What does ‘system update required’ say about Labour’s IT?

As part of the ‘drains up’ undertaken after the 2019 General Election, a coalition calling itself Labour Together undertook a review of what went wrong and, as part of that review, commissioned an organisation called the “common knowledge co-op” to look at Labour’s IT and its management. They produced a report called “System update required” (original | mirror). What did it say? I think this is important, but, like so many learning opportunities that challenge power and the bad behaviour of the powerful, it seems to me to be dramatically under-valued.

When I first read it, I was outraged. I hoped to summarise it in a sensationalist fashion to see if I could interest someone who might pick it up and make things better. What I have written is not that exciting and I suspect little will change because the Party doesn’t have the knowledge and experience and today is led by people who care more about their control and position within the Party than they do about winning an election and becoming a government. I mean, they’d be happy to be in Government but it’s more important to them that they control the Party.

In summary, the report says portfolio management was unacceptably poor and not accountable to the highest levels of management, although they too didn’t have a clue. There weren’t enough IT staff and the more numerous IT management layer wasn’t good enough. The report makes no mention of ‘requirements management’, nor of any benefits analysis tools to allow an understanding of the effectiveness of the software applications provided. Labour’s voter ID/GOTV software is no longer the best. Local adoption of the IT tools is low, partly because of poor commitment to training, partly due to a high turnover of local activists and partly because the Labour machine didn’t care.

In more detail,

  1. Portfolio management of the applications was unacceptably poor, i.e. there was no strategic ownership of the portfolio or its elements, and the owning divisions and their heads did what they wanted, including damaging the capability of other parts of the organisation. Much of this is down to dreadful talent management and probably factionalism. Factionalism will have affected staff selection, IT priority management and funding programmes. The report makes no comment on the effectiveness of the “requirements management” process nor on how the role of “senior user” in the project teams was undertaken.
  2. There weren’t enough software engineering staff. The management were unable to scale the organisation appropriately as the 2019 election began; they had failed to do so for the Euro-elections. The contractor culture and poor management experience have led to poor documentation. The lack of documentation also inhibits user adoption, training and staff take-on. No effort was made to leverage Labour’s talented membership in systems development.
  3. Labour no longer[1] has leadership in the doorstep/campaigning apps and these, it would seem, are no longer considered a competitive advantage; many progressive parties use either open source or third-party programs to do this work. (I argue elsewhere and frequently, including below, that one should only build software where the organisation’s functionality is unique and gives competitive advantage.)
  4. Local, i.e. CLP, digital adoption is weakest where it’s needed. Data quality, i.e. the contact rate, is correlated with party membership and strength. Famously, when David Miliband stood down from South Shields the contact rate was alleged to be under 5%; the Party has been much more careful about releasing the information since then. Many of the IT tools are not used by local parties. Some/many regional staff were not appointed for their IT (or even campaigning) skills.

That’s the end of the summary, you can skip more of my précis by going to the Gaps & Lessons section of this post.

Tools and portfolio management

Labour’s tools are designed as point solutions to single problems and the ‘ownership’ of these systems is/was allocated across at least three divisional heads. There is no single IT strategy and the Heads of Department often refused to co-operate with each other. An attempt was made to bring these competing managements into alignment, to the extent that a consultant produced a report which envisaged a strong central IT function, but this failed due to senior management’s fear of the power of the fiefdoms. This was compounded by an inappropriate appointment as Director of IT[2], who might have been expected to make this work but didn’t. While applications were owned divisionally, staff were not. There are/were too many managers with no clear chain of command on a decision.

The managerial contention frequently led to constituencies and regional staff being denied access to critical campaigning tools, or to permissions being delayed and deadlines missed, in some cases because key staff members were on holiday. The report documents unprofessional interpersonal rivalries as the motivation for some of these delays.

At best, the Labour Party’s compliance with the GDPR is often used as an excuse or reason for denying people access to the tools. This has led to ineffective design and use of the tools. Data protection law does not forbid giving campaigners access; it requires that access be limited to what each role needs and that the basis for it is documented, which is exactly what a roles and responsibilities register would provide.

IT staffing cadre and sourcing

There have never been enough development staff. In the summer of 2019, between the Euro-elections and the run-up to the general election, there was one software engineer, i.e. the Labour Party had one developer responsible for seven tools accountable to three divisions. The report recommends that a cadre of seven would be more appropriate. The staff shortage and the use of contractors have led to inadequate documentation, which inhibits maintenance; both bug fixes and new functionality are too slow to arrive. The lack of documentation also inhibits user adoption and training.

The take-on of temporary staff for the 2019 election was too slow and was inhibited by the previous hiring freeze. The Director of IT also left the organisation during the election campaign; this can’t have helped scale the organisation to what was needed. This financial policy, i.e. the hiring freeze and the delayed staff take-on, almost certainly affected the result.

The 2019 campaign failed to take account of and use the vast pool of talented volunteers, unlike in 2017. This is exacerbated by, or due to, the Party’s paranoia about control and secrecy. The code is, at least, held in git repos but volunteers are not given access. There may be good reasons why not: theft of code, or misuse and theft of data. These are separate risks, though; giving volunteers access to the source need not mean giving them access to live member data, and the two can be controlled independently. The report recommends, and I agree, that more should be done to energise and utilise the skills and experience of Labour’s membership. They point out that the advantage such code would leverage, Labour’s unique ability to motivate a large number of volunteers, cannot itself be stolen.

Adoption

Digital adoption is weakest where it’s needed. The answer to this is training, an open source/train-the-trainer culture, and documentation that works. (I say that an all-members bug database is needed, together with an effective trouble-ticketing system with time-to-fix service levels, i.e. effective incident and problem management and help desk functions. The long-term inadequacy of Organise, a tool being replaced by an off-the-shelf package, is unacceptable. I write about the data protection risks of a broken membership system elsewhere on this blog.)

Gaps and Lessons

The party needs an IT Governance policy/strategy and needs someone to drive it and ensure it’s useful and meets the Party’s needs. It needs sponsorship from the NEC. I would adopt COBIT as it avoids inventing one, people that understand it are easy to find and I have seen it work exceptionally effectively. One of its central tools that will help Labour, and any other organisation, is the mantra Plan, Do, Check, Act (or Adjust), where plans are written down. All projects and operational processes need to be approved and checked against the planned benefits. This doesn’t happen in the Labour Party.

Making the point that they had a divided management structure and more managers than coders is cute, accurate but easy. What is the ideal ratio between developers and their managers, operations staff (and their managers), policy people (including Governance, Compliance and Regulation) and procurement/finance people? This will vary according to a number of factors, perhaps those I explored in Software Programme Management on LinkedIn, i.e. it will depend on the importance of the system, its planned volatility, and the maturity of the code and base technology, but I am certain that having zero GCR people can’t work. (See also this article on LinkedIn by me.)

Reading the report makes me ask if the tools, i.e. applications, Labour has are the tools we need. No-one questions whether the tools are the right tools. I had not heard of Turnout, and while I had heard of Impact, no-one in our CLP is interested in using it. We do what we’ve always done. No-one is asking how effective doorstep work is. Let’s remember that Leave won the referendum without it!

Each project needs a business case that states the expected business benefit and each project needs to be evaluated to ensure that it still delivers as expected. (If possible they should be tested if only on paper, against the second best alternative.)

The development/acquisition strategies must take into account the skills market available, not just in the short term but also in the longer term. The use of widely adopted technology will ease the recruitment of staff and volunteers. The most important application of this principle may be to the user interface: borrow or implement common UI conventions and metaphors rather than inventing them. It may be that Android is the most common user interface in use amongst Labour’s members and supporters; whatever the case, Labour should not be investing in UI design. Despite this, I believe that stopping the use of Nationbuilder[3] may have been a mistake; it had funnel management capability which could potentially be used to encourage supporters or even voters to become more engaged, and it was designed to act as a volunteer management and engagement package. It does not meet my “buy what people use” slogan, however.

Labour, and indeed everyone, should only build for competitive advantage; no-one should adopt a package and then change it[4]. For instance, we no longer[5] have leadership in the doorstep/campaigning apps and these are no longer considered a competitive advantage; many progressive parties use open source or third-party programs to do this work.

Labour needs to develop as if open source, so that user-authored applications can be easily incorporated.

Recommendations

I now try to briefly explain their recommendations although their words are admirably brief. They recommend slimming down the number of managers[6] and having a single plan[7] which is shared and understood and committed to.

  1. They recommend hiring more staff, most importantly software engineers who can make the code better. They have some weak words on having a strategy and say nothing on requirements management.
  2. They state that a Digital Roadmap is required which is generally available.
  3. There should be a collaboration capability to allow collaboration by the broader membership, for bug fixes and even user authored apps.
  4. They recommend that Labour de-commit from Experian and build an alternative system based on local knowledge for voter id and social media targeting.
  5. Ensure everyone who needs it is trained, that documentation is available and that trouble ticketing works and is transparent.
  6. That appropriate access permissions are granted; this would involve a roles and responsibilities register.
  7. A common casework tool for all our public officials might be sensible so the Party can track issues although there are data protection issues here. They propose that contact creator becomes real time to avoid over contacting supporters.
  8. They recommend broader GDPR training; in my view a complete rewrite, the policy is designed for control and neither compliance nor operational effectiveness are considered.
  9. An availability tool should be made available so all potential users know what to expect.

[1] There’s a couple of citations in this para on P16.

[2] See page 10/11 of the report.

[3] This product charges on the basis of the database size; I wonder how much this was the motivation for leaving it rather than a skills shortage, reliability or a weakness in meeting its business case.

[4] https://www.linkedin.com/pulse/software-programme-management-david-levy/

[5] There’s a couple of citations in this para on P16.

[6] The redundancy programme did not achieve this goal.

[7] This was clearly not the case in 2017. …

Some thoughts on IS programme management

I wrote a note on information systems programme evaluation and management on my linkedin blog. It considers business value vs reliance and observes that this technique permits the management of software products to have different governance policies, that measuring competitive advantage is hard, that IT strategy must be aware of business strategy which will drive the build vs. buy decision together with other project management decisions. Importantly it decries the practice of buying and adapting a software package. These ideas were first taught to me by Dan Remenyi. …

More consequences of Labour’s cyberbreach

The Labour Party can’t issue the ballots for their internal elections; they claim it’s a consequence of the cyber-breach last October.

The Party seems to have attempted to create a replacement membership database by updating its mail manager system and presumably adjusting the feeds, although much of the functionality previously offered is no longer available and the feed from the financial system is now days or weeks out of date. We should note that the membership self-administration tool is also now not available. From observation, the mail manager is slowly dying. It is known to be inaccurate; there are errors in terms of who it considers to be a member, their addresses, and their payment status.

The Party plans to replace this recovered system with an off the shelf package[1] from Microsoft. At the moment we are advised that it is unlikely that local party role holders will get access to this until next year.

Until then we have to use a database known to be inaccurate. From observing presumably NEC-authorised actions, it seems to be considered accurate enough to select councillor candidates and run trigger ballots. Procedure Secretaries have been told that they may not override the membership system even when variances are well known and provable. I question whether this is legal, as it breaches the duty to be accurate and not to automatically profile people.

What seems to be forgotten is that data protection rests on seven principles: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability. Often too much or too little attention is paid to integrity and confidentiality, and issues such as lawfulness, fairness, transparency and accuracy are forgotten.

They are running selections and triggers on data known to be inaccurate. This isn’t right.

This has taken nine months to get here. While culpability for the breach may be questionable, not having a recovery plan, or not funding one, is the fault of the Labour Party and thus its NEC. CEOs have been fired for less.

Why was there no recovery plan? Did they do vendor due diligence on the member centre hosting provider, and did they keep it up to date? Is there a risk register? Has the NEC or the risk committee approved the mitigations? In fact, what is the NEC doing about IT risk? Is there a DPIA on reusing the mail system? Is there a DPIA on reusing the SAR tool? Is there a DPIA on using the social media scanners they use? When will we get a data protection capability that protects members’ data from bad actors rather than from themselves?

Nine months failing to recover is shameful and unprofessional. NEC members should be asking why it has come to this and determine if they, through their inaction, are in fact culpable.


[1] This I consider to be wise, although they will need additional software modules to support Labour’s unique processes, such as donation monitoring. Although it seems they plan to customise the UI 🙁 …

A note on Data Protection Officers

The Data Protection Officer role was revised by the GDPR and the member state implementations. Here is a reminder for those that need it.

Article 37 states that a controller or processor must designate a DPO if it is a public authority or body, if its core activities require regular and systematic monitoring of data subjects on a large scale, or if its core activities consist of large-scale processing of special categories of data or of data relating to criminal convictions and offences.

A DPO may work for multiple companies, but Article 38 requires the DPO to be adequately resourced and supported.

The DPO must be appointed on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks specified in the GDPR Article 39.

Article 38 states that the DPO must be involved in all issues which relate to the protection of personal data, be properly resourced to perform their duties and to maintain their professional expertise, not receive instructions on the conduct of their duties, not be dismissed or penalised for doing their job, and report directly to the highest level of management.

The tasks of the role are defined in Article 39: the job is to inform and advise the highest levels of management and staff on their obligations, to monitor compliance including the assignment of responsibilities, training and audits of operations, to advise on and monitor data protection impact assessments, and to cooperate with and act as a contact point for the supervisory authority, in the UK the ICO.

I have used the EU text as the source of my summary; it is reproduced below ...

This post was originally posted at linkedin.

The 7 Principles

When evaluating data protection laws and enforcement appetite, one sometimes needs to refer to the 7 principles. These derive from the OECD Guidelines agreed in 1980 (which themselves enumerate eight basic principles, from collection limitation to accountability); the commonly used seven-point summary is given below.

  • Notice: data subjects should be given notice when their data is being collected.
  • Purpose: data should only be used for the purpose stated.
  • Consent: data should not be disclosed without the data subject’s consent.
  • Security: collected data should be kept secure from potential abuses.
  • Disclosure: data subjects should be informed as to who is collecting their data.
  • Access: data subjects should be allowed to access their data and make corrections to any inaccurate data.
  • Accountability: data subjects should have a method available to them to hold data collectors accountable to the above principles.

Europe’s privacy laws are constructed by building legislative infrastructure based on treaties and then the creation of law. The diagram below shows the timeline of European infrastructure (above the line) and law (below the line); it was made a year or so ago and thus does not show the UK’s departure from the EU, nor the assignment of “adequacy” by the Commission.

While much focus today is on the EU’s GDPR, the principles that underpin it are more broadly accepted than that law, and in some areas the GDPR may be found wanting.

This blog post originally appeared on my LinkedIn blog. …

On Cyber-security

I posted a note on cyber security on my LinkedIn blog, with some pointers on the standards and controls needed to defend against a cyberattack and implement “adequate technical and organisational” protection. It looks at and links to the NIST Cyber-security Framework and lists some of the necessary controls to implement a reasonable defence and to evidence “adequate technical and organisational” controls. If you do what I suggest badly, you might get away with it; if you do it well, you might stop, or recover from, attacks.  …

Software Piracy and supply

This is interesting. From the Register, an article called, “Software piracy pushes companies to be more competitive, study claims • The Register“, sub-titled, irreverently as ever, “So, do copy that floppy?”

The article is written by Wendy Bradley, assistant professor of strategy, entrepreneurship, and business economics at Southern Methodist University’s Cox School of Business, and Julian Kolev, an economist at the United States Patent and Trademark Office. The article describes their methodology and links to their paper. They treat the launch of BitTorrent as a shock and examine the intellectual property development of companies vulnerable to that shock.

“When comparing the IP strategies of software firms at risk of piracy (the treatment group) against those of not-at-risk firms (the control group), we find that our treatment group significantly increases its innovative activity after the piracy shock in terms of R&D expenditures and granted copyright, trademark, and patent applications,”

Bradley & Kolev – Software Piracy and IP Management Practices: Strategic Responses to Product-Market Imitation (August 2021)

Interestingly, it seems that entertainment software companies behave differently, although the academic work, as quoted in the article, does not suggest that piracy reduces the supply of content.

Basically, the big software firms use their superior cost structures, achieved by size and source code ownership, to increase the rate of innovation and keep their customers coming to them. The entertainment companies don’t. I don’t think they look at the size and cost of investment in regulatory barriers to entry, both buying the laws they want and pursuing newly created malefactors.


Bradley, Wendy and Kolev, Julian, Software Piracy and IP Management Practices: Strategic Responses to Product-Market Imitation (August 2021). USPTO Economic Working Paper No. 2021-3, Available at SSRN: https://ssrn.com/abstract=3912074 or http://dx.doi.org/10.2139/ssrn.3912074 …

Wiping the phone at the Treasury

I wrote a piece on the Guardian story about the Treasury losing the Perm Sec’s texts and posted it on LinkedIn. One particularly disturbing feature of this story may be that messages from David Cameron about Greensill Capital have been lost. On the LinkedIn blog, I looked at the story from an IT security and employment law point of view rather than looking at the political corruption angle. I suggest that, for an organisation with a public record, FoI or compliance liability, SMS, WhatsApp or any messaging product without central logging should not be used. I suggest that wiping the phone instead of a password reset, especially when the device has not been lost, might be a bit extreme. I hint that peer-to-peer messaging without a super user is also inappropriate.

I argue that this is a symptom of the growing contempt that politicians, and now it seems bureaucrats, have for their record keeping responsibilities, which are mandated by statute law. It is likely that the use of personal IT, i.e. phones and email if not laptops/workstations, is becoming endemic, destroying, and designed to destroy, audit trails of behaviour. I note and have commented elsewhere on the failure to pass on the email and records relating to Johnson’s decisions with respect to Jennifer Arcuri’s trade missions and grants.

I note that such behaviour if undertaken by more junior staff would probably involve disciplinary action. I have dealt with cases where people have been investigated under the disciplinary policy for misuse of their personal IT in the office and also for the destruction or unauthorised amendment to business records. These have usually been considered gross misconduct cases which can lead to dismissal, but most of my members are blue collar workers.

With respect to the Treasury, I wonder if the texts have been truly lost; if they have, it’s either a policy failure, i.e. a failure of the control design, or a deliberate breach. Someone should be accountable, just as they should at the GLA. The irony here, i.e. at the Treasury, is that it looks like the person responsible for either of these failures is the same person. The Permanent Secretary is meant to be a check on the, certainly financial, probity of ministers and to occupy an important role in implementing a segregation of duties and avoiding toxic combinations. These controls are designed to stop fraud and corruption. These ones seem to have failed. …

More nonsense on Bitcoin

The Indy reports on Bailey of the Bank on Bitcoin, who warns, “Cryptocurrency has ‘no intrinsic value’ and investors will ‘lose all your money’, says Bank of England chief”. I add, “Bitcoin only works because the ‘proof of work’ is so expensive and time consuming; and it’s also destructive of the environment due to its useless power consumption. (It’s also very slow, doing 700 TPS; that’s not enough for a business, let alone an economy.)” …