Source code for electronic billing system used by Seattle City Light and Seattle Public Utilities

Phil Mocek filed this request with the Department of Information Technology of Seattle, WA.

It is a clone of this request.

Tracking # C006308-102816
Status
Completed

Communications

From: Phil Mocek

To Whom It May Concern:

Background:

Twice since its implementation, the newly-implemented electronic billing system used by Seattle City Light and Seattle Public Utilities has been found to malfunction in ways that exposed private information from one or more subscribers to one or more other, unauthorized subscriber. The first incident was [reported by][1] Mike Lindblom of Seattle Times and [announced][2] by City of Seattle. The second incident was [reported by][3] Kevin Schofield of Seattle City Council Insight. In an e-mail from Megan Coppersmith at Seattle Department of Information Technology ("DoIT") to Seattle City Council member Kshama Sawant on September 14, 2017, Ms. Coppersmith wrote, "Earlier this week, certain customers were again potentially given access to bills that did not belong to them," stated that DoIT were then "working on further coding that relates to electronic bill generation and online display," and stated that DoIT would "look at ways to enhance [...] third-party coding review processes."

[1]: <http://www.seattletimes.com/seattle-news/politics/city-light-computer-glitch-lets-customers-see-other-users-bills/>
[2]: <http://www.seattle.gov/util/NewBillingSystem/billErrors/index.htm>
[3]: <http://sccinsight.com/2016/09/20/city-still-hiding-last-weeks-privacy-leak-from-affected-customers/>

One way to dramatically enhance third-party review of this systems's source code is to make that source code easily available to the public. For example, I have previously [acquired][4] via public records request and [republished][5] the source code for Seattle Police Department's [Online Reporting][6] application.

[4]: <https://www.muckrock.com/foi/seattle-69/source-code-for-seattle-police-dept-online-police-reports-application-2633/>
[5]: <https://github.com/pmocek/seattle-police-online-reports>
[6]: <https://www.seattle.gov/police/records/>

Request:

Pursuant to RCW Ch. 42.56 (Public Records Act), I hereby request the source code for software used to provide Seattle City Light's and Seattle Public Utilities' "e-billing system" (also known as "NCIS billing").

My preferences for format of the information, which I wish to receive in its native electronic format, from most preferable to least, are as follows:

1. remote access to the revision control system in which the source code is stored (read-only, of course) via Web browser or Subversion, Bazaar, Git, or Mercurial client
2. a copy of the entire repository with all revision history (assuming it is a standard, non-proprietary system such as RCS, CVS, Subversion, Bazaar, Git, or Mercurial)
3. snapshots of the software in the repository which correspond to the version of the software currently deployed and to the latest version committed to the repository

The requested documents will be made available to the general public, and this request is not being made for commercial purposes.

In the event that there are fees, I would be grateful if you would inform me of the total charges in advance of fulfilling my request. I would prefer the request filled electronically, by e-mail attachment if available or CD-ROM if not.

Thank you in advance for your anticipated cooperation in this matter. I look forward to receiving your response to this request within 5 business days, as the statute requires.

Sincerely,

Phil Mocek

From: Glundberg-Prossor, Kristen

Dear Mr. Mocek:
Thank you for contacting the City of Seattle. This acknowledges receipt of your public-disclosure request of September 21, 2016 for source code for software used to provide Seattle City Light's and Seattle Public Utilities' e-billing system. Seattle Information and Technology is currently reviewing your request and will be back in contact with you on or around October 7, 2016.

Sincerely,

Kristen Glundberg-Prossor
Strategic Advisor/PDO
SEATTLE INFORMATION TECHNOLOGY
T: 206.386.0049 | kristen.glundberg-prossor@seattle.gov<mailto:kristen.glundberg-prossor@seattle.gov>

TECHNOLOGY SOLUTIONS FOR THE CITY AND PUBLIC WE SERVE

From: Phil Mocek

Dear Ms. Glundberrg-Prossor:

I received on September 27 your acknowledgment of my request of September 21, 2016, for SPL/SPU electronic billing system source code. In it, you stated that you are "reviewing [my] request" and that you will "be back in contact with [me] on or around October 7, 2016." Would you please explain the continued delay?

You have already had more than one week to review my simple request. I asked for clearly-defined electronic records of which your colleague Ms . Coppershith recently acknowledged to council member Sawant the existence and ready availability. The entirety of my request comprised less than 500 words. A person of average reading ability could review the request dozens of times in an hour. I cannot imagine why multiple weeks of review would be required.

Absent further information, it appears that you are in violation of [RCW 42.56.520][1], which requires prompt responses to requests for public records, allowing for delay of more than five business days only under specific circumstances. You did not indicate with your acknowledgement of my request and notification of delay that the additional time is needed in order for you to clarify the intent of the request, for you to locate and assemble the information requested, for you to notify third persons or agencies affected by the request, or for you to determine whether any of the information requested is exempt and that a denial should be made as to all or part of the request.

[1]: <http://app.leg.wa.gov/RCW/default.aspx?cite=42.56.520>

The records I requested are directly related to a matter of immediate public concern. The longer your agency continues to use the computer software derived from this record without first identifying and remedying flaws in it, the longer the public are at risk of further violations of privacy. As a computer software developer, I am confident that the sooner third parties are able to review the source code, the sooner remaining flaws can be identified. Given enough eyeballs, all bugs are shallow. Unexplained delays in publication of these records are likely to be interpreted as attempts by your agency to continue to cover-up mistakes made by your staff that put the public at risk. Further secrecy will likely serve only to exacerbate the problem.

Cordially,
Phil Mocek

From: Phil Mocek

Dear Ms. Glundberrg-Prossor:

One week has passed since I requested explanation for your agency's continued delay of processing my request of September 21. During that time, I have received neither the records I requested nor any contact regarding this matter.

Your agency publicly acknowledged that the records exist and that you intend to have outside parties review them. Even if you are unable to provide access to the revision control system in which they are maintained (I do this at my job, providing read-only access to contractors and employees in external business units, and it takes me about a minute to accomplish), copying the entire repository to a ZIP file and attaching it to e-mail or copying it to a CD-ROM and putting it in the mail would take a few minutes.

Please explain the hold-up.

Cordially,
Phil Mocek

From: Glundberg-Prossor, Kristen

Dear Mr. Mocek,
I apologize for the delay. We have determined that Seattle City Light is the owner of these records because NCIS is a Seattle City Light project. NCIS will not be transferred to Seattle IT until after it's stabilization phase in 2017. Given that, SCL and Stacy Irwin will be facilitating this public disclosure request. Thank you for your patience in this matter.

Sincerely,

Kristen Glundberg-Prossor
Strategic Advisor/PDO
SEATTLE INFORMATION TECHNOLOGY
T: 206.386.0049 | kristen.glundberg-prossor@seattle.gov<mailto:kristen.glundberg-prossor@seattle.gov>

TECHNOLOGY SOLUTIONS FOR THE CITY AND PUBLIC WE SERVE

From: Phil Mocek

Dear Ms. Kristen Glundberg-Prossor:

I received your e-mail of October 6, 2016, regarding the request for public records I made of your agency on September 21. In your message, you wrote, "We have determined that Seattle City Light is the owner of these records." I do not know what it means to own records, but if there is any owner of public records, I believe that it is the public.

Does your agency, Seattle Department of Information Technology, have access to the records I requested--source code for software now in use by Seattle Public Utilities and Seattle City Light?

Cordially,
Phil Mocek

From: SCL_CityLight_PDR

Dear Mr. Mocek,

This request has been transferred from the Seattle Department of Technology to Seattle City Light. I just received this request yesterday and will need some time to do some research. I will get back to you sometime next week when I have more information for you.

Thank you for your patience.

Stacy

STACY IRWIN | PUBLIC DISCLOSURE OFFICER
CUSTOMER SERVICE, COMMUNICATIONS & REGULATORY AFFAIRS
[cid:image002.png@01D052AC.192A9CE0]
Stacy.irwin @ seattle.gov
TEL (206) 684-7998

From: SCL_CityLight_PDR

Dear Mr. Mocek,

I am following up to the email I sent you last week regarding your public disclosure request.

I interrupt your request to be for "source code for the NCIS billing system used by City Light and Seattle Public Utilities." Please let me know if this is not correct.

I have done some further research and estimate I can get responsive materials to you around October 28, 2016.

Please let me know if you have any other questions.

Sincerely,

STACY IRWIN | PUBLIC DISCLOSURE OFFICER
CUSTOMER SERVICE, COMMUNICATIONS & REGULATORY AFFAIRS

Stacy.irwin @ seattle.gov
TEL (206) 684-7998

From: Phil Mocek

Dear Ms. Kristen Glundberg-Prossor:

I have not received any response to my e-mail of October 7, 2016, to you. In that message, I asked if your agency, Seattle Department of Information Technology, has access to the records I requested on September 21--the source code for software now in use by Seattle Public Utilities and by Seattle City Light. Can you please inform me of whether or not this is the case?

Cordially,
Phil Mocek

From: City of Seattle Public Records Request Center

Dear Phil Mocek,
Welcome to the City of Seattle Public Records Request Center. Your request was received on October 28, 2016 and given the reference number C006308-102816. You will see this number in the title of any communications about this request. (https://www.seattle.gov/public-records/public-records-request-center) Your login ID is: muckrock@mycusthelp.net.  You will hear from a Public Disclosure Officer within five business days regarding the status of your request. Please visit the City of Seattle Public Records Request Center where you can manage your profile and access your request. If a Public Disclosure Officer submitted your public disclosure request into the PRRC on your behalf, please login and complete your new user account by following these steps: Access the Public Records Request Center (https://www.seattle.gov/public-records/public-records-request-center) Select 'Forgot my Password' Enter your 'Login ID' (email address) A temporary password will be sent to you via email Login with the temporary password You will be asked to create a new password
You may now visit the PRRC 'My Records Request Center' anytime! (https://www.seattle.gov/public-records/public-records-request-center)

From: SCL_CityLight_PDR

Dear Mr. Mocek,

Please see below. I sent you an update to your request yesterday.

Please let me know if you have any other questions, or if you did not receive the update I sent you yesterday.

Sincerely,

STACY IRWIN | PARALEGAL
CUSTOMER SERVICE, COMMUNICATIONS & REGULATORY AFFAIRS
[cid:image002.png@01D052AC.192A9CE0]
Stacy.irwin @ seattle.gov
TEL (206) 684-7998

From: Phil Mocek

Dear Ms. Irwin,

Prior to your brief note of November 1, I have received no contact from anyone at the city regarding my request of September 21 since yours on October 14.

Notably, I have received no response to my message October 7 or followup on October 17, wherein I asked if Seattle Department of Information Technology has access to the records I requested on September 21--the source code for software now in use by Seattle Public Utilities and by Seattle City Light.

Despite the requirement imposed by [RCW 42.56.520][1], which requires prompt responses to requests for public records, allowing for delay of more than five business days only under specific circumstances, I have received no indication that the continued delay (more than six weeks have now passed) is needed in order for you to clarify the intent of my request, for you to locate and assemble the information requested, for you to notify third persons or agencies affected by the request, or for you to determine whether any of the information requested is exempt and that a denial should be made as to all or part of the request.

[1]: <http://app.leg.wa.gov/RCW/default.aspx?cite=42.56.520>

Please advise.

Cordially,
Phil Mocek

From: City of Seattle Public Records Request Center

Hello,
Unfortunately the E-mail you sent the City of Seattle is not associated with a records request in our Public Records Request Center and we are unable to route or post your message. If you altered the subject line of the E-mail, please note that doing that will cause this issue. Please return to the City of Seattle Public Records Request Center where you can update any existing request(s). Please use the Public Records Request Center on Seattle.gov where you can manage your profile, submit record requests, track your request status, receive and send messages, make payments, view frequently asked questions, and download your records.
Subject: RE: Public Records Request: Source code for electronic billing system used by Seattle City Light and Seattle Public Utilities Body:

From: SCL_CityLight_PDR

Dear Mr. Mocek,

I am writing you in regards to your public disclosure request for:

"The source code for software used to provide Seattle City Light's and Seattle Public Utilities' "e-billing system" (also known as "NCIS billing")."

I entered your request into our Public Records Request Center portal on October 28, 2016. Today I sent you an invoice for your records and I just want to verify that you received it.

Your request number is C006308-102816. Please use the following link to access your request:

http://www.seattle.gov/public-records/public-records-request-center

Please let me know if you experience any difficulties accessing your request.

Sincerely,

STACY IRWIN | PARALEGAL
CUSTOMER SERVICE, COMMUNICATIONS & REGULATORY AFFAIRS
[cid:image002.png@01D052AC.192A9CE0]
Stacy.irwin @ seattle.gov
TEL (206) 684-7998

From: City of Seattle Public Records Request Center

Dear , Forgot your password? We have created a new temporary password for you. Here is your login ID and temporary password. Please enter your temporary password on the Public Records Request Center.  We will then ask you to enter a new password of your choice. Once you have successfully logged in, you will continue directly to the request page. City of Seattle If you have any questions, please don’t hesitate to call the Customer Service Bureau at (206) 684-2489 (CITY) voice or (TTY) 7-1-1.
Please add seattle@mycusthelp.net to your E-mail contacts/address book to ensure delivery of the record center E-mails to your Inbox.
This is an auto-generated email and has originated from an unmonitored email account. Please DO NOT REPLY.

From: SCL_CityLight_PDR

Dear Mr. Mocek,

More than 30 days have passed since you were invoiced for records responsive to your public disclosure request for NCIS Source Code. Stacy Irwin invoiced you for the records through the City of Seattle's Public Records Request Center on November 4, 2016. Ms. Irwin also separately emailed you as attached on November 4, 2016.

Your request is considered abandoned, and we are closing your request.

Melissa

MELISSA SKELTON
CUSTOMER SERVICE, COMMUNICATIONS & REGULATORY AFFAIRS
[cid:image001.png@01D1109F.C8520D00]
melissa.skelton@ seattle.gov
TEL (206) 684-3179

______
Retrieved from attachment:

Dear Mr. Mocek,

I am writing you in regards to your public disclosure request for:

“The source code for software used to provide Seattle City Light's and Seattle Public Utilities' "e-billing system" (also known as "NCIS billing").”

I entered your request into our Public Records Request Center portal on October 28, 2016. Today I sent you an invoice for your records and I just want to verify that you received it.

Your request number is C006308-102816. Please use the following link to access your request:

http://www.seattle.gov/public-records/public-records-request-center

Please let me know if you experience any difficulties accessing your request.

Sincerely,

STACY IRWIN | PARALEGAL
CUSTOMER SERVICE, COMMUNICATIONS & REGULATORY AFFAIRS

cid:image002.png@01D052AC.192A9CE0
Stacy.irwin @ seattle.gov
TEL (206) 684-7998

From: City of Seattle Public Records Request Center

Dear , Forgot your password? We have created a new temporary password for you. Here is your login ID and temporary password. Please enter your temporary password on the Public Records Request Center.  We will then ask you to enter a new password of your choice. Once you have successfully logged in, you will continue directly to the request page. City of Seattle If you have any questions, please don’t hesitate to call the Customer Service Bureau at (206) 684-2489 (CITY) voice or (TTY) 7-1-1.
Please add seattle@mycusthelp.net to your E-mail contacts/address book to ensure delivery of the record center E-mails to your Inbox.
This is an auto-generated email and has originated from an unmonitored email account. Please DO NOT REPLY.

From: MuckRock

Please let us know if the communication below should be directed to another entity.

Thank you very much for your help.
________
Dear Sir or Madam:

I appeal.

I have not received the records, or the URL on your website at which they are published, or notification that you need more time, or notification that the records are exempt, or notification that the records do not exist.

In an e-mail on December 8, Melissa Skelton wrote of an invoice. I received no invoice from you. Perhaps you sent it to the wrong address. I have provided only one method of contact, and that is the e-mail address from which you received the request and with which we have communicated since I placed my request almost three months ago. If you sent an invoice elsewhere, I did not receive it. Further, I do not know what you would be invoicing for. I requested electronic records, the cost of providing which is negligible if you are able to do so electronically, as is the norm with computer software source code. If for some reason you are unable to do so, I requested that they be sent on CDROM. You are months behind legal obligation under the PRA, so cancelling a request over $1 of media and $0.65 of postage seems a bit silly.

Cordially,
Phil Mocek

From: Cantrell, Matt F

Dear Mr. Mocek,

After our recent email conversation in which you informed me that you have not accessed your Public Records Request Center (PRRC) account, I reviewed your previous requests submitted to Seattle City Light and saw that records had been uploaded in response to a past request from you but never downloaded. As a courtesy, I am waiving the fee normally associated with these records and providing the responsive records via email.

Sincerely,

MATT CANTRELL | ASSISTANT PUBLIC DISCLOSURE OFFICER
CUSTOMER SERVICE, COMMUNICATIONS & REGULATORY AFFAIRS
[cid:image001.png@01D1109F.C8520D00]
matt.cantrell@ seattle.gov
TEL (206) 684-7998

From: Phil Mocek

Dear sir or madam,

I appeal.

Nearly eight months sine receiving my request, you provided only three shell scripts. Surely these do not comprise the source code for the publicly-funded multi-million-dollar billing system for which I requested source code.

You provided the records not in their native electronic format (in a revision control system repository with change history and other metadata), not even in a usable format (e.g., plain text files representing a point-in-time snapshot of the code base), but in PDFs with mis-sized end-of-line wrapping. The poor formatting makes these difficult for a human to read. The fact that the original records were rendered to PDF means that the public cannot use standard computer software development utilities like text editors, static code analyis utilities, compilers and interpreters, etc. to review the source code for this software the creation of which we commissioned.

Within the tiny portion of the system's source code that you did provide, you redacted a portion of the name of one or more directories (i.e., "folders") upon which the scripts operate (values of DATA_DIR, doc1jobpath, doc1reportpath, etc.), claiming a PRA exemption that is not relevant and explaining that redaction bafflingly as "log-in, user ID, and password information to a secure network". Based on my own familiarity with shell scripts after decades of reading and writing them in my professional capacity, I can see that this information is not what you claim it to be.

Cordially,
Phil Mocek

From: Doherty, Mary

Hello Mr. Mocek,

On Friday, June 16, 2017 I received a letter from you stating that you appeal Seattle City Light's response to your public records request for the following records:
"the source code for software used to provide Seattle City Light's and Seattle Public Utilities' "e-billing system" (also known as "NCIS billing")"
I will review your appeal and have a response to you by June 30, 2017. Thank you.

Mary K. Doherty
Legal Affairs Advisor, Seattle City Light
June 19, 2017

From: Doherty, Mary

Hello Mr. Mocek

I am currently working on your appeal that I received on June 16, 2017. However, due to employee availability issues, I have not completed my review. I will have a response to you by July 7, 2017. Thank you.

Mary K. Doherty
Public Disclosure Officer, Seattle City Light

From: Cantrell, Matt F

Dear Mr. Mocek,

Please see the attached final decision to your May 23, 2017 appeal. Your appeal was reviewed and decided upon by City Light's Public Disclosure Officer Mary Doherty.

We have attached the three scripts previously sent to you, but in an electronic format as you requested. Please note that sections of the scripts which reveal certain server names and file paths are exempt from disclosure under RCW 42.56.420(4) as disclosure may increase risk to the confidentiality, integrity, or availability of agency security, information technology infrastructure, or assets. These sections have been replaced with the word "REDACTED".

With this email, your appeal of the response to your public disclosure request C006308 has been decided and is now complete.

Sincerely,

MATT CANTRELL | ASSISTANT PUBLIC DISCLOSURE OFFICER
CUSTOMER SERVICE, COMMUNICATIONS & REGULATORY AFFAIRS
[cid:image001.jpg@01D2CAF8.E5A76A20]
Matt.Cantrell @ seattle.gov
TEL (206) 684-7998
The nation's greenest utility<http://www.seattle.gov/light/greenest/?utm_source=nationsgreenest.org&utm_medium=redirect&utm_campaign=NationsGreenestRedirect> | LinkedIn<https://www.linkedin.com/company/seattle-city-light> | Facebook<https://www.facebook.com/SeattleCityLight>

Files

pages

Close