Integrity Framework – “The Hidden Power of Integrity and Access to Vast Increases in Performance”

A few months ago I attended a talk entitled “The Hidden Power of Integrity and Access to Vast Increases in Performance” by Michael Jensen of the Harvard Business School.  I was interested because I knew Michael Jensen from when I did my MBA at the Simon Graduate School of Business at the University of Rochester. (Actually, I knew of him is more like it.  I was a plebeian MBA student.  He was an academic superstar.)  He is an interesting and eclectic guy – and was one of the founders of Agency Theory which, if you’ve studied Accounting or Finance, you probably know about.  Since he was going to be giving a lecture on Integrity at UBC, I thought it would be interesting to hear what he had to say.

His lecture was a pleasant surprise.  He wasn’t talking about integrity in the context of ethics (i.e. good or bad), but rather he was talking about integrity as something being “whole” or “complete”.  He argued that a system, organization or person cannot achieve their full potential unless they have integrity in this sense.  And then he went on to explain that being in integrity means to “honor your word”.  And he provided simple definitions for what is meant by “giving your word” and what is meant by “honoring” your word.  I was expecting a talk on integrity from an ethical perspective, but instead he provided objective definitions of an integrity framework that could be put to work immediately – and to great effect.  Ethics should include this form of integrity, but integrity is so much more than ethics, and is really a prerequisite for full organizational effectiveness.

I encourage you to learn more about Michael Jensen’s integrity framework.   You might start by reading the following article from SSRN “Integrity: Without It Nothing Works”.  If this resonates with you, take the time to watch a video of the lecture from March 26th: “The Hidden Power of Integrity and Access to Vast Increases in Performance”.  (Unfortunately, the lecture is nearly two hours long – but it is interesting, and will definitely be time better spent than watching Mad Men or Game of Thrones).  The slides from his lecture can be found here.

Anyway, Mr. Jensen’s simple and straightforward integrity framework is a breath of fresh air.  I hope you are enticed by it as much as I have been.

Sale of Goods Act in British Columbia: You call the shots, not your cell phone provider

The BC Sale of Goods Act (SOGA):

If you live in British Columbia, Canada, consider yourself lucky.  BC has (probably) the strongest consumer protection legislation in North America.  I am not a lawyer, but learning about BC’s “Sale of Goods Act” was an epiphany to me.  I’ve used it successfully many times.  You should know about it so that you can benefit from it also.  You can find the act at the following link (the relevant sections are 16, 17, 18, and 20): http://www.bclaws.ca/EPLibraries/bclaws_new/document/ID/freeside/00_96410_01.  Let’s call it the “SOGA”.

[Please note that when the act discusses a “condition” of a sale, it means this: A “condition” of a contract is an essential term of a contract.  A breach of a condition by either party leads to a discharge of the contract.  If the seller (i.e. the person who you bought, say, a cell phone from) breaches the contract, then the buyer can ask the court to restore them to their pre-contract position (i.e. get their money back from the seller and discharge the buyer from any further obligations). If a “condition” is breached by the seller, then it is up to the buyer of the goods as to the remedy, not the seller.  So you can elect to return the goods for a full refund.  (A “warranty” means that you are entitled to compensation for damages/loss, but not a full refund).  So as you might imagine, conditions of a sale are very important and powerful.]

Section 17 of the SOGA says that the goods must match their description, e.g. if you purchase something from a catalogue.  I used this clause successfully once when I purchased a textbook.  It was shrink wrapped and the description on the back of the book touted the “companion web site”.  As it turns out, it was a new edition of the book and the companion web site was not available.  So a few weeks into the course I returned the book for an older edition.  I explained that the goods didn’t match the description.  This can be a powerful clause.

Section 18 says 3 important things:

  1. Fitness for purpose is a condition of the sale:  If you describe your purpose and rely on the seller for their recommendation, it is a condition that the goods will meet that purpose.  Otherwise you can return the goods for a full refund.  What this means is that you shouldn’t go into a store and tell them you want a particular model of a product (e.g. power tool, cell phone, bicycle, skis, computer, or whatever).  Rather, you should tell them what your need is and rely on their recommendation.  If you buy it based on that recommendation and the product doesn’t meet the need you stated, then the condition of the sale was breached according to the SOGA.  You as the buyer can demand a full refund.
  2. Goods are of merchantable quality is a condition of the sale:  If you get a “lemon”, a condition of the sale has been breached.  Obviously subjective, but can be quite powerful. I would ask for a full refund and cite the SOGA.
  3. Goods will be durable for a reasonable period of time. This is a condition of the sale.  Reasonable period can be a bit subjective, but is helpfully defined for you when you are offered an extended warranty.  Personally, I think that 3 years is a “reasonable period of time” for a cell phone to last if I purchase it on a 3 year contract.  And just because a TV comes with a 1-year warranty, it doesn’t mean that 1 year is the “reasonable period of time” for it to last under normal use.  I find that the inevitable offer of an extended warranty is a good time to discuss how long something will last with the salesperson.  There will probably be a lot of arm-waving and backtracking if you ask them in response to their suggestion of a three year warranty on your TV:  “But won’t this TV last for at least two or three years?”.  The salesperson will generally say “yes, but …”.  Write their name on the receipt and make sure to mention their name when you take the store to small claims court because your TV died on day 366 and they refused to replace it or refund your money.

Section 20 of the SOGA says that these rights cannot be waived via a disclaimer, unless they are used goods or goods used primarily for business purposes.  So be careful of disclaimers on used goods or goods you purchase for a business.  But otherwise you have superhuman immunity to those silly disclaimers they put on receipts or mention when you purchase the goods,  e.g. “not responsible for …”, “exchanges only”, “no returns if clothes worn by purchaser”, etc.

Oh, and another interesting point about the SOGA.  It applies to the seller, not the manufacturer.  So you should never have to deal with the manufacturer to assert your rights – only the seller who you purchased the goods from.

So if you decide to exercise your rights under the SOGA, act confidently (but not arrogantly) and talk to the salespeople first.  They probably won’t know what to do and will try to get you to go away.  Ask for the manager at that point.  If you still get no joy, then ask how to contact their legal department.  Write them a letter citing the SOGA and you are likely to succeed in getting a refund and/or replacement of the goods (your choice).  If not, don’t be afraid to use small claims court.  You are likely to win, and the seller will have to pay your costs when you do (about $100 to file a Small Claim).  Small Claims court in BC can be used for claims up to $25,000 and is intended for just this sort of dispute.

A real-life example:

I recently had a problem with a cell phone which developed a camera flaw – dust under the lens which would obviously require disassembly to resolve.  This happened 2 months after I bought it.  I took the phone back to where I bought it.  After examining it, they agreed that it was not something a customer could fix on their own.  They told me I would have to take the phone to a service center elsewhere in the city and pay an $80 deposit, at which point they would send the phone to the manufacturer for diagnosis and repair. I told them that I did not want to do this.  The phone was defective.  I had used it normally and carefully.  I told them that I would like them to simply replace the phone.  They said that my only recourse was to go to the service center, put down $80, and wait to hear what the manufacturer had to say.  I didn’t like this, and felt that it was time to use the SOGA.  I told them that I had the right to demand a full refund of everything I paid for the phone, and to be freed from the contract going forward.  I’m sure they thought I was crazy.  And, honestly, I didn’t expect the salesperson to play ball.  I asked to speak with their manager, but there was no manager available.  So I asked them for details about how to contact their legal department.  They told me to phone the customer service number.  The customer service line stonewalled me.  So I looked up the corporate headquarters address and addressed the following letter to the legal department at that address:

To Whom It May Concern:

I purchased a Samsung Galaxy Note II cellphone at the XXXXXXX store at XXXX West 4th Vancouver on December 8, 2012. The camera has developed a flaw. On Saturday, February 16th I went to the store and they agreed that it is flawed and is not something a customer could repair. I told them that I want to return the phone for a full refund, as is my right under the BC Sale of Goods Act (see http://www.bclaws.ca/EPLibraries/bclaws_new/document/ID/freeside/00_96410_01). The woman at the store said that my only recourse is to return the phone to the manufacturer via your customer service centre (and pay an $80 deposit on doing so). I disagree, and since I habitually shop with knowledge of my rights under the BC Sale of Goods Act, I would like to discuss the issue with your legal department.

Therefore, please contact me at the number shown below to discuss resolution of this issue.  I would like to hear from you in the next day or two in order to avoid having to pursue the issue via the Small Claims Court of British Columbia.

I also sent the same letter directly to the store where I bought the phone.  While waiting for a reply, I prepared the paperwork to make a claim in the BC Small Claims Court.  Within a week I heard back from the store where I bought the phone.  The manager grudgingly told me that he was told to replace my phone with a new phone.  By rights, I believe I could have insisted on a full refund and a discharge from my obligation under the contract.  But I generally like the phone and figure that if it develops a problem within the original 3-year term I can always use the SOGA again.  So I agreed and the problem is solved.

Note:  If the phone was not defective, or was not used in a way that it was intended I probably wouldn’t have had a leg to stand on.  E.g. if there was moisture damage or if the screen cracked because I dropped the phone.

The moral of the story:  

You have very strong rights under the SOGA, and you should not be afraid to exercise those rights.  Do not be bullied by sellers if you are in the right.

 [Note:  If you are a lawyer and feel that I’ve gotten any of this wrong, please send me an email pointing out my mistake.]

Password diversity

A friend’s email was hacked recently.  I received an email with a single cryptic web link in it, and the title of the message was deceptively misleading.  Also, the email was CC’ed to many people.  All of these are obvious signs that the email account of the sender was hacked.  Here’s the email I sent the person after phoning to tell them about the problem.  It highlights one of my biggest concerns:  password diversity.

“As I told you on the phone a few minutes ago, it appears as if your email account has been hacked.

I’ve attached a PDF of the email which was sent from your account.  I recommend you change the password on your account immediately.  Use something that is eight characters or longer, and contains upper case letters, lower case letters, numbers, and special characters.  E.g. “Argo=BestPic.2013”

The other problem if someone has figured out your password is that you probably use the same password for different accounts.  So you should assume that those accounts have been compromised also.  Put different passwords on those accounts.

I know this is a pain in the a–.  But I contend that the biggest problem to security in this new on-line world we all participate in is a lack of password diversity.  If someone gets a password, they’ll try to use it everywhere else where they think you’ll be doing things on the internet:  Internet banking, Library accounts, University accounts, Facebook, Linkedin, Google, etc., etc.

Even if you use a strong password (as recommended above), there are some web sites and services that have security flaws that might enable someone to get at the cleartext passwords.  The only protection against that type of thing is to have different passwords everywhere you sign up for something on the internet.  For instance, I have an account with a service called “Evernote”.  Last week it was revealed that 500,000 Evernote accounts were hacked and passwords were potentially revealed to hackers.  Because my password on Evernote was unique, I didn’t worry.  I just visited Evernote and changed my password.  None of my other on-line accounts would have been compromised.”

Please note:

  1. I phoned the person as soon as I realized there was a problem.  They will want to know, and they should know if their email is hacked so they can deal with it posthaste.
  2. I explained the simplest procedure, i.e. to change the password — and to use a strong password.
  3. I explained the importance of password diversity.

(I forgot to tell my friend not to click on the link in any such email received.  In this case I think she’s smart enough to know not to do that.)

Don’t fret over the amount of email hacking that is occurring.  Do something about it.
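
The password-diversity point above, as an added example that is not part of the original post: a short Python audit that checks each stored password against the rules given in the email and lists which other accounts are exposed if one site is breached. The vault records, site names and function names are constructed for illustration.

```python
"""Audit a credential list for weak passwords and password reuse."""
import hashlib
import hmac
import secrets
import string
from collections import defaultdict

# Constructed sample records (site, username, password); not real accounts.
# "Argo=BestPic.2013" is the example password quoted in the email above.
SAMPLE_VAULT = [
    ("webmail.example", "pat@example.com", "Summer2013"),
    ("bank.example", "pat", "Summer2013"),
    ("library.example", "pat", "Summer2013"),
    ("notes.example", "pat@example.com", "Argo=BestPic.2013"),
    ("social.example", "pat", "kitten"),
]

# One random key per run: fingerprints are comparable within this audit only,
# so equal passwords can be grouped without keeping plaintext in the report.
_RUN_KEY = secrets.token_bytes(32)


def fingerprint(password: str) -> str:
    """Keyed hash used only to test two passwords for equality."""
    return hmac.new(_RUN_KEY, password.encode("utf-8"), hashlib.sha256).hexdigest()


def policy_failures(password: str) -> list[str]:
    """Rules from the email: 8+ characters, upper, lower, number, special."""
    checks = [
        ("shorter than 8 characters", len(password) >= 8),
        ("no upper case letter", any(c.isupper() for c in password)),
        ("no lower case letter", any(c.islower() for c in password)),
        ("no number", any(c.isdigit() for c in password)),
        ("no special character", any(c in string.punctuation for c in password)),
    ]
    return [label for label, ok in checks if not ok]


def reuse_groups(vault) -> list[list[str]]:
    """Return groups of sites that share one password (a lack of diversity)."""
    by_fp = defaultdict(list)
    for site, _user, password in vault:
        by_fp[fingerprint(password)].append(site)
    return sorted(sorted(sites) for sites in by_fp.values() if len(sites) > 1)


def blast_radius(vault, breached_site: str) -> list[str]:
    """Other sites that fall if the password stored at breached_site leaks."""
    leaked = {fingerprint(pw) for site, _u, pw in vault if site == breached_site}
    return sorted(
        site for site, _u, pw in vault
        if site != breached_site and fingerprint(pw) in leaked
    )


def audit(vault) -> dict:
    """Per-site findings: rule failures and accounts exposed by reuse."""
    return {
        site: {
            "weak": policy_failures(password),
            "also_exposed_if_breached": blast_radius(vault, site),
        }
        for site, _user, password in vault
    }


if __name__ == "__main__":
    for site, finding in audit(SAMPLE_VAULT).items():
        print(site, finding)
```

A strong password that is reused still shows a non-empty exposure list, while a unique one shows none even if its own site is breached, which is the situation the email describes with Evernote.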

 

Some observations about the Jenkins Report and SR&ED…

It seems that the Harper government is about to introduce tax-regime changes based on last year’s Jenkins report (see http://bit.ly/qMhEpY). It’s important for governments to question government largesse and the effectiveness of its expenditures. But as stated previously in this blog, SR&ED may not be the most efficient way of stimulating R&D, but it does help create jobs in Canada and it does keep technology companies in Canada.  In fact, I’ve seen it reverse the tide of outsourcing for some companies. It all reminds me of Winston Churchill’s statement about Democracy:  “Democracy is the worst form of government, except for all those other forms that have been tried from time to time”.  It ain’t perfect, but without SR&ED it is almost certain that a large chunk of our technology industry would disappear.

The problem I see with SR&ED has largely been the enforcement (or lack thereof) and the complex, oblique and ambiguous rules surrounding the program. It just lends itself to exploitation the way it is being administered at present.

The changes proposed to SR&ED by the Jenkins report don’t seem all that bad: Base it more on labour costs; increase the rates (I like that part); reduce the amount of refundable credits (will surely encourage profitability); and make the pre-review process more of a pre-approval process. This all seems quite reasonable.

They should also create some more “bright lines” in the rules. For instance: If they’re going to make the credit primarily labour-hours-based, they should prescribe that time records be kept, plain and simple. No exceptions. Currently, you are supposed to have good supporting evidence, preferably in the form of time records, but they don’t prescribe the nature of the data to be kept in those time records (and believe me there is a lot of latitude in this area). And if you don’t have good time records, they will often let you cobble together other information to support the time claimed – but that often ends up being an “allocation” based on questionable methodologies. It seems to me that it would be virtually costless to always insist on seeing the time records, and to check that they at least meet some basic characteristics before approving a claim. That would save probably $3,000,000 of the approximately $3,500,000 the government spends on SR&ED each year. And who could reasonably argue against such a rule? The beneficiaries? Hardly. It is other people’s money after all.

More about patent madness

Interestingly, right after my previous diatribe I sat down to read the latest Economist and saw this article about the problems with the US patent system: http://www.economist.com/node/21526370. Then, lo and behold, the most recent Wired magazine has an article about my former employer (Kodak) being forced to become a patent troll: http://www.wired.com/epicenter/2011/08/patent-game-kodak. It’s the laws & patent system, it’s not the companies taking advantage of it that are the problem. (Arggghhh… And maybe if Kodak hadn’t shelved their prototype digital camera in favour of the crappy Kodak Disc camera in the early 80s, Rochester would be a compelling place to live again.)

2011: The year insanity trumped innovation.

2011 might be remembered for a lot of things, but to me it’s the year that the world finally woke up to the mess with the US patent system — to which many of the other countries’ patent systems are of secondary importance.  (And when I say “woke up”, I don’t mean “woke up and solved”.) Anyway, here’s the problem:  Granting patents for questionable & intangible ideas to people/organizations that didn’t really “invent” those ideas, combined with a legal system that is way in over its head trying to assess the validity of such patents has led to an economy based on faux-IP rather than true innovation.  It means that we’re not manufacturing as much and we’re not creating as much value from real and important innovation.  This is all just the opposite of what patents are supposed to do.

Gary Yurkovich recently posted the following comment on LinkedIn:  “Remember when Apple was innovative with good products? Now it competes best in courtroom. http://zd.net/pcGm0j”.  True, but while patent-litigation over innovation seems to be the trend (see http://www.economist.com/node/21525096), I don’t blame Apple. The patent system is broken, not Apple. It’s the ease with which one can now patent things like blatantly obvious software implementations that is the problem (i.e. vague “innovations” that should never be patentable), and Apple is just reacting rationally.

Apple actually innovates better than most: E.g. where’s the competition for iPad when the likes of HP quit at the 1st sign of heavy sailing? That’s Leo Apotheker trying to turn HP into the next SAP and is a very sad development (whither manufacturing?). It truly angers me, having cut my teeth on DEC which was eventually bought by Compaq, which was eventually bought by HP, which … has given up the fight.

SR&ED: Flawed, but worthwhile

I read with interest Saturday’s story in the Globe and Mail entitled “Flawed R&D scheme costs taxpayers billions” by Barry McKenna (see http://www.theglobeandmail.com/report-on-business/flawed-rd-scheme-costs-taxpayers-billions/article1939418/).  One of the things my company does is SR&ED consulting — helping companies determine if they have SR&ED-eligible projects, helping them document their projects in order to apply for SR&ED credits, and helping them establish processes to tap into SR&ED tax credits when SR&ED-eligible work is performed in the future.

The funny thing is, I agree with much of what Mr. McKenna says in Saturday’s article, but I still believe the SR&ED program is worthwhile.  Is it flawed?  Yes.  Show me a tax program that isn’t.  Interestingly, it is not uncommon to question government incentive programs like SR&ED, no matter what country you’re in.  Yesterday’s Oregonian newspaper, for instance, had an article questioning Oregon’s green energy incentives (see http://blog.oregonlive.com/politics_impact/print.html?entry=/2011/03/how_many_jobs_from_oregons_gre.html).

I don’t know if SR&ED fully meets its implied social objective of increasing R&D in Canada.  But I do know it helps retain and increase employment in the technology sector.  One of my clients, for instance, was doing really innovative R&D, but he was using offshore resources to do much of it.  I explained that if he used employees here instead, he would be able to tap into SR&ED tax credits that might enable him to grow the business entirely within Canada.  As a result he has hired two new employees in Canada and has opened an office here as well.  He expects to hire three more in Canada — changing his mix so that instead of having 1 or 2 employees here and 4 overseas, he will have six in Canada and one or two overseas.

Another client would almost certainly have closed their doors in 2009 due to the recent financial crisis.  Most of their customers were in the US and their business virtually dried up by the beginning of 2009.  Instead, they downsized a bit, focused on R&D, obtained SR&ED credits as a result, and are coming out of the recession with a stronger product portfolio.  They are a stronger company now.  They and their employees are thriving in Canada and are paying taxes.  The alternative?  I hate to think about it:  All of those jobs overseas?  Many of the employees on EI?  Loss of a truly innovative technology company?

Oh, and please note that other countries are using R&D tax credits to create or retain industries and jobs.   The USA, Mexico, Australia, France, China, India and others all provide generous credits.  (See http://www.scitax.com/pdf/Scitax.International.RD.Tax.Credit.Survey.Table.pdf).  Just to state the obvious here:  It’s hard enough to compete in the global economy, and I appreciate the fact that our government helps us do that.

So, what’s the problem?  I think that Mr. McKenna’s article was correct about the unscrupulous use of SR&ED credits by companies that don’t deserve them.  They are taking advantage of the subjectiveness of the assessment process and of the lack of resources at the CRA to more thoroughly examine every case.

There is little I can do about that other than to make sure that I only assist companies that have valid claims and who are willing to do the work needed to fully document them.  When they do that, I’ll go to the mat with the CRA for them to make sure their legitimate claims succeed.

 

 

 

SR&ED Creativity… Just Be Careful

I came across the following blog post recently: “SREDing Sweat Equity”.   It describes a maneuver to use SR&ED to enable paying yourself a salary during the early stages of your company’s development.  Part of my work at Axxiton Consulting involves helping companies to maximize SR&ED claims by identifying eligible projects & activities, analyzing and documenting projects & activities to claim for SR&ED, and establishing processes to help assure repeatable success.  So I found the aforementioned blog post interesting.  But I have the following observations:

The proposed maneuver is quite interesting.  SR&ED is a great program, and I’ve seen some companies survive the economic downturn solely due to SR&ED — it literally kept the lights on so that the companies survived until the economy recovered.  However, companies need to make sure they don’t see SR&ED as an entitlement.  They still need to demonstrate technological advancement.  It must be credible and documented. And they need to be aware of the rules – both for claiming SR&ED credits and for paying their employees.

The first problem I see with the proposed maneuver is this:  Specified employees (i.e. a person who owns 10% or more of the company or who does not deal at arm’s length w/the company) can only claim up to 75% of the time (and presumably salary) for which they were directly involved in SR&ED for the Prescribed Proxy Amount (PPA) top-up when computing SR&ED.  That reduces the SR&ED-eligible expenditures in the example from $70K to $52.5K for the PPA.  Max SR&ED credits for the $70K salary will therefore be about $43K in Ontario.

Another problem is that an entrepreneur is unlikely to expend 100% of their time on SR&ED activities.  In fact, companies that claim all of their principals’ time as being for SR&ED might trigger increased scrutiny of their SR&ED claim as a result. If you do so one year, you can’t count on getting away with it every year.  Be careful here:  If you mysteriously claim exactly 100% on SR&ED activities year after year, someone’s going to decide to take a more careful look (even if you claim 90% and deem it to be 100% under the “all or substantially all” rule).  Be realistic.  As a founder, some of the time you spend on your company will be for bizdev, financing, admin, etc.

Another important point is this:  Suppose you do pay yourself with an IOU, the company must still withhold and pay remittances for personal tax, CPP and EI.  In the blog’s example, using 2011 tax rates, that would be $15,180 in tax and $6,323 for EI and CPP.  That’s $21,503 you need to come up with in cold, hard cash to pay the government while you’re waiting for the SR&ED cheque to arrive.  I believe you can wait up to 180 days into the subsequent fiscal year to pay the salary if it is a bonus, but there are two problems here:  First, bonuses to specified employees will be scrutinized by the CRA to make sure they are not based on profits.  Bonuses paid on profits to specified employees can’t be included in your SR&ED claim.  Second, you don’t know how long it will take to process your SR&ED claim, nor do you know how much of your SR&ED claim will be accepted by the CRA.

So… now you’re in a situation where you’ve paid salary via an IOU of $70K.  You’ll net about $21.5K in cash (SR&ED claim = $43K, Remittances paid to Receiver General = $21.5K).  That assumes that the entire SR&ED claim will be approved.  And you hope it will be approved in a timely manner so that you aren’t out of pocket $21.5K while you wait for the $43K cheque to arrive.

Just be aware of the risks.  Don’t file frivolous SR&ED claims.  Claim legitimate SR&ED.  Document, document, document!  The best damned thing you can do is to methodically record your time spent each day, and that of your employees.  Always have supporting documents for your claim. (See http://bit.ly/aSsSh6 for my thoughts on this point).

Danger Will Robinson: National “Infrastructure as a Service”

I was in New Zealand recently, and saw the following article in the New Zealand Herald: “Govt in $2b shake-up of data systems”.  As I read the article, the hairs on the back of my neck went up.  New Zealand hopes to move a significant portion of their Information and Communications Technology (ICT) infrastructure into the cloud.  They call it “Infrastructure as a Service.”  It’s supposed to save money.

New Zealand is a wonderful country, and they have much to be proud of.  They dug themselves out of a significant fiscal crisis in the 1980s – and are not afraid to take innovative and/or draconian measures to address their problems.  The article points out that “Once it is up and running, the Government would be one of the first in the world to adopt an Infrastructure as a Service model.”  Bad, bad idea.

The first time I visited there, I took a picture similar to the one shown above of a geothermal power generation plant and told people that it proved NZ was where the clouds were made!  This is ironic, because one of NZ’s big failures in my opinion was their privatization of the electricity grid.  It is my understanding that Kiwis pay more than 3 times what we pay for electricity, despite having an abundance of hydroelectric and geothermal power available.  The irony today is that a national government-wide cloud strategy may not save money (as the electricity-grid-privatization was supposed to do), but may cost far more than expected.  Furthermore, there is a very real danger that it could cripple the ability of the government to deliver services, and could even threaten NZ’s national sovereignty.

I love cloud computing.  It works.  It saves money.  The promise is that the costs of cloud-based services grow only as the organization’s needs grow and don’t require significant capital investment up front.  You don’t need a large IT staff.  There is protection against obsolescence.  Etc., etc.  But Cloud Computing is not for every organization, and those that adopt it need to understand the risks and true costs involved.

False Economies

I believe that there are often false economies with moving services into the cloud.   If not done correctly, cloud based computing can be like payday loans or rent-to-own services.  I saw one medium-sized organization replace its far-from-perfect time keeping system with a cloud-based CRM system:  $50/month per seat – they replaced a suboptimal system that cost them almost nothing with a different suboptimal solution that cost them about $75K per year.  Then they needed to purchase data conversion services, consulting services and training services from the vendor before it was all up and running.  Those up-front costs were in the $75K-$100K range.

Another thing to keep in mind is that IT projects of any sort typically run over budget and over schedule.  This problem seems to be worse the larger the organization involved.  Governments are notoriously bad about this (probably because they’re spending other people’s money).  I’m sure the vendors who bid on this project will spin a pretty good yarn, but for some reason I don’t trust Microsoft, Oracle, IBM, Google, SAP, NetSuite, Amazon, or others to necessarily get it right the first time.  After all, New Zealand would be the first country in the world to attempt to put virtually their entire government IT infrastructure into the cloud.  There is no precedent.

Continuity of Services

Someone once said “the bigger they are, the harder they fall.”  I think that was meant to encourage a small competitor to take on a large competitor.  But in the context of enterprise-wide, or nation-wide cloud computing it takes on a whole new meaning:  Imagine if no government employee could use email, access word-processing documents or spreadsheets.  If that happened for even just a few minutes, it would be devastating.  If it happened for an hour, a day or a week, it would be akin to an earthquake shutting down the entire federal government.

The security of a single ICT cloud-based provider (as opposed to the patchwork of relatively independent systems that probably exists today) should be considered.  A single undiversified system will be more vulnerable to malicious attacks or systemic failures.  Cloud-based systems can be accessed via the global internet, and don’t require physical access to the systems.  This can be addressed via technologies like geolocation and by using sophisticated authorization, access, and directory services – but such technologies create management and user headaches all their own, and often create incentives for employees or external users to short-circuit them. (Think of users that write down their passwords because the system forced them to change them frequently, or people who install free VPN solutions like Hotspot Shield to work around geographical internet restrictions).

The problem is that the host system (i.e. the cloud-based ICT) is enormous and a vulnerability can affect the entire infrastructure.  Conventional (non-cloud-based) systems are inherently compartmentalized and heterogeneous.  This isn’t always good, but does help to prevent system-wide failures.  For some reason, the picture of a virtual “Death Star” comes to mind when I think of a nation-wide cloud solution… The bigger they are, the harder they fall.

Sovereignty and Security

New Zealand is not generally in the rest of the world’s crosshairs, but its government does have a duty to protect the country’s sovereignty and to protect its citizens against terrorists, enemy governments and industrial espionage.  Clearly, a system that can be accessed relatively easily via the global internet poses a problem in this respect.  I’m sure that New Zealand will take precautions, but I’m skeptical that they will ever be sufficient with a cloud-based solution – especially for the first country in the world to put virtually their entire government IT infrastructure into the cloud.

This is no idle concern:  Recently it appears that Israel, the US, Germany and Britain colluded to prevent Iran from developing nuclear weapons by using the Stuxnet worm to damage Iran’s centrifuges used for refining nuclear material.  There is evidence that China hijacked about 15% of the world’s internet traffic last April.  There is also suspicion that North Korea has launched a series of experimental cyber-attacks in the past few years against South Korea and the US (interestingly this is an asymmetric capability on North Korea’s part, since they have little infrastructure of their own that can be cyber-attacked).  Russia, or at least organized crime based in Russia, is well known for conducting denial of service attacks against other countries that get in its way.  Every country should take this type of threat seriously for its economic, military and civil security.

Another problem with sovereignty is where the data is kept.  I’m sure that New Zealand will take measures to keep the cloud-based data within their own borders.  But if they don’t, the data might be subject to eavesdropping by the US under the Patriot Act, or under similar legal regimes in other countries.  If data is stored in other countries, or even transits other countries as part of the global internet, it will be subject to such snooping and there will be little New Zealand can do about it.  I don’t hesitate for a second to think that China, the US, Russia, Israel, Britain and other countries will use such data for industrial and national espionage activities.

Privacy, Data Security, Government Abuse

By definition, data is stored outside of the organization when using a cloud-based infrastructure.  New Zealand has strict privacy laws, and I submit that a cloud-based infrastructure will endanger the privacy of people’s data:  Economic data, financial data, taxation data, medical data, legal data, vital statistics data, military data, and many other types of data are gathered and controlled by governments.  Part of the unexpected costs of developing a cloud-based infrastructure will be related to protecting the privacy and security of data.  I believe that no matter how hard they try, the government will not succeed in protecting the privacy of citizens’ data in a cloud-based infrastructure of this magnitude.  There will not be physical compartmentalization of data as you get with conventional IT infrastructures.  The cloud-based infrastructure will be a Wikileaks delight!  I wasn’t born yesterday:  I know that there are many safeguards that can be used – but I’ve also been on the inside of many organizations and have seen the damage that disgruntled or greedy employees can wreak, or the danger of unforeseen technological threats.

A final concern I have is that of government abuse.  I believe that the New Zealand government is benevolent, and does not intend to exploit the centrality of the data for any nefarious purpose.  But governments, politicians, law enforcement agents and civil servants sometimes yield to temptation and use powers given to them for unethical and amoral purposes.  Or they “extend” their powers after data is centralized or gathered for seemingly innocent purposes (think of the possible abuses of the Patriot Act in the US for instance).  I think it was Otter from the movie Animal House who put it best:  “You f—ed up, you trusted us!”

Use common sense:  Don’t do it

New Zealand currently has an RFP out for its $2b “Infrastructure as a Service” project (see http://www.gets.govt.nz, GETS Ref #31944).  It’s a great country, and I really hope they demonstrate common sense and avoid this debacle.  I don’t have a dog in the fight, but would really like them to perform euthanasia on the idea now.  If they don’t, they should try it on one or two departments first.  Isn’t that the idea behind cloud computing anyway:  Only bite off as much as you can chew?

Government Incentive Programs

Assistance with Canadian Government Incentive Programs, e.g. SR&ED and IRAP:

  • NRC Industrial Research Assistance Programs (IRAP)
    • Identify candidate projects / programs
    • Work with technical staff and write IRAP grant proposals
    • Assistance with ongoing administration to meet reporting requirements
    • Youth-grant applications and reporting