Simon Wood

@simonwood
330 Followers
635 Following
3.5K Posts
Lecturer in Medical Education at Cardiff University, lapsed mathematician, garden railway builder & Doctor Who appreciator.
Website: https://simonwood.info
Photos: https://photos.simonwood.info
Podcast: https://fusionpatrol.com
Professional profile: https://sifa.id/p/simonwood.info

GDS weighs in on the NHS's decision to retreat from Open Source

https://shkspr.mobi/blog/2026/05/gds-weighs-in-on-the-nhss-decision-to-retreat-from-open-source/

Within the UK's Civil Service you occasionally hear the expression "being invited to a meeting without biscuits". It implies a rather frosty discussion without any of the polite niceties of a normal meeting[0]. In general though, even when people have severe disagreements, it is rare for tempers to fray. It is even rarer for those internal disagreements to spill over into public.

Which is what makes GDS's latest guidance so surprising. At the start of the month, NHS England made the bizarre and irresponsible decision to close all their Open Source repositories due to unfounded fears of AI hacking[1]. Lots of people within the NHS were outraged. As were many outside - with this petition against the move gathering over 2,000 signatures.

Within other parts of government there was also alarm. Although I no longer work for Government Digital Service, I was contacted by several concerned people there who remembered all my work on Open Source. The brilliant team in Whitechapel have now published their guidance "AI, open code and vulnerability risk in the public sector".

It is brutal.

They utterly repudiate the NHS's stance and forensically eviscerate it. I'll let you read the whole thing, but here are a few choice excerpts:

Recent public reporting about organisations restricting access to public repositories due to AI-enabled code analysis illustrates how quickly leaders may reach for blanket closure in response to uncertainty.

Basically, non-technical managers need to stop over-reacting.

Private repositories can create a false sense of security.

I think that's the crux of the argument. Closing code doesn't solve the underlying problems.

Making code private is not an appropriate mitigation for lack of ownership, patching capability, or operational assurance, so systems that cannot be safely maintained should be remediated or retired.

If you are so concerned about the poor security of your systems, you should shut them down completely to mitigate the threat.

Closure can become a one-way door.

As I said to the BMJ, "nothing lasts longer than a temporary fix".

Where code has been developed in the open, making a repository private later may not remove access for a capable adversary as popular repositories are often mirrored or forked

Indeed. A friend of mine has already archived all of the NHS's repositories. You can see the ones they've tried to hide.

But the killer blow, I think, is this:

Moving code from public to private as a substitute for investment in secure-by-design delivery, ownership and remediation is a warning sign because it reduces sharing and scrutiny, can slow coordinated improvement across government and suppliers, and does not remove the underlying weaknesses in a running service.

Exactly! Coding in the open has been shown time and again to produce high quality and secure work. The looming threat of AI vulnerability scanners doesn't change that - security is a shared responsibility. Technical teams need to be well enough resourced to create secure systems; hiding code is as reliable as papering over structural cracks.

GDS was created to be a strong centre with vast technology expertise. This was to counter the frankly shoddy approach to tech in other departments. Back then, a Service Assessment was a way for a department to prove that they were actually capable of designing, launching, and managing a complex IT project.

Most departments have become significantly better at the development and running of these sorts of projects, so the raison d'etre of GDS has somewhat waned. Departments feel more confident in running off on their own. Usually I'd celebrate that - it's important that GDS doesn't become a bottleneck and that the talent is distributed throughout the whole Civil Service.

But NHS England has always been a bit of a weird one. One of the reasons NHSX was created[2] was to ensure that the health service had strong expertise in technology and its deployment. As the Head of Open Technology there, I helped craft the policies which embedded Open Source and Open Standards within it[3].

I don't know what discussions have taken place within NHS England - although I'm looking forward to receiving a response to my FOI request. It looks to me like a small group within NHS England have received a report showing some potential vulnerabilities discovered by Mythos. Rather than following their own internal guidance, they've over-reacted and slapped a blanket ban on coding in the open.

I fervently hope that this new guidance will encourage DHSC to bring NHS England into line with best practice. If not, perhaps GDS ought to reassert itself as the technical authority with power to veto a department's incomprehensible decisions?

[0] Of course, all the budget cuts mean that biscuits cannot be purchased for any meetings. Which may explain some of the morale issues within the Civil Service. Thanks Austerity. Thausterity.

[1] As of today, they've shut down nearly 200 repositories. More may be coming.

[2] I was there right before the start of NHSX and helped set it up.

[3] Which, I suppose, is why I'm bitter and angry that all our hard work is being undone.

#AI #gds #government #nhs #nhsx #OpenSource
    Terence Eden’s Blog

    A quarter of a century of open educational technology

    Every day for 25 years, Stephen Downes has written about edtech, informing an entire industry.

    https://werd.io/a-quarter-of-a-century-of-open-educational-technology/

    Ben Werdmuller
    Sadly this seems to sum up Zack Polanski when it comes to putting words into (even the most minimal) action https://www.bbc.co.uk/news/articles/c8e8133xp5eo
    Zack Polanski did not vote in local elections, Green Party says

    The Green Party leader previously told Hackney mayoral candidate Zoë Garbett "you have my vote".

    BBC News

    Display at Cardiff Central: This train is formed of 5 Coaches. The front 5 coaches are for Llanelli. The middle coaches are for Pembroke Dock. The rear 2 coaches are for Pembroke Dock.

    [The train turns out to be 2+3]

    On train announcement: You all have to get off at Swansea.

    UK Government Kicks Out Palantir

    https://shkspr.mobi/blog/2026/05/uk-government-kicks-out-palantir/

    The UK Government, for all its faults, is pretty good at publishing contracts it has awarded. That's why I get depressed when I see rage-bait nonsense about how companies have been awarded "Top Secret" deals.

    Right now you can go to https://www.contractsfinder.service.gov.uk and search for whichever bête noire has you riled up. You might want to argue that the company is corrupt, incompetent, or overpriced - but you can't argue that its contract is secret. There's no conspiracy. There's no secrecy. There's not even "beware of the leopard" shenanigans. It's all out in the open[0].

    The Government says who it is paying money to.

    But, of course, there are some things the Government can't say. It's rare for them to publicly disagree with a supplier, or call out how crappy they were. They need to maintain cordial relations with people[1]. They don't want to scare off new suppliers who can't risk being publicly humiliated. When contracts are cancelled or ended, it is usually done quietly.

    So you need to learn to read between the lines.

    Let's take this excellent blog post from the Ministry of Housing, Communities and Local Government[2]:

    "From emergency to sustainability: creating Share Homes for Ukraine data".

    It's exactly the sort of blog post that some Civil Servants excel at writing. It clearly sets out how an ambitious and technically challenging project was delivered, why it is important, and who it benefits.

    The blog post describes how the team…

    exited our contract with our supplier.

    And that:

    Moving to this in-house model is already saving MHCLG millions of pounds a year in running costs.

    They show user feedback for their new system saying:

    It’s easier to navigate than the previous system

    Of course, what they don't say is who supplied the previous system which was so costly and hard to use.

    It was, of course, Palantir.

    The original contract (CPD4124104) wasn't secret - although it was mired in some controversy as an urgent exemption to normal procurement rules[3].

    In 2023, the National Audit Office reported on the scheme - including Palantir's software. They said:

    The initial arrangement was put in place to help get the scheme up and running quickly. Consequently, the system did not undergo the usual research and testing that would be involved for the roll-out of a new digital system. There were initial issues such as the way it presented duplicated application data received from Home Office systems, and confusion from local authorities as to how to engage with the main data system.

    How bad was Palantir's software? I've sent in a Freedom of Information request to find out. But we can tell that it was bad enough to convince MHCLG to rewrite it themselves.

    A lean Civil Service may not have the in-house capability to rapidly create a new service. But, as their blog post shows, when given suitable resources Civil Servants can often outperform the private sector. More importantly, the new software is under the Ministry's direct control. This open source code is a triumph for sovereign technology.

    MHCLG have shown the door to Palantir. They've built something better, easier to use, and cheaper.

    I don't want to oversell this as the first victory in the war against this abominable company - but I hope where MHCLG leads, others will follow.

    You can read more about this story on BBC News.

[0] Yes, there are occasionally delays and some things are redacted either for privacy, security, or confidentiality. But, in the main, if the Government has spent money on it, it'll be published somewhere.

[1] Yes, I know it would be cathartic to have a YouTube Shocked Face "Government SLAMS woeful supplier!!" but the long-term consequences make it unlikely.

[2] MHCLG is literally the worst acronym in a sea of unpronounceable alphabetti spaghetti. At least MOJ can be pronounced "Modge"!

[3] My boring centrist dad position is that sometimes it makes sense to buy off-the-shelf in an emergency. If you find yourself abandoned after a night out, you order a taxi - you don't take up driving lessons.

#government #OpenSource
    Terence Eden’s Blog

    Some browsers check what site you're on and render the page differently. Yup, you read that right.

    TikTok gets special treatment. So does Netflix. Instagram. Even SeatGuru.

    Safari and Firefox both do this. Chrome doesn't. There's a reason for that... Read on.

    https://denodell.com/blog/browsers-treat-big-sites-differently?utm_source=mastodon&utm_medium=social&utm_campaign=browser_quirks_post

    Browsers Treat Big Sites Differently

    Safari and Firefox change how big sites render based on the domain. TikTok, Netflix, Instagram… even SeatGuru. Chrome doesn’t. Why is that?

    Den Odell

    RE: https://eupolicy.social/@hpod16/116538344713848285

    @EUCommission I do appreciate the EC having an account on here, so I can at least tag them to say that the approach to vocally support open social networks, while the DMA misunderstands them, and the CJEU actively undermines them, is completely incoherent

    Douglas Adams died 25 years ago today. This has made a lot of people very sad. And has been widely regarded as a very bad thing.

    Have you purchased a cloud? You may be entitled to condensation