
Your arrangements with the multinational company Service-Now and their ongoing email failures


Dear Digital Transformation Agency,

This is a Freedom-of-Information request.

The DTA makes use of the company "ServiceNow", a $216bn market-cap non-sovereign multinational organisation for (at least) the provision of email services, including the delivery of account activation and password-reset one-time emails which contain security codes that expire in 10 minutes. Here is a sample of SMTP headers from one email containing a reset code which expires in 10 minutes (I've removed my real email address):

Received: from outbound91.service-now.com (outbound91.service-now.com [199.91.136.28])
    by esmtp.mydomain.com (8.15.2/8.15.2) with ESMTPS id 4457ns0N2024109
    (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NOT)
    for <[email address]>; Sun, 5 May 2024 07:49:56 GMT
Received: from relay13.syd100.service-now.com (unknown [10.243.25.53])
    by outbound91.service-now.com (Postfix) with ESMTPS id 4F033181218ED
    for <[email address]>; Sun, 5 May 2024 00:48:37 -0700 (PDT)
Received: from outbound11.service-now.com (unknown [10.249.128.175])
    by fallback-outbound11.service-now.com (Postfix) with ESMTPS id CB16AC029893
    for <[email address]>; Sat, 4 May 2024 16:32:11 -0700 (PDT)
Received: from app130035.syd101.service-now.com (app130035.syd101.service-now.com [10.225.130.35])
    by outbound11.service-now.com (Postfix) with ESMTPSA id 8770E8266581
    for <[email address]>; Sat, 4 May 2024 16:32:06 -0700 (PDT)

Observe:
1. there is an 8-hour delay internally within the "ServiceNow" systems.
2. it ultimately delivers from the IP 199.91.136.28 (which is outside Australia)

Be aware that the FoI act does NOT restrict my questions to "documents" (e.g. "information" encompasses any paper or other material on which there is writing, a mark, figure, or symbol, electronically stored information, maps, plans, drawings, photographs, and any article from which sounds, images, or writing can be produced).

My requests are as follows:-

1. How long has the DTA been aware that emails they send out that contain security codes which expire in 10 minutes, are taking more than 10 minutes to arrive? (e.g. the "electronically stored information" of the DTA showing the first incidences of this email delay issue)

2. The number of times since this issue began that users have reported trouble as a result of these delays, and the number of times support staff responded to victims of this delay, allowing them to bypass this security feature.

3. The documents in connection with the Tender or other procurement process through which ServiceNow (and others) were invited, and ultimately through which it was awarded this business, and the number of other bidders for this business.

4. The number of times ServiceNow has been informed of email-related delivery issues, and the clauses from any contract with ServiceNow (or published beforehand, such as in my item 3 above) in relation to (a) timeliness of email transmissions, and (b) response times to reports of system failures, and (c) compensation arrangements for service failure.

5. The rules by which the DTA must abide in relation to the following:

a) the use of sovereign systems or providers for the handling of certain information, and the list or categories of information that falls under this sovereign requirement.

b) the handling of cyber security issues, such as password reset mechanisms, and user verification requirements for allowing unidentified individuals on phone calls to obtain access to supplier account logins (bypassing verification codes)

6. The budget (financial dollar amount) of the DTA which is allocated for the payment of external service providers, and if it exists, the breakdown of categories within that budget (e.g. hosting, email, design, support, etc) and the amounts for each.

Note that I am deliberately requesting information that is specifically designed to publicly embarrass your department. Our FoI act specifically allows me to do this, and forbids you to withhold answers based on this. Please try to honor the purpose and intent of our FoI act and fully, honestly and truthfully supply the information I request.

Yours faithfully,

C Drake
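
As an added example (not part of the original request, and not code from the DTA or ServiceNow), the per-hop delays in the Received headers quoted in the request above can be computed as follows. The function names are assumptions chosen for illustration; the header text is copied from the request, with the recipient address already redacted there.

```python
from email.utils import parsedate_to_datetime

# Received headers as quoted in the request, newest hop first.
RECEIVED = [
    "from outbound91.service-now.com (outbound91.service-now.com [199.91.136.28]) "
    "by esmtp.mydomain.com (8.15.2/8.15.2) with ESMTPS id 4457ns0N2024109 "
    "(version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NOT) "
    "for <[email address]>; Sun, 5 May 2024 07:49:56 GMT",
    "from relay13.syd100.service-now.com (unknown [10.243.25.53]) "
    "by outbound91.service-now.com (Postfix) with ESMTPS id 4F033181218ED "
    "for <[email address]>; Sun, 5 May 2024 00:48:37 -0700 (PDT)",
    "from outbound11.service-now.com (unknown [10.249.128.175]) "
    "by fallback-outbound11.service-now.com (Postfix) with ESMTPS id CB16AC029893 "
    "for <[email address]>; Sat, 4 May 2024 16:32:11 -0700 (PDT)",
    "from app130035.syd101.service-now.com (app130035.syd101.service-now.com [10.225.130.35]) "
    "by outbound11.service-now.com (Postfix) with ESMTPSA id 8770E8266581 "
    "for <[email address]>; Sat, 4 May 2024 16:32:06 -0700 (PDT)",
]
CODE_TTL_SECONDS = 10 * 60  # the request says the code expires in 10 minutes


def parse_hop(header):
    """Return (receiving host, timezone-aware timestamp) for one Received value."""
    info, _, stamp = header.rpartition(";")
    by_host = info.split(" by ", 1)[1].split()[0]
    # parsedate_to_datetime honours the offset, so -0700 and GMT compare correctly.
    return by_host, parsedate_to_datetime(stamp.strip())


def hop_delays(headers):
    """Oldest-first (holding host, next host, seconds) for consecutive hops."""
    hops = [parse_hop(h) for h in reversed(headers)]
    return [(a[0], b[0], int((b[1] - a[1]).total_seconds()))
            for a, b in zip(hops, hops[1:])]


def slow_hops(headers, limit=CODE_TTL_SECONDS):
    """Hops whose delay alone exceeds the code lifetime."""
    return [d for d in hop_delays(headers) if d[2] > limit]


def total_transit(headers):
    """Seconds from the first recorded hop to final delivery."""
    return sum(seconds for _, _, seconds in hop_delays(headers))


if __name__ == "__main__":
    for sender, receiver, seconds in hop_delays(RECEIVED):
        flag = "  <-- exceeds code lifetime" if seconds > CODE_TTL_SECONDS else ""
        print(f"{sender} -> {receiver}: {seconds}s{flag}")
    print("total:", total_transit(RECEIVED), "s")
```

Each timestamp is written by a different host's clock, so differences of a few seconds can be clock skew rather than queueing time.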

DTA FOI, Digital Transformation Agency

1 Attachment

OFFICIAL

Good morning, C Drake

Thank you for your FOI request.

I am writing to notify you that I will be looking after your request.

Under subsection 15(3), I have an obligation to assist you with the FOI process.

To assist you with your request, I'm wondering if you could please give me a call to discuss.

I just would like to ensure that I understand your request.

In the meantime, I have provided some useful links for your information on the process.

https://www.oaic.gov.au/freedom-of-infor...
https://www.legislation.gov.au/C2004A025...

I look forward to your call.

Thanks

Suzie Sazdanovic
Privacy and FOI Manager
Digital Transformation Agency
suzie.sazdanovic@dta.gov.au | dta.gov.au
Ngunnawal Country | 11 Moore Street, Canberra, ACT 2600
+61 2 6120 8595

OFFICIAL


DTA FOI, Digital Transformation Agency

OFFICIAL

Good morning, C Drake

DTA has not received a response to our email of 13 May 2024, and we have
decided to proceed based on our understanding of your request.

Below is the Acknowledgement and notice of consultation in response to
your request.

The Digital Transformation Agency (DTA) acknowledges receipt of your
Freedom of Information (FOI) request made 7 May 2024 for:

1. How long has the DTA been aware that emails they send out that contain
security codes which expire in 10 minutes, are taking more than 10 minutes
to arrive? (e.g. the  "electronically stored information" of the DTA
showing the first incidences of this email delay issue)

2. The number of times since this issue began that users have reported
trouble as a result of these delays, and the number of times support staff
responded to victims of this delay, allowing them to bypass this security
feature.

3. The documents in connection with the Tender or other procurement
process through which ServiceNow (and others) were invited, and ultimately
through which it was awarded this business, and the number of other
bidders for this business.

4. The number of times ServiceNow has been informed of email-related
delivery issues, and the clauses from any contract with ServiceNow (or
published beforehand, such as in my item 3 above) in relation to (a)
timeliness of email transmissions, and (b) response times to reports of
system failures, and (c) compensation arrangements for service failure.

5. The rules by which the DTA must abide in relation to the following:

a) the use of sovereign systems or providers for the handling of certain
information, and the list or categories of information that falls under
this sovereign requirement.

b) the handling of cyber security issues, such as password reset
mechanisms, and user verification requirements for allowing unidentified
individuals on phone calls to obtain access to supplier account logins
(bypassing verification codes)

6. The budget (financial dollar amount) of the DTA which is allocated for
the payment of external service providers, and if it exists, the breakdown
of categories within that budget (e.g. hosting, email, design, support,
etc) and the amounts for each.

 Notice of Consultation

DTA has identified information relating to third parties contained within
the requested document. As a result, DTA is required to consult.

Your request covers a document relating to the business, commercial or
financial affairs of an organization. Accordingly, DTA is required to
consult with the organisation concerned before making a decision on the
release of this document.

Section 27 of the FOI Act provides that if a request is made to an agency
for access to a document containing business information of an organisation, and
it appears to the agency that the organization might reasonably wish to
make a contention that the document is exempt under section 47 (trade
secrets etc), or section 47G (business information) of the FOI Act, then
the agency must not decide to give access to the document unless the
organisation concerned is given a reasonable opportunity to make
submissions in support of their contention, if it is reasonably
practicable to do so.

The DTA will take into account any comments we receive from the
organisation. However, the final decision on whether to grant access to
the document requested rests with DTA.

In accordance with section 15(6) of the FOI Act, the period for processing
your request has been extended by an additional 30 days in order to allow
DTA time to consult with the organisation. The processing period for this
request will now end on 4 July 2024.

Drafts and Duplicates
In making a decision the DTA will exclude draft and duplicate copies, only
including final versions that fit the scope of your request. If you
require this information, please inform us within five days, otherwise
these documents will be deemed irrelevant to your request and removed
under section 22 of the FOI Act.
Please contact me if you wish to discuss your request.
Regards

Suzie Sazdanovic
Privacy and FOI Manager
Digital Transformation Agency
[email address] | dta.gov.au
Ngunnawal Country | 11 Moore Street, Canberra, ACT 2600
+61 2 6120 8595

OFFICIAL
