Submission to government re Digital Strategy for Aotearoa

This morning, I sent a submission to DIA's Digital Strategy for Aotearoa team. Thank you to members and councillors who informed this response. To participate in the process for future submissions, please join the society.

Here is the text of the submission:

Thank you for the opportunity to comment on the discussion document Towards a Digital Strategy for Aotearoa and the wider digital strategy policy area. I write as Chair of the New Zealand Open Source Society Inc., a charitable entity registered under the Charities Act 2005. Our registration number is CC42367.

The aim to create a strong, digitally-enabled society is laudable. However, we believe that the proposals place too much trust in systems that will undermine the overarching aim: "Enabling all of Aotearoa New Zealand to flourish and prosper in a digital world".

The COVID-19 Contact Tracer App demonstrates that the public sector has the capacity and capability to develop applications that meet operational requirements while using an open-source model and being privacy-conscious. This is an encouraging example. Please continue to place people, rather than technology, first.

Here are our recommendations:

  1. Consider technology to be strategically important

    Technology must be more than an operational matter. To achieve the strategy's aims, ministers must accept that technology is something that they should bother caring about. Technology is now ubiquitous in every industry. Electronic devices now provide the basis for the majority of human interaction.

    It is easy for ministers to hide ignorance by declaring that decisions relating to technology are matters for officials, technology vendors, and the socially awkward. To fully embrace the strategy that you have proposed, politicians must claim leadership in this area and recognise that tech is a matter of strategic significance.
     

  2. Be wary of shiny things

    Software projects are costly. Rolling out digital services is notoriously difficult to do on time and within budget. In the worst case, they're expensive to procure, expensive to create, expensive to run, and expensive to wind up. And then there's the political fallout.

    Although the marginal cost of digital service delivery is negligible -- it doesn't take too much effort to store a submitted web form -- it can still incur large, unexpected operational costs.

    When vendors become essential to delivering public services, the public's ability to hold government to account is weakened. Employees within private sector is not subject to the Public Service Code of Conduct. Their senior leaders are not hired by the State Services Commissioner. Perhaps most importantly, they are not subject to the Official Information Act 1982. When responsible ministers are asked questions about poor performance, suddenly everything becomes an "operational matter" or is brushed aside as "commercially sensitive".

    Using a digital-first operational model can dehumanise interactions with government. It entrenches differences that exist within our society relating to financial deprivation and tech literacy.

    This isn't to suggest that the opportunities presented by the digital era do not exist. However, as stewards of the public's money and trust, the public service should be critical of large technology vendors promising to achieve efficiency and effectiveness gains.
     

  3. Build from re-usable components

    Software procured by government should be open source, unless there is a compelling reason for it not to be. Among many other benefits, the open source model allows frictionless sharing of resources between agencies. It also goes some way to minimise the risks of vendor lock-in and vendors becoming insolvent.
     

  4. Use local hosting

    Data and application hosting must be local. This provides the highest level of assurance that New Zealand's public services are being delivered by companies subject to New Zealand law, that pay New Zealand tax and are responsive to New Zealand requirements.
     

  5. Resist the urge to build the panopticon

    2021 has not been a great year for data security. Technologies that are common in the private sector, such as invasive analytics and user tracking, are unnecessary in the context of public sector digital service delivery. Although they provide some surface-level satisfaction, they require more compute resources and reduce the service's overall responsiveness.

    Placing people first means creating applications that are accessible to the widest number of users, load quickly and perform their intended function well. It does not require a dashboard that enables officials to inspect how individuals have used the application.

    It is possible to conduct digital service delivery in a way that meets operational (and statutory) requirements without exposing users to data breaches and other forms of unnecessary risk. At times, this means designing services that might never upload personal data to the central server. At times, the government must be content to deprive itself of data that it would prefer to collect.

    As soon as something becomes implemented within software, it becomes very easy to instrument and monitor. Dashboards are attractive and easy to build. This poses significant risks. The public sector's many agencies are very attractive targets for malicious actors.
     

  6. Resist building on platforms built by others

    A Facebook account should not be required to interact with the government. Building services on top of platforms hosted by others, even platforms that are very popular, presents a huge risk to personal, cultural and national sovereignty.

    The document uses the phrase "digital tools" very broadly. Yet, "digital tools" are not created equally. Many New Zealanders rely on services that are built to serve the needs of the services' customers: advertisers. They are not designed to primarily serve their user and/or subscriber base.

    Please avoid creating government's services on top of systems that are not built to serve user interests.
     

  7. Make the strategy's indicators more measurable

    While it's extremely difficult to measure outcomes, it's still important to that the best possible indicators are chosen. To choose one area where we have particular expertise, open-source software is the pre-eminent model for developing software, yet no indicators measure its adoption within technology projects funded by the public sector.

Over the last three decades, the New Zealand public sector has largely embraced a model of digital service delivery. This has primarily been driven for efficiency reasons. It's much cheaper to ask someone to submit a form online than for that same form to be processed by a person sitting in a back office. This mindset places officialdom first. We would like to see interests of the public placed first.

Thank you again for the opportunity to comment on this important matter. The New Zealand Open Source Society welcomes the opportunity to engage in further dialogue.

Ngā mihi nui,

Tim McNamara
Chair, NZOSS Inc.
https://nzoss.nz/