Your arrangements with the multinational company Service-Now and their ongoing email failures
Dear Digital Transformation Agency,
This is a Freedom-of-Information request.
The DTA makes use of the company "ServiceNow", a $216bn market-cap non-sovereign multinational organisation for (at least) the provision of email services, including the delivery of account activation and password-reset one-time emails which contain security codes that expire in 10 minutes. Here is a sample of SMTP headers from one email containing a reset code which expires in 10 minutes (I've removed my real email address):
Received: from outbound91.service-now.com (outbound91.service-now.com [199.91.136.28])
    by esmtp.mydomain.com (8.15.2/8.15.2) with ESMTPS id 4457ns0N2024109
    (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NOT)
    for <[email address]>; Sun, 5 May 2024 07:49:56 GMT
Received: from relay13.syd100.service-now.com (unknown [10.243.25.53])
    by outbound91.service-now.com (Postfix) with ESMTPS id 4F033181218ED
    for <[email address]>; Sun, 5 May 2024 00:48:37 -0700 (PDT)
Received: from outbound11.service-now.com (unknown [10.249.128.175])
    by fallback-outbound11.service-now.com (Postfix) with ESMTPS id CB16AC029893
    for <[email address]>; Sat, 4 May 2024 16:32:11 -0700 (PDT)
Received: from app130035.syd101.service-now.com (app130035.syd101.service-now.com [10.225.130.35])
    by outbound11.service-now.com (Postfix) with ESMTPSA id 8770E8266581
    for <[email address]>; Sat, 4 May 2024 16:32:06 -0700 (PDT)
Observe:
1. there is an 8-hour delay internally within the "ServiceNow" systems.
2. it ultimately delivers from the IP 199.91.136.28 (which is outside Australia)
Be aware that the FoI act does NOT restrict my questions to "documents" (e.g. "information" encompasses any paper or other material on which there is writing, a mark, figure, or symbol, electronically stored information, maps, plans, drawings, photographs, and any article from which sounds, images, or writing can be produced).
My requests are as follows:-
1. How long has the DTA been aware that emails they send out that contain security codes which expire in 10 minutes, are taking more than 10 minutes to arrive? (e.g. the "electronically stored information" of the DTA showing the first incidences of this email delay issue)
2. The number of times since this issue began that users have reported trouble as a result of these delays, and the number of times support staff responded to victims of this delay, allowing them to bypass this security feature.
3. The documents in connection with the Tender or other procurement process through which ServiceNow (and others) were invited, and ultimately through which it was awarded this business, and the number of other bidders for this business.
4. The number of times ServiceNow has been informed of email-related delivery issues, and the clauses from any contract with ServiceNow (or published beforehand, such as in my item 3 above) in relation to (a) timeliness of email transmissions, and (b) response times to reports of system failures, and (c) compensation arrangements for service failure.
5. The rules by which the DTA must abide in relation to the following:
a) the use of sovereign systems or providers for the handling of certain information, and the list or categories of information that falls under this sovereign requirement.
b) the handling of cyber security issues, such as password reset mechanisms, and user verification requirements for allowing unidentified individuals on phone calls to obtain access to supplier account logins (bypassing verification codes)
6. The budget (financial dollar amount) of the DTA which is allocated for the payment of external service providers, and if it exists, the breakdown of categories within that budget (e.g. hosting, email, design, support, etc) and the amounts for each.
Note that I am deliberately requesting information that is specifically designed to publicly embarrass your department. Our FoI act specifically allows me to do this, and forbids you to withhold answers based on this. Please try to honor the purpose and intent of our FoI act and fully, honestly and truthfully supply the information I request.
Yours faithfully,
C Drake
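Added example (not part of the original request, and not code from the DTA or ServiceNow): the per-hop timing that the "Observe" list reads off the Received headers can be computed mechanically. The Python below parses the four headers quoted in the request, with continuation lines indented as folded headers, and reports which hop held the message longer than the 10-minute code lifetime; the function names and the CODE_TTL constant are assumptions introduced here.

```python
import re
from datetime import timedelta
from email import message_from_string
from email.utils import parsedate_to_datetime

CODE_TTL = timedelta(minutes=10)  # assumed name; the 10-minute expiry is from the request

# The Received: headers quoted in the request, continuation lines indented.
RAW_HEADERS = """\
Received: from outbound91.service-now.com (outbound91.service-now.com [199.91.136.28])
 by esmtp.mydomain.com (8.15.2/8.15.2) with ESMTPS id 4457ns0N2024109
 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NOT)
 for <[email address]>; Sun, 5 May 2024 07:49:56 GMT
Received: from relay13.syd100.service-now.com (unknown [10.243.25.53])
 by outbound91.service-now.com (Postfix) with ESMTPS id 4F033181218ED
 for <[email address]>; Sun, 5 May 2024 00:48:37 -0700 (PDT)
Received: from outbound11.service-now.com (unknown [10.249.128.175])
 by fallback-outbound11.service-now.com (Postfix) with ESMTPS id CB16AC029893
 for <[email address]>; Sat, 4 May 2024 16:32:11 -0700 (PDT)
Received: from app130035.syd101.service-now.com (app130035.syd101.service-now.com [10.225.130.35])
 by outbound11.service-now.com (Postfix) with ESMTPSA id 8770E8266581
 for <[email address]>; Sat, 4 May 2024 16:32:06 -0700 (PDT)
"""


def parse_hops(raw):
    """Return hops oldest-first as (from_host, by_host, received_at)."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        hosts = re.search(r"\bfrom\s+(\S+).*?\bby\s+(\S+)", value, re.S)
        if ";" not in value or hosts is None:
            continue  # malformed trace line: skip rather than guess
        # The timestamp follows the last ';'; drop comments such as "(PDT)".
        stamp = re.sub(r"\([^)]*\)", "", value.rsplit(";", 1)[1]).strip()
        hops.append((hosts.group(1), hosts.group(2), parsedate_to_datetime(stamp)))
    hops.reverse()  # each server prepends its header, so the top one is newest
    return hops


def hop_delays(hops):
    """Gap between consecutive stamps as (held_by, accepted_by, delay)."""
    return [(a[1], b[1], b[2] - a[2]) for a, b in zip(hops, hops[1:])]


def slow_hops(raw, ttl=CODE_TTL):
    """Return (end-to-end delay, hops whose gap alone exceeds the code TTL)."""
    hops = parse_hops(raw)
    total = hops[-1][2] - hops[0][2]
    return total, [h for h in hop_delays(hops) if h[2] > ttl]


if __name__ == "__main__":
    total, slow = slow_hops(RAW_HEADERS)
    print(f"end-to-end: {total} (code valid for {CODE_TTL})")
    for held_by, accepted_by, delay in slow:
        print(f"{delay} between {held_by} and {accepted_by}")
```

Each timestamp is written by the receiving server's own clock, and every header below the recipient's own server is asserted by the sending side, so small gaps are approximate.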
OFFICIAL
Good morning, C Drake
Thank you for your FOI request.
I am writing to notify you that I will be looking after your request.
Under subsection 15(3), I have an obligation to assist you with the FOI process.
To assist you with your request, I'm wondering if you could please give me a call to discuss.
I just would like to ensure that I understand your request.
In the meantime, I have provided some useful links for your information on the process.
https://www.oaic.gov.au/freedom-of-infor...
https://www.legislation.gov.au/C2004A025...
I look forward to your call.
Thanks
Suzie Sazdanovic
Privacy and FOI Manager
Digital Transformation Agency
suzie.sazdanovic@dta.gov.au | dta.gov.au
Ngunnawal Country | 11 Moore Street, Canberra, ACT 2600
+61 2 6120 8595
OFFICIAL
OFFICIAL
Good morning, C Drake
DTA has not received a response to our email of 13 May 2024, and we have
decided to proceed based on our understanding of your request.
Below is the Acknowledgement and notice of consultation in response to
your request.
The Digital Transformation Agency (DTA) acknowledges receipt of your
Freedom of Information (FOI) request made 7 May 2024 for:
1. How long has the DTA been aware that emails they send out that contain
security codes which expire in 10 minutes, are taking more than 10 minutes
to arrive? (e.g. the "electronically stored information" of the DTA
showing the first incidences of this email delay issue)
2. The number of times since this issue began that users have reported
trouble as a result of these delays, and the number of times support staff
responded to victims of this delay, allowing them to bypass this security
feature.
3. The documents in connection with the Tender or other procurement
process through which ServiceNow (and others) were invited, and ultimately
through which it was awarded this business, and the number of other
bidders for this business.
4. The number of times ServiceNow has been informed of email-related
delivery issues, and the clauses from any contract with ServiceNow (or
published beforehand, such as in my item 3 above) in relation to (a)
timeliness of email transmissions, and (b) response times to reports of
system failures, and (c) compensation arrangements for service failure.
5. The rules by which the DTA must abide in relation to the following:
a) the use of sovereign systems or providers for the handling of certain
information, and the list or categories of information that falls under
this sovereign requirement.
b) the handling of cyber security issues, such as password reset
mechanisms, and user verification requirements for allowing unidentified
individuals on phone calls to obtain access to supplier account logins
(bypassing verification codes)
6. The budget (financial dollar amount) of the DTA which is allocated for
the payment of external service providers, and if it exists, the breakdown
of categories within that budget (e.g. hosting, email, design, support,
etc) and the amounts for each.
Notice of Consultation
DTA has identified information relating to third parties contained within
the requested document. As a result, DTA is required to consult.
Your request covers a document relating to the business, commercial or
financial affairs of an organization. Accordingly, DTA is required to
consult with the organisation concerned before making a decision on the
release of this document.
Section 27 of the FOI Act provides that if a request is made to an agency
for access to a document containing business information organisation, and
it appears to the agency that the organization might reasonably wish to
make a contention that the document is exempt under section 47 (trade
secrets etc), or section 47G (business information) of the FOI Act, then
the agency must not decide to give access to the document unless the
organisation concerned is given a reasonable opportunity to make
submissions in support of their contention, if it is reasonably
practicable to do so.
The DTA will take into account any comments we receive from the
organisation. However, the final decision on whether to grant access to
the document requested rests with DTA.
In accordance with section 15(6) of the FOI Act, the period for processing
your request has been extended by an additional 30 days in order to allow
DTA time to consult with the organisation. The processing period for this
request will now end on 4 July 2024.
Drafts and Duplicates
In making a decision the DTA will exclude draft and duplicate copies, only
including final versions that fit the scope of your request. If you
require this information, please inform us within five days, otherwise
these documents will be deemed irrelevant to your request and removed
under section 22 of the FOI Act.
Please contact me if you wish to discuss your request.
Regards
Suzie Sazdanovic
Privacy and FOI Manager
Digital Transformation Agency
[email address] | dta.gov.au
Ngunnawal Country | 11 Moore Street, Canberra, ACT 2600
+61 2 6120 8595
OFFICIAL
OFFICIAL
Dear Mr Drake
DTA is seeking an additional 30 days to process your request under section
15AA.
Reason:
DTA has received an unprecedented number of FOI requests during the same
period we received your request. We have also had illness, which has also
created delays in processing your request.
What have we done to date:
We have identified 15 files and an additional 9 documents that possibly relate
to the scope of your request. To date, I have only reviewed 3 of these
files and identified 4 entities that will still require consultation.
We respectfully request that you agree to this request in writing by 4
July 2024.
Please note: DTA will endeavour to try to process your request as quickly
as possible.
Happy to discuss any concerns.
Suzie Sazdanovic
Privacy and FOI Manager
Digital Transformation Agency
[email address] | dta.gov.au
Ngunnawal Country | 11 Moore Street, Canberra, ACT 2600
+61 2 6120 8595
OFFICIAL
OFFICIAL
Good morning, Mr Drake
I hope you are well!
It is with regret that I need to inform you that DTA is now required to
apply for an extension through the Office of The Australian Information
Commission because DTA has not received a response to our email below and
your request is now overdue.
I’ll keep you in the loop of our progress.
Happy to discuss any concerns.
Suzie Sazdanovic
Privacy and FOI Manager
Digital Transformation Agency
[email address] | dta.gov.au
Ngunnawal Country | 11 Moore Street, Canberra, ACT 2600
+61 2 6120 8595
OFFICIAL
From: DTA FOI <[DTA request email]>
Sent: Wednesday, July 3, 2024 12:07 PM
To: DTA FOI <[DTA request email]>; 'C Drake'
<[FOI #11392 email]>
Subject: [SEC=OFFICIAL] FOI 0012 Request for extension of time response
required by 4 July 2024.
OFFICIAL
Our reference: RQ24/02715
Agency reference: FOI12/2024
Agency name: Digital Transformation Agency
By email: [DTA request email]
Name: C Drake
By email: [FOI #11392 email]
Extension of time under s 15AC
Dear Parties,
Please find attached an extension of time decision relating to the above
referenced FOI request.
Regards
Andriana DeIeso
Review Adviser
Office of the Australian Information Commissioner
GPO Box 5288 Sydney NSW 2001
E [email address]
I am available Monday to Wednesday; Tuesday and Wednesday alternate
weeks.
The OAIC acknowledges Traditional Custodians of Country across
Australia and their continuing connection to land, waters and
communities. We pay our respect to First Nations people,
cultures and Elders past and present.
OFFICIAL
Dear C Drake
Please find enclosed the decision in response to your request.
If you have any questions, please don't hesitate to contact me directly.
Thanks
Suzie Sazdanovic
Privacy and FOI Manager
Digital Transformation Agency
suzie.sazdanovic@dta.gov.au | dta.gov.au
Ngunnawal Country | 11 Moore Street, Canberra, ACT 2600
+61 2 6120 8595
OFFICIAL