Raising Hell: Cracking COVIDSafe: Part 3: Standard Issue
In which we are confronted with the limits of FOI laws...
Who was responsible for calling the shots on the production of the COVIDSafe contact tracing app? When were these decision made? What were the ideas that informed them? These were all questions I had hoped to answer by reading the DTA’s emails only the agency was going to charge me $750 for the privilege.
I thought my FOI application had been simple enough:
To be fair to the DTA, I had asked for a lot of material and I expected most searches would turn up nothing. Asking for any emails regarding COVIDSafe from Randall Brugeaud or Dr Anthony Vlasic was a longshot, as they likely had assistants and there were other, unnamed, points of contact who handled logistical matters. Still, the correspondence between the DTA and BCG promised to shed light on how and why critical decisions were made, either in the apps creation or when the company’s contract was extended. Item number six was also of particular interest for what it may reveal the level of understanding the developers had about the technology they were working with.
There a strong public interest in this material owing to the way a government tech-project had been so heavily outsourced — a decision that was not unusual given current trends. A 2017 report by the Australian National Audit Office (ANAO) found BCG alone had raked in $77 million under the Abbott and Turnbull governments, though this was a fraction of the total $47 billion those administrations had spent peeling of tasks and handing them over to the private sector.
When the figure was first reported, its size was so alarming — for comparison Turkmenistan in 2018 reported a GDP figure of USD $40.76 billion — a parliamentary inquiry was called on the issue. Over the course of its short lifespan, that body would hear how there was no real tracking mechanism for work outsourced to the private sector. A separate submission from the Department of Prime Minister and Cabinet explained how an ideological cap on public service sector hiring that was designed to “shrink government”, ended up making it more expensive for the government to bring on new staff.
Speaking specifically about management consultancies, the submission said:
“A large percentage of suppliers of Management Advisory and Information Technology services market themselves as providers of “Consultancy Services”. The challenge for agencies is to ensure that sufficient processes and systems are implemented to ensure that all consultancy procurements are reviewed in line with the Department of Finance guidance, and are reported accurately on AusTender. This will be a particular challenge for small agencies.”
The inquiry, however, would never go on to issue a final report as it shutdown with parliament ahead of the 2019 federal election and would never be booted back up.
In many ways that election would prove significant in the creation of the COVIDSafe app. The pandemic may not have happened yet, but federal Labor went into that electoral contest with management consultancies like BCG in their sights. Among their list of promises was a commitment to wind back the outsourcing of public services — particularly to consultancies — to the tune of $2.6 billion. If these firms were worried, in the end it would prove a false alarm. When the Coalition government was re-elected, this time under Scott Morrison, the consulting industry celebrated.
Since then, the current iteration of the Coalition has let rip. Another report by ANAO — that has since had its funding cut at the 2020 budget — found in March this year that $64.5 billion had been handed out to the private sector in 2018-2019, including $1 billion in contracts for IT support. More significantly, the same report found half the money had been been given away without any sort of competitive tendering process, meaning a small group of incumbents dominated:
“It remains common for a relatively small proportion of suppliers on a panel to be awarded the majority of contract value when the panel is accessed. There are also indications that some panels are being accessed after their reported end date.”
The dominant wisdom within governments — conservative governments in particular — holds outsourcing saves money by making these services lean. An appearance by DTA’s own Randall Brugeaud before a senate estimates committee in late October 2020 offers a working demonstration of how this thinking fed into the creation of the COVIDSafe contact tracing app:
In short: the DTA had only twelve people working in the team that built COVIDSafe, forcing it to contract in BCG and its subsidiaries to pick up the slack.
It is not an original insight to say this is bad practices. Over in the UK, critics have pointed out the ever-increasing reliance on outsourcing encourages a form of rentier capitalism by setting up a perverse incentive for the private companies vying for each contract. Because these companies think of each new contract as an individual asset, the most prized people within these organisations are those who can obtain new government contracts — not those who actually deliver them.
Moving from the private to public, the issue with outsourcing goes beyond the usual conversations about waste and the delivery of lower-quality public services over time. Every layer of government activity shaved off and outsourced made it that much more difficult to find out who made decisions and how those decisions were made by pushing those activities beyond the reach of disclosure regimes like Freedom of Information.
COVIDSafe provides a good working demonstration of this. When the app’s existence was first announced the DTA refused to release any information — especially the name of the company developing the software — to the media. It was only when all the decisions that mattered had been made that the public learned the detail. At that point, it was no longer possible to influence the outcome. Even now, with the app having fallen to history, privatisation and outsourcing limits what questions may get answered in public to, more or less, a pre-prepared list of talking points.
Unlike government agencies, private corporations are not subject to Freedom of Information and are often protected under disclosure regimes where they contracted in to do work for governments. During third party negotiations, a company will usually find some basis to shoot down an uncomfortable application. One Administrative Appeals Tribunal decision from 2015 shows how. When an application was made to get hold of software used by the Australian Electoral Commission to count votes was refused, the Tribunal set a troubling precedent. Even though there may have been a real public interest in knowing how the votes that underpinned Australian democracy were actually being counted, it came down hard in defence of the company’s commercial interest:
“The Tribunal is satisfied that the evidence establishes a potential for the diminution in commercial value of Easycount to the Respondent as owner of it, if disclosure of it were required. The possibility of it arising is not irrational or absurd and it is tangible because Dr Tridgell accepted that there were benefits to seeing the software and although he and other reputable software competitors, may not use it, some others might well do
Further, he agreed that even if it was not copied and used by him and others like him, he would benefit from seeing it for its “road map”. The necessary inference from this is that although not directly copied, it would allow application of some tangible benefit to work he or others in the industry did. This necessarily in our view diminishes the value of the software because it reduces a competitive edge that the Respondent currently has.”
What became known as the Cordover decision set a precedent that has since worked to stop even basic software being released — a situation made worse by the overuse of confidentiality clauses in government contracts. The Auditor-General has consistently tracked the use of these clauses across regular reports. While things have been getting better — with just 3 percent of contracts in 2015 found to rely on confidentiality clauses — among those contracts sampled, only 19 percent were reported correctly by AusTender and 48 per cent still had inappropriate or pointless confidentiality clauses inserted into their terms.
It’s at this point outsourcing and privatisation veers to the anti-democratic. Governments are not perfect, but built into their operations are systems for public disclosure and means for the average person to have an input into the decisions that affect their lives. Where there is enough political will, it becomes possible to review a department’s work, fault-find and fix a mistake with a degree of certainty.
Outside a leak from a company employee or a court case, bringing in a private company is an excellent way for a politician or bureaucrat to shift the risk of bad press. Handed off to a third party contractor, the public is left with a few lines of marketing copy and promises from a company official that any problem has already been addressed by the time its been discovered — assuming anyone even acknowledges there is an issue in the first place.
Firms like BCG are keenly aware of the environment of their operating environment. In their account of what happened during the scandal with ANU, the company pointed to “client confidentiality” to explain why they had “reminded” their employee to be careful about what they said about the app in public. Secret keeping, after all, is all part of the consultants service — as they were only to happy to acknowledge. When I contacted the company, I had threw in an additional question about confidentiality agreements. The spokesperson responded with the rhetorical equivalent of a shrug: “confidentiality clauses are a standard requirement of the Australian Government procurement panel arrangements under which we were engaged.”
Everything I had learned at this point provided a certain context to that $750 bill I had from the DTA to obtain documents.
Having consulted people who know about these things, I put together a simple plan: pay the deposit to keep the application running and as soon as I had a receipt for transfer, send through a follow-up email appealing the charge.
Over a weekend, I wrote a six-page letter asking for an internal review of the decision to slog me for access. There I outlined — with some precision — why I thought the charge should be waived or substantially lowered. Along the way I made a series of arguments relying on the provisions of The Freedom of Information Act 1992 (Cth) and The FOI Guidelines. I had two points: 1) on the information available the decision was wrongly made and 2) the charge should have been waived or lowered on public interest grounds. To support this, I relied on a number of authorities:
Section 29: That lays out the rules around applying charges.
Section 29(5): That says a charge may be waived or lowered in cases of (a) financial hardship or (b) public interest grounds.
Paragraphs [4.5]-[4.7]: These outline how a charge should, on balance, be levied and provide support for saying that the decision to impose a charge is a matter of choice by the department and should not be used as a deterrent to access the documents.
Justin Warren and Department of Human Services (Freedom of information)  AICmr 16 (1 February 2018).
I cited paragraph  of this decision to show I could pay the deposit on the charge to allow the application to proceed while also asking for an Internal Review of the decision. I later cited another paragraph from this decision to support my point that charges are purely discretionary and don’t have to be applied:
The FOI Guidelines explain that the decision to impose a charge is discretionary. A charge should be accurate, should fairly reflect the work involved in providing access to documents on request and must not be used to unnecessarily delay access or discourage an applicant from exercising the right of access conferred by the FOI Act.
Justin Warren and Department of Human Services (No 2) (Freedom of information)  AICmr 17 (1 February 2018).
I cited this case for this paragraph laying out what is considered a reasonable time to spend considering different types of documents:
In previous IC review decisions, it has generally been accepted that between 30 seconds per page, to five minutes per page is a reasonable estimate of the time required for an agency to assess and edit documents, except where the documents contain a substantial amount of sensitive information.
When I was done, I printed the letter as a PDF, attached it and sent it off. Then I waited — though it wouldn’t be long before decisions started coming back on my other applications. These would — thankfully — prove far less stressful and far more fun to think about, mostly because they involved the nation’s intelligence community.
Cracking COVIDSafe is a feature series made in association with Electronic Frontiers Australia. It aims to highlight the importance of Freedom of Information as an essential tool for holding government to account while helping to teach people about the process so they can do it themselves.
The journalism published by Raising Hell will always be free and open to the public, but feature series like these are only made possible by the generous subscribers who pay to support my work. Your money goes towards helping me pay my bills and covering the cost of FOI applications, books and other research materials. If you like what you see share, retweet or tell a friend. Every little bit helps.