Friday, May 27, 2016

Experiencing the Citizen-State Interface

by Nick Charney

I got a parking ticket this week -- and while it was a simple mistake, rectifying that mistake is almost not worth pursuing. This is one of those stories about the citizen-state interface that we can all sympathize with.

Long story short, last week I had some work done on my car and had a loaner. I have a parking pass for a lot by my work and simply changed my pass to reflect the change in vehicle. No big deal. However, when I got my car back I failed to change the pass back to my actual vehicle so I got a ticket for parking my car in the lot I pay to park it in. Now, mea culpa on not changing it back but the cost of the ticket is almost half the cost of the monthly pass (if I pay early) and more than half the cost if I pay late. So I did what any reasonable person would do and I called the city.

I will say that I was pleased with the wait time (less than 1 minute); however, while the person on the other end of the phone was polite, helpful and courteous, the solution offered was complete rubbish from a service delivery standpoint. That solution: show up in person to one of the designated sites, get in line, wait, and contest the ticket in person. If I can pay a ticket online, why can't I contest one? The in-person requirement is a strong disincentive to contest and an equally strong incentive to pay. Something about this seems amiss, and likely sounds familiar.

That said -- and this ends the 'rant' -- the larger more general question I want to raise is why would governments make it easier to comply (even if erroneously) rather than contest (or correct) a mistake?

Do they not have a duty to ensure that both paths -- across all service offerings -- can be walked just as easily? Shouldn't they be removing barriers that disproportionately benefit the state while leaving those that would more directly benefit the citizen? Isn't good governance about finding the compromise?

After all, if we want people to see the state as more than the common stereotypes portrayed by popular media then we need to continue to improve the citizen-state interface in ways that are demonstrably meaningful to both parties. I suppose this is where user testing comes in. However, the challenge there is that while citizens are constantly user testing the state, the state is infrequently conducting user testing on its citizens.


Wednesday, May 25, 2016

Getting to nimble, agile, high-performing: making the case for tools



by Dan Monafu


(Spoiler alert: this article has a happy ending; I’m writing this in Google Drive.)


I’ve recently moved to a new department. It’s not important which - let’s call it Department X.

Department X ranks pretty low on the list of departments which allow a full suite of productivity tools and cloud-based software, according to an informal comparative analysis on the issue produced mid-last year.

Having worked almost exclusively in Google Drive (for work) for the past 2 years or so, the news that all of a sudden I couldn’t work on the Drive at all was disorienting; I didn’t think it would be one of the hardest aspects of my transition to a new department. In retrospect, it makes sense: everything was on the Drive, from past work and key contacts, to future ideas and plans, to great reference materials (all unclassified information, rest assured).

Once I got to my new work place, I had informally asked some of my Department X colleagues if they could access Google Drive. I was told they know of a few people in the Department that could, having been given exemptions. In some cases, colleagues suggested getting their own exemptions is on their to do lists, but that they dreaded the amount of approvals and hassle it might cause.

Well, I’m writing with pretty good news.

In the spirit of positive policies, to help demystify a process (it can be done!), as well as to help alleviate duplicative efforts, I’m sharing below the steps I took to have Google Drive exempted from the list of restricted sites. It took about a month, and roughly 2-3 hours of my time (cumulative), but it overall wasn’t an onerous process. More than that, I believe I did my part in making a case for access to this tool, on behalf of the policy community.

If we don’t make such requests, IT professionals and senior management won’t know we need them, and won’t necessarily make the process easier. The more requests IT security receives on this (and approves), the easier the process will get. Who knows, it might eventually become open-by-default, getting us closer to nimble, agile, and high-performing.

Below are three ‘for reference’ pieces on the process: 1) a timeline illustrating the process in detail; 2) a ‘standard lines’ template I successfully used to make the business case for the exemption; 3) yes, there are legitimate risks with using cloud-based tools (and, like everything on the internet, we need to be smart about how we use them); here are some best practices my Department passed along - it’s good stuff to keep in mind.

Let me know how it goes in your department.

Timeline illustrating the process


April 4, 2016: Opened service ticket with the Service Desk
April 11, 2016: Opened new service ticket (this time with the correct group, IT Architecture Security)
April 11, 2016: Received response, which outlined the process (see screengrab below)

Capture1.PNG

April 21, 2016: Received Director-level signed approval
April 25, 2016: Request reviewed by Departmental Security (note: some follow-ups were required regarding the type of information I would be sharing; my answer: everything will be unclassified)
April 26, 2016: Request moved for approval to Director-level Departmental Security
April 27, 2016: Request moved to Shared Services Canada (SSC) for testing; once testing was to be complete, the request was to return to the Departmental Security Office for Director-level approval; the request was then to go back to SSC, who was to whitelist the internet protocol (IP) address, granting approval
April 28, 2016: The request for Google Drive was approved. Note: I had also requested access to Slack.com under the same form. This was denied, with the following reason provided: “While not a threat at the moment, please note www.slack.com was hacked back in Feb 2015 and users’ data was compromised, including mail addresses, usernames, encrypted passwords, and, in some cases, phone numbers and associated Skype IDs. Since then a 2-factor authentication was implemented to their service.”
May 2, 2016: Configuration completed. I could access Google Drive.

‘Standard lines’ business rationale


Website name and/or URL: Google Drive - https://drive.google.com; Slack - www.slack.com

Business rationale and the justification
XXX (name) is the XXX (role) on the XXX (team) within XXX (department). As such, he is required to participate in various working groups and interdepartmental committee meetings that conduct regular business predominantly through the two online productivity platforms mentioned above, Google Drive and Slack.
For example, XXX (name) participates in a weekly call with the XXX (group) – agenda items, as well as all discussion materials, are only shared through Google Drive.
Moreover, that same group has a Slack channel, where important real-time information is exchanged, in particular during quick turnaround requests for input from groups such as XXX (group).
The policy innovation community within the federal government embraces openness, transparency and co-creation as core principles. Use of productivity tools such as Google Drive and Slack is fully supported through TBS directives (see the 2013 Policy on Acceptable Network and Device Use: http://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=27122) as well as in principle through aspirational statements and high-level direction given through the Clerk of the Privy Council (e.g. Destination 2020; Blueprint 2020 (www.clerk.gc.ca/eng/feature.asp?pageId=400)).

What other risk options/alternatives were considered and/or dismissed as part of this request?
No other options/alternatives were considered given the need to use these particular productivity tools.

What steps will be taken to adopt a lower risk option?
N/A

What is the impact to the Department if the exception is not granted?
The Department will not be able to participate and engage in the work of the groups involved.
The Department’s input in various co-created materials will not be taken into consideration, resulting in potential loss of ability to support core mandate functions.
The Department will not be able to use current best practices (e.g. co-creation) when designing policy, with far-reaching negative consequences (e.g. from loss of productivity, to loss of talent in its workforce, etc.).

Please provide the specific period of time you require the access.
Indefinitely.

IT best-practices when using cloud-based services


As you will be accessing a Personal Network Site, please understand the risks involved with this practice. Once the information leaves our network, it is in the hands of the service provider.  In the case of free services, this risk is increased as the provider typically relies on mining this information to support advertising and other commercial activities. If such a service is used, we recommend the following best cyber security practices:

  • Service providers have the option of auto-saving your passwords on their websites. Don’t auto-save your passwords. Always use the two factor authentication on account(s) provided by your service provider.
  • Do use hard-to-guess passwords.
  • Your approved website(s) has embedded advertisement links. DON’T click on links from an unknown or untrusted source. Cyber attackers often use them to trick you into visiting malicious sites and downloading malware that can be used to steal data and damage networks.
  • Remember that information sent over the Internet, via email or from a Personal Network Storage service provider has few privacy protections. Messages/information can be forwarded, be posted on public forums and can remain accessible on the Internet forever.
  • Not everything belongs in the Personal Network Storage Cloud. Remove information that does not need to be in your Personal Network Storage.
  • Do use good judgement when posting information on social media platforms for both privacy and cyber security reasons.
  • DO lock your work device when not in use. This protects data from unauthorized access and use.
  • Avoid using public Wi-Fi hotspots.
  • Once you have finished, ensure you exit the session properly as leaving the session open can expose hackers to your credentials and account.
  • Report any suspected security incidents to your Service Desk.
  • Autocomplete is a common feature found on most email software. If your application uses the autocomplete feature, make sure that you are sending information to the right person.
  • Ensure that any business information posted/shared has been approved for release, and carefully consider the information you post concerning your job duties.
  • Know the classification level of the information being shared and ensure you follow the Classification Guide for Handling Information and Required Safeguards. A reminder that Protected B information MUST be encrypted and sent only to approved recipients.



Friday, May 20, 2016

The Poetry of Public Service


by Nick Charney

Sometimes you just have to mix it up a little. Here's a poem by my friend and colleague Lauren Hunter. Enjoy!


Rebel Song to the Public Service

You will not find us where you expect.
You cannot summon us, contain us or will us to conform.
We are difficult, unruly, unpredictable.
But we are here for you,
Even if what we are and what we bring is not what you would think to ask for.

We travel paths you have overlooked and bring back treasures to lay at your feet.
We fall from mountains you avoid to find a safer line for you to climb.
We take hits on the frontline to clear an unobstructed path for you.
We build houses we do not stay to use.

You see, we never set out to create these things for ourselves.
Wild hearts need a calling
And with all roads before us, we have chosen you as our compass.
We strive to do great deeds for you
(Even, and perhaps especially, when you do not ask us to)
Rather than the easier alternative.

For there is no goal more worthy of the rebel soul than freedom,
And freedom is nothing if we only win it for ourselves.

We lay our works and hearts before you,
Edgy and uncouth, disruptive but deeply loyal,
In the service of a greater democracy
Because you are sworn to safeguard it.
We give what we are to you
So you can give everything to it.

Beware that you succeed in taming us.
Making us like you until we are no longer any use to you.
Because what we are is needed.

Without us, you would remain as you are now,
Forever.

We will stay with you
As long as we have the will to keep taking down the fences you put in front of us,
Strength in our legs to get back up when you knock us down.
And when we leave, others will rise up to take our places.

Long after, when the wounds we give each other have healed,
You will call us visionaries and leaders.
You will tell the stories of our rebel deeds with pride, natural as breathing,
As a part of you.

But we would trade all future praise,
For you to see us now
And value us now, as we are.
For a chance to walk this path together.

We are yours,
But we could serve you better
If we didn’t have to spend so much time walking in from the margins,
If we could build great works for you and with you,
Without having to hold one arm up to shield us as we work.

We do not ask for what you fear.
All we want is for you to understand
There are enough barriers to overcome in the service of the greater good
Without those you build to slow us down.

Maybe, just maybe,
You could bring us in from the cold
By giving us a little space by the fire.
Could we not, each of us, learn to do this better
Working together?