When I’m asked to give a talk about or consult on policies around open data I’ve noticed there are a few questions that are most frequently asked:
“How do I assess the risks to the government of doing open data?”
or
“My bosses say that we can only release data if we know people aren’t going to do anything wrong/embarrassing/illegal/bad with it”
I would argue that these question are either flawed in their logic, or have already been largely addressed.
Firstly, it seems problematic to assess the risks of open data, without also assessing the opportunity. Any activity – from walking out my front door to scaling Mount Everest carries with it risks. What needs to be measured are not the risks in isolation but the risks balanced against the opportunity and benefits.
But more importantly, the logic of the question is flawed in another manner. It suggests that the government only take action if every possible negative use can be prevented.
Let’s forget about data for a second – imagine you are building a road. Now ask: “what are the risk’s that someone might misuse this road?” Well… they are significant. People are going to speed and they are going to jay walk. But it gets worse. Someone may rob a bank and then use the road as part of their escape route. Of course, the road will also provide more efficient transportation for 1000s of people, it will reduce costs, improve access, help ambulances save peoples lives and do millions of other things, but people will also misuse it.
However, at no point in any policy discussion in any government has anyone said “we can’t build this road because, hypothetically, someone may speed or use it as an escape route during a robbery.”
And yet, this logic is frequently accepted, or at least goes unchallenged, as appropriate when discussing open data.
The fact is, most governments already have the necessary policy infrastructure for managing the overwhelming majority of risks concerning open data. Your government likely has provisions dealing with privacy – if applied to open data this should address these concerns. Your government likely has provisions for dealing with confidential and security related issues – if applied to open data this should address these concerns. Finally, your government(s) likely has a legal system that outlines what is, and is not legal – when it comes to the use of open data, this legal system is in effect.
If someone gets caught speeding, we have enforcement officials and laws that catch and punish them. The same is true with data. If someone uses it to do something illegal we already have a system in place for addressing that. This is how we manage the risk of misuse. It is seen as acceptable for every part of our life and every aspect of our society. Why not with open data too?
The opportunity, of both roads and data, are significant enough that we build them and share them despite the fact that a small number of people may not use them appropriately. Should we be concerned about those who will misuse them? Absolutely. But do we allow a small amount of misuse to stop us from building roads or sharing data? No. We mitigate the concern.
With open data, I’m happy to report that we already have the infrastructure in place to do just that.
eaves.ca 
It seems to me your objections are a valid response to the second of your sample questions, but not to the first. “How do I assess the risks to the government of doing open data?” is a reasonable question.
You mention that we should not just look at risks but also opportunities/benefits. They need to be weighed together. But the shoe fits the other foot as well. In order to properly evaluate the opportunity we also need to assess the risk.
Certainly, we cannot avoid all risk and “total risk prevention” is not a viable strategy. But that doesn’t mean we should ignore risks. We need to identify and assess risks where possible. This enables us to look for ways to mitigate or otherwise manage risk. It enables us to identify when risks are acceptable and when they outweigh opportunities. As stewards of the public trust, this is important.
Your “public road” analogy is a good one, but I think it misses a relevant differences between public roads and open data. Public roads are not new. People are very familiar with them, the benefits they bring and the accompanying risks of misuse or bad outcomes (e.g. highway fatalities). In most cases they are not newsworthy and, in the rare cases they are, the government is not taken to task for building public roads and enabling the problems. Sharing data is not the same. Governments have been taken to task for sharing data in ways that opponents have said lead to bad outcomes (e.g. misinterpretation of the data). This difference can be managed (communications strategies, etc.) but not if it is not acknowledged.
All of this is not to say that governments shouldn’t open data. I’m with you that the benefits very much outweigh the risks. But if we are going to be successful we need to identify and manage the risks (including consciously accepting some), not dismiss them.
Or so it seems to me.
Open Data isn’t new, in fact this discussion is 3 years old in the US, and led to the Open Government movement itself. Further, there are entire countries like the UK who have opened their data and others are in the process. There are numerous examples of successful releases of public data at the department, muni, state/provincial and federal levels. This truly simple issue get’s blown out of proportion with zero tolerance lawyers, and a culture that typically looks for barriers rather than solutions first. Canada is surrounded by solutions within and externally around the world as well…what we need is leadership that moves forward with eyes wide open and an intent to take action.
I guess new and old are a matter of perspective. To us who work in the web field, 3 years old isn’t new; it’s old. For many senior civil servants (and many members of the public) , 3 years old is still pretty new.
For perspective, public roads have been around for several thousand years now.
But I do agree that we need “leadership that moves forward with eyes wide open and an intent to take action”.
As the guy who asked you the “R” question at one of your recent open data talks to a government audience, I have to clarify my question.
When I said that we in government have to provide decision makers with risk assessments I should have clarified that they are part of documents including opportunity assessments and recommendations. I like the way you’ve laid out the various things in place to deal with possible misuse of open data. I see documents listing risks matched against the things in place to mitigate them.
Pingback: Being Buff: Marketing the social economy » Blog Archive » Open data with David Eaves
The opportunity aspect of risk assessment is too often overlooked – what worries folk is risk understood only in terms of harm, loss, unexpected negative consequences. It’s not solely a problem plaguing questions of open data. I’d argue it’s endemic to how public governance happens these days. Do nothing, nothing at all, unless all adverse effects can be identified and mitigated. Now, that’s not how the ISO guys want people to view risk…they know it’s not a sensible way to view risk (if only because it cuts the guts out of innovation and opportunity). But it is the prevailing interpretation.
Is open data a risk question? Yes. Are knee-jerk run-and-hide responses to suggestions of openess a risk question? You betcha. I think it is also the larger question, and open data is a specific instance of.
Risk assessments in themselves are not determinant to stop anything, it is the political will behind. You could also propose mitigations, advice about potential dangers, plan for closing loopholes, etc. You also balance the seriousness of risk with the probability of it happening.
The problem I see is trying to rely on existing protections in the digital sphere. In our organisation we campaign both for data privacy and data openness and we are finding that we cannot overlook those aspects.
For example, we are starting a campaign in partnership with a grassroots group on genealogy data. Now, insurance companies are looking at using the data to analyse your life expectancy (i. e. if all your ancestors died before 30, chances are you may as well). This seems to be currently legal in UK, so we will need to demand restrictions elsewhere in the same breath as we ask for machine re-use of that data.
Pingback: Public Strategist » Interesting elsewhere – 24 October 2010
Pingback: GoC Web 2.0 wish list for 2011 (Part 1) | blog.DBast.com
Pingback: GoC Web 2.0 wish list for 2011 (Part 1) | GC20.ca Blog (archived)
Pingback: GoC Web 2.0 wish list for 2011 (Part 1)
Pingback: System Scope Test | » A hallowed Eaves takes the scary out of open data at GTEC
Pingback: 政府对开放数据风险的错误解读 : 开放数据中国