Kiosk debacle not black and white
Several people took issue with a tweet I posted last night in which I argued that while Work & Income's "leaky" information kiosks were the mother of all privacy risks, it might be time to stop putting the boot in.
So let me explain. First up, no-one appears to be arguing that it is not a good idea to have kiosks in Work & Income offices that let jobseekers check for vacancies and apply for work. It ticks all the boxes, helping address the "digital divide".
Those kiosks should not have had free access to files on the Social Development Ministry's corporate network and should probably never have been connected to it at all.
That they did is clearly a case of human error; someone stuffed up.
The ministry appears to have contracted a company with excellent credentials in the field, Dimension Data, to check the security of the kiosks and other systems last year, but has been evasive about what it was told.
Crucially, it has so far refused to say whether the company's report contained recommendations, which if acted on, would have closed the security hole.
That could be - as blogger Keith Ng has speculated - because the report identified significant risks that were ignored by senior managers and the ministry might be hiding that.
But the report will inevitably come to light eventually through the Official Information Act and things are rarely that black and white.
It is perhaps more plausible that the review into the security lapse will find fault with the ministry, but conclude that Dimension Data's report may not have been properly acted upon because it was not quite that explicit, or was not looked at by senior staff sufficiently removed from the day-to-day running of the project to view its contents objectively - or both.
Japanese-owned Dimension Data is very well qualified to perform security audits having acquired a top Kiwi specialist in the field, Security-assessment.com, in 2008. But could it have been overly "diplomatic" in presenting negative findings to an important government customer?
This is largely speculation - but if there are useful lessons to be learned from the Winz debacle, one may be that government departments need to make it clear to consultants that no harm will come to them if they "spell out" critical findings and that there is no need to sugar-coat them.
The other may be that such independent security audits should at least be eyeballed by a top executive, even if they might not be sufficiently au fait with technology to understand all the details and nuances. It should not be a case of "going through the motions".
It seems implausible that anyone senior at the ministry would have turned a blind eye, had they had the full extent of the risks properly spelt out to them. If they did, they will no doubt suffer the consequences.
The Government's somewhat ham-fisted response to the security lapse has politicised the incident, making it more likely that the planned review will become an exercise in blame distribution.
Internal Affairs Minister Chris Tremain yesterday arranged and then cancelled an interview with Fairfax to discuss whether the incident might impact the target of shifting 70 per cent of 10 common transactions online by 2017, which he had announced in August. When pressed, he indicated through a spokeswoman that any change would be contingent on the outcome of the reviews under way.
It was left to Prime Minister John Key, later in the day, to confirm that he viewed the security lapse as an "isolated" incident that would not affect the target. That was a steadying message the Government should have aimed to get out at least 24 hours earlier.
The contents of the Social Development Ministry's files are so sensitive they could certainly have been used to blackmail or commit fraud, but so far there appears to be no evidence that this has in fact happened. That is just as well, as the cost and time involved in verifying or (worse) reconstructing the ministry's records from scratch may well be astronomical - and the latter simply impractical.
The plain reality is the Government and the public may just have to assume "no harm done".