Source code for electronic billing system used by Seattle City Light and Seattle Public Utilities

To Whom It May Concern:

Background:

Twice since its implementation, the newly-implemented electronic billing system used by Seattle City Light and Seattle Public Utilities has been found to malfunction in ways that exposed private information from one or more subscribers to one or more other, unauthorized subscriber. The first incident was [reported by][1] Mike Lindblom of Seattle Times and [announced][2] by City of Seattle. The second incident was [reported by][3] Kevin Schofield of Seattle City Council Insight. In an e-mail from Megan Coppersmith at Seattle Department of Information Technology ("DoIT") to Seattle City Council member Kshama Sawant on September 14, 2017, Ms. Coppersmith wrote, "Earlier this week, certain customers were again potentially given access to bills that did not belong to them," stated that DoIT were then "working on further coding that relates to electronic bill generation and online display," and stated that DoIT would "look at ways to enhance [...] third-party coding review processes."

[1]: <http://www.seattletimes.com/seattle-news/politics/city-light-computer-glitch-lets-customers-see-other-users-bills/>
[2]: <http://www.seattle.gov/util/NewBillingSystem/billErrors/index.htm>
[3]: <http://sccinsight.com/2016/09/20/city-still-hiding-last-weeks-privacy-leak-from-affected-customers/>

One way to dramatically enhance third-party review of this systems's source code is to make that source code easily available to the public. For example, I have previously [acquired][4] via public records request and [republished][5] the source code for Seattle Police Department's [Online Reporting][6] application.

[4]: <https://www.muckrock.com/foi/seattle-69/source-code-for-seattle-police-dept-online-police-reports-application-2633/>
[5]: <https://github.com/pmocek/seattle-police-online-reports>
[6]: <https://www.seattle.gov/police/records/>

Request:

Pursuant to RCW Ch. 42.56 (Public Records Act), I hereby request the source code for software used to provide Seattle City Light's and Seattle Public Utilities' "e-billing system" (also known as "NCIS billing").

My preferences for format of the information, which I wish to receive in its native electronic format, from most preferable to least, are as follows:

1. remote access to the revision control system in which the source code is stored (read-only, of course) via Web browser or Subversion, Bazaar, Git, or Mercurial client
2. a copy of the entire repository with all revision history (assuming it is a standard, non-proprietary system such as RCS, CVS, Subversion, Bazaar, Git, or Mercurial)
3. snapshots of the software in the repository which correspond to the version of the software currently deployed and to the latest version committed to the repository

The requested documents will be made available to the general public, and this request is not being made for commercial purposes.

In the event that there are fees, I would be grateful if you would inform me of the total charges in advance of fulfilling my request. I would prefer the request filled electronically, by e-mail attachment if available or CD-ROM if not.

Thank you in advance for your anticipated cooperation in this matter. I look forward to receiving your response to this request within 5 business days, as the statute requires.

Sincerely,

Phil Mocek

Dear Ms. Glundberrg-Prossor:

I received on September 27 your acknowledgment of my request of September 21, 2016, for SPL/SPU electronic billing system source code. In it, you stated that you are "reviewing [my] request" and that you will "be back in contact with [me] on or around October 7, 2016." Would you please explain the continued delay?

You have already had more than one week to review my simple request. I asked for clearly-defined electronic records of which your colleague Ms . Coppershith recently acknowledged to council member Sawant the existence and ready availability. The entirety of my request comprised less than 500 words. A person of average reading ability could review the request dozens of times in an hour. I cannot imagine why multiple weeks of review would be required.

Absent further information, it appears that you are in violation of [RCW 42.56.520][1], which requires prompt responses to requests for public records, allowing for delay of more than five business days only under specific circumstances. You did not indicate with your acknowledgement of my request and notification of delay that the additional time is needed in order for you to clarify the intent of the request, for you to locate and assemble the information requested, for you to notify third persons or agencies affected by the request, or for you to determine whether any of the information requested is exempt and that a denial should be made as to all or part of the request.

[1]: <http://app.leg.wa.gov/RCW/default.aspx?cite=42.56.520>

The records I requested are directly related to a matter of immediate public concern. The longer your agency continues to use the computer software derived from this record without first identifying and remedying flaws in it, the longer the public are at risk of further violations of privacy. As a computer software developer, I am confident that the sooner third parties are able to review the source code, the sooner remaining flaws can be identified. Given enough eyeballs, all bugs are shallow. Unexplained delays in publication of these records are likely to be interpreted as attempts by your agency to continue to cover-up mistakes made by your staff that put the public at risk. Further secrecy will likely serve only to exacerbate the problem.

Cordially,
Phil Mocek

Dear Ms. Glundberrg-Prossor:

One week has passed since I requested explanation for your agency's continued delay of processing my request of September 21. During that time, I have received neither the records I requested nor any contact regarding this matter.

Your agency publicly acknowledged that the records exist and that you intend to have outside parties review them. Even if you are unable to provide access to the revision control system in which they are maintained (I do this at my job, providing read-only access to contractors and employees in external business units, and it takes me about a minute to accomplish), copying the entire repository to a ZIP file and attaching it to e-mail or copying it to a CD-ROM and putting it in the mail would take a few minutes.

Please explain the hold-up.

Cordially,
Phil Mocek

Dear Ms. Kristen Glundberg-Prossor:

I received your e-mail of October 6, 2016, regarding the request for public records I made of your agency on September 21. In your message, you wrote, "We have determined that Seattle City Light is the owner of these records." I do not know what it means to own records, but if there is any owner of public records, I believe that it is the public.

Does your agency, Seattle Department of Information Technology, have access to the records I requested--source code for software now in use by Seattle Public Utilities and Seattle City Light?

Cordially,
Phil Mocek

Dear Ms. Kristen Glundberg-Prossor:

I have not received any response to my e-mail of October 7, 2016, to you. In that message, I asked if your agency, Seattle Department of Information Technology, has access to the records I requested on September 21--the source code for software now in use by Seattle Public Utilities and by Seattle City Light. Can you please inform me of whether or not this is the case?

Cordially,
Phil Mocek

Dear Ms. Irwin,

Prior to your brief note of November 1, I have received no contact from anyone at the city regarding my request of September 21 since yours on October 14.

Notably, I have received no response to my message October 7 or followup on October 17, wherein I asked if Seattle Department of Information Technology has access to the records I requested on September 21--the source code for software now in use by Seattle Public Utilities and by Seattle City Light.

Despite the requirement imposed by [RCW 42.56.520][1], which requires prompt responses to requests for public records, allowing for delay of more than five business days only under specific circumstances, I have received no indication that the continued delay (more than six weeks have now passed) is needed in order for you to clarify the intent of my request, for you to locate and assemble the information requested, for you to notify third persons or agencies affected by the request, or for you to determine whether any of the information requested is exempt and that a denial should be made as to all or part of the request.

[1]: <http://app.leg.wa.gov/RCW/default.aspx?cite=42.56.520>

Please advise.

Cordially,
Phil Mocek

Please let us know if the communication below should be directed to another entity.

Thank you very much for your help.
________
Dear Sir or Madam:

I appeal.

I have not received the records, or the URL on your website at which they are published, or notification that you need more time, or notification that the records are exempt, or notification that the records do not exist.

In an e-mail on December 8, Melissa Skelton wrote of an invoice. I received no invoice from you. Perhaps you sent it to the wrong address. I have provided only one method of contact, and that is the e-mail address from which you received the request and with which we have communicated since I placed my request almost three months ago. If you sent an invoice elsewhere, I did not receive it. Further, I do not know what you would be invoicing for. I requested electronic records, the cost of providing which is negligible if you are able to do so electronically, as is the norm with computer software source code. If for some reason you are unable to do so, I requested that they be sent on CDROM. You are months behind legal obligation under the PRA, so cancelling a request over $1 of media and $0.65 of postage seems a bit silly.

Cordially,
Phil Mocek

Dear sir or madam,

I appeal.

Nearly eight months sine receiving my request, you provided only three shell scripts. Surely these do not comprise the source code for the publicly-funded multi-million-dollar billing system for which I requested source code.

You provided the records not in their native electronic format (in a revision control system repository with change history and other metadata), not even in a usable format (e.g., plain text files representing a point-in-time snapshot of the code base), but in PDFs with mis-sized end-of-line wrapping. The poor formatting makes these difficult for a human to read. The fact that the original records were rendered to PDF means that the public cannot use standard computer software development utilities like text editors, static code analyis utilities, compilers and interpreters, etc. to review the source code for this software the creation of which we commissioned.

Within the tiny portion of the system's source code that you did provide, you redacted a portion of the name of one or more directories (i.e., "folders") upon which the scripts operate (values of DATA_DIR, doc1jobpath, doc1reportpath, etc.), claiming a PRA exemption that is not relevant and explaining that redaction bafflingly as "log-in, user ID, and password information to a secure network". Based on my own familiarity with shell scripts after decades of reading and writing them in my professional capacity, I can see that this information is not what you claim it to be.

Cordially,
Phil Mocek