Monday, September 29, 2014

Is government paying enough attention to privacy in its mobile apps?

Australian internet usage has just reached a tipping point, with more Aussies accessing the internet via their smartphones and tablets than via laptops and desktop computers.

This has been reflected in web usage statistics, with several agencies I talk to reporting that they now receive more of their website traffic from mobile devices than from desktop and laptop computers - particularly when excluding their own staff from the statistics.

There have also now been over 500 mobile apps designed, commissioned or reused by Australian government agencies and councils to deliver information, access services and report issues, including 69 apps from Federal agencies, 80 from Victorian government agencies, 22 from Queensland government agencies and many from local councils around the country.

There are even a few notable games, such as the ABS's Run That Town and Victoria's MetroTrains Dumb Ways to Die.

As a result there's an increasing need for agencies to pay attention to how they design mobile apps to ensure they meet appropriate accessibility and privacy standards.

The latter part of this, privacy, was the subject of a recent study and guide from the Office of the Australian Information Commissioner (OAIC) - Mobile privacy: A better practice guide for mobile app developers.

The guide reported that privacy was a key consideration for citizens, with a 2013 study by the OAIC finding that 62 per cent of Australians opt not to use smartphone apps because of concerns about the way personal information would be used.

The guide also mentioned a similar study in the US by the Pew Research Centre in 2013 that found that 51 per cent of teenage app users had avoided certain apps over privacy concerns, and over a quarter had uninstalled an app because it was collecting personal information they did not wish to share.

Now that's all fine when Australian governments are designing apps properly.

However the OAIC took part in an international 'sweep' on mobile app privacy back in May. As part of this the OAIC examined 53 popular free iOS apps, with a focus on apps produced by or on behalf of Australian businesses AND Australian Government agencies.

The OAIC found that a significant number of these mobile apps did not meet Australian privacy law requirements.

‘Of particular concern was that almost 70% of the apps we looked at failed to provide the user with a privacy policy or terms and conditions that addressed privacy prior to the app being downloaded’, Mr Pilgrim said.

The OAIC also found that almost 25% of the apps examined did not appear to have privacy communications tailored for a small screen.

Only 15% of the Australian-developed apps the OAIC examined provided a clear explanation of how they would collect, use and disclose personal information, with the most ‘privacy friendly’ apps offering brief, easy to understand explanations of what the app would and would not collect and use based on a user granting permission.

I'm sure the OAIC has privately fed back information to agencies on how their apps failed to meet Australian privacy law, and that actions are underway to rectify this.

Other agencies and councils that have developed, are developing or have partnered with commercial mobile apps also need to be aware of the risks they are taking on if they don't adequately meet Australian privacy law.

Under the updated law that came into effect earlier this year, penalties for government agencies and corporations range up to a million dollars - making the omission of a privacy statement or use of user data without clear permission quite an expensive proposition.

Hopefully agencies are aware of the OAIC's report and are ensuring that user privacy is taken into account within their mobile apps.

If not, I hope we see some high profile examples to ensure that other agencies change their behaviour.


Thursday, September 25, 2014

Civic hackers, government's hidden allies - an interview with Mark Headd of Accela

This is the fifth in a series of interviews I'm doing as part of Delib Australia's media partnership with CeBIT in support of GovInnovate. I'll also be livetweeting and blogging the conference on 25-27 November.

For some people helping government use technology to better serve the public is their job, for others it’s their passion.

Mark Headd is firmly in the latter category.

Mark began his career as a government professional with a Masters in Public Administration working in New York’s state government in the late 1990s.

He fell into the technology sphere by accident, becoming interested in the burgeoning internet and how it was impacting society and government.

After stints as a policy advisor to the Delaware State Governor and then the state’s CIO, Mark left government to start a new career as a programmer.

He taught himself how to code and worked as a software engineer for ten years.

Then, in around 2008, Mark came across Apps for Democracy, entered and won a prize and was hooked.

The competition reinvigorated his interest in government and how to leverage the skills and passion of people outside it to help.

He went to work for Code for America as Director of Government Relations, assisting governments to craft open data and civic participation policies and advocating for civic innovation.

Then Mark went back inside, working as the Chief Data Officer of the City of Philadelphia, developing and implementing an open data and government transparency plan for the city.

His latest move was earlier this year, to Accela, where he currently works as a Technical Evangelist, working with civic hackers to help governments improve how they operate and govern.

Mark told me that his biggest learning from the civic hacking movement in the United States was that there are lots of people out there who are interested, talented and want to help.

“They want to help because they care about their communities, not necessarily because they love particular governments. The sheer number of people willing and able to help is often surprising to public servants.”

Mark said that technology development and adoption are often difficult in government, “we are increasingly reaching a point where governments will implement technology in different ways.”

He cited the example of in the US, where after a disastrous launch the President reached out to the private sector to help.

Mark says that governments often find that in the civic hacking community they have a hidden partner outside of government that they’re not aware of.

“However to take advantage of this governments must handle data a little differently, engage a little differently”.

Mark says that “it’s never been easier to make software or work with data, so more people are looking to government for access to these to help.”

In Mark’s experience, accessing this outside help shouldn’t be left to the technology or ICT teams, “these types of units tend to be internally facing, focused on serving the needs of other parts of government. There’s often not a lot of experience in these groups for engaging with external individuals and groups.”

He says that the first thing a government needs to do to get out of its own way is to involve people experienced in external engagement.

“Engaging with civic hackers is simply engaging with a different cohort of citizens.”

Mark does believe there are some risks that governments need to mitigate when engaging these groups, but they aren’t insurmountable.

“There’s always the risk that a partnership won’t go well. However governments already have lots of risks that they have sound frameworks for managing.”

He said that the risk he most often heard was “how do we ensure we don’t release data that we shouldn’t release”.

To do this, Mark says, “ask other governments what they’ve released and their experience of what is most used.”

“There’s already agencies releasing data around the world, so the best way to mitigate a data risk is to find out what others have done and use their lessons learnt.”

He said that governments need to think about what data they want to make available and have used.

“Start with data that is already public but is malformed – such as in a PDF report or other format difficult to reuse. Once an agency has experience in these areas and infrastructure built to support it, move on to other data.”

In Mark’s view releasing data isn’t the end goal, “I believe that governments need to start thinking about their role in the civic technology chain.”

“If you ask a government IT employee they often self-identify as a builder, they build things that people use.”

“Governments need to realise that their role is changing. They will build less and become a platform, a steward, of the data that other people use to build things for the public.”

This sounds like a big shift, but as Mark pointed out, it’s no bigger than what we’ve already seen in the last ten years.

“If you had described to a government official ten years ago that it would be impossible to deliver services to the public or do their job as a public servant without the internet, they would have laughed at you and not believed it.”

“We’re in the same boat today – when you tell a public official that they won’t be building services for the public, instead releasing the data that allows others to build those services, many simply don’t believe it.”

Mark believes political leadership is important to foster open data and what lies beyond it.

“Politicians need to realise that people are going to get the data someway, somehow, so it is better to use it as an engagement tool and to build trust than to try and lock it down.”

He believes media criticism of government activities is going to happen anyway and that the potential for innovation and economic development far outweigh the short-term risk of people criticizing government.

“All around the world we see governments making announcements that they are committing to the open data movement. We also need clear measures to evaluate whether they are meeting their own commitments, something we can count.”

Alongside open data Mark believes that there’s room for discussing government procurement processes, particularly for buying and developing software.

“The issue occurred at a time when websites were easier to build than ever before. It was a real eye opener for people that the most powerful government in the world couldn’t do what a group of kids in tight jeans could do.”

“So we’re now having a really interesting discussion about how government could procure and develop software better.”

Mark says that we’re still in the early days for civic hacking and governments need to be prepared for a far more engaged future.

“Look at an event like GovHack, which has grown enormously over the last few years. We know events like this are going to continue to grow and they are going to want more data.”

“What governments can do to prepare for that is to think about what data they can release and what can they do to leverage the interest to their own benefit.”

“That’s a huge opportunity for government. Let’s use the months before the next GovHack to figure out what data people want and use it to get some benefit for agencies and the public. How can government participate as a full partner?”

He identified there was a trend towards more specific hack events, on topics such as health and transport.

“This is a really good way for governments to get more focused participation on topics of concern to them.”

“The products and end results coming out of these events are very tangible to public officials, such as a transport app. I’ve literally been at events where teams will present a finished product and government officials will say I get it now, I understand.”

He believes that as more of these targeted events are held, we’ll reach a tipping point where people running operational units in agencies understand how products and services can be derived from the data their agencies hold.

Mark said he was looking forward to presenting at GovInnovate to share some of the US’s experience with open data and civic hacking.

“I don’t know if people in Australia are aware of what is happening at state and local levels in the US. That’s where a lot of the really innovative work is happening.”

You’ll be able to hear more from Mark at GovInnovate on 25-27 November in Canberra.


Wednesday, September 24, 2014

Infographic: Australian government agencies and councils have now sent 2 million tweets and have 3.9 million followers

I've been tracking the active Twitter accounts of Australian government agencies and councils for over four years now.

In February 2013 I reported that the number of tweets by government agencies and councils had reached one million in January of that year, and eleven months later in November 2013 I reported that the number of tweets had exceeded 1.5 million.

At the time I predicted that it would take a shorter time to reach two million tweets from 1.5 million than the eleven months it took to reach 1.5 million from one million. I then predicted that the two million tweets level would be reached around 2014.

I was half right. It was faster to reach two million tweets - taking only ten months - however by my count it wasn't reached until this month, September 2014.

Given I'm sure I've missed a few active accounts, and I excluded deleted and decommissioned ones, I'm comfortable with a two month margin of error.

Many of the numbers have more than doubled since January 2013. Agencies are tweeting three times as frequently and the total number of followers has increased 2.22 times.

To celebrate the occasion, I've created an infographic of the key numbers (below), as I did at the one million milestone (compare it with the one million tweet infographic, which is here).

You can view my raw figures and analysis in my Google spreadsheet and I'll provide more information and analysis in coming weeks.


Tuesday, September 23, 2014

What penalties are there for agencies and individuals who breach government security and accessibility policies for websites and online channels?

I regularly hear stories from people in government agencies and councils about how their organisation isn't meeting mandated security and accessibility requirements for their websites and broader online presence.

Often this is because there's insufficient time, money or a lack of understanding of the mandated requirements by either the business owners or the vendor doing the work. I still remember an experienced developer at a web development company claiming that in his ten years of working on government websites he'd never understood that accessibility was a legal requirement.

Sometimes I can understand and accept these reasons. 

Ministers set deadlines, as do real world events, and this can constrain the full process of testing the security and accessibility of a website.

Equally some campaigns are spread across different channels, and the budget allocated to online doesn't always allow for the best possible outcomes - or there's some 'bling' requested by senior management that eats the budget of the project very quickly. Again these can make it difficult to find the money to do any necessary testing and adjustment. 

In a few cases I get told that security or accessibility was simply "not important" to senior management, the business owner or the ICT team/vendors doing the work. 

These cases I could never condone, and it did affect my public service career when I stood up to senior people who held this attitude - even when I 'won' the point and was able to ensure websites were delivered to government-mandated minimum requirements.

This last group still worries me - and I've heard several new stories in the last month along the same line.

The fact these people are still around is disheartening, and raises a major question for me:

What penalties exist for agencies or individuals who deliberately go against the government's mandated policies and standards for websites, on topics such as security and accessibility?

I'm not aware of any public servant ever being investigated, sanctioned, retrained, demoted, moved or sacked after making a decision to ignore or water down website requirements.

In fact I can recall a few times where they were promoted and rewarded for their work in delivering outcomes cost-effectively and quickly.

Of course there are potential legal ramifications for ignoring both security and accessibility requirements - however it is generally the agency that takes on this risk, rather than the individual who exposed them to it.

In some cases the individual may not even have been the business owner, or has moved on to a different role, even a different agency.

This type of behaviour is generally picked up and addressed when an individual breaches finance, procurement or HR guidelines.

I'd like to see the same apply for websites - the front door of the modern government.

Whether a federal agency or local council, you serve citizens through your online presence, and putting them at security risk, or creating sites that a significant proportion of your audience can't access by not meeting mandated standards and policies is simply not on.


Monday, September 22, 2014

Aboriginal and Torres Strait Islanders are more likely to use Facebook than the general Australian population

I've witnessed indigenous communications teams in government agencies dismiss the use of social media in indigenous engagement out of a belief that indigenous Australians prefer face-to-face communication and that those in remote communities had significant access issues to the Internet.

While these two views may be true, it's good to see some actual research on the topic by the McNair Ingenuity Research Institute.

As reported by SBS and in BandT, the Institute surveyed four-hundred Aboriginal and Torres Strait Islanders nationally on their media habits.

The results found that Facebook use by this group was twenty per cent higher than the national population average.

Lead Survey Researcher Matt Balogh said that typically across Australia 42 per cent of the adult population had a Facebook account, whereas 68 per cent of Aboriginal and Torres Strait Islanders living in metropolitan areas of the capital cities used Facebook.

In regional towns, 61 per cent of Indigenous Australians used Facebook and in remote communities it fell to 44 per cent - still above the national population average.

Due to poor access to desktop computers and broadband, the research found that most remote users relied on mobile devices for Facebook access. As a result, Balogh said to BandT, “Indigenous Australians living in remote areas are having a completely different experience of social networks and the Internet than mainstream Australia”.

So if you're engaging with Indigenous Australian audiences, don't dismiss social media.

The research is ongoing, so expect more insights in coming years.
