Your arrangements with the multinational company Service-Now and their ongoing email failures
Dear Digital Transformation Agency,
This is a Freedom-of-Information request.
The DTA makes use of the company "ServiceNow", a $216bn market-cap non-sovereign multinational organisation for (at least) the provision of email services, including the delivery of account activation and password-reset one-time emails which contain security codes that expire in 10 minutes. Here is a sample of SMTP headers from one email containing a reset code which expires in 10 minutes (I've removed my real email address):
Received: from outbound91.service-now.com (outbound91.service-now.com [199.91.136.28])
    by esmtp.mydomain.com (8.15.2/8.15.2) with ESMTPS id 4457ns0N2024109
    (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NOT)
    for <[email address]>; Sun, 5 May 2024 07:49:56 GMT
Received: from relay13.syd100.service-now.com (unknown [10.243.25.53])
    by outbound91.service-now.com (Postfix) with ESMTPS id 4F033181218ED
    for <[email address]>; Sun, 5 May 2024 00:48:37 -0700 (PDT)
Received: from outbound11.service-now.com (unknown [10.249.128.175])
    by fallback-outbound11.service-now.com (Postfix) with ESMTPS id CB16AC029893
    for <[email address]>; Sat, 4 May 2024 16:32:11 -0700 (PDT)
Received: from app130035.syd101.service-now.com (app130035.syd101.service-now.com [10.225.130.35])
    by outbound11.service-now.com (Postfix) with ESMTPSA id 8770E8266581
    for <[email address]>; Sat, 4 May 2024 16:32:06 -0700 (PDT)
Observe:
1. there is an 8-hour delay internally within the "ServiceNow" systems.
2. it ultimately delivers from the IP 199.91.136.28 (which is outside Australia)
Be aware that the FoI act does NOT restrict my questions to "documents" (e.g. "information" encompasses any paper or other material on which there is writing, a mark, figure, or symbol, electronically stored information, maps, plans, drawings, photographs, and any article from which sounds, images, or writing can be produced).
My requests are as follows:-
1. How long has the DTA been aware that emails they send out that contain security codes which expire in 10 minutes, are taking more than 10 minutes to arrive? (e.g. the "electronically stored information" of the DTA showing the first incidences of this email delay issue)
2. The number of times since this issue began that users have reported trouble as a result of these delays, and the number of times support staff responded to victims of this delay, allowing them to bypass this security feature.
3. The documents in connection with the Tender or other procurement process through which ServiceNow (and others) were invited, and ultimately through which it was awarded this business, and the number of other bidders for this business.
4. The number of times ServiceNow has been informed of email-related delivery issues, and the clauses from any contract with ServiceNow (or published beforehand, such as in my item 3 above) in relation to (a) timeliness of email transmissions, and (b) response times to reports of system failures, and (c) compensation arrangements for service failure.
5. The rules by which the DTA must abide in relation to the following:
a) the use of sovereign systems or providers for the handling of certain information, and the list or categories of information that falls under this sovereign requirement.
b) the handling of cyber security issues, such as password reset mechanisms, and user verification requirements for allowing unidentified individuals on phone calls to obtain access to supplier account logins (bypassing verification codes)
6. The budget (financial dollar amount) of the DTA which is allocated for the payment of external service providers, and if it exists, the breakdown of categories within that budget (e.g. hosting, email, design, support, etc) and the amounts for each.
Note that I am deliberately requesting information that is specifically designed to publicly embarrass your department. Our FoI act specifically allows me to do this, and forbids you to withhold answers based on this. Please try to honor the purpose and intent of our FoI act and fully, honestly and truthfully supply the information I request.
Yours faithfully,
C Drake
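The header reading described in the request above, as an added example that is not part of the original correspondence: it parses the four quoted Received headers, measures the time between hops, and compares total transit with the 10-minute code lifetime. The names Hop, parse_received, hop_delays and assess are hypothetical, and treating the first Received timestamp as the moment the code was issued is an assumption.

```python
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from email.utils import parsedate_to_datetime

# The four Received headers quoted in the request, newest first (the order
# in which they appear in a message). Continuation lines are indented.
RAW_HEADERS = """\
Received: from outbound91.service-now.com (outbound91.service-now.com [199.91.136.28])
 by esmtp.mydomain.com (8.15.2/8.15.2) with ESMTPS id 4457ns0N2024109
 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NOT)
 for <[email address]>; Sun, 5 May 2024 07:49:56 GMT
Received: from relay13.syd100.service-now.com (unknown [10.243.25.53])
 by outbound91.service-now.com (Postfix) with ESMTPS id 4F033181218ED
 for <[email address]>; Sun, 5 May 2024 00:48:37 -0700 (PDT)
Received: from outbound11.service-now.com (unknown [10.249.128.175])
 by fallback-outbound11.service-now.com (Postfix) with ESMTPS id CB16AC029893
 for <[email address]>; Sat, 4 May 2024 16:32:11 -0700 (PDT)
Received: from app130035.syd101.service-now.com (app130035.syd101.service-now.com [10.225.130.35])
 by outbound11.service-now.com (Postfix) with ESMTPSA id 8770E8266581
 for <[email address]>; Sat, 4 May 2024 16:32:06 -0700 (PDT)
"""

CODE_LIFETIME = timedelta(minutes=10)  # expiry stated in the request


@dataclass
class Hop:
    from_host: str
    from_ip: str
    by_host: str
    received_at: datetime  # timezone-aware, as stamped by the receiving server


def parse_received(raw: str) -> list[Hop]:
    """Return hops oldest-first; each Received header records one hop."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw)  # undo header folding
    hops = []
    for line in unfolded.splitlines():
        if not line.lower().startswith("received:"):
            continue
        trace, _, date_text = line.rpartition(";")  # date follows the last ';'
        src = re.search(r"from\s+(\S+)\s+\([^\[\)]*\[([0-9A-Fa-f.:]+)\]\)", trace)
        by = re.search(r"\bby\s+(\S+)", trace)
        if not (src and by):
            continue  # skip headers that lack the usual from/by shape
        date_text = re.sub(r"\([^)]*\)", "", date_text).strip()  # drop "(PDT)"
        hops.append(Hop(src.group(1), src.group(2), by.group(1),
                        parsedate_to_datetime(date_text)))
    return hops[::-1]  # headers are prepended, so reverse for time order


def hop_delays(hops):
    """(earlier server, later server, elapsed) for each consecutive pair."""
    return [(a.by_host, b.by_host, b.received_at - a.received_at)
            for a, b in zip(hops, hops[1:])]


def assess(hops, lifetime=CODE_LIFETIME):
    """Compare transit time with the code lifetime and list public source IPs.

    Each timestamp comes from a different server's clock, so small skew is
    expected; only the recipient's own server's header is first-hand evidence,
    the earlier ones are asserted by the sending infrastructure.
    """
    total = hops[-1].received_at - hops[0].received_at
    public = [h.from_ip for h in hops
              if not ipaddress.ip_address(h.from_ip).is_private]
    return {
        "total": total,
        "expired_on_arrival": total > lifetime,
        "slowest": max(hop_delays(hops), key=lambda d: d[2]),
        "public_handoffs": public,
    }


if __name__ == "__main__":
    parsed = parse_received(RAW_HEADERS)
    for earlier, later, elapsed in hop_delays(parsed):
        print(f"{earlier} -> {later}: {elapsed}")
    print(assess(parsed))
```
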
OFFICIAL
Good morning, C Drake
Thank you for your FOI request.
I am writing to notify you that I will be looking after your request.
Under subsection 15(3), I have an obligation to assist you with the FOI process.
To assist you with your request, I'm wondering if you could please give me a call to discuss.
I just would like to ensure that I understand your request.
In the meantime, I have provided some useful links for your information on the process.
https://www.oaic.gov.au/freedom-of-infor...
https://www.legislation.gov.au/C2004A025...
I look forward to your call.
Thanks
Suzie Sazdanovic
Privacy and FOI Manager
Digital Transformation Agency
suzie.sazdanovic@dta.gov.au | dta.gov.au
Ngunnawal Country | 11 Moore Street, Canberra, ACT 2600
+61 2 6120 8595
OFFICIAL
-----Original Message-----
From: C Drake <foi+request-11392-862945f4@righttoknow.org.au>
Sent: Tuesday, May 7, 2024 10:15 AM
To: DTA FOI <foi@dta.gov.au>
Subject: Freedom of Information request - Your arrangements with the multinational company Service-Now and their ongoing email failures
OFFICIAL
Good morning, C Drake
DTA has not received a response to our email of 13 May 2024, and we have
decided to proceed based on our understanding of your request.
Below is the Acknowledgement and notice of consultation in response to
your request.
The Digital Transformation Agency (DTA) acknowledges receipt of your
Freedom of Information (FOI) request made 7 May 2024 for:
1. How long has the DTA been aware that emails they send out that contain
security codes which expire in 10 minutes, are taking more than 10 minutes
to arrive? (e.g. the "electronically stored information" of the DTA
showing the first incidences of this email delay issue)
2. The number of times since this issue began that users have reported
trouble as a result of these delays, and the number of times support staff
responded to victims of this delay, allowing them to bypass this security
feature.
3. The documents in connection with the Tender or other procurement
process through which ServiceNow (and others) were invited, and ultimately
through which it was awarded this business, and the number of other
bidders for this business.
4. The number of times ServiceNow has been informed of email-related
delivery issues, and the clauses from any contract with ServiceNow (or
published beforehand, such as in my item 3 above) in relation to (a)
timeliness of email transmissions, and (b) response times to reports of
system failures, and (c) compensation arrangements for service failure.
5. The rules by which the DTA must abide in relation to the following:
a) the use of sovereign systems or providers for the handling of certain
information, and the list or categories of information that falls under
this sovereign requirement.
b) the handling of cyber security issues, such as password reset
mechanisms, and user verification requirements for allowing unidentified
individuals on phone calls to obtain access to supplier account logins
(bypassing verification codes)
6. The budget (financial dollar amount) of the DTA which is allocated for
the payment of external service providers, and if it exists, the breakdown
of categories within that budget (e.g. hosting, email, design, support,
etc) and the amounts for each.
Notice of Consultation
DTA has identified information relating to third parties contained within
the requested document. As a result, DTA is required to consult.
Your request covers a document relating to the business, commercial or
financial affairs of an organization. Accordingly, DTA is required to
consult with the organisation concerned before making a decision on the
release of this document.
Section 27 of the FOI Act provides that if a request is made to an agency
for access to a document containing business information organisation, and
it appears to the agency that the organization might reasonably wish to
make a contention that the document is exempt under section 47 (trade
secrets etc), or section 47G (business information) of the FOI Act, then
the agency must not decide to give access to the document unless the
organisation concerned is given a reasonable opportunity to make
submissions in support of their contention, if it is reasonably
practicable to do so.
The DTA will take into account any comments we receive from the
organisation. However, the final decision on whether to grant access to
the document requested rests with DTA.
In accordance with section 15(6) of the FOI Act, the period for processing
your request has been extended by an additional 30 days in order to allow
DTA time to consult with the organisation. The processing period for this
request will now end on 4 July 2024.
Drafts and Duplicates
In making a decision the DTA will exclude draft and duplicate copies, only
including final versions that fit the scope of your request. If you
require this information, please inform us within five days, otherwise
these documents will be deemed irrelevant to your request and removed
under section 22 of the FOI Act.
Please contact me if you wish to discuss your request.
Regards
Suzie Sazdanovic
Privacy and FOI Manager
Digital Transformation Agency
[email address] | dta.gov.au
Ngunnawal Country | 11 Moore Street, Canberra, ACT 2600
+61 2 6120 8595
OFFICIAL
-----Original Message-----
From: DTA FOI
Sent: Monday, May 13, 2024 9:20 AM
To: C Drake <[FOI #11392 email]>; DTA FOI <[DTA request email]>
Subject: RE: Freedom of Information request - Your arrangements with the
multinational company Service-Now and their ongoing email failures
OFFICIAL
Dear Mr Drake
DTA is seeking an additional 30 days to process your request under section
15AA.
Reason:
DTA has received an unprecedented number of FOI requests during the same
period we received your request. We have also had illness, which has also
created delays in processing your request.
What have we done to date:
We have identified 15 files and an additional 9 documents that possibly relate
to the scope of your request. To date, I have only reviewed 3 of these
files and identified 4 entities that will still require consultation.
We respectfully request that you agree to this request in writing by 4
July 2024.
Please note: DTA will endeavour to try to process your request as quickly
as possible.
Happy to discuss any concerns.
Suzie Sazdanovic
Privacy and FOI Manager
Digital Transformation Agency
[email address] | dta.gov.au
Ngunnawal Country | 11 Moore Street, Canberra, ACT 2600
+61 2 6120 8595
OFFICIAL
From: DTA FOI
Sent: Tuesday, June 4, 2024 12:01 PM
To: C Drake <[FOI #11392 email]>
Subject: Acknowledgement and Notice of consultation FOI 0012- Your
arrangements with the multinational company Service-Now and their ongoing
email failures
More information on how Right to Know works can be found at:
[17]https://www.righttoknow.org.au/help/offi...
Please note that in some cases publication of requests and responses will
be delayed.
If you find this service useful as an FOI officer, please ask your web
manager to link to us from your organisation's FOI page.
-------------------------------------------------------------------
______________________________________________________________________
IMPORTANT: This message, and any attachments to it, contains information
that is confidential and may also be the subject of legal professional or
other privilege. If you are not the intended recipient of this message, you
must not review, copy, disseminate or disclose its contents to any other
party or take action in reliance of any material contained within it. If you
have received this message in error, please notify the sender immediately by
return email informing them of the mistake and delete all copies of the
message from your computer system.
______________________________________________________________________
References
Visible links
1. mailto:[email address]
2. mailto:[email address]
3. mailto:[FOI #11392 email]
4. mailto:[DTA request email]
5. https://www.oaic.gov.au/freedom-of-infor...
6. https://www.legislation.gov.au/C2004A025...
7. mailto:[email address]
8. mailto:[FOI #11392 email]
9. mailto:[DTA request email]
10. mailto:[email address]
11. mailto:[email address]
12. mailto:[email address]
13. mailto:[email address]
14. mailto:[FOI #11392 email]
15. mailto:[DTA request email]
16. https://www.righttoknow.org.au/change_re...
17. https://www.righttoknow.org.au/help/offi...
OFFICIAL
Good morning, Mr Drake
I hope you are well!
It is with regret that I need to inform you that DTA is now required to
apply for an extension through the Office of The Australian Information
Commission because DTA has not received a response to our email below and
your request is now overdue.
I’ll keep you in the loop of our progress.
Happy to discuss any concerns.
Suzie Sazdanovic
Privacy and FOI Manager
Digital Transformation Agency
[1][email address] | dta.gov.au
Ngunnawal Country | 11 Moore Street, Canberra, ACT 2600
+61 2 6120 8595
OFFICIAL
From: DTA FOI <[DTA request email]>
Sent: Wednesday, July 3, 2024 12:07 PM
To: DTA FOI <[DTA request email]>; 'C Drake'
<[FOI #11392 email]>
Subject: [SEC=OFFICIAL] FOI 0012 Request for extension of time response
required by 4 July 2024.
OFFICIAL
Dear Mr Drake
DTA is seeking an additional 30 days to process your request under section
15AA.
Reason:
DTA has received an unprecedented number of FOI requests during the same
period we received your request. We have also had illness, which has also
created delays in processing your request.
What have we done to date:
We have identified 15 files and an additional 9 documents that possibly relate
to the scope of your request. To date, I have only reviewed 3 of these
files and identified 4 entities that will still require consultation.
We respectfully request that you agree to this request in writing by 4
July 2024.
Please note: DTA will endeavour to try to process your request as quickly
as possible.
Happy to discuss any concerns.
Suzie Sazdanovic
Privacy and FOI Manager
Digital Transformation Agency
[2][email address] | dta.gov.au
Ngunnawal Country | 11 Moore Street, Canberra, ACT 2600
+61 2 6120 8595
OFFICIAL
From: DTA FOI
Sent: Tuesday, June 4, 2024 12:01 PM
To: C Drake <[3][FOI #11392 email]>
Subject: Acknowledgement and Notice of consultation FOI 0012- Your
arrangements with the multinational company Service-Now and their ongoing
email failures
Good morning, C Drake
DTA has not received a response to our email of 13 May 2024, and we have
decided to proceed based on our understanding of your request.
Below is the Acknowledgement and notice of consultation in response to
your request.
The Digital Transformation Agency (DTA) acknowledges receipt of your
Freedom of Information (FOI) request made 7 May 2024 for:
1. How long has the DTA been aware that emails they send out that contain
security codes which expire in 10 minutes, are taking more than 10 minutes
to arrive? (e.g. the "electronically stored information" of the DTA
showing the first incidences of this email delay issue)
2. The number of times since this issue began that users have reported
trouble as a result of these delays, and the number of times support staff
responded to victims of this delay, allowing them to bypass this security
feature.
3. The documents in connection with the Tender or other procurement
process through which ServiceNow (and others) were invited, and ultimately
through which it was awarded this business, and the number of other
bidders for this business.
4. The number of times ServiceNow has been informed of email-related
delivery issues, and the clauses from any contract with ServiceNow (or
published beforehand, such as in my item 3 above) in relation to (a)
timeliness of email transmissions, and (b) response times to reports of
system failures, and (c) compensation arrangements for service failure.
5. The rules by which the DTA must abide in relation to the following:
a) the use of sovereign systems or providers for the handling of certain
information, and the list or categories of information that falls under
this sovereign requirement.
b) the handling of cyber security issues, such as password reset
mechanisms, and user verification requirements for allowing unidentified
individuals on phone calls to obtain access to supplier account logins
(bypassing verification codes)
6. The budget (financial dollar amount) of the DTA which is allocated for
the payment of external service providers, and if it exists, the breakdown
of categories within that budget (e.g. hosting, email, design, support,
etc) and the amounts for each.
Notice of Consultation
DTA has identified information relating to third parties contained within
the requested document. As a result, DTA is required to consult.
Your request covers a document relating to the business, commercial or
financial affairs of an organization. Accordingly, DTA is required to
consult with the organisation concerned before making a decision on the
release of this document.
Section 27 of the FOI Act provides that if a request is made to an agency
for access to a document containing business information organisation, and
it appears to the agency that the organization might reasonably wish to
make a contention that the document is exempt under section 47 (trade
secrets etc), or section 47G (business information) of the FOI Act, then
the agency must not decide to give access to the document unless the
organisation concerned is given a reasonable opportunity to make
submissions in support of their contention, if it is reasonably
practicable to do so.
The DTA will take into account any comments we receive from the
organisation. However, the final decision on whether to grant access to
the document requested rests with DTA.
In accordance with section 15(6) of the FOI Act, the period for processing
your request has been extended by an additional 30 days in order to allow
DTA time to consult with the organisation. The processing period for this
request will now end on 4 July 2024.
Drafts and Duplicates
In making a decision the DTA will exclude draft and duplicate copies, only
including final versions that fit the scope of your request. If you
require this information, please inform us within five days, otherwise
these documents will be deemed irrelevant to your request and removed
under section 22 of the FOI Act.
Please contact me if you wish to discuss your request.
Regards
Suzie Sazdanovic
Privacy and FOI Manager
Digital Transformation Agency
[4][email address] | dta.gov.au
Ngunnawal Country | 11 Moore Street, Canberra, ACT 2600
+61 2 6120 8595
OFFICIAL
-----Original Message-----
From: DTA FOI
Sent: Monday, May 13, 2024 9:20 AM
To: C Drake <[5][FOI #11392 email]>; DTA FOI
<[6][DTA request email]>
Subject: RE: Freedom of Information request - Your arrangements with the
multinational company Service-Now and their ongoing email failures
Good morning, C Drake
Thank you for your FOI request.
I am writing to notify you that I will be looking after your request.
Under subsection 15(3), I have an obligation to assist you with the FOI
process.
To assist you with your request, I'm wondering if you could please give me
a call to discuss.
I just would like to ensure that I understand your request.
In the meantime, I have provided some useful links for your information on
the process.
[7]https://www.oaic.gov.au/freedom-of-infor...
[8]https://www.legislation.gov.au/C2004A025...
I look forward to your call.
Thanks
Suzie Sazdanovic
Privacy and FOI Manager
Digital Transformation Agency
[9][email address] | dta.gov.au
Ngunnawal Country | 11 Moore Street, Canberra, ACT 2600
+61 2 6120 8595
-----Original Message-----
From: C Drake <[10][FOI #11392 email]>
Sent: Tuesday, May 7, 2024 10:15 AM
To: DTA FOI <[11][DTA request email]>
Subject: Freedom of Information request - Your arrangements with the
multinational company Service-Now and their ongoing email failures
Be careful with this message
External email. Do not click links or open attachments unless you
recognise the sender and know the content is safe.
Dear Digital Transformation Agency,
This is a Freedom-of-Information request.
The DTA makes use of the company "ServiceNow", a $216bn market-cap
non-sovereign multinational organisation for (at least) the provision of
email services, including the delivery of account activation and
password-reset one-time emails which contain security codes that expire in
10 minutes. Here is a sample of SMTP headers from one email containing a
reset code which expires in 10 minutes (I've removed my real email
address):
Received: from outbound91.service-now.com (outbound91.service-now.com
[199.91.136.28])
by esmtp.mydomain.com (8.15.2/8.15.2) with ESMTPS id
4457ns0N2024109
(version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256
verify=NOT)
for <[12][email address]>; Sun, 5 May 2024 07:49:56 GMT
Received: from relay13.syd100.service-now.com (unknown [10.243.25.53])
by outbound91.service-now.com (Postfix) with ESMTPS id
4F033181218ED
for <[13][email address]>; Sun, 5 May 2024 00:48:37 -0700 (PDT)
Received: from outbound11.service-now.com (unknown [10.249.128.175])
by fallback-outbound11.service-now.com (Postfix) with ESMTPS id
CB16AC029893
for <[14][email address]>; Sat, 4 May 2024 16:32:11 -0700 (PDT)
Received: from app130035.syd101.service-now.com
(app130035.syd101.service-now.com [10.225.130.35])
by outbound11.service-now.com (Postfix) with ESMTPSA id
8770E8266581
for <[15][email address]>; Sat, 4 May 2024 16:32:06 -0700 (PDT)
Observe:
1. there is an 8-hour delay internally within the "ServiceNow" systems.
2. it ultimately delivers from the IP 199.91.136.28 (which is outside
Australia)
Be aware that the FoI act does NOT restrict my questions to "documents"
(e.g. "information" encompasses any paper or other material on which there
is writing, a mark, figure, or symbol, electronically stored information,
maps, plans, drawings, photographs, and any article from which sounds,
images, or writing can be produced).
My requests are as follows:-
1. How long has the DTA been aware that emails they send out that contain
security codes which expire in 10 minutes, are taking more than 10 minutes
to arrive? (e.g. the "electronically stored information" of the DTA
showing the first incidences of this email delay issue)
2. The number of times since this issue began that users have reported
trouble as a result of these delays, and the number of times support staff
responded to victims of this delay, allowing them to bypass this security
feature.
3. The documents in connection with the Tender or other procurement
process through which ServiceNow (and others) were invited, and ultimately
through which it was awarded this business, and the number of other
bidders for this business.
4. The number of times ServiceNow has been informed of email-related
delivery issues, and the clauses from any contract with ServiceNow (or
published beforehand, such as in my item 3 above) in relation to (a)
timeliness of email transmissions, and (b) response times to reports of
system failures, and (c) compensation arrangements for service failure.
5. The rules by which the DTA must abide in relation to the following:
a) the use of sovereign systems or providers for the handling of certain
information, and the list or categories of information that falls under
this sovereign requirement.
b) the handling of cyber security issues, such as password reset
mechanisms, and user verification requirements for allowing unidentified
individuals on phone calls to obtain access to supplier account logins
(bypassing verification codes)
6. The budget (financial dollar amount) of the DTA which is allocated for
the payment of external service providers, and if it exists, the breakdown
of categories within that budget (e.g. hosting, email, design, support,
etc) and the amounts for each.
Note that I am deliberately requesting information that is specifically
designed to publicly embarrass your department. Our FoI act specifically
allows me to do this, and forbids you to withhold answers based on this.
Please try to honor the purpose and intent of our FoI act and fully,
honestly and truthfully supply the information I request.
Yours faithfully,
C Drake
-------------------------------------------------------------------
Please use this email address for all replies to this request:
[16][FOI #11392 email]
Is [17][DTA request email] the wrong address for Freedom of Information
requests to Digital Transformation Agency? If so, please contact us using
this form:
[18]https://www.righttoknow.org.au/change_re...
This request has been made by an individual using Right to Know. This
message and any reply that you make will be published on the internet.
More information on how Right to Know works can be found at:
[19]https://www.righttoknow.org.au/help/offi...
Please note that in some cases publication of requests and responses will
be delayed.
If you find this service useful as an FOI officer, please ask your web
manager to link to us from your organisation's FOI page.
-------------------------------------------------------------------
______________________________________________________________________
IMPORTANT: This message, and any attachments to it, contains information
that is confidential and may also be the subject of legal professional or
other privilege. If you are not the intended recipient of this message, you
must not review, copy, disseminate or disclose its contents to any other
party or take action in reliance of any material contained within it. If you
have received this message in error, please notify the sender immediately by
return email informing them of the mistake and delete all copies of the
message from your computer system.
______________________________________________________________________
References
Visible links
1. mailto:[email address]
2. mailto:[email address]
3. mailto:[FOI #11392 email]
4. mailto:[email address]
5. mailto:[FOI #11392 email]
6. mailto:[DTA request email]
7. https://www.oaic.gov.au/freedom-of-infor...
8. https://www.legislation.gov.au/C2004A025...
9. mailto:[email address]
10. mailto:[FOI #11392 email]
11. mailto:[DTA request email]
12. mailto:[email address]
13. mailto:[email address]
14. mailto:[email address]
15. mailto:[email address]
16. mailto:[FOI #11392 email]
17. mailto:[DTA request email]
18. https://www.righttoknow.org.au/change_re...
19. https://www.righttoknow.org.au/help/offi...
Our reference: RQ24/02715
Agency reference: FOI12/2024
Agency name Digital Transformation Agency
By Email: [DTA request email]
Name C Drake
By Email:
[FOI #11392 email]
Extension of time under s 15AC
Dear Parties,
Please find attached an extension of time decision relating to the above
referenced FOI request.
Regards
[1][IMG] Andriana DeIeso
Review Adviser
Office of the Australian Information Commissioner
GPO Box 5288 Sydney NSW 2001
E [2][email address]
I am available Monday to Wednesday; Tuesday and Wednesday alternate
weeks.
The OAIC acknowledges Traditional Custodians of Country across
Australia and their continuing connection to land, waters and
communities. We pay our respect to First Nations people,
cultures and Elders past and present.
[3]Subscribe to Information Matters
Notice:
The information contained in this email message and any attached files may
be confidential information, and may also be the subject of legal
professional privilege. If you are not the intended recipient any use,
disclosure or copying of this email is unauthorised. If you received this
email in error, please notify the sender by contacting the department's
switchboard on 1300 488 064 during business hours (8:30am - 5pm Canberra
time) and delete all copies of this transmission together with any
attachments.
References
Visible links
1. https://www.oaic.gov.au/
2. mailto:[email address]
3. https://www.oaic.gov.au/engage-with-us/n...
OFFICIAL
Dear C Drake
Please find enclosed the decision in response to your request.
If you have any questions, please don't hesitate to contact me directly.
Thanks
Suzie Sazdanovic
Privacy and FOI Manager
Digital Transformation Agency
suzie.sazdanovic@dta.gov.au | dta.gov.au
Ngunnawal Country | 11 Moore Street, Canberra, ACT 2600
+61 2 6120 8595
OFFICIAL
-----Original Message-----
From: C Drake <foi+request-11392-862945f4@righttoknow.org.au>
Sent: Tuesday, May 7, 2024 10:15 AM
To: DTA FOI <foi@dta.gov.au>
Subject: Freedom of Information request - Your arrangements with the multinational company Service-Now and their ongoing email failures
Be careful with this message
External email. Do not click links or open attachments unless you recognise the sender and know the content is safe.
Dear Digital Transformation Agency,
This is a Freedom-of-Information request.
The DTA makes use of the company "ServiceNow", a $216bn market-cap non-sovereign multinational organisation for (at least) the provision of email services, including the delivery of account activation and password-reset one-time emails which contain security codes that expire in 10 minutes. Here is a sample of SMTP headers from one email containing a reset code which expires in 10 minutes (I've removed my real email address):
Received: from outbound91.service-now.com (outbound91.service-now.com [199.91.136.28])
by esmtp.mydomain.com (8.15.2/8.15.2) with ESMTPS id 4457ns0N2024109
(version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NOT)
for <me@mydomain.com>; Sun, 5 May 2024 07:49:56 GMT
Received: from relay13.syd100.service-now.com (unknown [10.243.25.53])
by outbound91.service-now.com (Postfix) with ESMTPS id 4F033181218ED
for <me@mydomain.com>; Sun, 5 May 2024 00:48:37 -0700 (PDT)
Received: from outbound11.service-now.com (unknown [10.249.128.175])
by fallback-outbound11.service-now.com (Postfix) with ESMTPS id CB16AC029893
for <me@mydomain.com>; Sat, 4 May 2024 16:32:11 -0700 (PDT)
Received: from app130035.syd101.service-now.com (app130035.syd101.service-now.com [10.225.130.35])
by outbound11.service-now.com (Postfix) with ESMTPSA id 8770E8266581
for <me@mydomain.com>; Sat, 4 May 2024 16:32:06 -0700 (PDT)
Observe:
1. there is an 8-hour delay internally within the "ServiceNow" systems.
2. it ultimately delivers from the IP 199.91.136.28 (which is outside Australia)
Be aware that the FoI act does NOT restrict my questions to "documents" (e.g. "information" encompasses any paper or other material on which there is writing, a mark, figure, or symbol, electronically stored information, maps, plans, drawings, photographs, and any article from which sounds, images, or writing can be produced).
My requests are as follows:-
1. How long has the DTA been aware that emails they send out that contain security codes which expire in 10 minutes, are taking more than 10 minutes to arrive? (e.g. the "electronically stored information" of the DTA showing the first incidences of this email delay issue)
2. The number of times since this issue began that users have reported trouble as a result of these delays, and the number of times support staff responded to victims of this delay, allowing them to bypass this security feature.
3. The documents in connection with the Tender or other procurement process through which ServiceNow (and others) were invited, and ultimately through which it was awarded this business, and the number of other bidders for this business.
4. The number of times ServiceNow has been informed of email-related delivery issues, and the clauses from any contract with ServiceNow (or published beforehand, such as in my item 3 above) in relation to (a) timeliness of email transmissions, and (b) response times to reports of system failures, and (c) compensation arrangements for service failure.
5. The rules by which the DTA must abide in relation to the following:
a) the use of sovereign systems or providers for the handling of certain information, and the list or categories of information that falls under this sovereign requirement.
b) the handling of cyber security issues, such as password reset mechanisms, and user verification requirements for allowing unidentified individuals on phone calls to obtain access to supplier account logins (bypassing verification codes)
6. The budget (financial dollar amount) of the DTA which is allocated for the payment of external service providers, and if it exists, the breakdown of categories within that budget (e.g. hosting, email, design, support, etc) and the amounts for each.
Note that I am deliberately requesting information that is specifically designed to publicly embarrass your department. Our FoI act specifically allows me to do this, and forbids you to withhold answers based on this. Please try to honor the purpose and intent of our FoI act and fully, honestly and truthfully supply the information I request.
Yours faithfully,
C Drake
-------------------------------------------------------------------
Please use this email address for all replies to this request:
foi+request-11392-862945f4@righttoknow.org.au
Is foi@dta.gov.au the wrong address for Freedom of Information requests to Digital Transformation Agency? If so, please contact us using this form:
https://www.righttoknow.org.au/change+AF...
This request has been made by an individual using Right to Know. This message and any reply that you make will be published on the internet. More information on how Right to Know works can be found at:
https://www.righttoknow.org.au/help/offi...
Please note that in some cases publication of requests and responses will be delayed.
If you find this service useful as an FOI officer, please ask your web manager to link to us from your organisation's FOI page.
-------------------------------------------------------------------
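The hop-by-hop delay claimed in the request can be checked mechanically from the quoted Received headers. The following is an added example, not part of the correspondence: it parses the four headers (folding whitespace restored, recipient left redacted), orders them oldest first, and compares the total transit time with the 10-minute code lifetime stated in the request. The function names are hypothetical.

```python
import re
from datetime import timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Received headers from the request, with folding whitespace restored.
# Each MTA prepends its own header, so the newest hop comes first.
SAMPLE = """\
Received: from outbound91.service-now.com (outbound91.service-now.com [199.91.136.28])
\tby esmtp.mydomain.com (8.15.2/8.15.2) with ESMTPS id 4457ns0N2024109
\t(version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NOT)
\tfor <[email address]>; Sun, 5 May 2024 07:49:56 GMT
Received: from relay13.syd100.service-now.com (unknown [10.243.25.53])
\tby outbound91.service-now.com (Postfix) with ESMTPS id 4F033181218ED
\tfor <[email address]>; Sun, 5 May 2024 00:48:37 -0700 (PDT)
Received: from outbound11.service-now.com (unknown [10.249.128.175])
\tby fallback-outbound11.service-now.com (Postfix) with ESMTPS id CB16AC029893
\tfor <[email address]>; Sat, 4 May 2024 16:32:11 -0700 (PDT)
Received: from app130035.syd101.service-now.com (app130035.syd101.service-now.com [10.225.130.35])
\tby outbound11.service-now.com (Postfix) with ESMTPSA id 8770E8266581
\tfor <[email address]>; Sat, 4 May 2024 16:32:06 -0700 (PDT)

"""

CODE_TTL = timedelta(minutes=10)  # code lifetime stated in the request


def parse_hops(raw):
    """Return hops oldest-first as dicts with 'from', 'by' and UTC-aware 'when'."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        # Unfold the header, then split off the timestamp after the last ';'.
        info, _, date = " ".join(value.split()).rpartition(";")
        if not info:
            continue  # no ';' means no timestamp to work with
        date = re.sub(r"\s*\([^)]*\)\s*$", "", date.strip())  # drop "(PDT)"
        try:
            when = parsedate_to_datetime(date)
        except (TypeError, ValueError):
            continue  # unparseable date: skip the hop rather than guess
        if when.tzinfo is None:  # "-0000": UTC clock, local zone unknown
            when = when.replace(tzinfo=timezone.utc)
        src = re.search(r"\bfrom\s+(\S+)", info)
        dst = re.search(r"\bby\s+(\S+)", info)
        hops.append({"from": src.group(1) if src else None,
                     "by": dst.group(1) if dst else None,
                     "when": when.astimezone(timezone.utc)})
    hops.reverse()
    return hops


def hop_delays(raw):
    """(previous receiver, next receiver, time between their stamps) per hop."""
    hops = parse_hops(raw)
    return [(a["by"], b["by"], b["when"] - a["when"])
            for a, b in zip(hops, hops[1:])]


def assess(raw, ttl=CODE_TTL):
    """Total transit time, whether it exceeds ttl, and the slowest hop."""
    hops, delays = parse_hops(raw), hop_delays(raw)
    if len(hops) < 2:
        return None
    total = hops[-1]["when"] - hops[0]["when"]
    return {"total": total,
            "expired_on_arrival": total > ttl,
            "slowest": max(delays, key=lambda d: d[2]),
            # A negative step means the two servers' clocks disagree.
            "clock_skew": any(d[2] < timedelta(0) for d in delays)}


if __name__ == "__main__":
    for prev, cur, delta in hop_delays(SAMPLE):
        print(f"{prev} -> {cur}: {delta}")
    print(assess(SAMPLE))
```

Each timestamp comes from the stamping server's own clock, and only headers added by the receiving organisation's own MTA are trustworthy, so the per-hop figures are evidence of where a delay sits rather than proof.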