If anyone from gov.uk is reading this, do you fancy answering the question I posed when the site was launched but never received an adequate answer to?
Why does gov.uk, a site all about allowing the British public to interact with the British government, use google analytics?
You are shipping all the data about all my interactions with my government off to a third party in another country. Another country that we know has not got the same legal data protection requirements, and one which has now been exposed as having massive internal spying problems.
And no, telling me "google aren't allowed to use the data" and then opening an outsourced helpdesk ticket with another US based company does not cut it.
Unfortunately it's attitudes like this that usually end up making Government projects so eye-wateringly expensive.
Assuming they listen to your suggestion and act on it as you suggest, it seems the only option open to them is to design their own in-house (In UK for that matter) version of Google Analytics to do their own analysis. Regardless of the cost and time this would add to the project, it's unlikely that it would be anywhere as good as Google's offering.
The other, more likely, option would be to decide it's too expensive to implement a different, more complicated, solution; so they don't bother. They don't get the feedback and analysis on how to improve their services and the customer experience declines until you're back where you started with a poorly designed product offering hard-to-find information and people are posting angry comments on HackerNews about how bad gov.uk is and how they would never run a start-up like that... I'm almost certain someone would say "Why don't they use google analytics to improve things, like everyone else".
Instead, we need to be applauding a massive operation like Gov.uk for taking a dose of reality and thinking, "we're not doing anything amazingly special here, we're providing people with a quick way to check their council tax, or bin collection dates, or maybe pay their car tax. let's just get the job done as best we can."
I'm sorry what? F*ck privacy, this way is more expedient? Is that what you're saying in effect?
That's not what I want from my government.
--edit-- I also didn't make any suggestions, I would have accepted a reasonable explanation of the legal and technological measures that were in place to protect my data from rampant proliferation through US corporate and government systems.
Instead I got (and this is a direct quote) "We don't allow Google to use or share our analytics data.", and a zendesk reference number. Fobbed off, basically.
And with the zendesk link, now my actual communication with a UK government team is being processed in the bay area.
This is unacceptable.
--edit 2-- Somehow other large UK web-based institutions manage without GA as well. The BBC for instance. Perhaps they could talk to each other.
Before you start the lynch mob, ask yourself this: what on earth can one do with non-person-identifiable data stored on a server?
"Next on BBC - Terrorist organisation finds out too many British people forget to update their MOTs"
That's not what I want from my government.
Be very very fortunate you can even get a somewhat usable site, much less a very user friendly site. There are citizens of the other nations that would kill for easier access to public information.
Someone in another country, not subject to the same laws about how that sort of data is collected and used.
Actually it's not even equivalent then. It's more like them recording the conversation you have with the public services folk. And you haven't actually gone there, just called on the phone.
This is where I'm really failing to understand your logic. Your activity is very different from what you converse. If I fill out a web form and that data gets logged, fine, I can see how privacy may be an issue. Unless someone can correct me, Google analytics does not have that capability, it only tracks how you navigate.
If I walk around a public library and check out 6 books and someone follows me around watching me look at 6 books, then again I ask "so what?"
In the largely broken analogy, you might phone the DVLA, ask to speak to a certain department (driver licenses, vehicle tax), then perform a specific task (apply for a new license). This maps to your navigation around the pages. Previously you would not really expect a third party in another country to be informed you were doing this, and I don't think it's necessary now.
>> If I walk around a public library and check out 6 books and someone follows me around watching me look at 6 books, then again I ask "so what?"
They compile a dossier on you, including everything you read, all of the shops you go to, food you like. They sell this data to whoever wants it and leak it out the back door to overseas government agencies.
But I guess you've nothing to hide from anyone eh? Good for you.
>In the largely broken analogy, you might phone the DVLA, ask to speak to a certain department (driver licenses, vehicle tax), then perform a specific task (apply for a new license). This maps to your navigation around the pages. Previously you would not really expect a third party in another country to be informed you were doing this, and I don't think it's necessary now.
But that's the point I think he's trying to make: Why is this an issue? If I open up a page on the site that say tells me what the VAT rate is and that gets timestamped and sent to google, why should it matter?
The site is purely for information. They could - as you say - get wind of the fact that I want to apply for a new passport. So what? That (at least in my mind) isn't a privacy issue.
Well, not really, it directs you to portals for various services.
>> They could - as you say - get wind of the fact that I want to apply for a new passport. So what? That (at least in my mind) isn't a privacy issue.
I think it is and I would be upset about (for instance) my library browsing habits being supplied to people as well, particularly if they were based in places with far less in the way of data protection law.
You may as well say "Why would anyone care about PRISM? Who cares who knows I call my mom every week?", yet it's the biggest story around at the moment.
I certainly understand where you are coming from, I just think that the issue of having this data supplied to Google isn't really that important to warrant spending a tremendous amount of the budget to do an in house system.
The fact is that the web is not anonymous in its nature. If I browse to a random site I've never heard of, how do I know they aren't using a third party image? If they are, then my IP/Location will be broadcast to that third party.
>> I just think that the issue of having this data supplied to Google isn't really that important to warrant spending a tremendous amount of the budget to do an in house system.
Well I think they probably have a tremendous budget, and a variety of FOSS or third party (but running in-house) solutions have been mentioned in comments here, that could likely do the job.
>> The fact is that the web is not anonymous in its nature.
It's not really about anonymity though, it's about who the government is (deliberately) sharing data with or leaking data too. I'm not asking for anonymity in who I intend to interact with (UK government services), I'm asking them to think about who they share that data with.
>> If I browse to a random site I've never heard of, how do I know they aren't using a third party image? If they are, then my IP/Location will be broadcast to that third party.
When it is a page run by one's own government, one can have different expectations and even ask for things to be changed not to leak such data. Or at least ask if they've thought about it.
However this is also why I tend to block things like social media buttons, I have no desire for FB or Google to be informed every time I read ... well just about anything online these days.
>> Before you start the lynch mob, ask yourself this: what on earth can one do with non-person-identifiable data stored on a server?
How do we know it's non-person-identifiable? It's certainly clear that the analytics data comes from a set IP address, and when correlated with all the other data that big G collect from all over the web, who knows what can come out of it.
>> Be very very fortunate you can even get a somewhat usable site, much less a very user friendly site.
1. It's not just an information site.
2. Why should Google (and by extension the US government) be informed that I'm looking up (for instance) legal advice, business law or anything else?
Again, this is my interactions with my government being published to another nation.
--edit-- removed accusations of laziness, I'm sure the gov.uk folks aren't that.
Right, so because we haven't got a full and complete legal framework and associated consensus driven moral framework in this area, we should just relax and give up on the whole idea?
We already have data protection frameworks in the UK and at the EU level. I would like to see them adhered to in spirit, and I would also like to know that someone involved in the gov.uk has at least given this a moment's thought.
Clearly not give up. But we should have at least a clear idea of where we want the debate to go to. You say you want the DPA adhered to in spirit - great. It is adhered to in the letter of the law, and there are many interpretations of the spirit of that law.
My view is that the spirit of the law needs to be codified for a new world, and it is healthier to have that clear (and so open for debate) than to say someone is violating my idea of what the law should be.,
My starter for 10:
* Privacy is merely a politeness, and does not actually "exist". The expectations of privacy are the expectation for data to not be exploited without our consent.
* All digital communications and associated metadata are made in a public domain, and should have very limited expectations of privacy.
* If digital communication is encrypted, or marked as anonymous, then it should be legally viewed as having an expectatin of privacy and similar penalties applied for interfering with that as with post.
* Any monitoring of digital activity that can be linked to an individual human must be publically acknowledged by the monitoring organisation and the data released / published unless the individual has given consent for identifying data to be stored and processed to that organisation.
>> All digital communications and associated metadata are made in a public domain, and should have very limited expectations of privacy.
This is where we depart. Just because it is a public network does not mean that people somehow naturally consent to monitoring by anyone and everyone, nor that they should have to consent to this stuff. The telephone network is a good example of public and private infrastructure in which one still has the expectation of privacy.
>> If digital communication is encrypted, or marked as anonymous
And what if someone, mostly without notifying us, loads a script into our browser that tracks everything we do and reports back to mother?
This is not a case of people marking data private, nor is it 'digital communication' this is intrusion.
Which part is unacceptable - the fobbing off part, or the some data gets sent to a country that tortures people, spies on all its citizens indiscriminately and has not signed up to common international treaties.
I think that before Snowden most people, myself included, would have thought not using google analytics for the above reasons was paranoia.
Now, I think that all digital data should be treated as public and until we change the law to have a public / private demarcation, we need to accept it and deal.
(I see this as a pollution issue, until we get a clean air act, everyone will walk around with cloths across their mouths)
edit: little less troll like:
We have no framework for digital privacy, and until we see an emergent consensus there will not be one.
Here, on this site, we have informed, reasonable people disagree on fundamental definitions of online privacy.
So the first step here is to ask, "privacy in the US is based on two things, actions in ones own home are protected by default, and written communications between yourself and others are protected, and publishing is an explicit act"
What do those things now mean in a world of mobile phones, internet and metadata?
Pretending it's a non-issue and not addressing concerns AND then using an overseas helpdesk service, such that now not only are analytics being sent to the US, but actual communication between a UK citizen and the UK government.
But particularly the latter half.
>> I think that before Snowden most people, myself included, would have thought not using google analytics for the above reasons was paranoia.
Most people haven't been paying much attention then.
>>Now, I think that all digital data should be treated as public and until we change the law to have a public / private demarcation, we need to accept it and deal.
Cool, if that's your attitude to this. Some of us would prefer to prevent our government being complicit wherever possible. They may already be in breech of various regulations and I do intend to be in contact with the ICO soon.
This just sounds like a paranoid rant. If you have a problem with it, either don't visit the site or block the analytics. The reason they are using it is pretty obvious, like everyone else that builds digital services, they want to look at how it gets used. It is a non issue, that's not pretending, it's just putting on a rational hat and taking off the silly rhetoric of paranoia.
Personally, as someone who left the UK in the 90's for silicon valley, I'm blown away that the UK government has even heard of the internet, let alone built a decent digital service.
>> It is a non issue, that's not pretending, it's just putting on a rational hat and taking off the silly rhetoric of paranoia.
I'm glad you're happy to publish all the details of your interactions with government services to an advertising company in another country with far less in the way of data protection law.
I'm saying I'd like to know what sort of privacy analysis was done here, whether it's in compliance with EU and UK privacy and data laws, and whether it's a good idea at all.
Just because I know how to block analytics doesn't mean everyone else has a clue they even exist, nor that we should allow our government to export data about us in this way.
As a proportion of the whole development cost, using either an EU based analytics service or in-house server shouldn't really be significant.
But even before that I'd like to have some indication that someone has actually thought about what they're doing, rather than just stuffed in GA because that's what you do in the private sector.
Yes, yes, yes. The only time we should consider these attitudes is when real keep it from everyone security matters (you know MI5 style security, not pentest security)
And frankly my view on that is now: want to keep a secret? Keep it away from computers.
What if I don't want everyone in the world to know everything about what I do with a computer?
They're more and more part of everyone's life and not everyone is of the mindset that it doesn't matter if corporations and governments get to look at every little detail of their online interaction. Car tax, criminal law, the weekly shop at tesco.com ... all going to the profilers.
I know this is happening. I know how to stop some of it. But everyone else?
It is for these same reasons that I contacted Crimestoppers UK and asked them about their use of Google Analytics, especially on a site that is for 'anonymous' crime reporting.
They wrote back with a non-answer missing the point that they are voluntarily leaking crime victims' metadata to a US advertising company.
A site the size of gov.uk or crimestoppers.org.uk really cannot claim that they don't know how to switch to something like Piwik and keep the visitor data in-house and private.
"Why does gov.uk, a site all about allowing the British public to interact with the British government, use google analytics?"
I'd like an answer to this too from the .gov.uk team.
Ironically enough, their service design manual (which is excelllent and a fantastic resource) has a very good section on analytics tools [1]. Some quotes:
"When deciding which analytics tool is most appropriate for your service, you should consider the following...who owns the data (it should be your organisation!)
Does the solution meet the EU privacy directive and the European Commission’s Directive on Data Protection?
- where is collected data held?
- do data centres meet EU/British data security standards?
- how long is data held for?
- what will happen to the data on termination of the contract- can you export it?
- what access your vendors employees have to your data"
Did they evaluate Google Analytics based on these guidelines?
My only issue with that is that you have to trust google to do it. The info is still transmitted (even if only in the form of the initial request to download ga.js) so we only have their word on the matter.
Yes it has, and the sharing of site-visitor data with google on sites all over the web is something to be concerned about IMHO.
However, again IMHO, tracking casual web use is a different class of data to my interactions with my government, and I very much resent those being sent to foreign companies and (by inference) foreign powers, however benign and friendly our relationship is.
Let's not forget. Google is an international company, not "foreign". Google has servers and offices in the UK.
If you read the first point, it says "Start with needs". They need to be relevant and appear in Google. Google Analytics is simply a tool that helps them do that.
>> Let's not forget. Google is an international company, not "foreign".
No, it's an American company, subject to the whims of the US government.
>> Google has servers and offices in the UK.
Sure does. I have no idea where they process the data though and I doubt the gov.uk folks have. If they did have a guarantee that the data wasn't ever going to leave the UK then maybe they could say so?
>> If you read the first point, it says "Start with needs". They need to be relevant and appear in Google. Google Analytics is simply a tool that helps them do that.
Err, no, google analytics records and transmits site interaction data.
Massive kudos to whoever it is in a position of authority, be a politician or a senior civil servant for allowing a modern dev team to grow and cultivate a culture that works. Too many people in authority are motivated by fear of failure, blame apportioning and self-interest meaning their aversion to risk is so high, nothing happens, so nothing goes wrong.
I really hope that because this is associated with the cabinet office other teams elsewhere in govt. can draw encouragement from this team and use it as an example.
Excellent to see the source open and hosted on github. Such code is rarely made publicly despite it not being confidential.
Will the govt. sit up and notice that small focused team with a remit can deliver. Or will the next system change mean a complicated procurment process for a large consultancy who will hive the work off shore to the cheapest sub-contractor and deliver nothing but spend millions of tax payers pounds.
@liammax and @MTBracken (twitter) are "UK CTO" and director GDS, and currently the leading lights in this one.
One thing to note is the Open Source software, in guidance handed to all government departments, should be preferred over proprietary software. (link in here somewhere http://www.oss4gov.org/policy_activism)
In addition the "G-Cloud" - a online catalog of pre-vetted service providers, has 80% SMEs on it and a govt buyer can simply sign up online for a Saas service there and then with a govt credit card, legally
I feel that Open Source in government will have serious network effects globally, so getting this right now for the UK could lead to a very long tail / virtuous circle for UK devs in the future.
Awesome stuff which makes me sad: Here in Germany OpenData and Open Government is really bad.
The government started an initiative, later backed out in nearly every aspect of "openness" and hired some Fraunhofer FOKUS people (federal research institute) do code something.
They used a huge JEE app-server as foundation for their work, have not a single test and neither a documentation. When they launched a couple of months ago, their production server went down for 2 days besides their research in "cloud computing" which does Fraunhofer as well. (=> https://govdata.de sources at https://github.com/fraunhoferfokus/opendata-platform)
So, congrats to UK. You're doing it right. Please continue this work and put more stress on incompetent and lazy political actors and "research factories" in other countries, e.g. Germany.
J2EE ecosystem and the Open Source ecosystems have little overlap - if that is your first choice, it is likely your sympathies for all other decisions, technical, methodological and organisational, will not be in line with common practise in the OSS world.
In other words, they hired the wrong guys.
Liam Maxwell and folks at GDS are hitting all the right notes so far.
Having worked close to the department for education in the past it's refreshing to see a strategy that was implemented by employing smart people and giving them enough rope to actually do what was needed, rather than outsourcing to one of big suppliers (the DfE has been far too close to Capita over the last decade or so) and letting them bleed the pot dry with project management and consultancy fees (at one Capita run front-line strategy project that shut down not so many years ago the developers were allowed to quit as full time employees and instantly start back as contractors earning roughly three times as much).
I wonder if it's a coincidence that this project appears to be blossoming while almost every large project I saw that was outsource either massively underachieved or was just buried after huge loses (schoolsweb for example).
I've been part of a large consulting bid for work, and part of the team that executed it. It was horrible.
We were bought in because we knew how to do something, but we won the bid because we simply could do it cheaper than anyone else.
Where it went wrong though, was that even though we knew what to do, once engaged the client insisted on how it would be done and meddled with every part of it.
And the next big failure was our part... our project management team let the client change the requirements frequently even though we told them in no uncertain terms that we were moving from the stated goal and that what was now being asked would not work.
The project management team expanded to deal with the stream of change requests and meddling, and the devs got bogged down with change requests rather than actually driving the project to the project goals.
Finally the project ran out of cash, and what was delivered fitted no-ones needs. It was horrible.
I think the greatest thing that the gov.uk team have been able to achieve is finding the ability to say no when it needed to be said, and to dictate how it should be done right rather than permitting meddling.
It's no surprise that #1 is "Start with needs", and it's less of a surprise that they've had to clarify this is the end user's needs and not the needs of anyone in government.
It's agonizing to me that some of these government bids (my experience is in the US state of California) are required to take the lowest bid that meets the requirements unless they can clearly justify using a more expensive one. Of course, if they put out a general request they would end up with a terrible product, so they tailor their request to the company they want to hire.
Even then, the companies aren't really rewarded for doing a good job. They're rewarded for doing a minimal job that barely meets the requirements and using as much money as they can.
In my experience in the State of California -- mostly from the government side -- the rule is that there are, for each contract put to bid, rating factors and criteria established upfront and you must hire the contractor that scores the highest on those rating factors. That's not usually equivalent to taking the lowest bid.
That being said, this:
> Even then, the companies aren't really rewarded for doing a good job. They're rewarded for doing a minimal job that barely meets the requirements and using as much money as they can.
...is certainly an issue, especially, as is often the case, where reimbursement is based on hours and the contract amount is a limit, so that the incentive is to assure that as many hours are consumed as possible up to the limit.
These guys are doing an incredible job. Liam Maxwell is smart and has a background in startups. I got the privilege of listening to him speak a couple months ago. Wrote up the experience here: http://peebs.org/2013/03/29/evening-united-kingdom-cto/
Been exploring the gov.uk site, and I'm very very impressed. Unlike the Manchester.gov site[1], there's an excellent information density yet a very lightweight feel. Maybe it's my preference for text-based designs over icon-based ones, but I feel like I can find what I need incredibly quickly.
This website purports to be about data. But is it? Seems like lots of rambling about presentation of data.
A true open data initiative would start by providing an ftp link.
People can argue all day about how to present data. That's not about data. That's about something else.
First, just give us the data. Raw. In an open format (e.g. plain text). From there it can be massaged into a gazillion possibilities. Many people have many different visions of those possibilities.
Open data starts with providing the data. Not a lecture about "principles".
If you had continued to read the rest of that paragraph, you would have seen this:
> If someone else is doing it — link to it. If we can provide resources (like APIs) that will help other people build things — do that. We should concentrate on the irreducible core.
I had continued reading it, and I maintain that single sentences must make (at least logical) sense by themselves. This is marketing jargon trash, and should not be encouraged in a web standards document!
Can anyone with some knowledge of the GDS explain how they seem to be doing such a good job? It just seems impossible that someone somewhere in Government got something right for a change and brought this team in and let them get on with it.
- I know Government projects get a lot of flak, rightly or wrongly but they always seemed to be awarded to companies like Capgemini who would spend £100's of millions achieving much less. I could be wrong.
They have been allowed to just link to the old government websites for lots of things so they didn't have to create a feature complete drop in for the old site(s). I think this has made it much easier easy to make a nice looking site.
I'm not connected with anyone who works on gov.uk but I've been a huge fan of what is going on over there for some time. In my view it is without a shadow of a doubt the best digital government team in the world. They've assembled a massively talented team who are knocking it out of the park week after week. It's rare to see this anywhere never mind a bloody government agency!
It's nice to see a government organisation actually taking design seriously for once. I imagine (having never worked in that kind of environment) that stuff like design committees and massive processes to get small tweaks through can't be that nice.
Gov.uk is an excellent example to follow in e-government. Here in Portugal the last few years we've had great advances in it, but what we got is still laughably bad in comparison to this.
What.. Are these government sites? Those do not look like such as they are too clean and positive. Are you sure they're just not a victim of very stylish hacker?
They are indeed Government sites! GOV.UK itself is looked after by the Government Digital Service (GDS). A brief history is available on the GDS blog: http://digital.cabinetoffice.gov.uk/about/. It's also different in that it's coded in the open. Most of the code behind GOV.UK is on public Github repositories: https://github.com/alphagov.
Why does gov.uk, a site all about allowing the British public to interact with the British government, use google analytics?
You are shipping all the data about all my interactions with my government off to a third party in another country. Another country that we know has not got the same legal data protection requirements, and one which has now been exposed as having massive internal spying problems.
And no, telling me "google aren't allowed to use the data" and then opening an outsourced helpdesk ticket with another US based company does not cut it.