Phil Windley's Technometria

« September 2002 | Main | November 2002 »

October 31, 2002

Spam Voicemails

Dave is getting pissed off at all the political spam voicemails: 

I got a voicemail from Rudy Giuliani, urging me to vote for Bill Simon for governor. At first I thought it was my brother imitating Giuliani. I thought to myself. "That's a good imitation." Then I realized it really was the former mayor of NYC, the hero of 9-11. He didn't leave a number for me to call him back at. I'm starting to get pissed at all these political spam voicemails. [Scripting News]

I'm not nearly as upset with the voicemails as I am with all the hang-ups.  The machines are programmed to only leave a message on an answering machine on the theory that people hate talking to machines, but won't mind listening to one on their answering machine.  So, the calling machines hang up if they get a live connection.  Since the number comes through as "unavailable" you don't know who to get mad at when it hangs up.   Diabolical, huh? 

9:29 PM | Comments () | Recommend This | Print This

XML for Justice

Gae Lyn DeLand, the IT Director in Corrections sent me a note about the Department of Justice's XML standards initiative.  The page includes a large (332 pages) and comprehensive Justice and Public Safety XML Data Element Definitions document which I found to be sobering because of its size and complexity.  The document includes a set of general principles which I think are worth reviewing and included in any such effort:

• Any XML specification developed should be guided by the principles put forth by the World Wide Web Consortium (w3c)
• Internal system representation is not constrained by these guiding principles or the associated data element definitions. The information contained in these documents simply provides a baseline for exchange of information.
• XML Specifications shall be over-inclusive by specifying those elements that may be required by fewer than all participants and making those elements optional.
• XML Specifications shall be extensible.
• Wherever possible, previously developed solutions should be adopted or extended.
• International implications of XML specifications should be considered, and international standards shall be used as guides where possible.
• XML specifications shall be broad enough to accommodate jurisdictional differences.
• When operational requirements dictate differences in specificity, mapping from the more specific elements to the less specific elements shall be made available.
• It is the responsibility of each group to insure that all system-specific features are removed prior to transmission to another group.
• Data elements may contain other elements and may even be recursive.
• Certain complex elements are sufficiently independent and driven by group business rules such that they cannot be used by more that one organization. In such cases the shareable simple elements contained within the complex element are defined.
• For every element, a default minimum attribute set will be available for use. These attribute(s) will, for the most part be optional. However, in specific instances (clearly noted in the Data Element Dictionary) they may be required or have default values.
• Data element content length generally will not be restricted in the Data Element Dictionary. However, there may be some elements for which a maxLength parameter is specified. Further, specific implementations can incorporate maxLength-type parameters for other elements into their schema for validation purposes.
• Generic tag names within complex elements are preferred when the data is clearly the same entity (e.g., state may be used to refer to both the state of the postal address and the state of vehicle registration). Generic tag names should be avoided when the meaning is ambiguous (e.g., number should not be used to represent both a phone number and an operator license number; explicit tag names should be used).

One of the areas that I think NASCIO (still on my mind) could offer more assitance to states is by helping to sort out the various XML standards that are being developed and even intaking the lead in developing XML standards in areas where nothing is happening. 

11:23 AM | Comments () | Recommend This | Print This

October 30, 2002

eGovernment via Business Week

This article in Business Week is an interesting read on the current state of eGovernment.  I don't necessarily agree with all of its conclusions or its assumptions about the current state of the art or what's important.  It also takes a typical "Business Week attitude" on government workers which I haven't found to be true.  Still, there's some good points in it. 

1:10 PM | Comments () | Recommend This | Print This

TechnoVolunteers

I read something on John Patrick's weblog this morning that reminded me of an experience I had.  John makes the point that non-profits need IT expertise and discusses his experience with the United Way:

Today started out with a meeting at the United Way of Northern Fairfield County to help think through some strategic issues with regard to their use of information technology. It is a very good feeling to be able to help non-profit organizations and I highly recommend that all of us do so as often as possible. (read more)

I was a delegate to the Republican party convention this year and so was involved in party work in my precinct.    I was appalled at the lack of IT support that the party provided to the precinct workers and how disorganized things were.  Now perhaps that is the consequence of a lack of competition, but I suspect that the Democratic party isn't any better off. 

If you've thought of volunteering in some capacity at a non-profit, a political party, or even your local government, understand that technical expertise is sorely needed.   There's plenty of room for people who want to give something and with technology you can have a huge impact whatever cause you choose to support.    Get out and get involved; you'll feel better. 

8:33 AM | Comments () | Recommend This | Print This

Transition

This morning's opening panel is discussing transition.  At least 22 governors will change this year.  There could be as many as 35, I believe.  When they change most will also change the CIO for the state since that usually an appointed position.  Most CIOs at the conference have never been through an administration transition and so I'm sure this is a topic on the minds of many here.  Each of the panelists has significant experience with multiple governors.  

Charlie Gerhards (CIO, PA) and Carolyn Purcell (CIO, TX) both talk about the enthusiasm that new Governors bring to the job.  Charlie says that most Governor's come in thinking that they'll change 90% of governor and are happy when they leave if they've change 10%.  Carolyn says that every Governor and Legislator who comes into office comes in with the goal of making government efficient and good, but that they all have different approaches and different areas that they emphasize.  Carolyn has survived three Governors, so she probably understands how to get along. 

Quentin Wilson, Acting Commissioner, Missouri Department of Higher Education makes the point that new Governors what action and impact.   He uses the acronym FIRST to describe his approach to satisfying this need for action and impact:  Focus on a few important things. Do things that have Impact.  Governor's want to be Responsive to constituents.  Governors like Speed.  Technology is the tool for making this happen. 

Marlene Lockard, Vice President E-Government Strategy, EzGov (and a former chief of staff to a Governor and transition team leader) makes the point that Governors understand that the campaign is over and that they need to govern and so they're not as quick to clean house as some might think.  She emphasizes the need to demonstrate your expertise to the next Governor if you want to keep the job.  She says to avoid being political and keep lines of communication open with both sides. 

The audieance was asked whether they thought that a CIO should try to stay on or make way for the next administration.  (There's a nifty little audience feedback system at all these NASCIo conferences.) 70% said they thought they should stay on.  I guess its hard to predict how I'd feel if Gov. Leavitt were leaving and I was in a tansition situation, but frankly I can't imagine wanting to do this job for someone else.  Gov. Leavitt has such a keen interest in technology and understands the impact it can have.  That makes this job interesting and worth doing. 

If you're interested in Federal government transitions, the Plum Book offers some interesting insights. 

8:12 AM | Comments () | Recommend This | Print This

October 29, 2002

Pictures from NASCIO Conference

Here are some pictures I took around the conference at break this afternoon.

Clockwise from the upper left are

• Mark Foreman from the Whitehouse who spoke this morning.
• Rock Regan, the current president of NASCIO and CIO from CT.
• Rich Varn (CIO,, IA), Tom Davies (Governing Magazine), Rebecca Heidepriem (CIO, WI), and Mary Barber Reynolds (CIO, IL). 
• Michaela Mezo from Enterasys and Al Cabraloff from Microsoft.

2:28 PM | Comments () | Recommend This | Print This

Innovative Funding, Total Cost of Ownership and ROI

Moderator: Bob Feingold, Chief Information Officer, Governor's Office of Innovation and Technology, State of Colorado
Panelists: Craig L. Johnson, Associate Professor of Public Finance and Policy Analysis, School of Public and Environmental Affairs, Indiana University
Pat O'Donnell, Vice President-Sales and Marketing, Anexsys
Richard Varn, Chief Information Officer, State of Iowa

Pat O'Donnell is talking about various ROI models.  She cites the following issues that make calculating ROI in the public sector less straightforward than it might be in the private sector:

• agencies must serve all constiuents
• agencies must abide by specific legislation and rules 
• eGovernment initiative deliver on both tanglible and intangible policy goals

She is talking about the following methods:

• Net present value model; chief benefit: simple, chief drawback: doesn't account for soft benefits
• Benefit cost analysis: chief benefit: takes into account soft benefits;
• Cost-effectiveness model: CEA=Total Benefit/Net Total Cost

Net present value is not appropriate if the answers to these questions is "no":

• Are benefits and costs predominantly private and social?
• Are the benefits tangible or intangible?
• Can intangible benefits be quantified and agreed upon?

Craig Johnson is speaking on public sector finance models.  Net benefit or consumer surplus is the difference between the cost and what someone would pay.  Apparently is a fairly well understood model of public sector finance.  Consumer surplus can be used to set prices, particularly in G2B solutions.  Craig apparently believe pretty strongly that fees are appropriate in many cases. 

Richard Varn of Iowa has strong ROI program.  Rich makes a few interesting points:

• Technology is about reducing the amount of labor directed at certain activities. 
• Many people end up in jobs they have little preparation for (i.e. training is important)
• If you want savings, you have to change behavior.
• Richard thinks there are eight primary areas of government and seven operational responsibilities (wish I had a link here).

12:12 PM | Comments () | Recommend This | Print This

Roman Goddess

NASCIO, in addition to being an organization of state CIOs is the name of one of the Roman goddesses of birth. 

11:47 AM | Comments () | Recommend This | Print This

In Honor of the GIS Panel

In honor of the GIS panel that I just listened to, I note that the location of this NASCIO conference (Hyatt Regency Station) is N 38 degrees 37.770' W090 degrees 12.556' and 578 feet above sea level.  Here's a map (which I found by typing the hotel's phone number into google; the easiest way I know of to turn a phone number into a geographic information.)

11:19 AM | Comments () | Recommend This | Print This

Schema Controlled XML Editing

Reading Jon Udell's weblog, I ran across the Xopos XML editor.  I clicked on the demo and within minutes was editing XML inside my browser.  I haven't played with it extensively, but what I did do was pretty neat.  The editor is fairly comprehensive; you can edit the content of cells and move them around (subject to the schema) without ever seeing the XML or even knowing what XML is.  It was smart enough to warn me when I left the page with unsaved changed (something I've fussed with in other browser based editors).   If you've got data you want entered or edited in an XML structure, this may be a good tool to look at. 

9:59 AM | Comments () | Recommend This | Print This

GIS and a National Map

I'm in the GIS breakout session.  Kari J. Craun, who is Chief, Mid-Continent Mapping Center, US Geological Survey, and a cartographer by trade is speaking about a national map.  The topological maps that we all know and love are apparently 25 years out of date.  The USGS has a project to produce a "national map" that would be a seamless, continuously updated set of geospatial information built from orthorectified imagery, land cover, elevation, geographic names as well as vector layers for transportation, hydrography, structures, and boundaries. 

One of the drivers is, not surprisingly, homeland security.  Someone who trains on a map in one area (and remember this many not be a piece of paper) and then gets moved to another area to respond to an emergency ought to be able to pick up the map in that area and have it be the same in terms of meta data.  I think homeland security will be the interstate highway system of the new century.  Much will be done under the auspices of homeland security which will ultimately have many other benefits to citizens.  You may not remember, but Eisenhower proposed the interstate highway system as a defense logistics system during the cold war.  Clearly its use and benefits has far surpassed that initial goal. 

9:49 AM | Comments () | Recommend This | Print This

Federal Enterprise Architecture and eGovernment

Mark Forman, Associate Director for Information Technology and E-Government, U.S. Office of Management and Budget is speaking about the use of enterprise architecture in the federal government.  Mark has been very good about working with the states and recognizing that there is a great asset and huge constituency in the state CIO offices. 

One of the tings I like about the federal eGovernment vision is that its not just about 24x7 availability, but also says that it will deliver decision in minutes or hours instead of days or weeks.  I like it for two reasons:

1. It focuses on what citizens really want: quick service, not just availability.
2. It drives business process re-engineering.    

I think that overall we've been pretty good in Utah at understanding this issue, but I don't see it explicitly stated anywhere.

Mark is making the point that we do eGovernment because we live in a world of interdependencies.  This is a good point.  eGovernment is a much deeper concept than just putting a web page up to conduct transactions with citizens: its about the interdependencies.  This is the basic fact that drives the move to cross agency, citizen centric applications.   Mark brings up the example of homeland security.  Homeland security is about interoperability, not just for voice, but for data.  That goes well beyond sending email from first responder to first responder.  It implies getting the right information to the right person at the right time.  Our first responder portal project is right in line with this. 

Some slogans:

• Buy once, use many
• Collect once, use many
• When eGovernment is broken, its visible to everybody

Project SAFECOM is a new mobile data interoperability project that includes voice, but not as a the primary driver.  Mark says that he's gone through several program managers looking for someone who understands the issues.  He says he had to get away from the voice people because they didn't get data, but data people see voice as just another kind of data.  He also had to find a program manager who understood that consensus didn't include lobbyists.  You can only imagine the pressure from companies who see controlling this project as the key to sales to thousands of public safety departments around the country. 

Forman talks about their governance process and how he manages agency IT.  Each agency is evaluated on the following criteria as part of the budget process:

• Modernization blueprint -- enterprise architecture
• Business cases -- Capital planning and investment control done against blueprint
• IT program management
• IT security

Mark's staff is charged with helping each agency get to green on these areas.  His deputy manages this process.  Laggards in security, for example, won't get funds released until the fix is part of the plan and the capital planning process.  The results of the quarterly evaluations against these areas are reported to the Cabinet by the President.  Each agency has a CIO who has to report, by law, to their agency heads.  Part of their overall process is about building cross agency teams since the lines of business that cut across agency lines.  Because there are multiple agencies per line of business, the chief operating officer of the enterprise has to take responsibility for deciding who is to take ownership for fixing a line of business.  Man, does this all sound familiar! 

7:48 AM | Comments () | Recommend This | Print This

October 28, 2002

Information Security Coordination

Matt DeZee from AMS (and a former state CIO) is talking about the desirability of the creation of a center for coordinating information security information among the states.  Apparently there is a plan to do this.  The theory, of course, is that we all see the same kind of attacks and could help each other by cooperating.  He tells the story of getting a report from his CISO that his state was getting scanned and then showing up the next day at a NASCIO event and finding that 4 other CIOs he talked to had had the same scan the day before.  One could argue that there's nothing special about the states and that we should just throw in with other private and public entities. Nancy Wong from the Commerce's Critical Infrastructure Assurance Office says, however, that its common for different industry sectors set up independent efforts and then create bi-lateral agreements to share information so that each office can respond to the unique nature of the sector.     

4:09 PM | Comments () | Recommend This | Print This

NASCIO Blogs

My number two referrer on my blog today is a google search on "nascio blog."  I'm apparently the only one, but there are at least a dozen people looking for them.   I've run into a few people here who read my blog regularly, including other CIOs, but no one who is writing except for me.  As an aside, there's no WiFi access here, so without my Sprint wireless network card, I'd be out of luck.  

3:48 PM | Comments () | Recommend This | Print This

Chartered Projects

I'm listening to the Homeland Security panel:   Robert Clerman is speaking and talked about Gov. Leavitt's role in homepland security.  He specifically talked about "chartered projects" in speaking of Gov Leavitt's proposal.   So, while I get asked over and over again in Utah what a "charter" is, it is apparently getting some traction on a national level. 

3:43 PM | Comments () | Recommend This | Print This

Autonomy: Using Unstructured Data

I was going to go to the session on finance, but ended up not making it because I stopped to spend some time with some folks from Autonomy Systems and by the time I got to the session, it was beyond full.  Oh well, Autonomy was probably more aligned with my interests anyway.   

Autonomy allows one to find information by concept in unstructured data using a combination of "bayesian inference and Shannon's information theory."  Its been a long time since I studied either one of those, so that didn't mean much to me.  I found this document on their site which was much more helpful.    Autonomy is a British company and it shows when you see stuff like this.   I've often joked that British universities couldn't afford computers so they actually studied Computer Science.    

The reason for my initial interest is that Autonomy Systems recently signed a deal with the Office of Homeland Security as reported recently by the Wall Street Journal (and a company press release).  We have a project to create a first responder portal as part of our homeland security project and we need a way link information so that they can see what's relevant, not just by job function or location, but stuff that's related to what they're interested in right now.   My first thought is to throw a Google appliance at the problem, but Google's method of determining relevance may not be relevant in this case.  Something like what Autonomy has to offer might be just the ticket.

The same could be true of indexing internal data as well.  For indexing public data Google's algorithm works pretty well: I'll find interesting what most other people found interesting.  For private data or data that doesn't have a lot of interest but may be very relevant to the current problem, that algorithm doesn't work as well.  Google relies on the fact that there are lots of sites linking to lots of other sites to create relevance data.  That's not necessarily a good basis in some cases. 

Maybe we should do a bake-off: get a Google appliance, an Autonomy DR engine, and any other interesting technologies and run them against our data and study the effectiveness of the results.  I'd bet we could get the companies to donate the systems (maybe not) but we'd have to get a grant or something to pay for the set up, research, etc.   Any takers?

2:13 PM | Comments () | Recommend This | Print This

Statewide Networking for Government and Education Panel

Moderator: Laura Larimer, Chief Information Officer, State of Indiana
Panelists: Shaun Abshere, WiscNet, State of Wisconsin
David King, Indiana Higher Education Telecommunication System
Bill Mitchell, MOREnet, State of Missouri

Shaun Abshere is talking about an organization that I'd never heard of called StateNets.  StateNets is an organization of non-profit and public groups that manage state K-20 networks.  Our own UEN, for which I'm on the steering committee, is a member.  He is giving some impressive composite statistics about the member networks.  Our state uses our education network as our ISP.  This is just one form of cooperation that exists between UEN and the state network managed by ITS that saves costs.  There's probably other avenues we should pursue as well.   

Bill Mitchell is showing a video on Missouri's state education network.  A few things on the technology side that look enviable include smart boards in each class room and one PC for every two students.  The video also shows how technology is being used in the classroom and I think is quite compelling.  It makes the case, through several examples, about how teaching styles can change to one that encourages students to explore the information themselves in ways that they can't in a traditional classroom.  For example, gather data, graph it several ways, and then make a judgment as to which presentation is more meaningful and what conclusions can be reached.  I've seen this in my own children's as I watch them use Google to do homework.  I wish I'd had the web when I was a kid.  I can remember spending hours at the public library trying to find information about electronics and being sorely disappointed. 

Apparently, state education networks are now allowed to join Internet 2 and 25 states have done so.  Utah is not among them even though I know that the University of Utah is a participant.  I wonder why that is?  They are discussing the speed of the network and the kinds of things that it enables in education.  Of course, the other side of that is that it put incredible pressure on the state's internal network to keep up.  I hear, from time to time, laments from UEN steering committee members and others (including the legislature, I'm sure) about the bandwidth increases and the costs of carrying the traffic that results from people using the network.  Its clear to me from watching technology trends that we're really just getting started.  At some point we'll see MP3 file sharing (at least from the bandwidth viewpoint) as a non-issue because students will be sharing DVDs.  Reminds me of when the University of Idaho tried to shut down online interactive games because of the bandwidth it required (at the time Idaho had a 56K line that we shared with Washington State University).  Now, I'm sure interactive games are not even a blip on the network. 

12:22 PM | Comments () | Recommend This | Print This

Privacy: Good and Bad

I did a little reading at lunch in The Transparent Society by David Brin.  Brin sets forth the following and calls it an "accountability matrix:"

1. Tools that help me see what others are up to.	2. Tools that prevent others from seeing what I am up to.
3. Tools that help other see what I am up to.	4. Tools that prevent me from seeing what others are up to.

His contention is that people see boxes (1) and (2) and good and boxes (3) and (4) as bad.  What what society needs is boxes (1) and (3) since that creates accountability.  Further, society should eschew boxes (2) and (4) since that pits citizens against each other in "an arms race of masks, secrets, and indignation. 

12:13 PM | Comments () | Recommend This | Print This

Enterprise Architecture Panel

Moderator: Gerry Wethington, Chief Information Officer, State of Missouri
Panelists: Carey Brown, Information Resources Manager, Kansas Information Technology Office
Theresa Lynn Hadden, Senior Internet Architect, Fairfax County, Virginia
Venkatapathi Puvvada, Chief Technology Officer, Unisys 

Carey Brown talked about the implementation of the Kansas Criminal Justice Information System.  I think the idea was that it was a successful implementation based on an enterprise architecture toolkit, although somehow that point didn't seem to come out in the talk.  Still, the recitation of the project was interesting---if nothing else it emphasizes the nature os projects in the public sector: wide range of clients, wide range of sizes, multiple legacy systems, processes that must keep going, and few resources.  

Theresa Hadden is talking about Fairfax County's efforts in the Information Domain (part of an enterprise architecture).  She says 80% of her data is unstructured (not in databases).  I'm surprised its that low.  They are using a content management system to help manage all this data and moving all HTML pages onto the CMS.  Metadata plays an key role in repurposing unstructured data for other uses.  She wants a call center person to be able to access structured and unstructured data in answering citizen questions.  For example, if someone calls up with a tax question, can the call center people have access to emails that have been sent regarding that citizen's taxes?  This rings some bells with me.  First, we're in the middle of deciding policy questions regarding the status of email as a public document.  Second, I'd love to be able to google my own email.  Wy not my co-worker's email as well---at least that related to work.  That's a big challenge with some interesting payoffs since much of the information we've got is now tied up in email messages that are unavailable as a data source. 

Venkatapathi Puvvada, who goes by "PV". is talking about business architecture and makes the statement that it is the key to business process integration.  Central to this concept is that that we must become citizen centered, not agency centered.  I think this is a concept that is lost sometimes.  Frequently, when we talk about driving IT from "the business" too many think we're talking about agencies.  The problem is that that just perpetuates the old stovepipes.  The federal government found, for example, that there were, on average, 10 cabinet agencies involved in each "line of business" that the federal government is involved in.  That's largely true of the states as well, although the numbers may change.  A good example of where we're overcome this to some degree is criminal justice.  When we view criminal justice as a line of business and then bring agencies to the table who are involved with criminal justice we're getting closer to building a business architecture that is correctly focused.  

10:07 AM | Comments () | Recommend This | Print This

Steve Cooper on Homeland Security

Steve Cooper, from the Office of Homeland Security (OHS), is the keynote speaker this morning.  I blogged his talk at the Western CIO Summit in Breckenridge this summer. 

Steve is discussing the OHS national strategy for homeland security---not necessarily the particulars of the strategy, but how it serves as the primary driver for an enterprise architecture. 

Interstate System for Sharing Information

Steve talks about using the word "interstate" instead of "national" to describe an information sharing infrastructure.  I think its important to remember that the interstate highway system (Steve's analogy) was built by the states with federal dollars to federal specifications.  I think that would work here as well, but the feds need to recognize that.  Steve talks about linking money to

1. Compliance with enterprise architecture
2. Performance metrics
3. Standards

and having state CIO's responsible for these.  I agree. 

Specific Focus Areas

Steve talks about the following focus areas for what his office is working on:

1. Wireless data
2. Public health
3. Geospatial data
4. Pilot projects
   1. 3-6 months duration
   2. less than $1M
   3. cross agency (different functional areas and different levels of government)

[As an aside, I had a much better set of notes on this and accidentally deleted them before they got posted.  One of the few real complaints I have about radio (and one that's not easily addressed except by user vigilance) is that the browser based editor has some quirks---one of them is that if the browser gets sent somewhere else accidentally, the contents of the window are lost.  Oh well...]

9:01 AM | Comments () | Recommend This | Print This

October 27, 2002

Deja Vu All Over Again

We just the part of the meeting that is both interesting and somewhat depressing: each new CIO introduces themselves and discusses the issues that they're facing.  Every CIO here is facing many of the same problems.  What's depressing is that this is the third time I've been through it and each time its the same issues. 

3:20 PM | Comments () | Recommend This | Print This

Public Health Infrastructure

Morris from Dept. of Health and Human Services is talking about IT infrastructure for public health.  In the face of some skepticism (not from this crowd, but others) he quotes a 1902 article from Harper's Weekly:

The actual building of roads devoted to motor cars is not for the near future, in spite of many rumors to that effect...

He envisions a "weather channel" for public health information that would give real time reports on disease similar to the way to we get weather reports.    Most people outside the government would probably be surprised to learn that there isn't a real time public health infrastructure.   

2:06 PM | Comments () | Recommend This | Print This

NASCIO Member Session

I left home this morning at 4am (daylight savings time is my friend) so that I could get to St. Louis in time for the four hour NASCIO member's session this afternoon.  This is a business session that is about NASCIO as an organization whereas the rest of the conference is about issues, technology, policy, etc.  There are about 30 CIO's here. 

After going over the new strategy document, Gerry Wethington (CIO, MO) presented the business plan.  The business plan is a good document that identifies major areas of emphasis and where the dollars will come from for those areas.  This conference is apparently going to be well attended and this finances look pretty good for now. 

One of the pieces of business is the election of the officers for the next year, a process that seems more like common consent that an election.  The executive committee puts forth a slate of candidates and we say "aye." 

We're in the middle of the Washington Update at the moment including topics on federal legislation, budgets, and NASCIO's DC outreach efforts.  We'll hear from Health and Human Services and Homeland Security next.  

1:08 PM | Comments () | Recommend This | Print This

October 25, 2002

Utah County: The Most Wired Place in America?

OK, maybe not the most wired place in a America, but getting pretty cool.  Utah county is the second largest county by population in Utah and just south of Salt Lake.  Utah county is home to Novell and (formerly) Word Perfect and has a large high-tech base.   This morning I had a meeting with representatives from American Fork City, Spanish Fork City, Provo City, and Utah Valley State College about the Utah Valley Community Network.  These three cities and the college have built or are building fiber out to the homes of their citizens and are starting to offer services, at least on a pilot basis.  The services include basics like Internet service and cable, but also the other things you'd like to see such as telephony and video on demand.  There's more...

About 10 months ago, I met with this same group and talked to them about exchange points and the value I see in lot of exchange points.  I think exchange points are one of the most subtle and least understood aspects of the Internet and one of the keys to building networks that provide real value.  As an aside, exchange points become more valuable as more of the network traffic is P2P---an issue I don't think many have written about.  They took my points to heart and have established an exchange point that includes all these entities as well as Utah County and a few others.  Entities like Brigham Young University and Novell will be able to participate through the first tier members.  They buy Internet service at the exchange point and exchange packets with each other.  

So, for example, if you're a student at UVSC living in Spanish Fork (12 miles away) taking a video course your packets stay local rather than going out onto the Internet and being routed through Denver or San Francisco.  UVSC is also piloting a program where employees living in American Fork, say, can have their campus telephone extension ring at their house, if they choose.  Soon companies like Novell will be able to do the same thing.  As another example, they all share a single cable head end and transfer programming to each other via fiber. 

This is how great things happen: a few peopleof people with some vision and a few resources getting together and creating something cool.  I'm sure I'll be writing more about this as it rolls out and they get more experience.  I'm anxious to see projects like Utopia layer on top of this---that will bring in another large segment of the population.

1:14 PM | Comments () | Recommend This | Print This

October 24, 2002

ITC Direction to CIO on IT Strategy

Today the Information Technology Commission directed the CIO to develop a 2-5 page "vision" statement for IT in the State of Utah as a precusor to developing a larger plan.  The doucment is to be presented at the next ITC meeting on Nov. 21st.  I'm planning on the ACIOs providing a great deal of input into this document even though the ITC specifically stated that they would accept a document without agency input at this point. 

I shared the notion of enterprise architecture with the group since I believe ITC is the right body in state government to encourage and endorse an enterprise architecture.  I've distributed both the NASCIO Enterprise Architecture document and the Federal Enterprise Architecture information.   

Kevin Van Ausdal, the DCIO for IT, and I will be attending the semi-annual meeting of NASCIO in St. Louis next week and I'm sure that this topic will be discussed in some detail.   I'll be blogging the conference, so if you're interested in this, stay tuned. 

3:07 PM | Comments () | Recommend This | Print This

October 23, 2002

Executive Appropriations Testimony

In case you didn't get a hand out, here is the text of the testimony that Camille Anthony, Karen Okabe, and I presented at Executive Appropriations yesterday in response to the recent legislative audit.  This whole thing has gotten kind of kafkaesque. 

10:20 PM | Comments () | Recommend This | Print This

October 22, 2002

Round 2.0

I got a few complimentary issues of a magazine called Context recently.  Not a bad 'zine, but I've got too much to read already, so I didn't pay a lot of attention.  Still, an article called "Round 2.0" by Andy Lippman caught my eye.  In speaking of the dot-com boom, he says:

The problem with likening the dot-com boom to the 17th-century Dutch tulip insanity is that, now that the bust has come, many companies think they can go back to sleep. To them, the threat is over: Dot-coms did not generate a New Economy, they did not rewrite the rules of business, life as we know it did not end. The fear that any evanescent new idea would destroy the current mode of operating is past.Wrong. The challenge is not gone. It is just beginning.

To make his point, Andy talks about advertising, telephony, and media distribution.  His point on advertising is that technology like TiVo changes how people watch TV.  If you don't have a TiVo, you may not quite understand.   I don't watch TV anymore, I watch TiVo.   Its more than just being able to fast forward through advertisements.  Its about who controls content, at least who controls when and where its watched.   

6:56 AM | Comments () | Recommend This | Print This

October 18, 2002

Transparency and Metrics

I'm just starting The Transparent Society by David Brin.  I'm only to page 20, but its already fascinating.  The subtitle of the book, intentionally provocative, is "Will technology force us to choose between privacy and freedom?" 

The gist of the first part of the book is that, as a society, we use freedom of information or "information flow" to drive accountability.  Two interesting points from the book so far:

Whenever a conflict arises between privacy and accountability, people demand the former for themselves and the latter for everybody else.

...[T]wo opposing traits that occur in ...modern privacy debates:

A. One party believe that another group is inherently dangerous, and that its potential to do harm is exacerbated by secrecy.  Therefore, accountability must be forced upon that group through enhanced flow of information.

B. The other party argues that some vital good will be threatened by heightened candor, and hence wants the proposed data flow shut down. 

The book points out how entertaining it is to watch groups take these positions alternately on different issues depending on "whose ox is getting gored."   

I've written on transparency before.  I believe its crucial to a proper functioning organization.  Part of my belief in blogging stems from a belief that people ought to know what I'm thinking on issues, even when its not popular.   

Metrics and dashboards are really this same issue.  Metrics shine the light of information onto an organization and provide accountability.  I've challenged ITS to develop metrics to measure its performance and to make them equally available to customers as well as staff.  I challenge agency IT shops to do the same thing.  Measure how you're doing and publish it to the world. 

11:50 AM | Comments () | Recommend This | Print This

October 16, 2002

WSIL is RDF for Web Services

A good article by Tim Appnel called An Introduction to WSIL calls WSIL the RDF for web services.  I've advocated the use of WSIL to advertise the presence of web services at the State.  Its simple and easy to do.  What's more it can be used in conjunction with UDDI if that becomes the prefered method for advertising web services. 

8:23 PM | Comments () | Recommend This | Print This

Tim Oreilly is a Stud

I just ran across Tim's talk on Inventing the Future.  Great stuff. 

4:09 PM | Comments () | Recommend This | Print This

IM Bots

A couple of months ago, I wrote about IM bots because the idea intrigued me and I think it would be a neat way to offer some interactive information on Utah.gov as well as internal applications like help desk.  Joe Heck turned me on to some other resources that are pretty interesting:

• DJ Adams has an article about ChatBot, a Jabber bot written in Perl using the Net::Jabber libraries. 
• Infobot is a daemon that connects to IRC servers and can be customized to conduct various chats.  IRC isn't IM, but its still interesting. 
• An article in The Perl Journal by Kevin Lenzo has a number of links and information about various bots for IRC (again with the IRC). 

I guess before we worry about an IM Bot, we ought to get an enterprise IM solution.  I've seen IRC used to great effect as an enterprise tool and feel like we're missing out by not supporting it more widely.  Not sure where we need to go to get there.  Its hard to drum up interest among a large enough group of people because not many of them use IM.  On the other hand, I'm hesitant to suggest it widely without a secure way for employees to use it in their work.  A classic chicken and egg problem. 

3:37 PM | Comments () | Recommend This | Print This

October 15, 2002

The Truth about Excite\@Home

Recently, there has been much confusion about my previous occupation to the extent that I'm thinking getting my birth certificate changed to Phil Windley, former owner of now defunct Excite\@Home. Some, including the press, have started to question why the State is taking advice from someone who "ran his company into the ground."  For the record, here's a brief synopsis of the facts:

In 1994, I and a partner started a company called Electronic Marketing Services and started an online shopping mall called imall.com.  In 1995 we sold EMS to a company which eventually became iMALL, Inc. 

In 1997, Richard Rosenblatt took over as CEO of iMALL, Inc., determined to turn it into an ecommerce company.  He raised $20 million in private placement capital on the basis of a business plan that Steve Fulling and I drafted in my basement.  As a result, he asked me to leave BYU and come on board as Chief Technology Officer.  Steve was Vice President of Engineering.

Starting in January of 1998 with 3 technical employees, Steve Fulling and I built a technical team that within 18 months numbered nearly 150 people.  We had the money and options to hire the best people available and we did.   We designed, built and operated large n-tier ecommerce applications and learned just what it takes to make these things operate reliably.  

In October 1999, largely on the basis of the technology that iMALL had developed, iMALL, Inc. was bought by Excite\@Home, a large public company, for $425 million. 

Our division, now part of Excite\@Home, went from $4 million in revenue in 1999 to $20 million in revenue in 2000 and was EBIT positive to the tune of $3 million, one of the few profitable divisions in Excite\@Home. In 2000, our team built a full featured ecommerce application in less than three months (on time and under budget) that was reliably serving 50,000 merchants within 6 months.

As part of my activities as a high tech executive in the state, I became acquainted with Governor Leavitt during the year 2000, and in November 2000, he asked me if I was interested in serving as Chief Information Officer.  After many conversations with Rich McKeown, the Governor, and others, I left Excite\@Home in March 2001 to become Chief Information Officer of the State of Utah.  Excite\@Home filed for bankruptcy in September 2001.

So, I wasn't owner, president, or even a little bit in control over Excite\@Home's fate. I wasn't even there when it all ended.   I just worried about our division hitting its numbers and---with the help of a lot of people---we did.  Everytime. Sometime, if you're interested, I'd be happy to fill you in on my take of why Excite\@Home went bankrupt.  Its got plenty of intrigue.

11:21 PM | Comments () | Recommend This | Print This

Standards

This article from the Associated Press (via the Salt Lake Tribune) is about standards.  Surprisingly, it ran on the front page---must have been a slow news day.  Apparently, October 14th was national standards day.  If I'd have known, I'd have baked a cake and worn a costume.  At any rate, the article gives a number of good examples about why standards are important---they are the key to interoperability, a catch phrase these days what with eGovernment and Homeland Security issues. 

9:58 PM | Comments () | Recommend This | Print This

Blogging in Utah

This Salt Lake Tribune article by Mary Malouf is about blogging in general and features several utah bloggers, including me.  Overall, I think the article does a good job of describing the blogging phenomenon and what makes it different.  Mary and I had a fairly lengthy conversation and I have to say she really seemed to get it.  The best thing about the article is that unlike a lot of things printed about me in the paper lately, most everything in it is true!  As an aside, JOHO, the Blog was on the computer screen in the art piece that accompanied the story. 

8:02 PM | Comments () | Recommend This | Print This

October 14, 2002

Utah's IT Plan

Last August, the Governor sent a letter to IT workers in the State outlining his plan and vision for conducting cross-agency eGovernment and IT projects.  In the intervening time, we've conducted meetings, formed groups, gotten Cabinet approvals, and worked through a lot of the details.  I and others have written several times about some of these meetings.  Now, to try to pull some of it together, I've written a white paper on Utah's IT Plan that gives some more detail.  This process will continue to evolve as we work through the issues. 

10:56 PM | Comments () | Recommend This | Print This

ZDNet Article on Open Source

I'm quoted in this article in ZDNet News on open source.  The article probably makes it sound like we're contemplating a move to Linux or OpenOffice here in Utah.  Such is not the case---there are a lot of hurdles to overcome in moving to Linux or OpenOffice.   At this point, I'm more inclined to open source solutions on the server side and, in some cases, clients on the desktop.  Here's what would change my mind:

User demand.  If an agency got tired of paying license fees to Microsoft and wanted to make a move to Linux or OpenOffice, I'd support it.   What would it take to succeed?

• Careful planning 
• Flexibility
• Pilot programs
• Executive management support
• User training (maybe the most important factor)

 

10:07 AM | Comments () | Recommend This | Print This

October 11, 2002

Virtuoso Performance as a Measure of Organizational Maturity

Mary Shaw of Carnegie Mellon University talked about "virtuoso performances" in the engineering world about ten years ago in an effort to define what she meant by engineering.  The idea is this: engineering is a system of processes and procedures where normal people can perform quality work.  Without engineering, you're left to rely on virtuoso performers to accomplish the task.  The problem obviously is that there are a lot fewer virtuoso performers that normal folk. 

Think of it in terms of building a bridge.  Hundreds of years ago, building a bridge was an art practiced by people who did a good job of building bridges but couldn't really tell you how they did it.  Now, we can teach almost any bright person (who has a few math skills) how to design a bridge that won't fall down.  That is engineering. 

As we strive for high availability in our computing services and greater reliability in our process, we will have to build processes that reduce the number heroic measures undertaken by virtuosos.  In fact, I think you could measure the virtuoso performances and heroic feats in an organization and come up with a good feel for the organizations maturity: they're inversely proportional. 

Organizations with immature processes rely almost exclusively on heroic measures to achieve their goals and keep their customers happy.  The problem is that its almost impossible to sustain: there just aren't enough virtuoso performers and they get burnt out.  What's worse, organizations come to rely on rewards to the virtuoso performers as a means of trying to solve problems.  Mature organizations, on the other hand, reply on processes that allow almost any intelligent person to be trained to deliver excellent results reliably. 

I've got nothing against virtuoso performers or rewarding them for their efforts.  We need them and their talent.  I just think we ask too much when we rely on them to sustain our systems in the face of ad hoc procedures and processes.  Its not fair to them and it doesn't keep customers happy. 

Ask yourself how many times your organization has relied on heroic measures in the last three months to keep its clients and customers happy.  What do you think could be done to change the situation and come to rely on a mature process instead? 

1:23 PM | Comments () | Recommend This | Print This

Digital Identity: Where are the People?

At the conclusion of several days of immersion in the world of digital identity, I would ask the question: where are the people?  Here's what I mean:

Most of the companies at Digital ID World don't seem to really care about linking identity to people.  That is, they are content to have an identity with the appropriate attributes attached to it.   Let me give an example: when you present your credentials to a web site to purchase something, they don't care about the meat attached to that identity, only that it has a proper credit card number and an address to which to ship the goods.  The same is true for digital rights management (or, as Doc says: "digital restrictions for monopolies").  Digital rights management is about anything but people. 

For most applications, the question of tying identity to people is relegated to a question of security.    I want my identity secured, so that only I can use it.  That's not an identity problem, its a security problem.  Technology like passwords, smart cards, and biometrics are used to protect identities, which comes down to tying the identity to a particular person. 

Now, consider some applications where we do want to tie identity to a body.   Suppose, for example, that you want to set up a system to serve people with court documents online.   Another example would be closing an online mortgage.  Most of the examples I can come up with have a legal aspect.  We want to tie the identity to a body because later we may need to take that body to court or arrest it on the basis of something that that body did with its identity. 

Notice, as an aside, that digital certificates work very well in these kinds of scenarios, as long as the digital certificate has been carefully issued and protected (neither of which are great assumptions).  

My most extreme thought in this direction is that the courts, at least criminal ones, are, in the abstract, a system for tying identity to a particular body.  If you think of the attributes surrounding a perpetrator as an identity, courts are used to link that identity to a suspect (or body) so that they can be put in jail.  Put that way, linking identity to a body is a very time consuming, expensive, and imperfect proposition in many cases. 

That leads me to a conclusion that I've stated before: government has to be and will be in the identity business.   Governments care more than most about tying identities to bodies than most and will act to ensure that its possible...eventually.  Just don't hold your breath. 

11:36 AM | Comments () | Recommend This | Print This

October 10, 2002

FWIW

For what its worth: according to my GPS, the Hyatt Regency Tech Center is a N 39 degrees, 37.820' W 104 degrees 53.896' and its elevation is 5692 Ft.  And with that, I'm off to the airport. 

5:12 PM | Comments () | Recommend This | Print This

Conference Extracurriculars

Digital ID World is on my list of favorite conferences this year.  I think Phil, Andre and Crew did a great job of putting together a forum that is entertaining, informative, and most importantly, a great place to meet and talk.  I spent the afternoon looking in on the vendor exhibit hall and talking to people.  Here's some of what I saw and heard:

• I talked to Andre Durand (of Jabber fame) about PingID.   PingID has aspirations of being the Visa of the identity world.  Someone needs to do it.  He also envisions services (such as risk scoring) that I think are analogous to the kinds of things FirstData Corp. does in the financial services world. 
• I talked to John Maffei from Microsoft about Passport.  I've avoided signing up for passport myself (even going so far as to refuse to activate the eBook reader on my iPAQ because it required a Passport account).  Still, as I've blogged before, Passport, AOL screenname, and the like represent real ways for utah.gov to connect to some citizens. 
• I stole a t-shirt and packet from ePresence.  Still not sure what they do.  :-)
• I saw a great demo of an enterprise level IM tool from Communicator, Inc.  As I've blogged before, I think IM could be an important tool in the enterprise---I use AOL IM at work all the time---but I would like to see a secure solution that connects to the Utah Master Directory. 
• I talked to Brian Armstrong of OneName about their product.  Still can't say I really get it---lives somewhere above authorization services---but its based on XNS which sounds like something I need to spend some time on. 
• I got a tech-talk from the Netegrity folks about SiteMinder and how it works.  We use it at the state and I now feel like I'm in a better position to make decisions about how and where we use it. 
• Alex Tosheff from St. Paul Venture Capital is a guy I met at lunch.  Great guy---I got some good ideas on home based computing infrastructure from him.  He introduced me to Jothy Rosenberg of GeoTrust.    Jothy and I hit it off on several levels.  First, his company offers a way to sign things with digital signatures without the user ever having to know about the digital signatures.   Reminds me a little of NxLight, a Utah company.  He showed me a demo of their tool which uses personal information gleaned from drivers records and credit records to ask the user questions as a way of establishing identity so that they can issue a one-time use digital signature.  Pretty cool.  On another level, he's also a former Computer Science professor turned business person.  We talked a lot about academics, how business experience could inform our future roles as academicians, and how theory is important for CS students. 

The best part of the conference is often the stuff that happens outside the conference hall and this was no exception.  The Digital ID World folks did a good job on the more social part of the conference and seemed to recognize this as an important feature.  I'm grateful for a fulfilling experience. 

4:30 PM | Comments () | Recommend This | Print This

Digital Right Management

David Weinberger is moderating a panel on digital rights management. 

Denise Howell spoke about the legal aspects of digital rights management.  She made the point that DRM moves the payment to a per-use rather than a per-copy basis and this changes in fundamental ways, the relationship we have with content providers. 

Bala Vishwanath talked about how newspaper companies tried to discourage people reading someone else's newspaper and failed but succeeded, as a business, by adding coupons, etc. to the paper.

Brad Brunell is the director of trusted platform technologies at Microsoft.  He's the guy whose name I didn't get yesterday at lunch.  He takes abuse well.  Probably a job requirement given what he does and who he works for.  Dave is beating him up a little right now.  The question: why now (for DRM)? 

Ken Kingenstein works for Internet2.   Ken makes the point that analog rights management doesn't translate well into the digital world.  He asks how do we enable appropriate access and use instead of how we control access or protect copyrights. 

Dave makes the point that DRM takes away much of the wiggle room that people have traditionally had with respect to copyright law and makes things rigid.  Brad pointed out that we content providers would have the make a policy that allows that.  I think that this conversation ties in with the quote from Dan Geer I posted yesterday:

If the access control matrix eventually scales out of reach. What then? I submit that where the geometric scaling of access control will kill it in the end, accountability stands ready. This is not to say that I like pervasive, universal accountability, per se, but the only reason a free society works is that you can pretty much do anything though if you screw up badly we will find you and make you pay. Accountability is like that, i.e., it is a log processing problem. 

To date we have used accountability and this shifts the problem to one of access control lists.  That's a seismic change and may not be possible (per Geer).  This will force content providers to default to "lock down" and we'll lose the wiggle room we've traditionally enjoyed. 

Ken makes the point that we've enjoyed 4000 years of anonymous reading and he'd hate to see us lose that.  I agree. 

12:09 PM | Comments () | Recommend This | Print This

Privacy and Customers

Martha Rogers (1to1.com) is talking on privacy and customers.  I'm really enjoying the talk.  Here are some thoughts from her:

There are no successful companies without customers, so companies need to:

• get more customers
• keep more customers
• grow them into bigger custormers

Viewing the customer base as an asset, the customer base is the single best measure of the value of the company itself.

Random acts of kindness by customer-fiendly personnel are not the same as customer centricity

If I'm a successful company I need to know something about you that my competitors don't know and use that to do things for you that my competitors can't do.  Going to a competitor requires reinventing the relationship.

Focusing on relationship equity will refocus the company on people.   So, is privacy about compliance or is it about relationships with customers? 

Companies must:

1. Identify customers, individually and adressably.
2. Differentiate them, by value and needs.
3. Interact with them more effectively and efficiently

ITS is in the throes of becoming a customer centric organization.  In the next few weeks they will release a roadmap of how they intend to get there over the next few years.  The issues raised by Martha are just as applicable to an internal service fund as they are for companies.  Further, they are applicable to any service organization, even those that are appropriated. 

11:10 AM | Comments () | Recommend This | Print This

Craig Mundie on Identity

I'm listening to Craig Mundie, CTO for Microsoft, deliver the keynote for today.  He is one of the first speakers here (outside the government session) to talk to the fact that governments will be players in this space and what challenges that presents.  He brings up the problem of trans-jurisdictional and trans-national  identities and mentions that many of these problems have traditionally been solved by legislation (in the case of jurisdictions) or treaties (in the case of sovereign nations.  As I've said over and over---this is a real issue that cannot be ignored.  Government has a way of making sure its not ignored.  We need our legislatures and Congress making these decisions with our help instead of a vacuum.

Craig talked about the benefits of good identity infrastructure and services that accrue from removing blocking issues for efficient information flows:

• inter-agency and inter-government exchange of appropriate policing information against terrorism
• greater health care efficiency with adequate safeguards for privacy
• secure extra nets between companies
• eGovernment services such as passport renewal
• digital rights management of corporate and personal documents

I think most people would not necessarily agree that the last one is a benefit.  Its certainly a benefit for Hollywood, but how does it help me?  Going back to my theme of government, intellectual property rights are not the same as individual rights or even property rights.  In fact, IP is only granted to the extent such granting benefits society as a whole (read the Constitution). 

10:30 AM | Comments () | Recommend This | Print This

Dinner

I had dinner last night with AKM Adam and Jon Udell.   I'd never met either of these gentlemen before, although I felt like I knew Jon well both from his writings from Byte and, more recently, his weblog.  It was great to finally meet hi in person and have an opportunity to talk.  Adam is a Episcopalian minister and professor of divinity at Seabury-Western Theological Seminary.  In some ways that link guided some of our conversation about how a detachable identity (i.e. one that is virtual) changes what a person thinks about themselves. 

An interesting thought occurred to me as we talked: most people who are talking about digital identity care very little about actually attaching that identity to "meat."  They really don't care about the person, just the attributes associated with that identity (like its bank balance).  That is not true for many things that governments care about.  In fact, if you think about it, we have an entire branch of government that is devoted to establishing links between identity and a physical body: the courts.  Trials are largely about proving that a particular physical body has a particular identity (that of the person who committed the crime). 

10:12 AM | Comments () | Recommend This | Print This

October 9, 2002

Jamie Lewis of the Burton Group on Provisioning

Jamie Lewis, CEO of the Burton Group gave a very detailed talk on identity infrastructures.  I wish I had access to an online copy of the slides because they've got a lot of information in them.  One of the things he talked about was provisioning and the security issues surrounding it.  Simplified, the issue comes down to, at least for employee provisioning, making sure that authorizations are tied to roles so that as employees move from job to job within the organization or leave the organization, the access rights that they had before terminate when their role does.  Think of all the information that people still have access to, weeks, months, and years after they leave their job because no one turned off access.  Its one thing to have a policy.  Its another thing to have an architecture that supports the policy and makes it possible.  The Utah Master Directory gets us one step closer to being able to support access control though architecture, but there is much left to do. 

On a related note, Jamie pointed me to a speech by Dan Geer, CTO of @stake on identity where Geer says:

Tacking authorizations onto the assertion of identity is nevertheless a commonplace necessity, but there is an odd "gotcha" there, viz., the irreducible vulnerability of any system to Denial of Service (DOS) attacks is proportional to the amount of labor that system must expend before it can make its authorization decision. Ever more fine grained authorization decisions tend to be more complex, and the denier of service can call upon you to do them over and over. In that sense, authentication decisions, being as they are permanently simpler than authorization decisions, have a durable design advantage.

This leads to the issue of scaling where Geer says:

If the access control matrix eventually scales out of reach. What then? I submit that where the geometric scaling of access control will kill it in the end, accountability stands ready. This is not to say that I like pervasive, universal accountability, per se, but the only reason a free society works is that you can pretty much do anything though if you screw up badly we will find you and make you pay. Accountability is like that, i.e., it is a log processing problem. 

Geer's entire talk is worth reading.  It asks the question of how much time and effort we want to spend authorizing behavior (say of citizens on the utah.gov website) vs. how much effort we should be into policing that behavior and removing rights when the behavior doesn't meet acceptable standards.  Our society does not try to authenticate people and then authorize them to perform certain bahaviors by default, the overhead would be too high.  How does that inform our web site policies? 

3:37 PM | Comments () | Recommend This | Print This

Shiboleth

I went to a panel discussion moderated by Doc Searls on open source issues and identity.  The part I was most interested in was Ken Klingenstein's talk about Shiboleth.  Shiboleth is an interesting word what was used to distinguish the Ephraimites from the Gileadites. The Ephraimites, not being able to pronounce sh, called the word sibboleth. (See -- Judges 12:4).  From the introduction:

Shibboleth is an initiative to develop an open, standards-based solution to the needs for organizations to exchange information about their users in a secure, and privacy-preserving manner. The initiative is facilitated by Internet2 and a group of leading campus middleware architects from member schools and corporate partners. The organizations that may want to exchange information include higher education, their partners, digital content providers, government agencies, etc.

Shiboleth, as I understand it, is open-source, enterprise middleware that manages authorization for users other enterprise services.  Sounds similar to SiteMinder.  I wonder how it compares. 

3:18 PM | Comments () | Recommend This | Print This

Cluetrain Lunch

I had lunch with three of the four authors of the Cluetrain Manifesto.    I'd met Doc Searls before, but not David Weinberger or Chris Locke.  The Palladium d00d from Microsoft was there as well (didn't catch his name), so the conversation revolved around digital rights management to some extent.  I've read the book (Cluetrain) and while I can't say I agree with everything thats in it, I found it thought provoking and would recommend it to anyone who wants to understand how connectedness changes business.  At some point, I think it would be interesting to research the same question with respect to government. 

1:35 PM | Comments () | Recommend This | Print This

My Talk at Digital ID World

I spoke this morning.  I posted my thoughts on this talk earlier.  Here's what I actually said.  I shared the stage with David Temoshok from the GSA.  David is their expert on eAuthentication.    I went through many of the ways that state governments interact with identity, my primary point was that state governments are, for better or worse, going to have something to say about identity in the digital world and that the digital ID community needs to engage with state legislatures to inform, educate, and guide that discussion.  

1:16 PM | Comments () | Recommend This | Print This

GM CTO on Identity

Tony Scott, the CTO of General Motors, is talking about digital identity at GM.  The interesting thing to me is how similar his problem was to the problem we face in Utah today: multiple fragmented systems controlled by dozens of relatiely independent organizations with multiple identity representations for any given customer.  They've solved the problem over the last few years. 

I like that this has enabled me to take my Silverado Pickup to multiple dealerships and have the history of the vehicle maintenance available.  This has to be more efficient for GM and should result in better maintenance for my vehicles.  

Something that I think is lost on many is how this change enabled GM's OnStar service.  OnStar puts a vehicle on the net.  In my opinion, there's a dark side to this.  I'm not all that excited about having a tracking device that rats on me installed in my vehicle.  Seems that its got a lot of upside for GM and limited upside for me (at least with my lifestyle--I don't frequently get a flat tire, lock myself out of my car or forget to change my oil).  I wonder if you can program OnStar to not tell GM information about your car?  

Digital ID brings to the front exactly these kinds of conflicts between benefit and loss of privacy.  We fight the same issues with on-line government services. 

9:52 AM | Comments () | Recommend This | Print This

Public Domain Information

Phil Becker in the opening session just said: "universal networking drives information towards the public domain."  This resonates with something Ray Ozzie said yesterday: "what if all email was public?"  Governments deal with this issue more than other organizations because there is an expectation that government information is public domain by default and private only in specific circumstances.  Powerful forces fight at the interface of these two domains. I do know that having all email public would make most people uncomfortable.    I don't know that anyone has studied the effect of networks on the public nature of government.  Sounds like a good masters thesis for a technically inclined political scientist. 

9:13 AM | Comments () | Recommend This | Print This

Digital ID World

I'm at the Denver Tech Center attending Digital ID World.  I'm speaking this morning on digital identity issues in state government.   I'll post the slides from my talk after I'm done (since I won't be sure what's in the talk until then).  I'll be blogging the conference as I can.    The complete set of posts will be in my ID, Privacy, and Security category.   

Coincidentally, Dave McNamee blogs about his work on our authentication projects today.

8:52 AM | Comments () | Recommend This | Print This

October 8, 2002

Technical Feedback

I was interviewed by a reporter from Network World this afternoon on what I thought was an interesting subject: knowing what technology to apply where and how to get good technical feedback from your staff. 

I think one of the most important things that technical leaders can do to ensure that they get good technical feedback is to be technically literate themselves.  You have to keep up with the technology to make technical decisions.  I think any CIO or IT manager who thinks that they can just make business decisions and leave the technical decisions to the staff is kidding themselves.  I've had plenty of experiences where understanding the technology let me ask better questions which led to a better end result.  

I was asked to name a time when I've received good  technical staff support.  My answer was from the recent past: eREP.  eREP is a multi-million dollar eligibility system that we're building.  It is the largest of our cross-agency enterprise projects.  The technical work on the RFP and subsequent vendor evaluation was superb and left me with a great understanding of what we were doing and why we were doing it.  The eREP team and the support crew from ITS did a outstanding job. 

11:19 PM | Comments () | Recommend This | Print This

October 7, 2002

RSS Tutorial

The Government Information Locator Service (GILS) project of the Utah State Library has a nice tutorual on RSS that shows examples of its use in a variety different scenarios.  They do good work.   

9:08 PM | Comments () | Recommend This | Print This

Web Site Accessibility

An article on Slashdot talks about a lawsuit against Southwest Airlines on the accessibility of their web site for blind users.  I've thought for some time that we need greater emphasis on this issue for utah.gov.    We recently held a set of classes for state web site developers on ADA and Section 508 issues.  That's probably not enough.  I think we need a usability lab and some requirements that all state web sites meet certain minimum standards.  As more and more services are online, we need to ensure that they are as widely available as possible. 

3:32 PM | Comments () | Recommend This | Print This

October 4, 2002

Digital Identity in State Government

I'm trying to get my thoughts organizined for my talk at the Digital ID World conference in Denver on October 9-11th.  Here's what I've been thinking so far:

• Like it or not, states are in the identity business.  We like to claim that we're just in the licensing business, but the truth is that, for better or worse, the state issued driver's license is the gold standard for identification in the physical world. 
• Going one step further, states are also the keepers of vital records such as birth and death certificates.  These documents are a key part of identity since, in an ideal word, there should be a one to one correspondence between an ID and a live person (even if that ID has multiple personas that are manifest in various contexts). 
• These foundation documents are linked to social security numbers (another group of people who vociferously disclaim any ties to identity).  A federal eGov project called eVital is about making the link between vital documents and SSNs more reliable. 
• The federal government is likely to push this role even further.  There is considerable attention being paid to a "national ID card" but my belief is that its not politically practiable.  What is more likely is that Congress will tie federal highway dollars (or some other appropriation to the states) to states adhering to some common standard for issuing drivers license and a common format for the license---maybe even smart cards.  This way they can establish a national ID card and not have to suffer the slings and arrows of privacy advocates fearful of big brother. 
• In addition to being one of the key players in creating identity credentials, state government is also one of the main drivers of the need for identity credientials.  Think about the places where you need ID, many of them are in someway encouraged or mandated by the government.  Government is a large consumer of identity credentials.
• To move government services online, we need ways of authenticating citizens and businesses (ID) and storing authorizations.  Utah is moving toward a citizen directory that would serve as the identity foundation for our online initiatives.  The directory would be opt-in and we've taken steps to protect the data from GRAMA requests (Utah's version of FOIA).   The federal government is also building a directory for its online applications. 
• Things like the Liberty Alliance and Microsoft Passport are more about helping businesses than they are consumers.  Doug Kaye has a great article on his site about this and makes a case for anonymous federated identity.  I think he makes some good points.  Most of the online applications that we're contemplating would work well in such an arrangement.    This isn't the case for federating state online applications however, such as what we're doing with the one-stop business registration. 

Now, to organize all these random thoughts into a talk. 

10:45 AM | Comments () | Recommend This | Print This

The Media Got it Wrong

The Salt Lake Tribune this morning has a story on a "blond extinction hoax."   Seems that the media (including the major outlets like ABC and CNN) got taken by a hoax that claimed a World Health Organization (WHO) study found that true blonds were becoming extinct.  Turns out not one journalist bothered to call WHO.    If you've never dealt much with the media, this may come as a shock to you. It doesn't surprise me.  Since every story that's been written about me (good and bad) has contained major factual errors, I have to believe that most stories contain factual errors.  Journalists are frequently sloppy with the facts, not bothering to investigate or verify them---just reporting on other reports.  They're like everyone else---in a hurry to make a deadline, overloaded with information, and trying to impress their boss.  That's a recipe for errors. 

8:05 AM | Comments () | Recommend This | Print This

October 2, 2002

Emergence and Computational Equivalence

I've been reading "Emergence: The Connected Loves of Ants, Brains, Cities, and Software" by Steven Johnson and "A New Kind of Science" by Stephen Wolfram (almost done with Johnson, just starting Wolfram).  If you're not familiar with them, Johnson discusses how acting on a local scale, on local information produces useful, global patterns.  Ant hills are one example---no one directs the actions of the ants, they have simple rules for responding to local stimuli and yet, produce complex behavior (such as creating graveyards for dead ants or finding and harvesting food sources in a rather systematic manner).  The whole idea has some interesting implications for people who manage societies (we call them governments).    

Cities are another example. The passage that struck me from Johnson follows: 

There are manifest purposes to a city---reasons for being that its citizens are usually aware of: they come for the protection of the walled city, or the open trade of the marketplace.  But cities have a latent purpose as well: to function as information storage and retrieval devices.  Cities were creating user-friendly interfaces thousands of years before anyone ever dreamed of digital computers.  Cities bring minds together and put them into coherent slots.  Cobblers gather near other cobblers, and button makers near other button makers.  Ideas and goods flow readily within these clusters, leading to productive cross-pollination, ensuring that good ideas don't die out in rural isolation.  The power unleashed by this data storage is evident in the earliest large-scale human settlements located on the Sumerian coast and in the Indus Valley, which date back to 3500 B.C.  By some accounts, grain cultivation, the plow, the potter's wheel, the sailboat, the draw loom, copper metallurgy, abstract mathematics, exact astronomical observations, the calendar---all of these inventions appeared within centuries of the original urban populations.  Its possible, even likely, that more isolated groups or individuals had stumbled upon some of those technologies at an earlier date, but they didn't become part of the collective intelligence of civilization until there were cities to store and transmit them. 

This strikes me a great example of what Wolfram is saying in his Principle of Computational Equivalence: that whenever one sees behavior that is not obviously simple---in essentially any system---it can be thought of as computation of equivalent sophistication.  That is, a city is a computational device functioning, in essence, as a superorganism that stores information for much longer periods than any of its constituent parts will last.  Wolfram also states, with respect to the Principle of Computational Equivalence: [O]ther systems will tend to perform computations that are just as sophisticated as those we can do, even with all our mathematics and computers.  And this means that such systems are computationally irreducible---so that in effect the only way to find their behavior is to trace each of their steps, spending about as much computational effort as the systems themselves....it also shows that there is something irreducible that can be achieved by the passage of time.  I find this idea to be intriguing. 

As I read and ponder this, I believe that these ideas have serious implications (going back to the managing society point I made earlier) for things like economic development, education, urban planning, water use, and so on. 

An example in the area of education is distance learning.  Having been a professor, somehow the idea of having students take courses (or, worse, not take courses and just take the exam to prove you "know" the material) has never sat well with me.  The reason is because I feel in my gut that taking the course is only a small part of the value of "going to college."  Going to college is about experience, being part of the academic community.    I believe you miss something vital and important by not "being there" with everyone else, studying in the cafeteria or lobby of the engineering building, and seeing some stupid play on homecoming weekend.  In many important ways, the point of an education is not the degree or even the knowledge---its the journey.  That's what changes you and makes you a different person.

But more to the point, if you believe Johnson and Wolfram, "being there" also change the social fabric of the University and that has consequences well beyond any of our lifetimes---Cambridge and Oxford are 700 years old.    A university is, in the words of Johnson, a "superorganism" or, in the words of Wolfram, a "computation taking place in real time."   If we remove the students from the University, can the organism survive over space and time?  What happens to the computation?  I don't think we know and its probably the great question facing places like Western Governor's University.  A grand experiment to be sure, but do we know enough of what we're trying to do to "program" it correctly---to give it life beyond the vision of the founders? 

As I said, I think you could raise similar questions about many of the things governments are trying to do.  It doesn't mean their wrong, it just means that we need to recognize that just because we've got a network doesn't mean that we can spread everything out without changing them in fundamental ways. 

2:53 PM | Comments () | Recommend This | Print This

October 1, 2002

An Abundance Mentality

Brent Ashley reacted to my post on Jeremy:

Phil Windley, blogging CIO of the State of Utah, admires Jeremy Zawodny's sharing. I do too.

I've noticed with myself though, that my sharing-ness tends to rise and fall with my sense of security. When I've got lots of business and no worries, I'm a veritable sharing phenom, but my willingness to participate and to share has dropped considerably this year since I've been more interested in finding enough paying business to get by.

Brent makes a good point.  Blogging requires what is called an "abundance mentality."  If you don't approach it with the mental attitude that there's plenty to go around, you're less likely to share, which is at the heart of blogging.  The cynical side of me wonders if this might not be blogging's fatal flaw: it requires a fair amount of altruistic behavior. 

On the other hand, I've observed that having an abundance mentality is crucial to a high performance organization.  Leaders don't need to cultivate an abundance mentality to promote blogging, they need to promote an abundance mentality because that how you create an organization that works.  The lack of an abundance mentality leads to an organization that doesn't communicate, doesn't act like a team, and eventually doesn't accomplish very much. 

People without an abundance mentality spend a lot of their time at work angry at their boss, resentful of their co-workers, and feeling like every suggestion of change is an attack on them personally.  Many would say that the environment plays a role there and I whole-heartedly agree that we need to create work environments that foster an abundance mentality, but that doesn't remove the responsibility on each employee to ask themselves why they cash their pay check and whether they're part of the solution or part of the problem. 

6:51 PM | Comments () | Recommend This | Print This

Google Search Appliance and Outsourcing

Infoworld reports that Google has released a bigger, beefier version of their search appliance.   The new search engine extends "the search capabilities to 3 million documents and 150 queries per minute."  We probably don't need 150 queries per minute, but we definitely have that many documents or more.  The new appliance also uses a clustering approach to HA.  This sort of support needs to be added to our web infrastructure platform that McNamee is working on. 

We use an internally developed search engine right now.  Its actually a great piece of work, but we have a tough time keeping up due to all the other work that needs to get done.  I'm often asked if I'm a supporter of outsourcing.  The answer in general is "no."  I think IT is too important to an organization to turn it over lock, stock, and barrel to an outsider.  I'm am, however, in favor of "oursourcing" any internal development that can be replaced by off the shelf purchasing so that those resources can be turned to other important activities.

I learned this lesson the hard way in a prior life when we'd built a large system based on CORBA before application servers were widely used or understood (at least by me).  We spent a lot of time working on distribution code, load balancing, error recovery, threading, etc.    After a while we just retooled the system, bought Weblogic and solved most of our headaches.  In the end, there was no way a handful of guys in my shop could come close to keeping up with the development staff Weblogic had placed on the problem and the price of the software was well worth having my guys working on product development rather than infrastructure tweaking. 

9:59 AM | Comments () | Recommend This | Print This

Zawodny on MySQL, Operating Systems, and Threads

Jeremy Zawodny is the head MySQL guy at Yahoo!. He writes a blog that is very informative on system engineering issues. In this post Jeremy discusses the differences in threading on Linux and FreeBSD and its effect on MySQL. You should note the following:

1. The level of detail that someone putting high performance systems needs to understand about multiple, complex systems and their interactions.
2. The kinds of analysis and tools that he uses.
3. That there isn't a single right answer. There are lots of "it depends" and compromises.

Zawodny is intelligent, dedicated to his craft, and, I'm sure, well compensated. What's more, he's willing to share his insights regularly on his blog. My hat's off to him. 

9:02 AM | Comments () | Recommend This | Print This