It has been an intense few months digging through the security failings of the UK Government’s websites and trying to responsibly disclose them. It culminated with a week of blog posts exposing the vulnerabilities - and an award-winning hackathon project.
So what has been the reaction?
Privately, I've been contacted by people within the Civil Service who are working hard to make things better. I wouldn't exactly say they're overjoyed with what happened - but they're certainly pleased that external people are highlighting the problems.
I've sent highly detailed reports to people who should be responsible for these flaws. In the main, they've been very happy to receive them.
I've had one or two "interesting" conversations with people who think that I should leave well enough alone. They fear giving up power to central government. That's a legitimate concern, but when a site owner has demonstrated their inability to perform basic website security, I think it is reasonable to expect them to surrender responsibility to those who are more capable.
I am convinced that some sections of the state are treating this as a serious problem. They are working hard to make things better - it will take a long time, as is to be expected with a large organisation, but a change has started.
The coverage has been fairly widespread - although not as I had expected. It's always tempting to assume that other people understand the narrative vision you're trying to accomplish. I thought that the abandoned websites would get more traction than it did - in the end it was the spoof Michael Gove post which really grabbed the public imagination.
Here is a selection of news sites that I've found talking about the stories.
And the Daily Mail. Although I won't be linking to them!
One frequent comment I got was that I should avoid putting political commentary in my technical blog posts.
- It weakens the argument.
- Some people will be reluctant to share the post.
- My political analysis isn't as well developed as my technical analysis.
- I risk alienating the people who are likely to help.
I see the validity in those arguments. There is certainly a risk that people dismiss the problem because I highlight a specific political opinion. That's a risk I'm happy to take. It is simply impossible to address these issues without exploring the underlying reasons why they have occurred.
I am a political person. The actions our politicians take do affect me. I am aware that my politics are probably not the same as yours, dear reader - but I see no valid reason not to include my political thoughts on blogs which involve politicians and the government.
It's not enough to point out that the Emperor has no clothes - I have to point out that his advisers are in the pay of fraudulent tailors and that his policies have directly led to this disastrous situation. To do otherwise would do a disservice to the argument. We cannot analyse a problem without determining its cause and, when the government is failing to protect its websites, we must look at the political causes.
Politics is the art of making public choices, and we do not make an issue less political by denying that there are choices involved.
Technology is not neutral. Service design is not neutral. Decisions about priorities and resources are not neutral. There are some important questions facing the future government – any future government – about where digital goes next.
[T]hose debates are intrinsically political, because digital is political.
I'm sure I will be returning to this subject in the future. For now, I'm happy to leave it in the hands of those fine people within the state who I know are working hard to resolve this situation.
We have an opportunity to fix this mess - and I like to think that I've played a small part in the process.
Thank you for reading, I hope you have found it useful.