Conversation with Jeanette Hofmann and Kuo-Wei Wu
-
-
-
-
-
Jeanette HofmannI'm political scientist. I've been doing Internet research in Germany since the early 1990s. I've done many different things. Standard development, my first project was on IPv6, I looked at what engineers argue about.
-
-
Jeanette HofmannThen I did a long stint in ICANN. I was a candidate of the global elections in 2000. Then I did IGF, that's where I met Kuo-Wei.
-
-
Jeanette HofmannYeah. I did all these things, and over the last 10 years, I've done more research again. I'm interested in digitalization and democracy, that's my field.
-
Jeanette HofmannWhat I've been doing now in my sabbatical is spend a month in Singapore and one here -- here I do five weeks -- to understand how they are related, digitalization and democracy. It is very interesting to see also the difference between the two countries.
-
-
-
Jeanette HofmannI'm glad that I can interview you. My first introductory question was, what are your main achievements in this term, of the government? What's the outcome that you are proud of?
-
-
Audrey TangCountering the pandemic, of course, is not my effort. It is a collective effort with all the Taiwanese citizens and the Central Epidemic Command Center.
-
Audrey TangThat being said, because Taiwan had a previous exposure to SARS, in the SARS times, we didn't have the IC-card-based universal health care card. We were still using those paper cards with six boxes in it. It's very easy to compare the analog response [laughs] to SARS and the digital response to COVID-19 this time around.
-
Audrey TangWe can quite safely say that digitalization made it possible to have both the economic prosperity and the public safety at the same time. Whereas in jurisdictions without digital state capacity and civic capacity, they have to choose between one or the other -- either economy at the cost of health or health, lockdowns, at the cost of economy.
-
Audrey TangSolving this dilemma through digital participation, that has been the main interest from abroad to our pandemic experience in the past few years.
-
Jeanette HofmannWhen I've been asking people over the last months, what are the major digital issues in this country, one of the things they come up with is data protection and the big data breach you had last year.
-
-
-
-
-
-
Jeanette HofmannWhat is the role of your ministry in that problem, because you don't have data protection as an area of competence, have you?
-
Audrey TangWe're in charge of the data protection for the e-commerce vendors. We are the competent authority if that particular vendor is operating both in the incoming and the service they deliver in cyberspace.
-
Audrey TangFor example, Airbnb would not be our purview, but if it's online NFT store or something [laughs] that's more like our purview because the goods and service they deliver is not anchored to something that is physical, so what we call just e-shopping sites, general stores online. That is our competence authority's purview.
-
-
-
-
Audrey TangThat was my position since 2014. We had a consultation, 2016, and the general consensus was that we need to have a single DPA. Then later on, GDPR negotiations started, so the council, the NDC, in charge of the GDPR negotiation, took the Personal Data Protection Act interpretation authority from the Ministry of Justice to the NDC. Then, the NDC became our privacy office, so to speak.
-
Audrey TangThe goal was always for it to be an incubator so that the NDC can incubate a truly independent DPA at some point. The NDC is interesting because the minister is also an at-large minister or minister without portfolio. The NDC is more horizontal, in the sense that it doesn't have one single interest, but rather it looks after multiple interests. I'm also a councilor of the NDC, many minsters are.
-
Audrey TangAside from being not independent, like the term is not guaranteed and so on, it is more well-placed than other ministries to be this privacy office. Now NDC is, as I mentioned, an incubator. They're aiming for some time next year, to establish the independent DPA for real.
-
-
Audrey TangWhen we designed the data protection acts and so on, it is at the same time as the moda's preparation. There was in one initial version that the DPA would be an independent commission under the Ministry of Digital Affairs. That version was not accepted by many academic experts.
-
-
Audrey TangExactly, because although maybe the term would be fixed and the personnel will be independent, the budget is not.
-
-
Audrey TangIf the so-called independent DPA would be still relying on the Ministry of Digital Affairs to defend the budget, then it will not fully satisfy the GDPR constraints. It would be like Singapore because that's the Singaporean model. They have an independent commission within a ministry, instead of as part of the cabinet.
-
-
Audrey TangIt's an interesting question. Because I was, in 2014-16, always advocating for full-independent DPA, so of course I could be making that argument. Of course, I endorsed that argument. On the other hand, though, at that time, after I learned, after the Lunar New Year, that I'm tapped to become the Minister of moda...
-
-
Audrey TangIt's difficult because then I will have to sign...For example, I think the DPA is an essential complement to moda and it should be founded at the same time, which was my actual position, but then the legislature has already said that the moda needs to happen first and then the independent DPA.
-
Jeanette HofmannWhy? Is there a technical reason for having them not founded at the same time?
-
Audrey TangI know. Everybody think it makes more sense to found them at the same time because otherwise, we're in a weird place.
-
Audrey TangWe will have to do the technical support to the NDC, that is like an actual DPA, but we're not independent at all. We don't have the legitimacy to do such decisions. Then we'll find ourselves in a quite difficult place. We already know that during the preparation times.
-
Audrey TangOn the other hand, we cannot tell the legislation that something that you have passed, the executive branch will delay the implementation until you also pass the other legislation, because that is not how separation of concerns works. It is not the administration's place to boycott the legislation to say, "Unless you pass all, we don't implement any of them."
-
-
Audrey TangThey often do, maybe, but not in Taiwan. In a sense, we're given the mandate to start the DPA preparation, but not the mandate to present to the legislation the founding acts of the DPA. That work is now, again, in the cabinet, prepared by the National Development Council.
-
Jeanette HofmannAnother question regarding DPA. Will it be a small one, will it be a big one? Will it have any power? Does it also, that public administration is part of its scope, or is it...?
-
Audrey TangIt is. It will be the competent authority for the Personal Data Protection Act, for the PDPA. The PDPA already has government and non-government entities as its scope. The question you're asking is, essentially saying, with the new Independent DPA, only take half of the PDPA and the other half still in the NDC, that's not possible.
-
Audrey TangLegally it's not possible, unless we separate the PDPA into two acts, but nobody has brought that up. No, I don't think so.
-
-
Audrey TangThe NDC is now preparing the founding act. That is for the NDC to decide. Once it has a more comprehensive, that is to say, governmental and non-governmental scope, we can look at nearby jurisdictions like Korea or Japan to nail the rough size.
-
Jeanette HofmannBecause often they're understaffed. In many countries in Europe, they're understaffed. That's a way of weakening data protection by making implementation and controls difficult. For example, the most famous case is Ireland.
-
Jeanette HofmannHave you heard about that? The GDPR is seriously hampered by the fact that Ireland is responsible for everything concerning Google, Microsoft, Facebook, etc. because their European branch is always located in Ireland.
-
-
Jeanette HofmannThat is an issue, and I wonder whether something similar could happen here that it's too small to actually do a proper job. That's why I'm asking.
-
Audrey TangAt the end of the day, it would be the legislature. For example, in our case, we proposed certain mandates of moda, but then the legislature added the Administration for Digital Industries. Literally, one-third of our staff is added by the legislators.
-
Audrey TangThe legislature may extend its scope or it may remove part of its scope. Because the founding act has not yet been deliberated by the legislature. I will not speculate, but both directions are possible.
-
Audrey TangIf the four major parties all feel that we need a really strong DPA, then they may give it the same kind of staff as, for example, the National Communication Commission. On the other hand, if not then maybe they will remove part of the mandates that the NDC sends. It is difficult to say at this point.
-
Jeanette HofmannSpeaking of commissions, as far as I know, there was a debate here whether digital affairs should have the form of a ministry or rather be a commision. What was your view in this debate?
-
Audrey TangIt depends on whether we hold that kind of licensing power that the NCC, the National Communication Commission has over, say TV stations.
-
Audrey TangIn Taiwan, usually, if you want to do something that is very, very top-down like licensed highly regulated industries, then usually takes a form of commission. The financial supervisory commission, for example, handles the licensing of banks.
-
Audrey TangThe Commission of Fair Trade, the Central Election Commission, of course, [laughs] and many things that needs a very high degree of regulatory power usually take the form of a commission.
-
Audrey TangThen the ministry is usually seen as something that's more executive. That is to say, it implements things. It still has a competent authority on a few management stuff, but it is less seen as a very highly regulated body.
-
Audrey TangIt then depends on whether the digital competency need to assume the regulatory power of the National Communication Commission, Internet, especially broadcasting media management and regulation.
-
Audrey TangThat's to say whether the digital competent authority should be a competent authority for the European equivalent would be the Digital Service Act. If the digital competency assumed the role of the DSA competent authority, then many think it should be a commission. If we don't, then that's still within the NCC. Then maybe we should be a ministry.
-
Jeanette HofmannBecause what I heard is that commission in the logic of Taiwanese ministries and government would be more cross-cutting issues.
-
-
-
Audrey TangYeah, but that's not a problem. Although I'm a minister of moda, I am still within the cabinet system, the governmental Chief Information Officer. Using my cabinet's CIO role, I can still get other ministry of CIO to report and convene and so on.
-
Audrey TangIt's not like being a minister deprive me of this cross-cutting issue, especially information, and cybersecurity. On the other hand, I think the choice of a ministry instead of commission is to make sure that the NCC still retains all these very highly regulated takedown powers, so to speak.
-
Jeanette HofmannYou would say that for you it made more sense to run a ministry, or to create and run a ministry than have digital affair organized as a commission?
-
-
-
Audrey TangYes. It's a tradeoff. Because if it's the digital commission, then the NCC will end up becoming just maybe a third-level content panel. The NCC would disappear basically. The moda will be actually the NCC. We'll just call it the national digital commission, or something.
-
Audrey TangIt would be like the NCC expanding to assume cybersecurity and platform economy powers. In that sense that will work. On the other hand, if the decision as it's ultimately the result is that NCC still retains full cabinet-level commission power, especially DSA-like stuff. Then, of course, it makes more sense for the Ministry of Digital Affairs to be a ministry.
-
Jeanette HofmannSpeaking of DSA, it seems to evolve into global blueprint in various countries, projecting ideas, hopes...
-
-
-
Audrey TangI think the DSA builds up on a strong GDPR, like universal rights framework. I like this framework. The DSA is not just by itself. It also has this interoperability sibling called the DMA. It's not just accountability, it's also interoperability. It's built within a different act.
-
Audrey TangOf course, on top of which there's also the data governance act, resilience act, and so on. DSA is a part of a puzzle, of which the more competition-oriented arm of it...
-
-
Audrey TangYes, the DMA is the competition-related arm of it, whereas the DSA provides the accountability that is required for these huge global platforms to work with the society. Now, without this foundational act that is the GDPR, I don't think anything like the DMA or the DSA can function standalone.
-
Jeanette HofmannThe DSA does not only increase accountability and transparency of platforms, it also needs to address disinformation. There's a lot of criticism with regard to that part.
-
Jeanette HofmannWhat is your take? People here talk a lot about disinformation. What do you think the government should do with regard to that?
-
Audrey TangMy stance has always been that disinformation is a symptom. It's not the cause of antisocial media. Disinformation is what you see as a symptom of the media being antisocial rather than pro-social. It's a function of the media environment, not a function of...
-
Audrey TangI see it more like a pandemic. It mutates, it gets more toxic, it spreads from people to people. People involuntarily cough, that's to say, press Retweet. It's not by itself any single piece of disinformation, any more than a single piece of a variant of a virus responsible for the pandemic.
-
Audrey TangWe all know that vaccines, cure and NPI plus good social norms is a comprehensive package in order to counter this. To say, "Let's just do takedowns," will be just like, "Let's just do lockdowns." Of course, they work to a degree, [laughs] but once it's at a community-spread level, it doesn't work anymore.
-
-
-
-
Audrey TangYes. The thing is that if you only have lockdowns at your arsenal, and you do that habitually, then it would just be like the PRC, at one time, had a zero-COVID mandate that is basically built up on lockdowns, very fine-grained lockdowns.
-
Audrey TangIt would just be like saying zero-hate in social media by takedowns, simply banning retweet in general, or simply saying, "Just take down anything that resembled the word civil society."
-
Audrey TangOf course, you can achieve something with this playbook, but the problem is that the foundation of democracy, which is to say truth-telling, [laughs] journalism, goes with it. I don't think it's a good cost to pay, is what I'm saying.
-
-
-
-
-
-
-
Jeanette HofmannThat's independent. Now let's put it that way, if you were advising the NCC, would you advise them to adopt or not to adopt the DSA?
-
-
-
Audrey TangI would first say that we need, including the GDPR, the foundational trust to independent bodies. I would also say that the contextualizing services -- I have in mind the international fact-checking network, the Community Notes in Twitter -- that is far better than lockdowns or takedowns when it comes to get the antibody of the mind, the awareness, the media competence of citizens.
-
Audrey TangI would also say that journalism, including civic journalism, is the actual antidote.
-
-
Audrey TangOnce everyone practiced journalism, then we all have antibodies, and there's no room for disinformation to grow.
-
Jeanette HofmannI rather thought that if journalism would work better in this country had a higher quality, then disinformation wouldn't have that kind of effect.
-
Audrey TangExactly. Instead of addressing the symptom, we should address the root cause, which is a shortage of journalistic capacity, in both traditional media but also civic media.
-
Audrey TangOnce journalism is empowered enough so that this journalistic work, the work with integrity and authenticity, spreads faster, have a higher basic reproduction number than this information, then we don't have to even think about take-downs.
-
Jeanette HofmannWould you say that, as a minister in this country, that is part of your responsibility to...?
-
Audrey TangYes, to co-prosper with journalism. Although, as I mentioned, because we're administering now, we don't have any take-down or censorship power. That's squarely in the NCC. We are in charge of the co-prospering with the media, especially journalism.
-
Audrey TangI've made it one of my three top priority this year, to ensure that Google now has a Digital News Co-prosperity Fund, which all journalists can apply to digitally transform themselves. Meta is working on a plan also. For both of them to commit to add more investment to contextualizing services, to more real-time media competence strategies, that is one of the three most important.
-
Jeanette HofmannCynics would say that is spreading short of giving money to bad journalism, to make them earn more money with bad outcomes. How do you make sure that it goes into qualified journalists?
-
Audrey TangThen it's a governance question. The DTA, the Digital Transformation Association, by Chen Jen-ran, JR, and friends, the burden is on them to establish a transparent governance mechanism, in order to make sure that bad journalism doesn't get extra money.
-
-
-
-
-
Jeanette HofmannI thought, after listening to a few fact-checkers here, that it would be good to have a code of conduct for media companies, with teeth, having someone checking that they also follow through. What do you think of that?
-
Audrey TangThis makes perfect sense. Our work, up to making it transparent, like who is responding to which request and who is not, that is within our purview. What we cannot do is that we cannot, like the NCC, say that, "Oh, you don't get this TV channel anymore," because that's NCC's purview.
-
Audrey TangWhat we are doing is, essentially, like AI explainability, [laughs] to explain what's happening, to open up the tools, so that people can see which disinformation is going viral, which is now the most dominant string, so to speak.
-
Audrey TangTo work with cybersecurity companies, such as Whoscall or Gogolook, or Trend Micro, so that they are tapped into these anti-scam and malware frameworks, to reduce the latency from one party recognizing a threat to everybody else recognizing this threat. That's our job.
-
Jeanette HofmannMost people probably say that disinformation is mainly of Chinese origin, and others say there is a lot coming also from domestic sources. Do you have any...?
-
-
-
-
-
Audrey TangWe know, of course, that the packets traveled from outside of our jurisdiction, through submarine cables, to Taiwan. Of course, we know that.
-
-
Audrey TangAs long as they are not cut by fishing vessels or cargo ships, [laughs] in which case, they probably traveled through satellite.
-
Audrey TangAnyway, my point is, of course, the attribution only works up to the point of this submarine cable connection. Beyond which, how many Tor nodes it run through, I don't think anyone can say the attribution. We know it's non-domestic. Often in our press release, we say, "Oh, this DDoS comes from extra-jurisdictional sources," because that's the extent we know.
-
-
Audrey TangYeah, that it's not domestic. Because if it's domestic, we know both the source and the origin and the destination IP but if it's trouble from outside, we don't.
-
Jeanette HofmannBecause some people say that also religious groups use now disinformation as a weapon, and then they become normalized that all groups use now.
-
-
-
-
Kuo-Wei WuYou should categorize what kind of disinformation we are talking about. Some kind of disinformation might be it's just like and you'll say it's a symptom. For somebody, disinformation is not symptom. Actually, it's a...
-
-
-
-
Jeanette HofmannYeah, I know. That's why we distinguish between misinformation and disinformation. That is an important distinction, I think.
-
-
-
-
-
Audrey TangYeah, but my point is that disinformation when using that definition is entirely at a behavior-and-content level definition. You're asking an actor-level attribution, but these two are not the same level.
-
Audrey TangWe know that there are coordinated inauthentic behavior, that we know, but whether it is being paid or subsidized or somehow influenced by any particular actor that attributes themselves to a state-backed action, that is a much harder attribution to make.
-
Jeanette HofmannYeah, it is, but I wonder it makes a difference politically. Whether you can just say blame China.
-
Audrey TangIn the case of fishing, or cargo vessel it's easier to identify the ship's origin.
-
Jeanette HofmannThat's true, although not always easy either as we see with Nord Stream at the moment.
-
Audrey TangWith satellite technology, to identify a sea cable cutting ship is not science fiction.
-
-
Audrey TangOn the other hand, if you have a viral disinformation, it probably has been AB-tested in many close groups already. Maybe the payment is just to identify the one that is going to go viral anyway, and then just pay to amplify that. These unknown actors may not even know each other. Unlike ships at sea, this correlation is much harder to identify.
-
Jeanette HofmannLet's talk about open data. That is an important mission here of this ministry. Some people say it actually needs a legal framework, to do this well.
-
-
-
-
Jeanette HofmannI looked a bit on the Internet and there were people complaining about the fact that it's often not clear when data are updated and how often they are updated when you look at the data set.
-
Audrey TangThere are regulations, of course, concerning data quality and data pipelines and so on. The real difficulty here, and the reason why many people say that it requires an act instead of just regulations, is when it concerns demand-side data.
-
Audrey TangFor supply-side data, not many people complain about, for example, when we say all these places that masks available. Those places have these air quality measurements. The other places have running water and so on, or earthquake advanced prediction means. Not many people complain about the data quality, but many people do complain about demand-side data.
-
Audrey TangFor example, many people would like to know based on the signal data of the major telecommunication carriers, how many people are living in a village. This is not supply-side data. This is not what the government know intuitively as part of doing our work.
-
Audrey TangAs for counter-pandemic measures, I think in Germany also in many jurisdictions, signal data from telecoms when processed in a thoroughly anonymous non-identifiable way, is considered a public good for counter-pandemic.
-
Audrey TangThis is exactly why, in addition to the data governance act, which contains a relative weak paragraph on data altruism, which is not sufficient to compel the demand side telecoms to hand out their data, because it's entirely voluntary.
-
Audrey TangThey do so they just are the markers at the end it doesn't really work. There is now cause for a new data act that will essentially compel the telecoms and so on that host demand-side data to provide in a non-identifiable agreeable form where sufficient amount of public benefit can be established.
-
Audrey TangThe people you talk to, many of them say, or micro weather data or many other data that is currently under this constraint, is then worth investment and even forced contract-signing with these industrial players. We are not talking about open government data anymore. We're talking about open data, like a data altruism with certain level of enforcement.
-
-
Jeanette HofmannYour Telco industry, are they happy with that when there will be mandatory provisions asking them to?
-
-
-
Audrey TangWell, we've seen many international examples. One thought is to make it available only after a time period, so they can still sell early access. Then after that, they don't earn much anymore anyway, in which case they should become open data.
-
Audrey TangWe tried that quite successfully with the real-time inventory in the frozen food in the major farmers' market in Taiwan. Because if they release it on the same day, they lose a lot of money because they cannot arbitrage.
-
Audrey TangIf it's aleady done for the day, it's a post-trade. Then after a few days, once you release that it doesn't really matter anymore to the traders. Maybe, open data with a timeline is a compromise position between the demand side people and the supply side people.
-
Jeanette HofmannIs there also an issue of protection, say data protection, and how you balance the two?
-
Audrey TangOf course, we're all talking about NPDs. None of these data I'm talking about is personal data. We use a different term in our ministry for that. For raw data, we say 資料, but for non-personal data, we say 數據, as in statistics. Processed data that has no privacy risks.
-
Jeanette HofmannYes and no. In the long run, when you deal with big data, it's more and more difficult to distinguish non-personal and personal data.
-
-
Jeanette HofmannWe used examples with transport data, that when you count people and when you go to the urban fringe of cities, it's less and less people who use that. Then there are moments where they intersect personal data and non-personal data.
-
Audrey TangThat's a solved problem. Nowadays you can, for example, use entirely synthetic data with differential privacy, so that it has the same statistical properties but none of which is real. You can do Open Algorithm, in which you submit a code, then we run the data and just give you the statistics. Now with zero-knowledge tools, we've got more.
-
Jeanette HofmannYeah, It's doable, but the question is, are these practices, are they mandatory, are they defined somewhere?
-
Audrey TangThat's why we need an independent DPA because when we run our projects, of course, we say it's mandatory. We are not the competent authority for most of those data projects. We can say with some certainty, if you do it this way, you get our funding.
-
Audrey TangThe truth is that neither we or even the NDC can say we ban the use of old k-anonymizers, because at the end of the day, the competent authority, like the transport data, will be the Ministry of Transportation. Only with an independent DPA can harmonize these requirements.
-
Jeanette HofmannDo you also observe that proposal of a data act on the EU level, have you looked at that?
-
-
-
-
Jeanette HofmannI'm not sure if it will ever see light of the day, that's still unclear, but to make it mandatory also for the private sector to share data it gathered?
-
Audrey TangFor us, it's the only reason why we need to go to the legislation because then it would be expansion of state power. If it's just about data quality in the government, we can solve it with regulation. If it's concerning the private sector, for the service of public good of course, then if we do that by a regulation, that violates the legal reservation principle.
-
-
-
-
-
-
-
Audrey TangIn Taiwan, we deliberately chose a translation for data altruism as 公益, public good, instead of 利他, for the good of others. The reason why is that, we already saw the comparative weakness of the data altruism organization outcome in the EU.
-
Audrey TangWe are already thinking about the full data act when we set up the moda, and the Department of Plural Innovations is set up to assume many different ways. Within the Plural Innovation Department in the moda, there are, for example, the section on open data, the section on MyData, which is voluntary use of my personal data stored in any place.
-
Audrey TangThere's also section for data altruism, there's also the section for data capacity empowerment of the civil society. All these represent, which is why it's called Plural Innovation, represent different data reuse models.
-
-
-
-
Audrey TangOf course. Our department is at Shinkong. You can of course interview the D.G. or her deputy.
-
-
Jeanette HofmannAnother issue I'd like to mention is the eID project. Could you tell me a bit more about the state of things in this...?
-
Audrey TangOf course. We use TW FidO, which is the mobile version of the eID, practically every day, to sign official documents. It combines the standardized FIDO2 authentication protocol and the standardized PKCS digital signing protocol. It's very useful.
-
Audrey TangNow, prior to the introduction of the TW FidO, there was also an IC-card-based form factor, called as Citizen Digital Certificate, the CDC, unrelated to pandemic. CDC card is not super popular in Taiwan.
-
Audrey TangThe Minister of Interior, at one time, thought we can make it more popular if we just make sure that the paper-based plastic card and the Citizen Digital Certificate if we just merge them, tape them together, and do the same card.
-
Audrey TangOf course, they say, if people don't want to use the IC chip, they can still get the same governmental services. The main goal is just to get more people using this Citizen Digital Certificate.
-
-
-
-
Audrey TangA couple of things. First is that Electronic Signatures Act in Taiwan, unlike, say, in Estonia, gives the freedom to the person receiving the signature to accept or reject electronic signature at will. You can say, "I accept this DocuSign this moment," the next moment you say, "No, just handwriting."
-
Audrey TangIn many EU states, that's not possible. Once you say you start accepting electronic signature, you cannot unsay that. You will have to then accept eIDAS and other European blockchain, or whatever that you have adopted. You may take some time to prepare yourself for it, but once you join, you cannot say, "From tomorrow, on paper only." That's not legal even.
-
Audrey TangIn Taiwan, because our Digital Signatures Act is quite dated, that is possible. To implement the CDC card possesses a risk that if the competent authority suddenly is saying, "No, paper only," then all this investment in infrastructure is for naught.
-
-
-
-
Audrey TangI would strongly prefer an Independent DPA Act to be in the legislation before we reform any of those acts. Because otherwise, there is a key clause in these acts that is still filled by the Ministry of Interior or other ministry that issue this. That is to say, the personal data protection authority.
-
Audrey TangThat was the civil society's consensus when the new eID was being deliberated in the National Academy, which I also participated. I said quite publicly when I was in the National Academy deliberation, that I also support the independent DPA being one of the key cornerstones before we introduce anything like that.
-
-
-
Jeanette HofmannThat was my question, has it changed in one way or another, the relationship?
-
Audrey TangThe cybersecurity domain, which I only started processing full-time since the cyberattack last August, [laughs] that is much harder to make it truly grassroots.
-
Audrey TangThe need for, I would just say national-security-related secrecy is unlike the other things like platform economy or open data or things like that. Because in platform economy or open data, I just say, everything I know the civil society also know. We're radically transparent that way.
-
Audrey TangIn cybersecurity, oftentimes it's, just as Kuo-Wei said, sometimes it's an intentional attack in the gray zone, highly coordinated with their military. Just publishing this part would be misleading, without also publishing PLA movements. I don't think the Minister of National Defense would like it very much if we publish all PLA movements to the public.
-
Audrey TangThis is a fundamental dilemma between participation for safety and participation for progress. Participation for progress can move fast and they won't break things, but participation for safety requires a lot of deliberation.
-
Jeanette HofmannGenerally, the relationship hasn't changed. Because I heard that there is also more criticism now, that you face some criticism.
-
-
-
Audrey TangYes. I don't think people criticize me when it comes to, for example, delivering good e-service that's going to get everyone NT $6,000 in a few weeks now. It's about e-service stuff. I don't think just because I'm the moda minister, I don't think any criticize me because of that, but on the cybersecurity, yes.
-
Jeanette HofmannI think my last question concerns, actually your indicators of success. How do you measure your own success as a minister?
-
Audrey TangOf course, the safety (administration for cyber security), the progress (administration for digital industries), and participation (departments in the moda proper) have different KPIs. For example, in cybersecurity, you would like to measure by the incidents discovered sufficiently mitigate the zero trust architecture reform and so on.
-
Audrey TangIn the progress part, you would like to participate more fully to international FIDO, W3C, and so on, making this international e-commerce more fair to different jurisdictions to solve the complication, because of the lack of zero-knowledge technology. The personal data attributions in the APAC alone, I think thousands and thousands of incompatible regulations.
-
Audrey TangTo streamline that would be of course a great KPI. In the departments related to data and e-services, of course, we subscribe to the public idea where we don't do one shot, like handing people $6,000 NT system.
-
Audrey TangRather build it as a public infrastructure, so that all municipalities and even people abroad like X-ROD or DR folks can learn from our foundations. To strengthen not just the safety, but also the convenience of things.
-
Audrey TangWhen you ask me my personal KPI, it's none of these three. It is to increase the overlap of the participation, safety, and progress. The more that we can instead of seeing things as a trilemma, we have to choose between those three different parts.
-
Audrey TangThe more that we can navigate this narrow corridor to find the co-creative solutions that take care of all of the safety, participation, and progress concerns. Then that would be a success. If at the end of my term, people generally think, "Oh, you have to make a trade-off, one side must lose," then I would have failed as a minister.
-
Jeanette HofmannThat is still a bit vague, to say to have than being more in harmony with each other or technical...
-
Audrey TangYou've just given me a couple of examples. You've just said like personal data, if you do it more and more then sooner or later there will be privacy breaches and so on.
-
Audrey TangI must say, that is the kind of KPI that I'm giving myself and that I can give convincing results that says, "No, this dilemma doesn't exist anymore."
-
-
-
-
-
-
-
-
-
-
-
-
Jeanette HofmannNo. I'm leaving on the 25th of March, but I could also do later. If per face-to-face meeting is not doable in the next couple of days, I could also do a Zoom meeting.
-
Audrey TangThe thing is, we're pretty sure that pretty soon the founding of the Independent DP Act will be ready. The answer you're going to get after that is not the same as before that.
-
-
Audrey TangYes. Once the IDPA is ready, not just the Plural Innovation, but you may also want to interview the NDC preparatory office. Because then there will be a ministry that's not me in charge of the Independent DPA founding. Many of your questions is better answered by that ministry.
-
Jeanette HofmannHow would I organize that once I'm back in Berlin? Could I do Zoom meetings with them?
-
Audrey TangI think we still prefer Google Meet or something because Zoom has not yet promised to function when all these so many cables are cut. [laughs] Maybe set up a Google Meet. For Plural Innovation, we can make introductions.
-
Audrey TangFor the IDPA, once the preparation office is ready, I can personally ask that minister, whether they would like to accept your interview, but the decision because it's independent, it's up to them.
-
-
-
-
-
-
-
Jeanette HofmannOur data protection officer came to some agreement with them, so since then we can use it. Because our public service that was an issue there with how we would use.
-
-
Jeanette HofmannWe had in German ministries, incompatible streaming services they would not allow to use the other one. During the pandemic, there were some ministries using the Cisco one, and another one...
-
-
-
-
-
-
Jeanette HofmannYeah, but that depends always on the ministry. That would be in the ministry of commerce, but ministry of justice used a different one. They could not communicate with each other for a while.
-
Audrey TangHopefully with the DMA, in just a couple of years, you can call into any Zoom meeting with Google Meet, because it's one of the key interoperable clauses.
-
-
-
-
-
Jeanette HofmannWe use that also, in one of the research institutes where I am. We use only open-source stuff there and Matrix is one of them that we use.
-
-
-
Audrey TangWe use Rocket.Chat too. Rocket.Chat is now being converted into a Matrix frontend. That is the end goal of DMA, that you have many different programs, but they all talk to each other just like email.
-
-
-
-
Audrey Tang...interface problem for also disinformation, because a lot of disinformation is piggybacking on this network effect of social media apps.
-
Audrey TangWith the DMA, you say, any interface, just like podcasts and emails, can look at the short videos produced on any other platform, then the platform's coercive control or surveillance capitalism is much less, because if I learn it's surveillance capitalist, then I just switch to Element/Matrix or whatever, but I still enjoy the same content feed.
-
Jeanette HofmannIt often doesn't work. In Singapore, everybody uses WhatsApp. There are so many alternatives, but they just don't switch. In Germany, lots of people switched from WhatsApp to Signal or to Telegram. You never know. You cannot ask people to...
-
Audrey TangThe point I'm making is, with the DMA interoperability, it doesn't matter then. Whomever using whichever software will be able to appear in your contact, and you can just send messages, not caring about the email program they're using.
-
Audrey TangThe same would be for the short messages and eventually, video conferencing. When I say solving at the root, I mean something like that.
-
Jeanette HofmannI do understand that. There's another question that I wanted to ask, and I forgot, I heard that your ministry had problems getting enough staff and that you share a problem with German administration, that the rules for hiring people goes back to very ancient Japanese...
-
-
-
Audrey TangThe initial thought during the formation of moda last year was to solve it with one-year contracts. I would say that, for the Administration for Cyber Security, it didn't quite work out that way.
-
-
Audrey TangThe reason why is that the salary range for one-year hires is still capped so that it can only get half of my salary. All the good cybersecurity people, not even senior ones, good junior ones, enjoy at least deputy minister salary nowadays. The senior ones all enjoy higher salary than the minister. It's not possible to retain them with one-year contracts.
-
Audrey TangWe solved that for real, last month, by establishing the National Institute of Cyber Security, the NICS, which is operating our labor law and not the Public Service Act. This institute, when it does, for example, cybersecurity audits, by law, because they passed the background check, they act as a public body.
-
Audrey TangBy this idea, we set our salary range for researchers and engineers to peg on the median income of cybersecurity practitioners in telecom and financial industries.
-
Jeanette HofmannYou could do that, you have the latitude to do that because you created a new organization for them?
-
Audrey TangThey are not public servants. Many public servant one-year contract positions ends up moving to the NICS, after NICS founded, because otherwise they will recruit someone, and after a while, the financial or the telecom industry would just poach them because they are now passed the background check, and therefore, worth more [laughs] in those highly-regulated industries.
-
Audrey TangBy pegging the NICS salary to the median, then we don't lose people by default. Now, the counter problem to this is then for the people who remain in the public service. What's the incentive for them to remain in the public service? Do they get also some extra payment, or do they just quit their job and become a NICS contractor or a NICS employee, for that matter?
-
Audrey TangBecause our labor law is pretty good in the regard of protection, there's no at-will firing or things like that, so they don't lose much by switching from a public sector position to the NICS position. The fix here, the solution here, is just to figure out how to add back the compensation for the people who nevertheless stay in the public sector. We're still working on that.
-
Jeanette HofmannBecause it turned out in Germany that we were never good at hiring engineers, therefore we outsourced a lot of engineering tasks, but didn't have the skills in the ministries to assess the quality of the work being outsourced. I heard that this is also a problem with money.
-
Audrey TangThere's that. There's also that, just because it's contracted out, it doesn't mean that you don't retain the architecting vision of what needs to be done. If you contract out, especially the initial planning capacities, then you're constrained by whatever technical solutions that your contractors have.
-
Audrey TangThen, when new technologies come, Web3 or AI or whatever, you end up getting last-century solutions.
-
-
-
Audrey TangWe think we've got some solutions to that, regulation-wise. That's probably the most important thing, internal organization-wise, in moda. It's not to solve any particular problem quickly, but to solve it in a way that it's reusable in the future.
-
Jeanette HofmannAs you said, you keep the architecting, architectural vision in your ministry, that would be then by non-engineer people, or would it be by engineers willing to accept...?
-
-
-
Audrey TangWwe're working on the compensation plan for that. It goes into a lot of detail. In Taiwan, a new ministry can choose between getting most of its personnel as technical personnel, operation or administration personnel.
-
Audrey TangIn Taiwan, there is a special profession in public sector called economic development, 經建職系, which is somewhat like the administration, in that it does planning and strategy. It is also somewhat technical, in the sense that you have to be an architect of mechanism design.
-
Audrey TangThis economic architect line of work applies to many policy planners in the digital ministry. Although that profession came from a non-digital background, we were able to re-purpose this to serve our purpose.
-
Audrey TangWhereas in many other ministries, you see comprehensive planning, 綜規, in moda all the sections are called strategy, 策略. In Plural Innovations, you have this inclusive strategy section 共融策略科 or the department of digital strategy 數位策略司.
-
Audrey TangThe idea is that they would be able to bridge between engineering and planning, because they can fuse them into one position, and then the compensation is also better.
-
-
-
-
-
發布單位:數位發展部
建立日期:2023-03-13
更新日期:2023-03-30