The Halifax Examiner has learned the province will replace the Amanda 7 computer system used to access and process requests for government information.
A tender will go out within the next five months, almost a half-year since the online portal used by journalists and the public to file Freedom of Information requests shut down. Online service has been unavailable since last April, when a government employee mistyped a web address that triggered a download of confidential files.
That led to the discovery of an earlier, mischaracterized “breach” of the website by a teenager that resulted in an avalanche of more than 5,000 files being downloaded onto his computer, followed by a police raid of his home and his arrest. He was not charged but the incidents highlighted the fact the two-year-old computer system was vulnerable to disclosures of both authorized and personal information collected by the province.
“The was a weakness in the original system,” explains Sandra Cascadden, the province’s chief information officer and associate deputy minister for the provinces Internal Services department. “Our concern was not with the disclosure of general information but with private or personal information to which only the individual was entitled.”
Cascadden compares “the architecture of the database” to a two-drawer filing cabinet where the top drawer was locked and the bottom drawer was open. Inside the open drawer were files labelled “public” and “private” — all of which were easily accessed when a FOIPOP applicant tapped the handle of the bottom drawer.
It could be a year from now before a new system is installed and the public again has online access as it did through a feature called MyAccount.
Cascadden says there are many reasons for that staggeringly long wait. She says her staff has “hundreds of projects” to manage and unless another province has recently implemented a state-of-the art Freedom of Information application, her staff or an outside consultant will spend the next four months writing the specs for a Request for Proposals. The government tender process will likely consume another four months.
The Examiner wanted to know why it took from April to October to decide to scrap the current flawed system. Cascadden says the focus was on separating the functions of the Amanda 7 application to ensure civil servants could continue to process the increasing volume (more than 500 new requests for information each year) and increasing complexity of requests since open data portals have made government documents available. Another function which publishes the results of all completed Freedom of Information investigations was moved to another site, found here.
Cascadden says it was only recently her department gave up on trying to resurrect the public’s online access to the Office of information and Privacy Protection.
“When you pull out one piece of a computer application (like moving the disclosure of FOIPOP requests) which is also interconnected to other pieces (such as applying and retrieving information), you aren’t able to tie off all the loose ends. That leaves the system vulnerable,” Cascadden tells The Examiner.
Ironically, before Cascadden knew Amanda 7 was flawed, Internal Services had been considering broadening its use for other government services. In June of this year IS received a consultant’s report from KPMG that looked at how the FOIPOP application was performing.
As reported by Michael Gorman for CBC in August, the KPMG report found “blacked out” or redacted information that “could accidentally be published and/or accessed by an unauthorized user.” KPMG said Unisys wasn’t carrying out “any regular assessments and/or audits” to provide oversight on Amanda despite the money the province was paying it to host and maintain the application.
The $4 million dollars per year the government was paying Unisys to host and maintain the FOIPOP system has dwindled to $120,000, and Unisys now provides only Help Desk support to staff. However, Unisys continues to bill yearly for millions of dollars worth of work to other government departments which run an earlier version of Amanda to provide services such as permits and licences for businesses. Cascadden says there is no plan to replace the Amanda 6 system despite some criticism from auditor general Michael Pickup in 2016.
“AMANDA and its supporting systems have settings that do not fully meet the Province’s IT security standards,” wrote Pickup. “We found weak passwords, weak failed login settings, and other settings, which should be improved.”
A lot of those internal controls have been beefed up, according to Cascadden. Meanwhile, staff with the Office of Information and Privacy will continue to use Amanda 7 to process information requests while members of the public send their requests by Canada Post or deliver them in person to the Information Access and Privacy Services Office on the ninth floor of 5161 George Street. It’s inconvenient, but important, when you consider reports offering advice to government on everything from building new hospitals to running schools or operating jails are off limits unless one challenges the secrecy by applying through the Freedom of Information and Protection of Privacy Act.