The Digital Transformation Agency (DTA) is meant to be the Government’s shining beacon of making things better with technology.
Instead, they have a long list of failures, from paying google to harvest government data, to abandoning cloud storage projects and dumping possibly sensitive source code into the public domain.
You have to ask, if the DTA is meant to be the Government’s leading technology agency but has such a dismal record, what hope do they have of implementing the infamous Digital Identity Bill?
Transcript
[Fechner] I’m happy. No opening statement. Thank you.
All good. Thank you. Senator Roberts, you have the call until 11:00 PM.
[Roberts] Thank you, Chair.
And then I’ll cut you off.
The Digital Transformation Agency has concluded an enterprise deal with Google in respect of Google Analytics 360. The Digital Transformation Agency charges Australian government agency websites for their Google data, which I assume is a cost-recovery exercise. How much are you paying Google for this service? Either 2021 actual or 2022 projected, please.
Thank you for the question, Senator. So the Google Analytics service is actually put in place to ensure that we actually have good information on the utilisation and feedback of government services, so it provides for the continuous improvement of our government activities. I will need to –
[Roberts] So what does it cost?
So we have our Head of Procurement here, Michelle Tuck. Can we take that number to find out what the actual costs are for Google Analytics?
[Tuck] Take it on notice?
Take it on notice.
[Roberts] Thank you. Google can obviously see all the data that you can see. After all, they just sell it back to you. On a normal private website, Google would be able to see identifying information for the website, visitor or entity, being IP address, device identification, sign-in If they are logged into Chrome, etc. Google would then store that data in the data file they already maintain for that entity. Google’s data file does not include names, but it does include locality, age, gender, employment, purchases, interests, travel, search and web history, and much, much more. Are Google adding data about private citizens who use a government website to Google’s own data records?
Senator, I’m happy to seek advice on that, but the actions of Google and those particular activities would be a subject to Google and any prevailing laws.
So, it’s quite easy for them to harvest the data because nothing precludes them from doing so?
Senator, there are aspects of data, so the DTA generally refers to the digital components of these. There are some specific data areas and they’re subject to PM&C, so potentially that question could be referred to PM&C.
Are we able to get them on notice from you?
If it’s an issue for PM&C, Senator, I’d say it would have to go on notice for them.
Thank you. Now let’s change topics to the Federal Government’s style guide. This will interest the chair. Recently the Senate rejected the use of gendered language and sent the style guide back for review. Who instructed the Digital Transformation Agency to de-gender language in the style guide?
Senator, the style guides have actually moved to be the responsibility of the Australian Public Service Commission. You need to refer those questions about the use of the style guide to them.
Thank you. So I’d have to ask them for a hard copy of it?
They’re responsible for the management of the style guides.
Okay. So let’s turn to cloud.gov.au. This was an attempt, as I understand it, to create a single standard for cloud storage of data, including websites across the whole of federal government. Did I get that right?
That was the original intention.
Okay. Original. Okay. This project was shut in 2021. And the source code for this web standard was put into GitHub, which as I understand it is a repository for code, freely accessible, where anyone can download it. Could a hacker learn anything about what could be in use in federal government websites and data servers, based on the information that they can freely obtain and contained in the GitHub files?
So Senator, the purpose of cloud.gov.au was to produce a safe and secure, and freely available to government entities, access to cloud services environments. As that capability has progressed, it was clear that the market was able to provide those services and the intent behind the security has been largely replaced with other components that we have, such as the hosting certification framework, which accredits cloud service providers to make sure that the controls that are in place for those services sit with government, so we have protections about where that data is stored, how does is transit and who has access to it. So cloud.gov.au became redundant from that purpose.
Yeah, I understand that, but apparently the source code for the web standard was put into GitHub where anybody can access it.
Senator, it’s my understanding right now that the services that are used, or used in that function, are all being decommissioned or moved onto alternative platforms.
[Roberts] But they’re already there on GitHub, which anyone can access.
Senator, GitHub is a repository for code services. It’s not necessarily the code service itself. It’s separate. It is actually the description of the language, and if it’s going into those GitHub repositories and it’s open source, meaning it’s freely available, it really is in public domain. Much of GitHub is actually contributed to by other parties other than government and it becomes a community of development services.
So why was this project cancelled?
Simply because of the transition to highly available public cloud services, the high security associated with those things, and the addition of additional controls, such as the hosting certification framework that added specific controls to make sure that government was clear where government data was stored, how it was actually moved, and where that data was being managed by others, including third parties, that it was safe and secure in those locations.
How much did this undelivered project cost across the project life or the arc, I think you call it, from January, 2018 to September, 2021?
Senator, I can take that on notice. So I commenced on October 13th, so it’s a bit before my time for those specifics.
Okay. So, okay, you and I are both scared of the wrath of the Chairman, so we’ll move on. This is not the only terminal outcome of one of Digital Transformation Agency’s programmes. May I reference the whole-of-government platform’s programme, which was retired. Once again, the source code for the six different projects under this programme was put into GitHub for anyone to download, but you’ve explained that. So my question is the same as before. No, you’ve explained that, that doesn’t matter. What was the cost of the whole-of-government platforms programme across its project arc, or life?
Senator, can I take that on notice again?
[Chair] Last question.
[Roberts] We’re getting there, Chair. [Chair] Last Question.
Okay. myGov is a joint venture between Services Australia and the Digital Transformation Agency. The app is proving problematic at best with a rating of 2.4 out of 5, which is on this graph here, so being less than half, that’s a fail by my understanding. We can see a pattern emerging here. Any attempt to modernise and standardise federal government data formats, storage and handling runs into apparently turf wars and gets terminated. Now we have the Digital Identity, and I’m leading into the question, Chair, now we have the Digital Identity, another of the Digital Transformation Agency’s projects, which will be part of life for every Australian. And in many ways it will enable control of many Australians in their lives. So a rating of 2.4 won’t cut it. How long will it take the Digital Transformation Agency to put in place the framework necessary for the Digital Identity to function at 5, not 2.4? How much will that cost, and what are your chances of success?
Senator, I think I’d like to seek a clarification on that. myGov does not currently have an app that’s in the public domain. They’re currently in a private beta for it. There is no myGov app that’s currently available.
Okay. So come to the question, then, there’s a history of failures going on in this area, digital transformation, how long will it take the Digital Transformation Agency to put in place the framework necessary for the Digital Identity to function at a rating of 5 out of 5? How much will that cost, and what are your chances of success?
So Senator, just again, to clarify, the App Store ratings generally rate the particular functions in there. So the Digital Identity is a framework and it allows multiple providers to go through. Part of that framework allows for the government to have a digital identity, and that’s the myGov ID as it currently stands. There is an app associated with that, and that app is simply about ensuring that people can enrol a Digital Identity for the government. Its actual main purpose is to provide access to safe, secure services through government via that identity in place of providing other digital credentials. So, yes, part of the aspect, but also the stepping up of credentials as well, that sits in that space, Senator.
[Roberts] Thank you, Chair.