National Technology Officer - UK Web Site

Jerry Fishenden's Weblog Archives - Nov 2005

Nov 29 2005, beyond the blame game

Computer Weekly have run my OpEd piece today - currently online at Beyond the Blame Game. This looks at the issues surrounding so-called "IT project failures". To understand the real root causes of high-profile project failures requires a greater analysis and understanding of the way in which high-level government policy is interpreted and executed as it passes down the chain of command. Unless we can find a way of better articulating the way in which technology and business can interact to beneficial effect, we seem likely to continue to see failed IT projects and associated public service change programmes that frustrate both providers and users.

Nov 22 2005, Open XML and standards

Today sees the significant announcement that Open XML is being submitted to the ECMA and ultimately ISO to become a formal open standard. Open XML is used by Microsoft Office and in the next release, (Office 12), it also becomes the default file format (rather than the existing Office binary files).

As a result of this move, everyone will be able to save their files in a format that is a recognised open standard. This will help to meet the wider needs of electronic document records management and national archive requirements. Adaptors will be made available for earlier releases of Office (back to Office 2000) to ensure that users can continue to exchange Office documents without any loss of the high degree of interoperability that has long been taken for granted.

I’ve been highly supportive of this decision throughout all the discussions and thinking that have led up to this moment. Many UK public sector organisations and individuals have been asking about our thinking on XML, the Open Document Format (ODF) and what our response would be. The result is I believe the right one: it enables anyone with existing Microsoft Office documents to move them forwards into the open world of XML without any loss of fidelity or content. This has been the main constraint of ODF: it can result in large amounts of information being lost, given that ODF is a relatively new and unproven format and reflects the current state of play of Open Office rather than Microsoft Office.

This is the culmination of a long journey. As a company, we championed XML very early on and have natively supported its use in Microsoft Office since the 2000 release. I also think that the differing nomenclature between “Open Document Format” and “Open XML” is revealing: ODF emphasises the importance of the “document” which I think is a mistake. We have moved on from the idea of static ‘documents’ into a world where the desktop and office tools are as much about interaction and integration with backend systems as they are about writing notes and memos. The importance of XML is that it can be used to move data seamlessly between applications and systems while maintaining the semantics of that data: something that ODF is currently unable to support.

ODF lacks an essential element – support for custom defined XML schema. I find it highly unlikely that any single XML schema is going to meet all the varied needs of governments and businesses. So Open XML’s support for extensible and custom defined schema is an important differentiator too. The Open XML formats were also designed with backwards compatibility in mind – something that ODF does not address, but which is essential when talking about document management, archiving requirements and various aspects related to the legal interpretation of electronic documentation.

This decision to me is absolutely the right one: it meets the needs of our customers and partners in a responsible and mature way. And it’s also a sign of a listening and responsive Microsoft – something that I know is increasingly highly valued.

Nov 9 2005, transformational government and identity

It's been pointed out to me that there's a certain irony arising from my blog entry of Oct 31 2005 (learning from others):

... we need to ensure that [identity information] is maintained in relevant domains that limit the potential impact of any compromise. Moving to a system that no longer restricts identity thieves to a single aspect of our identity gives rise to serious concerns about the scale of the problem that could result. It would be in the UK as if we suddenly decided to hinge all of our identity relationships with Government off of a single number - National Insurance Number (NINO) for instance - rather than ensuring we keep different identity relationships separate. For example, we would not want access to our medical records or other sensitive information to be accessed using the same identifier that provides us with a service to report a faulty street lamp to a local council. Identifiers should be appropriate to their context and for the purpose for which they are being used.

Using a single identifier, such as NINO, also opens up other potential vulnerabilities - since such a common identifier used indiscriminately across all services would enable the likes of service providers to build up a profile of individuals across all their activities. Social engineering (such as the bribing of insiders) and the professional (and incredibly well-funded) criminal hackers would be able to digitally hijack citizens' identities for access to government services - and hence potentially to cause significant identity theft on a scale not seen before.

Given that the new Transformational Government document states the following:

[government identity management solutions] will converge towards biometric identity cards and the National Identity Register. This approach will also consider the practical and legal issues of making wider use of the national insurance number to index citizen records as a transition path towards an identity card.

I'm not comfortable with what on face value appears to be an equation that says joined-up government requires a single, widely known indexation key. We know this is not the case: the UK Government Gateway, which came out of recommendations from PA Consulting, enables a single online credential to be used across all government services - without requiring a single public domain omni-directional identifier. It preserves the existing identity domains that exist in government. The USA has been trying hard to escape from the folly of the widespread use of the Social Security Number (SSN) for completely inappropriate purposes, including its use as a student ID number - inappropriate uses that have caused countless identity thefts and abuse of public services.

I'll reiterate something else from learning from others:

The adoption of a single electronic identifier removes the traditional segmentation that normally provides a bulwark against unlimited compromise of our identity. Perhaps an analogy would paint a clearer picture here. Imagine a ship or submarine that has been carefully designed with a series of water-tight compartments. In the event that part of the vessel is holed and lets in water, that area can be sealed and the damage carefully contained to that one section of the vessel. Without such segmentation, the entire vessel would flood and sink.

This is not to deny that there should be an informed debate about whether some of the existing government identity and information domains need to be correlated more effectively (the most obvious being benefits and taxes) - I wrote on Oct 7 2005 (public sector IT projects and the “blame game”):

Look ahead for example at the type of flexibility we will require in the administration of public sector services in the future. We know that the current idea of a fixed retirement age and associated pensions regime is under enormous pressure. It seems likely that the model will change to one where retirement will happen as a gradual process and over a longer time period than at present. Those of my own generation may well find themselves only semi-retiring at first, maybe drawing part-pensions but still also partly working. The demands this will place on our currently functionally silod systems of taxation, benefits and pensions will be immense if we do not both reform the business processes and the IT systems to support the flexibility that is likely to be required.

Such changes do require us to examine the ways in which information (and identity domains) are structured. But we ignore or break principles that contribute to successful identity systems at our peril. There also seems to be a certain irony in that PA Consulting, who came up with this model that ensures collaboration and joining-up across government services can take place without breaching security domains, now appear to be the main consultancy working on the UK ID Card programme.

I'm not clear why their thinking about identity appears to have changed so dramatically over the past few years - and in a way that seems (from information available in the public domain) to be a retrograde step.

Nov 8 2005, is IT entering the mainstream (... at last)?

Yesterday's FT leader was a good step forwards. It synthesised several points I have made previously on this blog and elsewhere:

the need to recognise that IT project failures are actually business transformation project failures (see public sector IT projects and the “blame game”)
the need for the Government's Transformational Government to enter the mainstream and break outside the trade press (see transformational government)

Referring to a year's delay in the implementation of the new NHS booking system, the FT comments:

... these are management, not IT, failures ... Nothing, however, better illustrates the fact that these huge investments in public service reform are actually about IT enabled change, not IT itself.

This is welcome progress indeed. It would be useful when post-mortems take place in future of "IT project failures" that they examine this wider context, or we'll continue to see lessons failing to be learned and the same mistakes made time and again. I hope the likes of the National Audit Office and the Public Accounts Committee reflect this in any future reviews of where "IT" has succeeded and failed.

Referring to the Transformational Government strategy, the FT goes on:

... the government's slim strategy document last week offers grounds for hope. Since the arrival a year ago of Ian Watmore, the government's chief information officer, the Cabinet Office has ceased to bark (largely unheeded) orders about IT at Whitehall and the wider public sector. A council of chief information officers from across the public sector has been brought together which appears to be turning into a group of people who can help and learn from each other, and want to do so.

With this strong team in place, I believe that IT itself will be more strategically managed and co-ordinated than in the past. The challenge now is to ensure that the management and project processes are also addressed. Let me close with another quote from the FT:

This remains a strategy, not yet a set of results. It will require consistent political, as well as managerial leadership to get these projects treated as business change, not IT. Yet the departure to pensions of John Hutton marks the fifth change in ministerial oversight in a year. His successor needs to grasp what is needed and be around longer. Otherwise more teacups will be broken and more projects will fail.

Nov 7 2005, responsibility and privacy

The recent public comments by Brad Smith are a further indication of the maturing of the IT industry. In case you missed it, on November 3rd, in a speech delivered to the Congressional Internet Caucus, Brad Smith (senior vice president and general counsel for Microsoft), told members that “the time has come” for a strong national standard for privacy protection that will benefit consumers and set clear guidelines for businesses while still allowing commerce to flourish. Brad set out three reasons why he believed this to be necessary:

an increasingly complex patchwork of state, federal and international laws related to data privacy and security
the potential for consumer fears about identity theft and other online dangers to dampen online commerce (and I'd include "online government services" in that area too)
the increasing consumer desire for more control over the collection and use of online and offline personal information

In the context of the wider issue of identity, identity theft, ID cards, privacy and security that we've been debating in this blog and elsewhere, ensuring we have a common approach and a model on which digital identity is based is something responsible technologists have been arguing for some time - witness the laws of identity for example. Brad also went on to comment:

“We’ve seen a spate of legislative activity in the aftermath of several highly publicised data breaches, but for consumers, the reality is still pretty daunting. They do not necessarily have a better experience and in many cases still do not clearly understand how companies are collecting, using and disclosing their personal information in the first place. We have to make this more transparent and manageable for consumers.”

Whilst of course the situation with regard to data protection and privacy is somewhat different in the UK (and indeed the wider EU), these issues are relevant to our discussions of the recently published Transformational Government strategy. We know that the growth and professionalism of online security threats are beginning to impact confidence in the Internet as an information, research, communications and commerce resource. This will impact the drive for online public sector services as much as any others.

Citizens need a way to manage their profiles and activity online and the development of a reliable digital identity system is one part of addressing privacy challenges. Such systems need to have strong privacy protections and simultaneously provide much more citizen control online. Equally, we need to recognise the reality enshrined in the "7 laws" that no one provider or technology will dominate. Identity exists across multiple domains and the authentication information and personal information shared needs to be relevant to the domain and context in which it is used. For example, it is unlikely anyone would want to use a credit card for authenticating themselves when filing their tax returns to government. And in any case, to do so would involve a degree of data sharing between government and the financial industry that would break down the security and privacy domains that currently help ensure any breach of security is limited only to the identity domain in which it occurs.

These are interesting times for identity, security and privacy - and I welcome the increasingly public and responsible way in which the debate is now beginning to happen. It is long overdue.

Nov 6 2005, transformational government

The long-awaited strategy for "Transformational Government" came out this last week. It's positive to see Jim Murphy participating in an online blog at Ideal Government. Along with some other enthusiasts, I posted a few initial thoughts as a contribution to this welcome online interaction, which include the following:

It’s very positive to see an open discussion and dialogue taking place in this way. I’m still reviewing the detail of the document, which overall takes a positive and aspirational tone and approach. It’s good to see a clear marker like this being set down that we can focus on.

A few immediate observations in the interim:

I think it would help make the strategy concrete – and give it some clear outcomes to aim for – if it set out some scenarios (or “a day in the life of”) to illustrate the way public services will be working at various points in the future. This is not only useful to help ensure that the necessary step changes can then be mapped and worked on to deliver those outcomes, but also to help engage a wider audience than the “techie” one in understanding the significance of this strategy and the impact it will have on their lives. This is not just about IT and that message needs to be clearly communicated.

on which point, perhaps we could ask the industry as a whole to temporarily set aside our natural competitive instincts and support the Government in running a few open showcase days where we really show the best highlights of IT-enabled transformation projects that have already happened? This would help open many eyes to the art of the possible and also help the debate include a far wider audience.

to help drive through significant cultural change of the type implied by the strategy, I believe the Civil Service risk/reward model will need changing (based on the recognition that all too often rewards drives behaviours) to help encourage and support the transformation required. So-called “IT projects” are fundamentally major business change projects: and often it is the change programme itself at the root of the problems that can arise.

One key problem we can witness already. I have not seen much (if any) mention of this document in the mainstream media. If we want IT to truly be recognised for the transformational change agent it can be, then it needs to break outside the silos of the technical and trade press. This will be a key test for this document, the strategy that underpins it and the success of its realisation.

One of the reasons I have suggested some kind of cross-industry event to showcase the reality of projects that have brought about transformational change is so that the mainstream media, politicians, senior civil servants and policy-makers and indeed the general public really begin to understand the role that technology could be playing in making the UK the best place to work, learn and live. We need to think in new ways: why not, for example, have interactive exhibits at events such as the Ideal Home Exhibition?

We need to bring alive the ways in which technology can be a great ally in the ongoing reinvention of the UK and our future prosperity. And (as I have made clear before) we should also be responsible enough to point out the shortcomings that technology can have - and the role of our wider society in deciding where, how and for what purposes it is used.

Nov 1 2005, announcing .... "The Public Awareness of Technology"

I've written before about how we need to find new ways of communicating technology issues to a wider audience. Technology surrounds us everywhere and helps to simplify and improve the quality of our lives - but very few people understand what makes it tick. Very few people understand what technology is good for - and equally, what problems it can cause. There needs to be much more informed discussion by society in general - across the media, politicians, policy-makers, the industry itself and the general public. And as technologists we need to raise our game to make that happen - in the same way that the science community has worked hard at improving the quality of understanding about scientific issues and the way they may impact upon our lives.

It is not for technologists alone of course to decide what is "good" and "bad" for us: we need to be part of a wider, more inclusive discussion. And to do that, we need to set aside our jargon, to find a language that can better communicate with others and to stand up and be honest as much about the negative aspects of technology as we are about its positive and beneficial aspects.

So today I want to formally launch this programme with the aim of sparking debate and progress on these issues. My intention is to help ensure we achieve much greater comprehension and discussion of technology issues. Whilst the National ID Cards debate in the UK has become the main point of discussion recently about the need for far better understanding of technology (and how it can be badly or well designed), this is only one part of a much wider debate that now needs to take place.

I'll start today with a simple example aimed to illustrate the types of issues that I would like to move into the mainstream of public debate - in order that better-informed decisions can be taken by society about how we want to use technology. Let's start with RFID tags (RFID stands for Radio Frequency IDentification - see we're back into jargon straight away...). So to quote from Wikipedia:

An RFID tag is a small object that can be attached to or incorporated into a product, animal, or person. RFID tags contain antennas to enable them to receive and respond to radio-frequency queries from an RFID transceiver. Passive tags require no internal power source, whereas active tags require a power source.

So an RFID tag is basically a small radio transmitter with emits a unique identifier. The idea is that these tags will soon be found fixed inside or onto all sorts of things - clothing in shops, food packaging, cargo containers and even items such as our next generation passports. RFID tags can help to remotely detect and track any item onto which they are placed - which is obviously useful for things like stock control, inventory checks, and, with e-passports, validating that the paper contents have not been fraudulently tampered with (and even to help establish that the passport is genuine). So far so good. All potentially positive and beneficial aspects of a new form of technology that could make aspects of our lives easier and help reduce crime, fraud, bureaucracy etc.

But talking at the Global Border Control Technology Summit in London earlier this year, Frank Moss (Deputy Assistant Secretary for Passport Services, U.S. Department Of State) commented:

"Be prepared for surprises. I certainly was when I found out that e-passport chips [RFID tags] could be read at distances well beyond the 10 cm range found in the ICAO specifications. That was only one of the more recent unexpected events I have encountered as we have moved from the concept of biometrics in passports to the reality."

This raised alarming scenarios for the U.S. team. It is not too great a stretch of the imagination to foresee the long-distance broadcasting of passport information being a major security hazard. It would make it possible for example to identify who in a group of tourists possessed a passport of a particular nationality. Given the times in which we live, it is not hard to also imagine terrorist bombs that would detonate when someone of a particular nationality walks past with such a passport in their pocket beaming out their nationality as they go. Of course, with the benefits of this experience during trials, this is hopefully not now likely to happen (in fact, I understand e-passports are likely to contain some kind of "shield" to prevent them being intercepted at a distance in this way). But this example does highlight how technology can have unforeseen side effects. Other issues still remain a concern with RFID technology - for example, in an ideal word e-passports would only respond in the first place to authorised passport readers - not just anyone who happens to have an RFID transceiver. It is this type of topic and information that we need to communicate clearly and honestly so that we can have an open debate and ensure the best possible technology policy and implementation decisions are taken as a result.

I'll be developing a wide range of themes about the good, bad and ugly of technology over coming entries. But for now, let's look at the way Frank Moss chose to finish his presentation:

“I would like to make a plea to those of you in this room who represent biometric vendors. As I asked at the beginning of my remarks, please do not oversell your technology. We are still dealing today, 4 years after 9/11, with the unrealistic promises made by the biometrics industry concerning reliability and scalability. As I said to a senior technologist from one of these vendors, it is much better to “under promise and over deliver.”

Quite. These are not games we are playing here with these systems. To earn respect, the IT industry needs to be shown to be giving good, honest advice - even if sometimes this is advice that the recipient does not want to hear, or which admits to failings in technology as readily as we admit to its good points.

In developing this Public Awareness of Technology initiative, it is not just our communications and language and outreach that needs to be more inclusive, but we should aim to be more open and honest too about the good and the bad of what technology can really achieve. But this is a two-way street of course: in order for technologists to feel capable of talking freely and honestly in this fashion it requires others, particular on the purchaser side, to understand the concept of 'critical friends' - and to react positively to such honesty and to embrace it.

It sounds as if the Passport Services in the U.S. Department of State have learnt this lesson. Hopefully it will be learnt elsewhere too.