwilling to do so, he was arrested and his iPad confiscated for a complete image of its content to be taken and analysed by police (let's not even explore the potential conflict with Australia's Shield laws, which incidentally also cover bloggers and tweeters).

The basis of police concern was that the image retrieved by the security expert and used in the SMH article was 'tainted material', stolen from a Facebook account and then passed on to others.

What is more worrying is that the Queensland police, in a press conference, then equated receiving an email containing a stolen image as 'like taking stolen TVs'. To quote:

Detective Superintendent Hay used an analogy to describe why Grubb was targeted.

"Someone breaks into your house and they steal a TV and they give that TV to you and you know that TV is stolen," he said.

"The reality is the online environment is now an extension of our real community and if we go into that environment we have responsibilities to behave in a certain way."

Let's think about this for a moment.

Firstly, when someone 'steals' an image - or music, movies, books or other online content - it isn't stealing if the content remains at the point of origin for the original owner to continue using. It may be a copyright infringement or privacy breach, but unlike stealing a television, where the owner of the television is left without it, there is no theft, simply replication.

On that basis any laws around theft simply don't apply online. You can copy my idea, my words, my images. However, unless you somehow delete the originals, you are not stealing them, you are breaching my copyright.

Secondly, when an email is sent to our email address it gets delivered regardless of the legality of its contents. We have no say in whether we receive legal or illegal messages and images. Sure there's spam blockers and the like, however these automated tools can't tell if content is legal or not, only if it violates certain rules, such as containing certain four letter words or phrases.

However, according to the QLD Police, if someone sends you an email containing a 'stolen' image, you are breaking the law. This is even though there is no way possible for you to refrain from receiving the email in the first place. You don't even have to open the email. If it has been stored on your device, based on the QLD Police's interpretation of Commonwealth law, you are a potential criminal.

This has enormous ramifications for society. Anyone can frame someone else by sending them an email. As it is relatively easy to set up a disposable email account, you can do so anonymously. This could be used against business rivals, political opponents, or even against the police themselves simply by sending them an anonymous email and then making an anonymous complaint.

Equally, if the person receiving the email is a potential criminal, then what about all the organisations whose mail servers were used to transmit the message?

When an email is sent from one person to another it can pass through a number of different systems on its journey. At each stop, a mail server copies and saves the email, checks the route then sends the email on.

In most cases these mail servers delete these emails again for storage reasons, however at a point in time each of them has received the email, making the organisations and individuals who own them liable, again, under the QLD Police's interpretation of the law.

Given the number of emails sent each day in Australia it's clear from the QLD Police's legal interpretation that most ISPs must be operated by criminals, receiving, storing and transmitting illegal content all day and night.
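To make the relay point concrete, here is an added example (not from the original post) that walks the Received: headers of a message and lists every server that handled, and therefore at some point held, a copy of it. The message is constructed for illustration; all host names, addresses and timestamps in it are made up.

```python
"""Trace the custody chain of an email from its Received: headers.

Added example, not from the original post. The sample message below is
constructed; every host name, IP address, id and timestamp is made up.
"""
import email
import re
from email.utils import parsedate_to_datetime

# Constructed sample. Each relay prepends its own Received: header, so the
# top header is the final hop and the bottom one is the first.
RAW_MESSAGE = """\
Received: from relay2.example.net (relay2.example.net [203.0.113.20])
\tby mx.example.org with ESMTP id abc123
\tfor <craig@example.org>; Wed, 18 May 2011 10:02:10 +1000
Received: from relay1.example.net (relay1.example.net [203.0.113.10])
\tby relay2.example.net with ESMTP id def456;
\tWed, 18 May 2011 10:02:05 +1000
Received: from laptop.example.com ([198.51.100.7])
\tby relay1.example.net with ESMTPSA id ghi789;
\tWed, 18 May 2011 10:02:01 +1000
From: Someone <someone@example.com>
To: craig@example.org
Subject: constructed sample
Date: Wed, 18 May 2011 10:02:00 +1000

Body text.
"""

# "from <sending host> ... by <receiving host>" as written by most MTAs.
HOP_RE = re.compile(r"from\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+)", re.IGNORECASE)


def parse_hops(raw: str) -> list:
    """Return one dict per Received: header, in chronological order.

    Each dict has the sending host ('from'), the receiving host ('by') and
    the timestamp the receiving host recorded ('time', or None if absent).
    """
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        # Unfold the header: continuation lines start with whitespace.
        text = " ".join(value.split())
        # The date is conventionally everything after the last ';'.
        if ";" in text:
            clause, _, stamp = text.rpartition(";")
        else:
            clause, stamp = text, ""
        match = HOP_RE.search(clause)
        if not match:
            continue
        try:
            when = parsedate_to_datetime(stamp.strip()) if stamp.strip() else None
        except (TypeError, ValueError):
            when = None
        hops.append({"from": match["from"], "by": match["by"], "time": when})
    hops.reverse()  # headers are newest-first; put the first relay first
    return hops


def custodians(raw: str) -> list:
    """Every host that held a copy, from the submitting machine to the
    final mailbox server, in order of receipt."""
    hops = parse_hops(raw)
    if not hops:
        return []
    return [hops[0]["from"]] + [hop["by"] for hop in hops]


def intermediate_relays(raw: str) -> list:
    """Hosts that stored a copy in transit but are neither the sender's
    machine nor the recipient's mailbox server."""
    return custodians(raw)[1:-1]


def transit_seconds(raw: str) -> float:
    """Seconds between the first and last relay timestamps."""
    times = [hop["time"] for hop in parse_hops(raw) if hop["time"]]
    if len(times) < 2:
        return 0.0
    return (times[-1] - times[0]).total_seconds()


if __name__ == "__main__":
    for host in custodians(RAW_MESSAGE):
        print("held a copy:", host)
    print("in transit for", transit_seconds(RAW_MESSAGE), "seconds")
```

Received: headers added by a relay you do not control can be forged, so treat the chain as a starting point for inquiry rather than proof.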

Applying this type of 19th Century policing and legal approach clearly isn't going to work in the 21st Century.

When everyone can publish and illegal content can be received without your consent or knowledge, laws need to change, as does police training and practice.

Without these changes government bodies will become more removed from the society they are meant to serve, unable to function effectively and efficiently in today's world.

By the way, the security analyst who originally 'stole' the Facebook images hasn't been questioned, arrested or charged. And Ben Grubb still hasn't received his iPad back.


Tuesday, March 01, 2011

Should an employer ever require your social media passwords as an employment condition?

At least one state agency in the US, Maryland Division of Correction, recently started requiring employees to provide their personal Facebook password and allow their employer to scrutinise their account as a condition of continued employment.

Apparently this request wasn't illegal - although it breaches Facebook's usage policy (which could mean the employee loses their account).

The rationale given by the employer was that they needed to review the contents of the account as part of the employment contract.

A video of one staff member asked to provide his personal Facebook password is below.




Now this isn't the first time an employer has required their employees to provide personal passwords as a condition of employment. The city of Bozeman, Montana might live in history as the first government to ask all of its staff to provide all their social media passwords - although they quickly dropped the policy when media scrutiny became too high, on the basis that the community "wasn't ready yet".

A number of law enforcement agencies have also apparently begun requesting this information as part of their recruitment process, as reported by USANow in the article, Police recruits screened for digital dirt on Facebook, etc.

There are also stories of financial services companies and other organisations similarly requesting access to personal social media accounts before hiring new staff.

Should employers be allowed to request your passwords?

So are there situations where an employer should be able to access their employee's private social media accounts?

Is this a breach of privacy, or an appropriate step forward for background checks, given how much background people today store in their social media accounts?

Often, for security clearances or in highly sensitive roles, staff in both public and private sector organisations are asked for all kinds of personal information as a requirement of employment. Is requiring your social media account details - and passwords - much of a stretch?


Here are some articles discussing the topic:


Thursday, November 18, 2010

The danger of permanent internet exclusion to egovernment and Gov 2.0

The internet is increasingly defining the 21st century.

It has become the primary medium used to find and share information, the most commonly used news and entertainment medium, and has unleashed an outpouring of creativity which commentators, such as Clay Shirky, have described as "the greatest in human history".

Equally there have been pressures to constrain aspects of the internet. Around the world a number of nations are blocking access to certain pages, websites and services - sometimes based on concerns on the appropriateness of content, sometimes due to economic or political pressure.

There have even been attempts, spearheaded by significant copyright holders, to block internet access for significant periods of time - or even permanently - from households or individuals accused of repeated copyright violations.

This last topic is worth debating in an eGovernment and Gov 2.0 context.

As governments shift information, services and engagement activities online there is greater expectation - and hope - that citizens will use the internet to interact with agencies.

By shifting services online governments can cut offices and employ fewer phone staff.

In a country where all citizens have the right to access the internet this is not an issue. Anyone who can engage online is encouraged to do so and offline government services can be reconfigured to suit audiences who are unable or unwilling to use the internet. Everyone wins.

However what happens in a nation where internet access can be denied to otherwise capable citizens, either for long periods of time or permanently?

What is the commercial impact after television and telephony have migrated to a (for instance) national broadband network? How would this distort these people's access to government services? What additional costs (at taxpayer expense) would government be forced to incur to service these people effectively? Does it exclude them from democratic participation or from vital health and welfare information?

I can't see any nation deciding to permanently cut access to an individual or household's telephony services because they used it to make a few abusive calls. Neither can I see any state denying a household access to electricity or water because one resident was convicted several times for growing illicit drugs via a hydroponic system in their bedroom.

However there are real threats emerging around the world that some individuals or households may be permanently excluded from online participation based on accusations, or convictions, for a few minor offenses.


An example is France, which enacted a 'three strikes' law in 2009. Reportedly record companies are now sending 25,000 complaints per day via ISPs to French citizens they are accusing of flouting copyright laws.

Under the law French citizens receive two warnings and can then be disconnected from their ISP and placed on a 'no internet' blacklist - denying them access to the online world, potentially permanently.

While this approach was designed to discourage illegal activity, early indications are that this doesn't appear to have succeeded as piracy may have risen. It also, apparently, has annoyed US law enforcement agencies as it may encourage greater use of freely available, industrial strength, encryption technologies, thereby making it much harder to distinguish between major criminal organisations and file downloaders and hurting law enforcement activities.

This is similar to an often-repeated storyline in Superman comics, when Superman can identify criminals as they are the only ones using lead shielding on their homes to block his X-Ray vision. If everyone used lead shielding, Superman couldn't tell the bad guys from the good guys (there's a future storyline for DC).


Most importantly a 'three strikes and you're off' approach - or equivalent law - risks permanently excluding people from the most important 21st century medium, simply for being accused three times of copyright violation. Arguably, in today's world, that's a much more severe judgement than people receive for multiple murders, rapes or armed robbery.

I don't see the Australian government rushing to embrace a similar approach, however it still raises the question of whether we need to consider internet access as a right at the same level as access to electricity or telephones.

Other nations are considering this as well. Several European countries have already declared internet access a fundamental human right, including France, which places the country in an interesting position.

The European Union (of which France is a member) has rejected a 3-strike law and, as Boing Boing reported, progressive MEPs wrote a set of "Citizens Rights" amendments that established that internet access was a fundamental right that cannot be taken away without judicial review and actual findings of wrongdoing.

As the internet has now moved from a 'nice-to-have' service to a 'must-have' utility for many people, even actual findings of wrongdoing may no longer be sufficient reason to permanently exclude people. In fact this may be legally impossible to enforce anyway, due to public access and mobile services.

Given the potential negative impacts on democratic participation, the ongoing cost to government and the potential commercial and social impacts - should it be possible for a government to legislate, a court to dictate or for ISPs to refuse to connect some citizens to the internet permanently?


Tuesday, October 05, 2010

In the noise of #Groggate, don't forget those silenced

I've been tracking the discussion on the outing of Greg Jericho as author of the Grog's Gamut blog by The Australian journalist James Massola.

In the last seven days there have been over 100 posts, articles and interviews and nearly 2,000 tweets on the topic - discussing freedom of speech, anonymity, media power and public interest.

Few have mentioned one of the first claims made by The Australian:

"The prolific blogger shows a strong preference for the ALP, despite the Public Service code of conduct stating that "the APS is apolitical, performing its functions in an impartial and professional manner"."

Grog disputed this in Spartacus no more, his final post last Monday before falling silent.

Whether Grog's voice remains silent is up to him and his employer - his Department and behind that the Australian Public Service. It is not up to the media or bloggers.

Across the world many talented public servants operate blogs. There are firm roots in other western democracies such as Britain, Canada, the US and even New Zealand.


Groggate is a challenge not only to broad freedom of speech in Australia - potentially silencing anyone who believes their employers may have concerns over their words - but also challenges the public service to reconsider what Australian public servants may and may not do.

There are hundreds of thousands of intelligent and educated professionals who choose to work for Commonwealth, State and local governments across Australia. They serve the governments of the day diligently; as mature adults most are fully capable of separating their work performance from their personal views (and they all vote).

How many of these intelligent and potentially influential voices will now choose to remain silent rather than face the scrutiny - both public and internal - that Grog is facing?

If Grog continues writing, it will be at the permission of his employer, potentially under greater internal and external scrutiny.

If he stops writing - due to personal reasons or the level of controversy - a thousand other public servants may not develop the courage to start.


How much public sector experience and diversity has been lost to our public debates due to Grog's outing?

We'll never know.


Wednesday, March 03, 2010

LinkedIn reaches a million Australian members

Most people have heard that Facebook has around 8 million active Australian accounts, and MySpace has around 2.9 million, but yesterday I was sent an email that took me a little by surprise.

Apparently LinkedIn, a professional social network, has just reached a million Australian members.

Now I can't verify the truth of this, however it does interest me as I've been a member since mid-2005 (almost five years!) and have found it an increasingly useful way to ask questions of peers, connect with colleagues, research new staff and point people to my own experience.

Like any network, the value grows as the membership grows, and I'd be interested in hearing from people who don't yet have a LinkedIn account why they haven't set one up. Time, privacy, lack of interest?

Monday, November 16, 2009

Knowledge Shared equals Power Squared

I've written this post based on my comments in response to the post at the Gov 2.0 Taskforce site, If I could start with a blank piece of paper… (part 2).

In that comment I made a point that it is relatively easy for government agencies to technically adopt Gov 2.0 approaches. The technology, legal framework and much of the legwork on identifying and mitigating risks has been completed here and overseas - if you know where to look.

However culturally the adoption of Gov 2.0 poses much greater challenges. There are paradigm shifts required in public sector thinking and behaviour. This takes time to work through the system.

One part of this shift is related to the belief that Knowledge equals Power.

While this belief is long-standing and was true for much of human history, it is no longer true, and a more accurate meme would be Knowledge Shared equals Power Squared.

In the past knowledge was expensive to store and distribute. Those who held knowledge on a particular topic were held in high regard and could exert considerable power - and command substantial fees - based on their expertise.

This fostered practices where professions erected barriers to control the flow of knowledge and keep price points high - similar to how De Beers has been accused (and several times found guilty and fined) of controlling the supply of diamonds, and therefore maintaining a high price for them.

Indeed Wikipedia's definition of profession includes a number of characteristics based on containing and controlling knowledge, including the statement,

Inaccessible body of knowledge: In some professions, the body of knowledge is relatively inaccessible to the uninitiated. Medicine and law are typically not school subjects and have separate faculties and even separate libraries at universities.
For public sectors around the world the same influences have been at play, as have additional factors: controlling knowledge for privacy reasons, for national security, to avoid public unrest and even - in some jurisdictions - to protect political figures.

However the knowledge hoarding model begins to fail when it becomes cheap and easy to share and when the knowledge required to complete a task exceeds an individual's capability to learn in the time available.

This has been reflected in a longitudinal study of knowledge workers that Robert Kelley of Carnegie Mellon University conducted over more than twenty years. He asked professionals "What percentage of the knowledge you need to do your job is stored in your own mind?"

In 1986 the answer was typically about 75%. By 1997 workers estimated that they had only about 15% to 20% of the knowledge needed in their own mind. Kelley estimated that by 2006 the answer was only 8% to 10%.

Given that professionals now need to draw 90% or more of the knowledge they need to do their jobs from others, in my view 'Knowledge equals Power' is no longer true.

I believe it is now more accurate to state Knowledge Shared equals Power Squared.

While 'squared' is not empirically true, the statement reflects that to gain and hold power, individuals and organisations now need to share knowledge and build networks.

For the public sector this shift isn't simply about opening up access to existing knowledge resources, it requires rethinking attitudes, behaviours and policies.

For example, where hiring practices focus on hiring people with exceptional personal knowledge, perhaps they need to be re-weighted. We still need people with enough knowledge to form good critical judgements, however they also need exceptional networking and information-processing skills so they can locate and assess the additional knowledge needed.

Organisations that rely on long-time staff as their corporate memory need to review whether this is an effective long-term strategy. Should they future-proof themselves against inevitable retirements and resignations by taking all this knowledge, codifying and placing it in a central location for everyone to access? Should they then open up this location for editing by staff (as a wiki) so that it remains current, useful and relevant?

Personal networks, too, can become a source of considerable strength for both individuals and the organisations that employ them. They allow a staff member to quickly source valuable knowledge from their peers and accelerate an organisation's decision-making and implementation processes. However to harness this power organisations need to allow their staff to access these networks from the office - the online communities and social networks where professionals meet and discuss.

All of these steps pale in comparison with one of the biggest areas of knowledge sharing - with the community. Organisations can derive enormous value from collaborating with their customers, constituents and stakeholders. However for this to work effectively the organisation must share its knowledge openly and allow the community to see and respond quickly to each other's comments.

I'll be posting more on this topic later this week.

Tuesday, July 21, 2009

Shifting from Gov 1.0 to Gov 2.0

Sometimes it is difficult for those of us who are new to the public sector to really appreciate the scope of the changes required to transition government institutions and cultures from a 1.0 to 2.0 mentality.

It's not simply a process of mandating a directional change from political levels (though this is an important and needed step) and educating public servants and elected officials to the benefits, and risks, of Government 2.0. There is also a process of change required across well-established practice and culture, processes, policy and legislation, not to mention transforming the systems and mechanics of government to suit the new global age.

All of this must be done without damaging the ongoing business of government - the provision of services, maintenance of infrastructure and management of all the behind-the-scenes activities that government is responsible for.

The Washington Monthly has published an excellent article on this topic, looking at the challenges faced in the US during this transition, which is being driven very strongly from the top.

The Geekdom of Crowds looks at how some of the mechanisms of Government 1.0 are pushing back on Government 2.0, reducing the effectiveness of government transparency and data sharing and the impact of citizens who are often far more able to open up government from the outside than are those within the political and bureaucratic machinery.

Monday, June 29, 2009

Victorian Government Inquiry recommends that Vic Gov opens most data for free public reuse

The Victorian Government's Economic Development and Infrastructure Committee recently released the final report (PDF) for its Inquiry into Improving Access to Victorian Public Sector Information and Data.

The Inquiry was designed to look at and report back to the Victorian Parliament on the potential application of open content and open source licensing to Victorian Government information, particularly considering the economic benefits, improvements to discovery and use of data, the ICT requirements and potential risks, impediments and restrictions.

With 46 recommendations, the report is quite a hefty read (238 pages) - however there are three key recommendations the report highlights, which I hope are both adopted by the Victorian Government and considered by other governments across Australia.

These were,

  • develop a framework for free or low cost access to all possible public sector information,
  • that the government use the Creative Commons licensing model for most (around 85%) of public sector information, tapping into a simple-to-understand and widely used system - with the remaining 15% subject to appropriate licensing based on the need for restricted access, and
  • that the Victorian government develop a central directory enabling easier discovery of public sector information and the access conditions attached to it.
These three recommendations alone have the prospect of creating a sea change in the Victorian government's approach to the management, licensing and access to public sector data. They shift the playing field from a pro-secrecy towards a pro-disclosure model, allowing (most) public information to be reused by individuals, not-for-profits and the private sector to generate economic benefits for the state and drive innovation.

A fourth recommendation is also worth noting, to quote,
The Committee also considers the use of open source software (OSS) within and by the Victorian Government. One of the Committee’s recommendations is that the Government ensure tendering for software is neither licence specific nor has proprietary software-specific requirements, and that it meet the given objectives of Government.
This recommendation will help level the playing field for open source software in government. While open source is already widely used in the public sector, the lack of a single responsible vendor has sometimes raised the perceived risk of open source. Software has also often been selected on the basis of initial purchase and implementation cost rather than total cost of ownership, a gap that vendors of proprietary software can exploit by offering very low-cost take-up of products with expensive ongoing maintenance and development.

The next step is for the Victorian government to consider and adopt some, all or none of the 46 recommendations - the first of which is,
Recommendation 1: That the Victorian Government release a public statement indicating that it endorses open access as the default position for the management of its public sector information.
Recommendation 39 is also very interesting from a national perspective,
Recommendation 39: That the Victorian Government work with other jurisdictions towards national harmonisation in enhancing access to and reuse of PSI.

Many in the government 2.0 community will be waiting with bated breath.

Thursday, May 21, 2009

Where should government go with single sign-on?

Single sign-on is often seen as one of the Holy Grails of the internet - the ability to use a single logon to access all your secure online accounts and conduct transactions with whoever you choose.

This is seen as a way to make life easier for citizens/customers, allowing them to move easily from provider to provider, just as they may choose to move from store to store in a mall. It also reduces 'password fatigue', where users have too many passwords to remember and, correspondingly, is expected to reduce the IT cost of lost passwords.

The main risk of single sign-on is the mirror image of its convenience - a single logon for everything, held in one central location, is also a single point of compromise, so a phished or stolen credential (or a breach of the central store) can expose every linked service at once rather than just one.

It might appear that the public sector has an advantage in moving towards a single sign-on for egovernment services. We have the dollars, expertise and computing power to pull together large IT projects, we don't have internal competitive pressures and possess the legislative power to change any laws necessary to allow citizens to access all government services via a single logon.

In contrast the private sector is fragmented between thousands of entities, potentially all competing for their slice of the online pie. Different online services are tied up with different intellectual property and sharing this IP would seem counter-intuitive to increasing profit margins.

However in practice the situation has been very different.

In the commercial world large and small organisations have been lining up behind a single standard for single sign-on, OpenID.

The OpenID Foundation estimates there are already over 1 billion OpenID-enabled web users and that more than 40,000 websites globally support the system.

OpenID is supported by the biggest online, authentication and IT players, including Microsoft, IBM, VeriSign, PayPal, Google and Yahoo, and was recently implemented by Facebook.

The system is fast becoming the global ID standard for authenticating users to websites - although I am unaware of a single case around the world where a government has adopted the same system.

On the government front single sign-on services are less developed. In Australia we've had the proprietary MyAccount service available for some time now, linking Centrelink, Medicare and CSA customer accounts. MyAccount requires users to register separately for each agency's online service and then link them together by registering a separate (fourth) account. This separate account can then be used to log into the online services of each of the agencies.

This service is presently being expanded. Australia.gov.au has indicated that they will be adopting the same single sign-on mechanism and that more agencies will be coming shortly.

The UK government has similarly been working on an independent single sign-on solution. This has encountered issues that I am sure Australia will also face - different services require different security levels, and stepping up between those levels is more complex than simply offering a username and password, because the service has to know how strongly, and how recently, the user was authenticated.

The question in my head is whether it is possible for government to adopt the (free and open) OpenID standard rather than spend the time and money required to develop and expand a separate proprietary system.

In other words, do we need the government to continue to invest in a second 'single' sign-on when the commercial world is already well-advanced in a global solution?

The issue isn't that simple unfortunately. There are many reasons why a government may wish to own its own authentication system, such as national security, protection of citizen privacy and custom ways to 'step up' to higher security levels (though stepping up is also possible in OpenID).
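To make the step-up point concrete, here is an added example (not code from the original post, nor from MyAccount, the UK scheme or any OpenID provider) of what a relying service has to track once different services demand different security levels. The level names, the service catalogue and the freshness windows are assumptions chosen for illustration; the general idea, recording per session when each assurance level was last reached and demanding re-authentication when the required level is missing or too old, is what a plain username-and-password check does not give you.

```python
"""Step-up authentication across services with different assurance levels.

Added example, not code from the original post or from MyAccount, the UK
scheme or any OpenID provider. The level names, service catalogue and
freshness windows are assumptions chosen for illustration.
"""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, List, Optional, Tuple


class Level(IntEnum):
    """Assumed assurance levels; IntEnum so that 'higher' compares numerically."""
    ANONYMOUS = 0
    PASSWORD = 1        # something you know
    PASSWORD_OTP = 2    # plus a one-time code
    HARDWARE_TOKEN = 3  # plus a hardware-backed credential


# Hypothetical service catalogue: the assurance each service demands and how
# recently (in seconds) the user must have authenticated at that level.
# None means no freshness requirement.
SERVICES: Dict[str, Tuple[Level, Optional[int]]] = {
    "view-newsletters": (Level.ANONYMOUS, None),
    "update-contact-details": (Level.PASSWORD, 8 * 3600),
    "view-payment-history": (Level.PASSWORD_OTP, 3600),
    "change-bank-account": (Level.HARDWARE_TOKEN, 300),
}


@dataclass
class Session:
    """One signed-on user; records when each assurance level was last reached."""
    user: str
    reached: Dict[Level, float] = field(default_factory=dict)

    def authenticate(self, level: Level, now: float) -> None:
        # Authenticating at a level satisfies every lower level at the same
        # moment, but never a higher one: a password logon cannot refresh
        # an OTP or hardware-token level.
        for lv in Level:
            if lv <= level:
                self.reached[lv] = now


@dataclass(frozen=True)
class Decision:
    allowed: bool
    step_up_to: Optional[Level]  # level the user must (re)authenticate at, if any


def authorise(session: Session, service: str, now: float) -> Decision:
    """Allow the request, or say which level the user must step up to."""
    required, max_age = SERVICES[service]
    if required == Level.ANONYMOUS:
        return Decision(True, None)
    when = session.reached.get(required)
    if when is None:
        # Never authenticated this strongly in this session: step up.
        return Decision(False, required)
    if max_age is not None and now - when > max_age:
        # Reached the level once, but too long ago for this service:
        # re-authenticate at that level rather than trusting the old session.
        return Decision(False, required)
    return Decision(True, None)


def walk_through() -> List[Decision]:
    """A constructed user journey; returns the sequence of decisions."""
    s = Session("citizen-1")
    t = 1_000_000.0
    s.authenticate(Level.PASSWORD, t)
    out = [
        authorise(s, "update-contact-details", t),   # allowed
        authorise(s, "view-payment-history", t),     # must step up to OTP
    ]
    s.authenticate(Level.PASSWORD_OTP, t + 60)
    out.append(authorise(s, "view-payment-history", t + 60))           # allowed
    out.append(authorise(s, "view-payment-history", t + 60 + 3601))    # OTP too stale
    out.append(authorise(s, "update-contact-details", t + 60 + 3601))  # still inside 8h
    out.append(authorise(s, "change-bank-account", t + 60))            # step up to token
    return out


if __name__ == "__main__":
    for d in walk_through():
        print(d)
```

The design choice worth noting is that `authenticate` only ever raises the freshness of the level reached and everything below it. A later password-only logon therefore cannot silently refresh a stale OTP or hardware-token level, which is exactly the mistake a single "logged in / not logged in" flag makes when one credential fronts services of differing sensitivity.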

However it is important to reconsider the value of a separate government system from time to time, particularly if the commercial world is heading in a different direction.
