Features

net.wars: Disproportionate costs

"I'm sorry. That data is not held centrally and could only be obtained at disproportionate cost." It's a nice answer, isn't it?

It's what Treasury minister Paul Boateng said when asked how much money has been wasted on mis-managed IT projects since Labour came to power. As a poster on UK Crypto said this week, how convenient that government can't lay its hands on the numbers when those might be embarrassing.

Of course - and this was part of the point - they wouldn't accept such an answer from one of us. "Produce your decryption key," says the nice policeman. "That information isn't held centrally, and could only be obtained at disproportionate cost." "You want to produce the key, or go to jail?" No, no, you see?

This week saw the Home Office launch two consultations on communications data. The first covers access to communications data under the Regulation of Investigatory Powers Act (RIPA) - this is the revision to the set of proposals to allow everyone from the food safety people to the local parish council to see your data if they wanted to. The second is the voluntary code of practice for data retention under the Anti-Terrorism, Crime and Security Act (ATCS) - this is the bit about what data must be kept.

The good news, at least in regards to the RIPA list, is they seem to have modified the original stance of "everyone gets to see everything and everything must be kept" a bit. Even the Foundation for Information Policy Research said these new consultations sound genuine. On the second one, though, the Home Office has retained its "let's keep everything" stance.

The FIPR notes that the Home Office has not addressed the concerns of the Information Commissioner, the communications industry, or the Parliamentary All-Party Internet Group (whose report was discussed here a couple of months back). But this isn't surprising, really. If you keep everything, you can always modify later the list of people who have access to it. Just shove through the list of whatever people will accept now, and widen it gradually later. After all, as the consultation paper for the code of practice reminds us on the first page, the point is to prevent terrorist attacks like the one on September 11, 2001. Comments are due in by June 3, 2003.

One major sticking point has been the costs of data retention and retrieval. The Home Office still isn't giving much detail about this, saying only that the government is prepared to contribute to communications service providers' "reasonable costs". There may not be a lot of agreement forthcoming on just what "reasonable" means. At the APIG meeting, the Home Office attitude seemed to be, "Oh, come on, it's not possibly going to cost as much as the ISPs say it will." I would like to refer the learned gentlemen to the sentence we began with and propose a trade. You make your data available, which you are elected to do, and we'll see about making ours available. When the time is right. At the appropriate juncture. In due course.

What's absurd about this "oh, it can't cost that much" attitude is that despite Blair's attachment to "joined-up government" these people don't seem to be able to make the connection between their own inability to bring IT projects in on time and under budget to anyone else's inability to do the same thing. The Standish Group, which tracks this sort of thing in its "Chaos" reports, figured in 2000 that only 28 percent of US IT projects succeeded in meeting their deadlines, budgets, and specification. In a way, it's unfortunate that figure isn't lower. If it were, we could shrug about proposals like the "entitlement card" or data retention, and say comfortably, "Well, it will never work, so let them try."

Unfortunately, people are beginning to focus on IT failures - the year 2000 so-called McCartney report made many specific recommendations for making public sector projects work. These include breaking the projects down into manageable pieces (the equivalent, I suppose, of remodelling your house one room at a time), putting in place better project management, better communications, and so on. One of these days, one of these things is going to work.

Of course, one reason projects don't work, for rather subtle values of "work", is that people expect the wrong things from them. Retaining data is not going to prevent terrorism unless someone's sitting there viewing all the data in real time, draws the right conclusions, communications those conclusions to the right people, and the warning gets listened to and promptly acted upon. The likelihood that all five of these items can be made to work at the same time seems vanishingly small. The opposite, in fact, of serendipity as the late Roger Needham often defined it: "Looking for a needle in a haystack and finding the farmer's daughter."

Given the volume of data they're talking about retaining, the most likely is that the farmer's daughter will be proportionately a lot smaller than a needle. But the true social and economic costs will be disproportionate - and they won't be held centrally either.