Raising Hell: Cracking COVIDSafe: Part 7: "Ongoing Continuous Performance Management"
In which we ask to speak to the manager and call time...
It had been a blissful few months since I had to think deeply about the COVIDSafe contact tracing app — and then came the headline: the government has spent roughly $6.8 million to date building a contact tracing app that had only found 17 unique cases, with $100,000 more being siphoned off each month in hosting costs.
The last I left it, the feds had been working hard to block every attempt I made to obtain documents through Freedom of Information (FOI) that might show how state health authorities had been using the much vaunted app. When it came down to it, South Australia delivered and we learned that the multi-million dollar tool that was meant to cure the pandemic was apparently of such little help, the state didn’t even have a complete draft of the operating instructions on file.
Then came the senate estimates hearing last month where DTA chief Randall Brugeaud appeared to give an update on where things stood. In short, the app had entered a holding pattern. According to Brugeaud it had so far cost the government $6,745,322.31, inclusive of GST. Of this, $5,844,182.51 had gone towards building the thing, and $901,139.80 was being spent to keep it alive. Each month another $100,000 was chucked on the tab to cover hosting costs.
When challenged about whether that was good value for money, given that the app had found just 17 unique cases of Covid-19 in New South Wales, Brugeaud said he didn’t have the numbers for other states because it was against the law for him to know:
“There has been a variety of evidence provided in different committees in relation to the use of the app. It was very much a choice for each jurisdiction as to how extensively they made use of the app. The 17 we talked about was the number we have been provided by NSW Health. Minister Hazzard made reference to that. There is the potential for many more cases to have been identified, but we don't have information on usage. It is explicitly prevented under the legislation for us to be able to see that.”
On top of this basic update on the current state of play, there had been several small developments in my ongoing war of attrition with the DTA. Towards the end of 2020 I had put in several FOI requests in an effort to unpick other aspects of the development. Most of these were just fishing exercises and came back with nothing useful:
A request I put in on 5 October 2020 for the “email(s), meeting minutes or briefing documents” used by any employee of the DTA to outline or brief the Boston Consulting Group (BCG) and Ionize in their work was refused on the grounds the documents were covered by a confidentiality clause.
I had put in another request on 9 October 2020 asking for a list of all third parties consulted as part of processing FOI 199/2020 and a copy of any contemporaneous notes, emails or other summaries that may establish what that advice was in order to determine whether material was “relevant” or “not relevant”. This too was refused on the basis the documents did not exist or would breach the confidentiality agreement.
An application on 4 December 2020 for the results of testing performed of the Google-Apple API framework. A partial release was granted on the basis the document had already been released under FOI.
On 20 November 2020, however, I asked for a copy of the Key Performance Indicators (KPIs) or those parts of the contract with BCG that contained the KPIs, for work performed on the COVIDSafe contact tracing app. I did this for a couple of reasons. The first was to get a sense for what the companies who were contracted in had actually been required to do for their money. The second reason was tactical. If it was possible to identify the section of the contract that contained them, it may then be possible to argue that release of a portion of the document would not violate the confidentiality of the entire document.
The answer that came back was interesting:
In other words, there was no metric to assess the performance of BCG during development and it was enough that their guy turned up consistently and attended meetings. It seems that along as the work got done, the contract was satisfied — a detail which raised a few questions about the agency’s repeated insistence before the senate that it was happy with the firm’s performance. Not once, it is worth remembering, did the agency’s head honchos explain how they arrived at that conclusion.
But Wait, There’s More
A few months later, on 15 March 2021, yet another twist came with a letter to my inbox announcing the agency was backing down. At the very beginning, the impetus for this entire series was a $753.13 charge the DTA wanted to slug me for access to documents that may shed light on the proper use of public money. Even when I challenged this, arguing the agency should waive the fee on public interest grounds, the agency stuck to its guns, demanding $721.93 for what ended up being three documents.
To get around it, Electronic Frontiers Australia graciously fronted me the money to keep the application on foot and over the course of 2020, I appealed the decision right on up to the Office of the Australian Information Commissioner (OAIC). At that point I simply figured it would be years before I saw a result, so you can imagine my surprise when the DTA said they would had the money.
Their reasons for this were fairly succinct:
Naturally, I had questions. Mostly: what the hell?
Not being familiar with this part of the process, I consulted those who knew better and the consensus seemed to be that, when faced with the prospect of a formal review, the agency had backed down. To anyone looking on, it was pretty clear they had been using the charge as a deterrent. Before any official decision could be made, which would inevitably lead to a published decision somewhere that would make for bad optics, they took the chance to give me a refund. Once I accepted, it meant, at least in the eyes of the law, the original decision had never been made.
Naturally I took their money, immediately handed it back to Electronic Frontiers Australia and filed a complaint with the OAIC.
The End?
With it likely to be a year or two before the outcome of this process is known, this will be the final instalment of CrackingCOVIDSafe. Between my other commitments, I’ve begun work on a few other projects and I’m ready to take a stab at something new. Any new updates will be incorporated into the regular newsletter and announced on my Twitter feed.
To close out this series, I feel it is worth offering some general thoughts and observations about COVIDSafe. This series has been about teaching people to use Freedom of Information and pulling apart the construction of the app, but I also think it has revealed something much deeper about how our present government operates. Looking closely at the “machine that built the machine” has offered a window into a parallel world. What we find is a government and bureaucracy resentful of even basic notions of transparency and democratic participation in the creation of public goods, dominated by an uncritical faith in technology’s ability to solve everything from climate change to sexual consent, and totally in thrall to a globe-trotting caste of consultancies whose basic business model is to bleed public purse.
From the beginning I said I did not believe anyone involved with the creation of the app had deliberately set out to mislead or rort the system. I stand by that statement. The failure of the app to punch through owes much to positive thinking — of the smile or die variety — as it does to the self-organising nature of the whole screw up.
What we have is a project where responsibility had been distributed across an array of competing institutions with bad incentives and internal controls that offered individual participants nothing but positive reinforcement right up to the moment the app went public. Once it went live, the only thing that mattered was the optics. With so many prestigious careers on the line, there was no way anyone was going to admit the app billed as a solution to the pandemic was a dud.
Based on information obtained both on and off the record, I can guarantee those directly involved with the development process believed both that they did a great job and also have no real idea what they are talking about — and why would they think anything different? There were no noticable screw ups along the way. There were instead a series of discrete tasks, mostly carried out by low-level employees across several separate institutions who had no top-level view of the entire project. Meanwhile, their very well-paid senior managers, upon having drawn up the contracts, really only had to sit back and check in once in a while to make sure there was something to deliver by deadline. Job done.
This is hard to parse for those of us on the outside who have been looking for some form of logic. It is hard to shake the belief someone on the inside “must have known”, but then what we’ve seen in CrackingCOVIDSafe is the extent the entire project was set up to blur responsibility. No one knew because the whole show was set up to stop any one person knowing.
All of this only underscores both the importance of and the limits to FOI laws as a tool for public inquiry. As a government tech project, COVIDSafe has been cloaked in a layer of secrecy that is, as we have learned, entirely unnecessary. Had it not been, the outcome would have been very different. This is what makes FOI a critical tool that levels the asymmetry between the public and various layers of government — yet it only goes so far. Thanks to a legislative failure to refine FOI laws to better pierce the secrecy of the corporate world whenever it contracts in to run a public service, any overly status-conscious government can shield itself from scrutiny through outsourcing, strategic use of confidentiality clauses and by relying on the bureaucracy to gum up the works.
Left unchecked, there is little else that could be more corrosive to public faith in government institutions — though the response among those of us who care about such things should not be to give up, but rather to double down. We should care about this stuff, and we should demand better, especially as what happened with COVIDSafe now appears to be happening with the vaccine rollout. We need to be asking more questions, filing more FOI applications and making more demands of those who claim to represent us.
This series, as a rough how-to guide (or in some cases, a how-not-to) for those who want to start making their own FOI applications, has been my way of helping to encourage this. Down the track, I plan to run similar projects thanks to the ongoing support of my generous subscribers. There are also organisations working in this area and pushing for reform like Electronic Frontiers Australia, OpenAustralia Foundation’s RightToKnow and Transparency International. I would encourage others to seek out their work and support them where possible as the only way any of this changes is if we keep pushing, together.
Cracking COVIDSafe is a feature series made in association with Electronic Frontiers Australia. It aims to highlight the importance of Freedom of Information as an essential tool for holding government to account while helping to teach people about the process so they can do it themselves.
The journalism published by Raising Hell will always be free and open to the public, but feature series like these are only made possible by the generous subscribers who pay to support my work. Your money goes towards helping me pay my bills and covering the cost of FOI applications, books and other research materials. If you like what you see share, retweet or tell a friend. Every little bit helps.