LOL, I've heard some bad stuff about the OneGov team, but this is great.
The government started an initiative, later backed out in nearly every aspect of "openness" and hired some Fraunhofer FOKUS people (federal research institute) do code something.
They used a huge JEE app-server as foundation for their work, have not a single test and neither a documentation. When they launched a couple of months ago, their production server went down for 2 days besides their research in "cloud computing" which does Fraunhofer as well. (=> https://govdata.de sources at https://github.com/fraunhoferfokus/opendata-platform)
So, congrats to UK. You're doing it right. Please continue this work and put more stress on incompetent and lazy political actors and "research factories" in other countries, e.g. Germany.
Thoroughly good digital service, especially like the API for sharing content.
I wonder if it's a coincidence that this project appears to be blossoming while almost every large project I saw that was outsource either massively underachieved or was just buried after huge loses (schoolsweb for example).
We were bought in because we knew how to do something, but we won the bid because we simply could do it cheaper than anyone else.
Where it went wrong though, was that even though we knew what to do, once engaged the client insisted on how it would be done and meddled with every part of it.
And the next big failure was our part... our project management team let the client change the requirements frequently even though we told them in no uncertain terms that we were moving from the stated goal and that what was now being asked would not work.
The project management team expanded to deal with the stream of change requests and meddling, and the devs got bogged down with change requests rather than actually driving the project to the project goals.
Finally the project ran out of cash, and what was delivered fitted no-ones needs. It was horrible.
I think the greatest thing that the gov.uk team have been able to achieve is finding the ability to say no when it needed to be said, and to dictate how it should be done right rather than permitting meddling.
It's no surprise that #1 is "Start with needs", and it's less of a surprise that they've had to clarify this is the end user's needs and not the needs of anyone in government.
well done folks - you're leading the world!
- I know Government projects get a lot of flak, rightly or wrongly but they always seemed to be awarded to companies like Capgemini who would spend £100's of millions achieving much less. I could be wrong.
I really hope that because this is associated with the cabinet office other teams elsewhere in govt. can draw encouragement from this team and use it as an example.
Excellent to see the source open and hosted on github. Such code is rarely made publicly despite it not being confidential.
Will the govt. sit up and notice that small focused team with a remit can deliver. Or will the next system change mean a complicated procurment process for a large consultancy who will hive the work off shore to the cheapest sub-contractor and deliver nothing but spend millions of tax payers pounds.
In other words, they hired the wrong guys.
Liam Maxwell and folks at GDS are hitting all the right notes so far.
"And the award goes to boring.com! Government website beats off 100 others to be named world's best design" http://www.dailymail.co.uk/news/article-2310191/And-award-go...
One thing to note is the Open Source software, in guidance handed to all government departments, should be preferred over proprietary software. (link in here somewhere http://www.oss4gov.org/policy_activism)
In addition the "G-Cloud" - a online catalog of pre-vetted service providers, has 80% SMEs on it and a govt buyer can simply sign up online for a Saas service there and then with a govt credit card, legally
I feel that Open Source in government will have serious network effects globally, so getting this right now for the UK could lead to a very long tail / virtuous circle for UK devs in the future.
> Government should only do what only government can do.
uh, what?
Why does gov.uk, a site all about allowing the British public to interact with the British government, use google analytics?
You are shipping all the data about all my interactions with my government off to a third party in another country. Another country that we know has not got the same legal data protection requirements, and one which has now been exposed as having massive internal spying problems.
And no, telling me "google aren't allowed to use the data" and then opening an outsourced helpdesk ticket with another US based company does not cut it.
> If someone else is doing it — link to it. If we can provide resources (like APIs) that will help other people build things — do that. We should concentrate on the irreducible core.
However, again IMHO, tracking casual web use is a different class of data to my interactions with my government, and I very much resent those being sent to foreign companies and (by inference) foreign powers, however benign and friendly our relationship is.
Assuming they listen to your suggestion and act on it as you suggest, it seems the only option open to them is to design their own in-house (In UK for that matter) version of Google Analytics to do their own analysis. Regardless of the cost and time this would add to the project, it's unlikely that it would be anywhere as good as Google's offering.
The other, more likely, option would be to decide it's too expensive to implement a different, more complicated, solution; so they don't bother. They don't get the feedback and analysis on how to improve their services and the customer experience declines until you're back where you started with a poorly designed product offering hard-to-find information and people are posting angry comments on HackerNews about how bad gov.uk is and how they would never run a start-up like that... I'm almost certain someone would say "Why don't they use google analytics to improve things, like everyone else".
Instead, we need to be applauding a massive operation like Gov.uk for taking a dose of reality and thinking, "we're not doing anything amazingly special here, we're providing people with a quick way to check their council tax, or bin collection dates, or maybe pay their car tax. let's just get the job done as best we can."
They could just install Mint on their own servers. Problem solved.
That's not what I want from my government.
--edit-- I also didn't make any suggestions, I would have accepted a reasonable explanation of the legal and technological measures that were in place to protect my data from rampant proliferation through US corporate and government systems.
Instead I got (and this is a direct quote) "We don't allow Google to use or share our analytics data.", and a zendesk reference number. Fobbed off, basically.
And with the zendesk link, now my actual communication with a UK government team is being processed in the bay area.
This is unacceptable.
--edit 2-- Somehow other large UK web-based institutions manage without GA as well. The BBC for instance. Perhaps they could talk to each other.
Yes, yes, yes. The only time we should consider these attitudes is when real keep it from everyone security matters (you know MI5 style security, not pentest security)
And frankly my view on that is now: want to keep a secret? Keep it away from computers.
They wrote back with a non-answer missing the point that they are voluntarily leaking crime victims' metadata to a US advertising company.
A site the size of gov.uk or crimestoppers.org.uk really cannot claim that they don't know how to switch to something like Piwik and keep the visitor data in-house and private.
Before you start the lynch mob, ask yourself this: what on earth can one do with non-person-identifiable data stored on a server?
"Next on BBC - Terrorist organisation finds out too many British people forget to update their MOTs"
That's not what I want from my government.
Be very very fortunate you can even get a somewhat usable site, much less a very user friendly site. There are citizens of the other nations that would kill for easier access to public information.
If you read the first point, it says "Start with needs". They need to be relevant and appear in Google. Google Analytics is simply a tool that helps them do that.
This website purports to be about data. But is it? Seems like lots of rambling about presentation of data.
A true open data initiative would start by providing an ftp link.
People can argue all day about how to present data. That's not about data. That's about something else.
First, just give us the data. Raw. In an open format (e.g. plain text). From there it can be massaged into a gazillion possibilities. Many people have many different visions of those possibilities.
Open data starts with providing the data. Not a lecture about "principles".
First, give us the data. Raw. Open format.
How do we know it's non-person-identifiable? It's certainly clear that the analytics data comes from a set IP address, and when correlated with all the other data that big G collect from all over the web, who knows what can come out of it.
>> Be very very fortunate you can even get a somewhat usable site, much less a very user friendly site.
1. It's not just an information site. 2. Why should Google (and by extension the US government) be informed that I'm looking up (for instance) legal advice, business law or anything else?
Again, this is my interactions with my government being published to another nation.
--edit-- removed accusations of laziness, I'm sure the gov.uk folks aren't that.
No, it's an American company, subject to the whims of the US government.
>> Google has servers and offices in the UK.
Sure does. I have no idea where they process the data though and I doubt the gov.uk folks have. If they did have a guarantee that the data wasn't ever going to leave the UK then maybe they could say so?
>> If you read the first point, it says "Start with needs". They need to be relevant and appear in Google. Google Analytics is simply a tool that helps them do that.
Err, no, google analytics records and transmits site interaction data.
I think that before Snowden most people, myself included, would have thought not using google analytics for the above reasons was paranoia.
Now, I think that all digital data should be treated as public and until we change the law to have a public / private demarcation, we need to accept it and deal.
(I see this as a pollution issue, until we get a clean air act, everyone will walk around with cloths across their mouths)
edit: little less troll like:
We have no framework for digital privacy, and until we see an emergent consensus there will not be one. Here, on this site, we have informed, reasonable people disagree on fundamental definitions of online privacy. So the first step here is to ask, "privacy in the US is based on two things, actions in ones own home are protected by default, and written communications between yourself and others are protected, and publishing is an explicit act"
What do those things now mean in a world of mobile phones, internet and metadata?
We have no framework for digital privacy, and until we see an emergent consensus there will not be one.
Here, on this site, we have informed, reasonable people disagree on fundamental definitions of online privacy.
I am unsure where to begin.
Pretending it's a non-issue and not addressing concerns AND then using an overseas helpdesk service, such that now not only are analytics being sent to the US, but actual communication between a UK citizen and the UK government.
But particularly the latter half.
>> I think that before Snowden most people, myself included, would have thought not using google analytics for the above reasons was paranoia.
Most people haven't been paying much attention then.
>>Now, I think that all digital data should be treated as public and until we change the law to have a public / private demarcation, we need to accept it and deal.
Cool, if that's your attitude to this. Some of us would prefer to prevent our government being complicit wherever possible. They may already be in breech of various regulations and I do intend to be in contact with the ICO soon.
We already have data protection frameworks in the UK and at the EU level. I would like to see them adhered to in spirit, and I would also like to know that someone involved in the gov.uk has at least given this a moment's thought.
They're more and more part of everyone's life and not everyone is of the mindset that it doesn't matter if corporations and governments get to look at every little detail of their online interaction. Car tax, criminal law, the weekly shop at tesco.com ... all going to the profilers.
I know this is happening. I know how to stop some of it. But everyone else?
Personally, as someone who left the UK in the 90's for silicon valley, I'm blown away that the UK government has even heard of the internet, let alone built a decent digital service.
Google analytics for a publicly facing government website is akin to someone watching you walk physically into a public municipality.
I'm glad you're happy to publish all the details of your interactions with government services to an advertising company in another country with far less in the way of data protection law.
I'm not.
Actually it's not even equivalent then. It's more like them recording the conversation you have with the public services folk. And you haven't actually gone there, just called on the phone.
As a proportion of the whole development cost, using either an EU based analytics service or in-house server shouldn't really be significant.
But even before that I'd like to have some indication that someone has actually thought about what they're doing, rather than just stuffed in GA because that's what you do in the private sector.
[1] https://developers.google.com/analytics/devguides/collection...
Even then, the companies aren't really rewarded for doing a good job. They're rewarded for doing a minimal job that barely meets the requirements and using as much money as they can.
That being said, this:
> Even then, the companies aren't really rewarded for doing a good job. They're rewarded for doing a minimal job that barely meets the requirements and using as much money as they can.
...is certainly an issue, especially, as is often the case, where reimbursement is based on hours and the contract amount is a limit, so that the incentive is to assure that as many hours are consumed as possible up to the limit.
Or are you saying instead that you should impose your own personal choice on everyone else?
I'd like an answer to this too from the .gov.uk team.
Ironically enough, their service design manual (which is excelllent and a fantastic resource) has a very good section on analytics tools [1]. Some quotes:
"When deciding which analytics tool is most appropriate for your service, you should consider the following...who owns the data (it should be your organisation!)
Does the solution meet the EU privacy directive and the European Commission’s Directive on Data Protection?
- where is collected data held?
- do data centres meet EU/British data security standards?
- how long is data held for?
- what will happen to the data on termination of the contract- can you export it?
- what access your vendors employees have to your data"
Did they evaluate Google Analytics based on these guidelines?
[1]https://www.gov.uk/service-manual/making-software/analytics-...
The full list of topics in the service design manual https://www.gov.uk/service-manual/browse
They're working on releasing more, plus APIs, etc. It takes time.
Just because I know how to block analytics doesn't mean everyone else has a clue they even exist, nor that we should allow our government to export data about us in this way.
My view is that the spirit of the law needs to be codified for a new world, and it is healthier to have that clear (and so open for debate) than to say someone is violating my idea of what the law should be.,
My starter for 10:
* Privacy is merely a politeness, and does not actually "exist". The expectations of privacy are the expectation for data to not be exploited without our consent.
* All digital communications and associated metadata are made in a public domain, and should have very limited expectations of privacy.
* If digital communication is encrypted, or marked as anonymous, then it should be legally viewed as having an expectatin of privacy and similar penalties applied for interfering with that as with post.
* Any monitoring of digital activity that can be linked to an individual human must be publically acknowledged by the monitoring organisation and the data released / published unless the individual has given consent for identifying data to be stored and processed to that organisation.
Its a thought in progress.
Privacy is the things anyone can work out by looking at me, secrecy is the stuff I actively hide.
The cost of breaching privacy on mass scale has dropped simply because now everyone publishes everything about themselves.
Breaching secrecy is still a manual intensive effort as it eve has been.
This is where we depart. Just because it is a public network does not mean that people somehow naturally consent to monitoring by anyone and everyone, nor that they should have to consent to this stuff. The telephone network is a good example of public and private infrastructure in which one still has the expectation of privacy.
>> If digital communication is encrypted, or marked as anonymous
And what if someone, mostly without notifying us, loads a script into our browser that tracks everything we do and reports back to mother?
This is not a case of people marking data private, nor is it 'digital communication' this is intrusion.
That's your disconnect with reality.
Why should we accept that the government will report everything about it's own citizens to anyone they feel like?
Because it makes it easier for a few web developers? Is that really a good enough reason?
This is where I'm really failing to understand your logic. Your activity is very different from what you converse. If I fill out a web form and that data gets logged, fine, I can see how privacy may be an issue. Unless someone can correct me, Google analytics does not have that capability, it only tracks how you navigate.
If I walk around a public library and check out 6 books and someone follows me around watching me look at 6 books, then again I ask "so what?"
Amazon
Google (and any service under it)
eBay
?
None of them, however, is the UK government unnecessarily leaking details of my interactions across borders.
I'd love to read it.
>> If I walk around a public library and check out 6 books and someone follows me around watching me look at 6 books, then again I ask "so what?"
They compile a dossier on you, including everything you read, all of the shops you go to, food you like. They sell this data to whoever wants it and leak it out the back door to overseas government agencies.
But I guess you've nothing to hide from anyone eh? Good for you.
But that's the point I think he's trying to make: Why is this an issue? If I open up a page on the site that say tells me what the VAT rate is and that gets timestamped and sent to google, why should it matter?
The site is purely for information. They could - as you say - get wind of the fact that I want to apply for a new passport. So what? That (at least in my mind) isn't a privacy issue.
Well, not really, it directs you to portals for various services.
>> They could - as you say - get wind of the fact that I want to apply for a new passport. So what? That (at least in my mind) isn't a privacy issue.
I think it is and I would be upset about (for instance) my library browsing habits being supplied to people as well, particularly if they were based in places with far less in the way of data protection law.
You may as well say "Why would anyone care about PRISM? Who cares who knows I call my mom every week?", yet it's the biggest story around at the moment.
The fact is that the web is not anonymous in its nature. If I browse to a random site I've never heard of, how do I know they aren't using a third party image? If they are, then my IP/Location will be broadcast to that third party.
Well I think they probably have a tremendous budget, and a variety of FOSS or third party (but running in-house) solutions have been mentioned in comments here, that could likely do the job.
>> The fact is that the web is not anonymous in its nature.
It's not really about anonymity though, it's about who the government is (deliberately) sharing data with or leaking data too. I'm not asking for anonymity in who I intend to interact with (UK government services), I'm asking them to think about who they share that data with.
>> If I browse to a random site I've never heard of, how do I know they aren't using a third party image? If they are, then my IP/Location will be broadcast to that third party.
When it is a page run by one's own government, one can have different expectations and even ask for things to be changed not to leak such data. Or at least ask if they've thought about it.
However this is also why I tend to block things like social media buttons, I have no desire for FB or Google to be informed every time I read ... well just about anything online these days.