Letter to Parliamentary Committee on Gov. IT projects

Letter below has been submitted to the Temporary Committee on Government IT. This document is a translation from the Dutch original.

Dear Members of the Committee on ICT ,

On June 1st, 2012 I was invited by your predecessors to contribute to the expert meeting of the Parliamentary Working Group on ICT projects in government. The written submission that I made at that time is here, including a video of those hearings (in Dutch).

As an IT architect but also as a concerned citizen, I have been actively involved with the IT policy of the government since 2002, focusing on the areas of electronic health records, security and open standards / open source software. On the latter issue I was the initiator of the 2002 Parliamentary 'Motion Vendrik' that advocated greater independence from dominant software suppliers. Last year I also served as a technical expert on the Committee of Minister Plasterk who advised on the (im)possibilities of electronic support for the electoral process.

Although this motion Vendrik from 2002 was translated into the Heemskerk Action Plan in 2007, this policy was quietly killed in 2010/11 by the lobbying power of large software vendors and the U.S. government. Even the Court-of-Audit was pressured to *not* ask certain questions in its 2011 report on the policy. Since 2002, the Netherlands has spent about 60-90 billion on foreign software, for which in many cases free, equally good or better alternatives are available. Their use is, however, actively hindered by both the Ministries of Education and Interior, as well as the VNG supported by the lobbying apparatus of major suppliers and the U.S. government.

This despite Justice Minister Donner's 2004 letter to Parliament in response to the Motion Vendrik where he admitted that:

  • the government's dependence on Microsoft was very great;
  • that this was a problem ;
  • and that by introducing open standards and the use of open source that could be solved.

This dependence has since become much greater and more than one billion Euro was spent on Microsoft licenses over the last decade. That money would have paid for 10,000 man-years of expertise to migrate away from Microsoft products. A large part of the money spent would have remained in the Dutch economy and returned to the state through tax and VAT. Not that 10,000 man-years would have been needed. The Municipality of Ede did it against the odds for a fraction of the cost and now saves 92 % on software expenses (and 25% on overall budget). The rest of the government has yet to take steps. Why is an important question.

In addition to the huge amounts of money involved (the VAT ends up mostly in the Irish exchequer due to inter-EU trade to Irish headquarters of IT companies), it has also become clear in recent months thanks to Edward Snowden in particular that U.S. software is deployed as espionage infrastructure . This has practical implications. For example, the current semi-privatised infrastructure of the national Electronic Health Records system has been put under technical management of an American company and therefore falls under the Patriot Act. But the Windows PCs ( which are de facto mandatory in secondary schools) and Gmail accounts (which are necessary to follow a University course) are part of the global spy network. Similarly with the iPhones that some of you might use, about which NSA internal documents boast of the 100% success rate in automated monitoring at zero dollars cost per device.

All this means that even if IT projects according to any definition 'succeed operationally' these often still violate the basic rights of millions of Dutch citizens (article 12 NL - Constitution, Art 8 ECHR , Art 12 UNDHR). Examples include electronic heatth records, transportation smart cards and many information processing systems of governments that have been outsourced on foreign soil and/or to foreign companies (such as the database of fingerprints that for many years has been linked to the issue of passports).

Both the EU and the Dutch government have been aware of this problem since the summer of 2001, yet nothing has since been done in the Netherlands to ensure the privacy of citizens or the data security of Dutch public and private institutions. Indeed, much has been done by the government which has greatly exacerbated this problem.

The above points, in my view, mean that a purely 'operational ' approach to project success simply does not cover all the obligations of a democratic government in its role as guardian of the rights of its citizens.

This past weekend, I have viewed the first five videos of hearings and was most impressed by the contribution of Mr. Swier Jan Miedema. He seemed to be the only person genuinely committed to getting to the heart of the problems and saying out loud what he thought (although Prof . Verhoef also make quite a few wise points). The most compelling aspect of his testimony was the obvious fear of specifically naming a commercial party. This seems to confirm what many in the Dutch IT world know: companies like Centric abuse their dominant position in local government for short-term gain including the exclusion of anyone who is a threat to those gains (here another example).

That an IT professional of such seniority has to beat around the bush with a trembling voice is typical of the situation in the 'market' for public ICT. Institutionalized corruption and abuse of power is more associated with a developing country than a democracy.

In the conversations with both Mr. Miedema and other experts several members of the committee asked several times if these people could not suggest what would 'solve' all this. As if the problem was something that could be fixed with some trick. It is worryingly obvious that (two years and 8-12 billion after the start of the Commission) there is still the idea these problems can be solved by changing project-management methodology. Based on my experience, I believe that the problem is much more fundamental. I strongly urge you to look much more widely and more deeply at the problem and to not exclude your own role as parliamentarians in this. No questions or solutions should be taboo. Even if thereby the significant economic interests of above mentioned suppliers or the job security of groups of officials/civil servants must be called into question.

Both Mr. Miedema and Prof. Verhoef expressed the view that everything that happens can be broadly explained by the incompetence that exists in both the government and its suppliers. There are however, limits to the incompetence theory. Somewhere in the process the prolonged and appalling scale of wasting money, endangering the cyber security of the Netherlands and violating the privacy of millions of Dutch citizens has been allowed (or at least not considered an important subject). The fact that the Commission itself over the last 2 + years can spend a couple of hours a week on a problem that costs hundreds of millions of Euros monthly might also be an indication of some inexplicable non-priority. There are many officials, businesses, cybercriminals and intelligence services abroad that greatly benefit from the status quo. Look especially at those who do not come to your hearings.

In the 21st century laws are made reality by software. So it no longer befits a democracy to hand over control of that software to (often foreign) commercial parties. Executive parts of government must be accountable to you ultimately and without control over the technology that underpins their work this accountability is simply not possible.

Obviously I am willing to explain myself further as to above matters.

With kind Regards,

Arjen Kamphuis

June 9th 2014: In The other IT of another Europe I commemorate one year of the Snowden/NSA scandal by describing a scenario in wich other choices were made, choices that are still open to us today...