City of Victoria to Millennial Families: Go Live In A Shed

On Thursday night last week the Victoria city council approved the latest housing measure in their fight against millennial families - dashing their last hopes for housing affordability. The latest iteration is a policy that council is calling Garden Suites and the city has done a media blitz everywhere from the local newsradio stations to the local newspaper trying to sell Victoria on how great the policy is. On these issues our local media, who make a considerable amount of their remaining revenue from advertising luxury housing, are little more than parrots and don't present more than one side of the argument. In fact you can read the same sentence word for word across town on the subject, and to read the paper you'd think they solved the housing crisis overnight.

So what are "Garden Suites"? Garden Suites are small backyard buildings, built to an insanely high luxury standard and that are restricted to 400 sq ft and 25% of the rear yard site coverage. They take the place of a legal secondary suite in the home. If you build one of these sheds, you're restricted from also building a legal rental suite in the house. They cannot be strata titled and unlike a legal secondary suite, they do not require parking allocation.

So right now you're probably thinking this sounds like a no-brainer in a city like Victoria that is experiencing an acute housing shortage. This is the council's line, that any housing is good housing, but as I'll explain below, this policy is a disaster for millennial families and housing affordability.

Go Live In A Shed 

Social justice is a key concern in housing. A vibrant city will have a mix of property classes, price points and enough housing to allow the market to function properly. It will allow new entrants and existing interests to co-exist fairly and thrive together.

To track this issue there are some key statistics:

First is the Demographia Median Multiple. Victoria ranks as the least affordable "smaller housing market" in Canada and is deemed "Severely Unaffordable". In 2016 its Median Multiple was 8.1 and the median house price was $542,400 with the median income at $67,300.

The second is the rental vacancy rate. Victoria again ranks as one of the worst markets in the country, with a 0.5% vacancy rate. The CMHC universe tracks property for rent and how many rental units were added and created every year. Rent increased by 5.5% last year, but unevenly, as existing rentals are capped by legislation at 3.5% annual increases. This means market rents are going up faster than 5.5% for new entrants or persons searching for a new rental unit. The average rent is (as of Oct 2016) $1620 for a 3br unit in the City of Victoria, but this is not the new entrant rate, which is now anecdotally pushing $1800-$2000+ if you review the classified ads. Worse, the City of Victoria actually lost 3br units in the CMHC universe, going from 205 to 189 over the course of a year. You can read the stats for yourself here: 

So why do I brand this policy as telling millennial families to "Go Live In A Shed"? Because if you're a Millennial for whom SFH homeownership is no longer a reasonable expectation, you're now facing a decaying situation for even finding a 3br rental in the region. They're simply being replaced by micro bachelor condos and luxury suites that usually have the preceding title of "junior" or "executive". These are not units in which one should be forced to raise a family, but they happen to make for great speculator investments and second homes for the wealthiest members of our city. Even one of our misguided city councillors decries how he would not be able to re-rent his same rental unit were he to lose the security of his tenancy like so many others do here every day.

A 400 sq ft shed or a 280 sq ft luxury microloft is simply not a reasonable class of housing to be expanding in the City of Victoria. We already have too much of this class of tiny-but-luxury housing, and are actually losing our family-supporting 3br+ units and affordable townhomes as a class of property.

The policy disaster that is Garden Suites

Convinced we have a problem, let us now turn to the solutions the City Council is enacting and how those policies are doing more harm than good.

The Garden Shed policy is, in my opinion, the most brutal affordable housing policy failure since they approved the development permit for the Janion. A lot of people, and certainly the city council, are pushing the idea that microhome policy will create new rental supply and help improve the housing crisis. It won't, and it's not designed to. 

At Thursday's meeting, between my watching my 7 month old son sleep while going off on twitter at the City Councillors and the low income seniors who rallied around a very articulate spokesperson speaking before council -- the councillors were very clearly and vocally warned that this policy would be a disaster for housing affordability by the people who actually need that affordability to live here. After that, 4 homeowners spoke in support of the plan saying how they intended to use their Garden Suites not for rental stock but rather for owner-occupied purposes ranging from a guest suite to a place to stash their priced-out adult children.

The councillors discussed housing agreements, requiring affordability measures and how the new policy will deny the community a voice in rezoning. They eventually settled on not requiring any housing agreements (which would prevent owner-occupied uses) and proceeded without a community consultation requirement. They also did not add a parking requirement. They did however remind that AirBnB'ing these sheds was not a permitted use, though assured the homeowners that they had no reasonable mechanism for enforcing that restriction.

The council's actions and the proponents' stated intentions all lead to only one conclusion -- that these Garden Suites will not be used for rental stock. They will instead be primarily used to expand existing single family homes -- one proponent even declared how it would save them from tearing down an old home and replacing it with a larger house with a legal secondary suite or a possible upzoning to duplex. 

But let's assume for the moment that some get rented, the rare "mortgage helpers" if you will. These garden suites are priced by the market as luxury accommodations -- typically they're rented by wealthy homeowners who don't live downtown but who would like a place to stay after a night on the town. They're the executive-class workers who, instead of commuting back to their Duncan acreages, want to stay downtown Monday to Friday and see the kids on the weekend. Or they're rarely rented to the poor unfortunate middle class worker who tries to shove their family of 3 into a bachelor suite, because they have nowhere else to go and simply can't find another unit at all. In any event, they rent in the pricing range from 1800 to 2000 per month, making them one of the most expensive classes of rental property in the entire city on a sq ft basis.

The market effect on SFH prices is even worse. Remember the Median Multiple above? Well, due to the strata titling restriction, the Garden Sheds actually add value to a Single Family home and cannot be separately purchased or owned. Upon resale, they don't save anyone any money on the mortgage, as the market has learned to price in any potential rental income, and the total price of the house increases by approximately the rental value of the suite on a market-will-bear pricing basis. You're now a reluctant landlord and looking at more expensive SFHs. 

All this means that the median multiple is made worse when the sheds are built. They will be reported to BC Assessment and increase the value of the property for both tax purposes and resale. There is no free lunch here and housing is priced on a market-will-bear basis -- if the suite adds $2000 a month in rental income, that will be factored into the resale price of the home.

So if it will make the Median Multiple worse why is the City Council allowing it?

First, the homeowners, who are increasingly becoming known as NIMBYs, love the policy. They can increase the value of their SFH well beyond the cost of building the sheds. Increased property values and a guest house for their visitors; you can even borrow against the equity rise to build them and expect to turn a profit. If you own a SFH in Victoria and aren't considering building one of these things, you must really love mowing your lawn. The established, already-in-the-market crowd gets a massive increase in property value at the expense of new-entrant millennial families. In fact, just approving the policy will have already sent the value of all SFHs in the city up as they are now all "Garden Suite Zoned and 'shovel-ready'".

Second, it prevents density. The NIMBYs hate density and go on and on at length about how their quaint little town is being destroyed by development. (Never mind that we're actually losing 3br homes, and that those Millennials who were born here -- like me -- are being priced out by foreign speculators buying up the limited supply of existing housing). The NIMBYs love garden suites as they achieve two primary objectives. They increase the property values and push back on more complicated zoning decisions which change the look and feel of their neighbourhoods.

The Garden Suites are the ideal NIMBY defence to the scourge of upzoning and redevelopment to medium-density townhomes and multi-family apartment buildings. If your goal is to keep 3br units out of this city, the Garden Shed plan is your policy panacea.  

The City Council is clearly working towards supporting these anti-redevelopment voices, but the results are a disaster for millennial families -- a worsening median multiple and a loss of available lands to upzone to multi-family-development. Worse, the increased property values from the sheds makes land assembly for MFD project-development more expensive resulting in more luxury-class projects and fewer market-affordable projects. Families end up forced into 400sq ft units that are not appropriate for raising children. 

It is the housing crisis equivalent of building bridges too low for transit buses to ensure only wealthy car owners are able to live in an area. It purposefully prices out everyone else and it's not an accident or unintended. This is a policy choice and one for which council has firmly sided with the existing SFH homeowners. 

Worse still is that with the policy as it is, MFD redevelopment of SFH is actively discouraged. MFD projects need to make huge DCC, Amenity, Land-Lift, Bonus-Density, parking and rezoning restriction contributions which can reach millions of dollars and add 100,000+ to the cost of a new unit built in the City. The Garden Sheds have no such overheads and don't even have to pay their direct costs to city staff and planning time. This is grossly unfair to working millennial families who are expected to pay costs that millionaire SFH homeowners are not required to. 

So what is the solution?

The city needs to abandon this policy -- and it should be easy to do too. They need only watch the first few dozen suites created through the policy to see if they are a) being rented at all and b) if those rents are market-affordable as they claim to intend. When it becomes clear that neither are occurring, the policy should be repealed for the failure that it is.

Next, the City needs to begin a very complex and controversial process of council-initiated rezoning of the low-density zones in the City. With a housing crisis like ours, there is no excuse for having R1 zoning anywhere within the municipal boundaries of the City of Victoria. There is no excuse for having 600+ spot zones which require ludicrously expensive rezoning, and punitive taxes and requirements every time a project comes before council. This will be unpopular with a vocal minority of the population -- those homeowners who have become known as the "grey-haired elite" and who stand to benefit from the Garden Suites... But nonetheless, it is the only solution to our crisis. We must improve the supply of market-affordable 3br+ homes, MFDs, if we want to maintain the social fabric of Victoria and support a family-compatible community.

We also need to take a long hard look at policies like the Urban Containment Boundary that is regularly used to deny clean water services to the JDF region; and we need to have a critical look at the taxpayer subsidy of luxury homes created by council holding down zoning beyond what the market would otherwise allow for. Each lot that is under-zoned is a massive amount of tax dollars the city does not collect and effectively pays as a direct subsidy to the existing landowners. It's time to end this millionaire subsidy and let the market choose the appropriate neighbourhood density.

If I were in the Mayor's chair I could solve this housing crisis within a year simply by changing the policy framework. I would make land in the city much more valuable but reduce the cost per sq ft of housing. Will it push people from aging-in-place in their big SFH luxury homes? You bet. But it will put 10 or more working families in that same space and see the SFH owner leave with a golden parachute.

So to city council I say, stop fighting families, abandon the sheds-as-homes plan, and start taking this crisis seriously. We will fight back at election time.


LetsEncrypt and Apache Macros

If you're like me, you've probably started using LetsEncrypt pretty heavily for your TLS certificate needs. Free, short-lived certificates that have a decent auto-renewal pattern are just a no-brainer when it comes to modern DevOps.

That said, there can be some challenges. While many of you will have moved onto using nginx, Apache still holds a considerable market share for a lot of reasons. I'm still on the Apache stack, and like most good Apache admins, my config files are full of Macros. After all, a VirtualHost config should be a single line and should be enabled with a graceful reload and not a full server stop/start. 

But LetsEncrypt doesn't play nice with Macros, so you've probably started splitting out your configs into something that looks like this: 



    Use SSLDefaults
    Use VirtualHostTemplateMacro
    SSLCertificateFile /etc/letsencrypt/live/
    SSLCertificateKeyFile /etc/letsencrypt/live/
    SSLCertificateChainFile /etc/letsencrypt/live/


This type of thing is sufficient to get the certbot-auto apache plugin working, but it's really quite terse and less than ideal. One ServerName per file, and you have to reconfigure things after certbot runs the first time, usually involving a full server restart.

There's a better way and this method also helps you keep multiple servers in sync in a load balancing setup. 

The first method is using mod_proxy in the http (not https) site config. First enable mod proxy (probably via a2enmod if you're on Ubuntu) ... and inside a VirtualHost config, you add the following code: 

ProxyPass /.well-known/acme-challenge/
ProxyPassReverse /.well-known/acme-challenge/

You then set up a virtualhost for the internal.letsencrypt subdomain (it doesn't have to be externally reachable):


    DocumentRoot /var/www/html/

    <Directory "/var/www/html/.well-known/acme-challenge">
        Options None
        AllowOverride None
        Require all granted
        AddDefaultCharset off
    </Directory>



Then you can use the webroot method of issuing letsencrypt certificates.

certbot-auto certonly --webroot -w /var/www/html -d,

Any http-01 type challenges will hit the proxy and forward over to your subdomain. In this way you can have any endpoint server forward to a box dedicated to LetsEncrypt internally and then rsync out the certs when they're generated. 

If you're using mod_rewrite and the ProxyPass isn't engaging (because your RewriteRule engages first), add  

RewriteCond %{REQUEST_URI} ^/\.well\-known
RewriteRule . - [L]

to your rules, which will turn them off for the .well-known directory (the [L] flag with a "-" substitution stops rewriting without changing the URI). 

Once this is working you can go back to using Macros properly without worrying about certbot not understanding how to parse them. 

If you've already generated your certificates, you can update your /etc/letsencrypt/renewal/ configs to properly use the webroot method. (Just look at another domain you generated for example of how to set the configs correctly). You can use --dry-run or --force-renew to test the new config will work on renewal.

After that, to keep them updated, all you need to do is add to your cron.

/usr/local/bin/certbot-auto --no-self-upgrade renew --webroot -w /var/www/html

And then you can just 

/usr/bin/rsync -ar --delete /etc/letsencrypt/./

to sync between app servers. Keep in mind that with --delete it will delete any files on the other app server that don't match the machine you're running the command from. Once you have a script working, you can issue, renew and sync your LetsEncrypt certs centrally.

If you use HAProxy, you can also just forward http requests for .well-known/acme-challenge/ to your new internal webserver.

To make life easier and test everything before running the letsencrypt client, you can also just: 

mkdir -p /var/www/html/.well-known/acme-challenge
echo test > /var/www/html/.well-known/acme-challenge/test.txt



If you can see the test file, then LetsEncrypt should be able to see the challenge files created there as well. 
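The manual test above (write a file under the challenge directory, then see whether it comes back over plain HTTP) is exactly what certbot's webroot validation depends on, so it is worth scripting as a preflight step before each issue or renew. The following is an added example, not code from the original post: it writes a random token into the webroot's .well-known/acme-challenge directory, fetches it through whatever proxy or rewrite chain sits in front of that vhost, and only reports success if the token comes back verbatim. The function names (preflight, write_probe, local_demo) and the local http.server stand-in for the internal LetsEncrypt vhost are my own assumptions for the demo; on a real host you would call preflight("/var/www/html", "http://your-domain") for each domain you are about to pass to certbot.

```python
"""Preflight check for the ACME http-01 webroot path.

Added example, not part of the original post. Before running certbot,
drop a random token into <webroot>/.well-known/acme-challenge/ and fetch it
over plain HTTP the way Let's Encrypt's validation servers will. If the
round trip works through the ProxyPass / RewriteCond chain, the real
challenge file will be reachable too.
"""
import os
import secrets
import sys
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial
from http.server import HTTPServer, SimpleHTTPRequestHandler

CHALLENGE_DIR = os.path.join(".well-known", "acme-challenge")


def write_probe(webroot):
    """Create a random probe file under the challenge directory; return its name."""
    token = secrets.token_urlsafe(16)
    path = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(path, exist_ok=True)
    with open(os.path.join(path, token), "w") as fh:
        fh.write(token)
    return token


def fetch(url, timeout=5):
    """GET url; return (status, body). Never raises, so callers get a clean verdict."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, ""
    except (urllib.error.URLError, OSError):
        return 0, ""


def preflight(webroot, base_url):
    """True if a token written into webroot is served at base_url, verbatim.

    base_url is the http:// origin certbot will be validated on, e.g.
    "http://example.com" (assumed placeholder). The probe is removed afterwards.
    """
    token = write_probe(webroot)
    probe_path = os.path.join(webroot, CHALLENGE_DIR, token)
    try:
        status, body = fetch(f"{base_url}/.well-known/acme-challenge/{token}")
        return status == 200 and body.strip() == token
    finally:
        os.remove(probe_path)


class QuietHandler(SimpleHTTPRequestHandler):
    """Stand-in for the internal vhost: serves a directory, no request logging."""

    def log_message(self, fmt, *args):
        pass


def serve_webroot(webroot):
    """Serve webroot on 127.0.0.1 on a free port in a background thread."""
    server = HTTPServer(("127.0.0.1", 0), partial(QuietHandler, directory=webroot))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def local_demo():
    """Run preflight against a temporary webroot; return (ok, status_for_missing)."""
    with tempfile.TemporaryDirectory() as webroot:
        server = serve_webroot(webroot)
        base = f"http://127.0.0.1:{server.server_port}"
        ok = preflight(webroot, base)
        # A token that was never written must not come back as 200.
        missing_status, _ = fetch(f"{base}/.well-known/acme-challenge/never-written")
        server.shutdown()
        server.server_close()
        return ok, missing_status


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # usage: preflight.py /var/www/html http://your-domain
        print("reachable" if preflight(sys.argv[1], sys.argv[2]) else "NOT reachable")
    else:
        ok, missing = local_demo()
        print(f"local demo: challenge path reachable={ok}, missing token -> HTTP {missing}")
```

Running it against each -d domain before the cron renew catches the two failure modes the post describes (a RewriteRule swallowing the request, or a dot-file rule denying .well-known) without burning Let's Encrypt rate limits on failed validations.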

Some webserver configs also limit access to dot-files, a typically smart move, but one that can restrict access to the .well-known directory. The following can replace your .dotfiles rules, usually found in apache2.conf

<FilesMatch "^\.(?!well-known)">
    Require all denied
</FilesMatch>

<DirectoryMatch "^\.(?!well-known)|\/\.(?!well-known)">
    Require all denied
</DirectoryMatch>

Translated, this denies access to any file or directory whose name starts with a dot, except where the negative lookahead finds .well-known immediately after the dot, in which case the deny rule doesn't apply. 
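Because both the RewriteCond bypass and the dot-file deny rules above hinge on small regexes, it helps to dry-run them against the request paths you care about before reloading Apache. The block below is an added example, not code from the original post: it copies the three patterns from the post verbatim and evaluates them with Python's re module, which shares the (?!...) negative-lookahead syntax with Apache's PCRE, and reports whether a request URI reaches the ACME ProxyPass, is denied as a dot-file, or falls through to the application. The Apache ordering it models (ProxyPass wins for the challenge prefix; everything served locally is then subject to the FilesMatch/DirectoryMatch denials) is standard, but the classify and report helpers, the "strict" variants of the patterns, and the use of /var/www/html as DocumentRoot are my own assumptions. The strict variants go slightly beyond the post: they exempt only an exact .well-known path component, so a sibling like .well-known-backup is still denied.

```python
"""Dry-run of the Apache dot-file / ACME rules from this post.

Added example, not part of the original post. The three compiled patterns
are copied from the post's RewriteCond, FilesMatch and DirectoryMatch lines;
the STRICT_* variants are a suggested tightening, not from the post.
"""
import re

ACME_PREFIX = "/.well-known/acme-challenge/"   # what ProxyPass forwards

# From the post: RewriteCond %{REQUEST_URI} ^/\.well\-known  (RewriteRule . - [L])
ACME_BYPASS = re.compile(r"^/\.well\-known")
# From the post: <FilesMatch "^\.(?!well-known)">  Require all denied
DOTFILE = re.compile(r"^\.(?!well-known)")
# From the post: <DirectoryMatch "^\.(?!well-known)|\/\.(?!well-known)">  Require all denied
DOTDIR = re.compile(r"^\.(?!well-known)|\/\.(?!well-known)")

# Suggested tightening (assumption, not from the post): the lookahead in the
# original only checks the prefix, so ".well-known-backup" is also exempt.
# Requiring "/" or end-of-string after the name closes that gap.
STRICT_DOTFILE = re.compile(r"^\.(?!well-known$)")
STRICT_DOTDIR = re.compile(r"/\.(?!well-known(?:/|$))")

DOCROOT = "/var/www/html"   # DocumentRoot used in the post


def classify(uri, strict=False):
    """Return 'acme-proxy', 'denied' or 'app' for a request URI.

    Mirrors Apache's ordering: the RewriteCond bypass leaves .well-known
    requests untouched so the ProxyPass for the challenge prefix can claim
    them; anything served from the local docroot is then checked against the
    dot-file and dot-directory denials on its mapped filesystem path. The
    application's own RewriteRules are not modelled here.
    """
    dotfile, dotdir = (STRICT_DOTFILE, STRICT_DOTDIR) if strict else (DOTFILE, DOTDIR)

    untouched_by_rewrite = ACME_BYPASS.search(uri) is not None
    if untouched_by_rewrite and uri.startswith(ACME_PREFIX):
        return "acme-proxy"

    fs_path = DOCROOT + uri                  # what Apache maps the URI to on disk
    basename = fs_path.rsplit("/", 1)[-1]    # FilesMatch sees only the file name
    if dotfile.search(basename) or dotdir.search(fs_path):
        return "denied"
    return "app"


def report(uris, strict=False):
    """Classify every URI in uris; returns a dict of uri -> verdict."""
    return {uri: classify(uri, strict) for uri in uris}


# Constructed sample request paths, not taken from any real log.
SAMPLE_URIS = [
    "/.well-known/acme-challenge/AbC123token",   # certbot validation request
    "/index.html",                               # ordinary content
    "/.git/config",                              # dot-directory, must be denied
    "/.htpasswd",                                # dot-file, must be denied
    "/.well-known/.hidden",                      # dot-file inside .well-known
    "/.well-known/other/x",                      # exempt either way
    "/.well-known-backup/x",                     # exempt only in the loose form
]

if __name__ == "__main__":
    for strict in (False, True):
        print(f"--- strict={strict}")
        for uri, verdict in report(SAMPLE_URIS, strict).items():
            print(f"{verdict:10s} {uri}")
```

Run it once with your real apache2.conf patterns pasted into the three constants: a path you expected to be denied showing up as "app" is the kind of regression the post's "replace your .dotfiles rules" step can introduce, and it is cheaper to spot here than after a reload.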

Hope that's helpful.

Standing still in a changing world. The fight to keep BC's kids competitive in the age of code.

Before I get started, the usual disclosures. What follows is a personal political opinion and is not speaking on behalf of, or endorsed by, any organization I am associated with. 

The announcement.

If there was a theme to the recent BC Tech Summit, it was the cliche line, "These are not the doors of a billionaire Richard!", a quote from the hit TV show Silicon Valley. The summit, an $850 a ticket meetup for big business and the subsidy sector was seen as a failure by many tech observers.

The presentations varied between the worst qualities of Qualcomm's Born Mobile CES keynote and infomercials for Baron-IT products... and then the Premier's announcement speech talked more about how we should all be chasing the dream of owning a Ferrari, rather than promoting the ideals of a prosperous life involving family and civic duty. It was simultaneously insulting and cringeworthy in so many ways, but mostly it was just counter-productive -- big announcements on corporate welfare, foreign workers, and unicorn-mania all came off as a big screw-you to the revenue-generating and tax-paying small tech businesses and high-technology workers of BC.

There were a couple positive announcements in the mess however:

  1. The BC Developers Exchange (DevX) is experimenting with more open and lightweight procurement models (which I'll cover another day in a separate post as the project launches)
  2. Tech education for kids, and the promise that a mandatory curriculum in "code" will be embedded into the K-12 system.

The former DevX announcement was ignored by the media. I mean really, who in the MSM -- between the layoffs -- is going to take the time to parse what is potentially the largest government procurement shift in generations.

The code-for-kids controversy.

Code for Kids hit the MSM in a big way. Clark promised to educate kids in "code" and the BCTF reps were having none of it. A media storm erupted with comparisons to empty LNG commitments and the teachers were out on the radio slagging the idea. "Not everyone needs to learn to code" was even uttered by a prominent educator. The BC NDP jumped on board and criticized the premier for the announcement. They brought up the digital divide (a real problem, but presented as if every kid in BC was learning by candlelight)... and said it was evidence of why this plan was unfunded and unworkable.

To date, for clarity, the plan is simply this: We're going to teach kids to "code" in the existing K-12 system. Nothing more. Nothing less.

The usage of the word "code" in this context is carefully chosen. It's not synonymous with "programming" or "encipherment", but rather incorporates the same expanded derivation of the word as you would find in "building code", "code of ethics" or "genetic code". It's a broad term that encapsulates all the foundations of digital literacy, of which programming is a very small, almost insignificant slice -- and that's why it's such a buzzword right now.

In reaction to the controversy -- which I can only pin on a fear by teachers that they're all going to lose their jobs to a legion of web developers -- the Education minister put his foot in his mouth saying "You don’t actually have to be sitting in front of a computer to learn coding," .... "There’s lots of different ways to do that."

Now, the Minister isn't wrong, teaching coding has nothing to do with more screen time or the ability to download feature films on school internet backbones -- but as so often happens with statements made by people who actually know what they are talking about... it came off as idiotic and counter-intuitive. The NDP pounced:

"In response to the lack of funding behind the Christy Clark government’s commitment, the Minister of Education actually said, with a straight face, that students don’t need computers to learn computer coding. That is like telling a kid to learn to ride a bike without a bike."

This is where I started to get really grumpy. As an open-source programmer and a community advocate I spend so much of my time giving back and working on these issues -- I've spent years sitting on boards arguing over the structures for community investment programs, organizing Hackathons for kids, writing tech books, engaging in infrastructure research and connecting with civil servants and politicians in this space.

Occasionally we get through to both the politicians and the kids. 

Occasionally we can create millions in funding for non-profits. [Disclosure: I am on the Board of Directors for CIRA]

So to see BCTF and New Democrats pushing back against a long overdue commitment to teach code in our schools is upsetting to me and I suspect to the thousands of other folks trying to work on these key issues of digital literacy. I'm sure for the NDP, partisanship plays into it a bit, but this is not an issue to make a wedge of -- the outcome is simply just too important.

Getting to the bottom of things.

Not satisfied with the suggestion that our kids' schools are candle-powered, I filed an FOI request to determine the actual state of affairs. I was trying to get to the bottom of just how many schools have computers and internet access in BC and was hoping to scope out the state of the digital divide. Are we tech-forward? WiFi-fearful? Or are the kids really reading dead trees by candlelight?

This isn't my first attempt at tracking down the digital divide -- when the Connecting BC Agreement was launched I went looking for a Broadband Map of BC backbones and the state of our last mile availability. Long story short, the telecoms wouldn't share the information because -- and this is an epic policy failure -- they consider it confidential, proprietary information. Why is it confidential? Because a competitor might connect an area they don't serve!

My FOI request was filed with the province (Education, Premiers Office and MTICS) to have them produce their statistics on the digital divide in BC schools. I suspected the kids weren't out there reading by candlelight, but the extent to which the digital divide affects BC schools should have been illuminating.

The FOI request came back a few days later, well before the 30 days I had expected. It was an easy answer, all schools in BC have access to the Internet, but the number of computers in each school is not tracked by the province. There were no responsive records to the computers-in-schools portion of the request.

School District Autonomy

I was incredulous at the response -- how could the province not know how many computers are in our schools? This seems like basic stuff, and certainly core to any policy objective around digital literacy.

Turns out, there's a really good reason the province doesn't know this data -- the School Districts are autonomous in this regard. They're given a budget and expected to achieve outcomes, but are not otherwise monitored in how they achieve those outcomes. Provincial exams don't kick in until high-school and the province apparently cannot step on the toes of the districts.

There's a key policy change needed here, basic stats about the state of our province's education system should not be out of reach for our provincial ministries. An answer suggesting they don't track basic information should be scandalous, not considered collaborative with the school districts.

State of Computers in our schools.

I went searching on open sources for any evidence of computer levels in BC schools. Between globs of information about how schools, districts and neoluddistic parents had fought against Wifi and technology being introduced into our schools, I managed to find some info about our region.

In the context of reporting about upgrades to the SD63 school district, VicNews' Natalie North reported that there were some 2500 computers in the SD63 school district, and a 'typical school' like Stelley's had about 300 computers connecting to their server. Source.

Far from reading by candlelight, at least in Saanich, our kids have access to technology and should have no problem learning to code -- either in the lab or on the playground.

Unpacking Teaching Kids to "Code"

When the Education Minister says it doesn't take a computer to teach kids to code he's totally right. You don't seat a Kindergarten class in computer lab and tell them to follow along with the instructor. Instead, you upgrade hopscotch to teach computational literacy. A little later, you use a deck of cards to teach conditional logic. In later grades, you reconfigure the math classes to teach Boolean Algebra, De Morgan's laws, and Computational Logic... you teach Bayesian Algorithms, and how to make decisions using probabilities. You teach computational joins and set theory adjacent to existing education in Venn Diagrams. You teach digital citizenry and new media literacy in English class -- kids today don't need to learn formal memo writing, but they sure need to understand how to parse new media, evaluate a body of conflicting information and learn from online sources. They need to know how resume writing has transitioned into portfolio building, digital presence, networking and reputation. None of this has anything to do with screen time. It's about thousands of small changes to existing educational outcomes to create a curriculum supporting digital literacy. It's about teaching foundational understanding of the technology and digital culture that underpins our modern society.

Learning to "code" has nothing to do with learning HTML or JavaScript or any sort of vocational training in Java, C# or Python. If you think teaching code in K-12 exclusively or even majorly involves sitting students in a computer lab or teachers becoming developers, designers or engineers -- frankly you're doing it wrong and simply don't have a clue.

So where does one get started learning "code"? Well, is a good start ... Khan Academy, MediaSmarts, Maker Movement, Mozilla Webmaker, Lego Mindstorms, Raspberry Pi, Arduino, and the list goes on. Don't even think about picking up a book on the programming language of the day.

The gender gap argument

Another criticism heard in opposition is that "code" is the domain of boys, focused on rockets and killer robots. But the reality is that these folks are just wrong. Girls more often outperform boys in digital literacy, and in fact women even invented the field [see Ada Lovelace et al] -- but somewhere along the line this 'code is for boys' mythos emerged and has had disastrous social consequences. Think "code is for boys" and you need a stereotypical gender-targeted approach to break through the preconceptions? Try these options out...

Hour of Code - Frozen
Adafruit GEMMA V2

More importantly, History Class needs to teach girls about Ada Lovelace.

The curriculum

Teachers are also decrying the lack of a curriculum, but are, of course, also ignoring that if the province pushed one upon them they would be riotous about being told how to do their jobs. The province can set the high-level requirements and be accountable to competitiveness, digital literacy rates, etc... but our educators have to step up in order to implement the new commitments. They have to adapt to a changing world like the rest of us, and without the expectation of add-on funding and formal retraining -- the job is changing, but all our jobs are changing and teachers must adapt as well.

So where can educators find the curriculum? Well, an example can be found here and is a good start, but every community is different and integration into local priorities and learning outcomes will be key.

The money

So I hope I've established that our students are not learning by candlelight, and that learning code is not about spending time in the computer lab. What about the arguments about a lack of funding for this commitment?

I won't wade into the political minefield that is the BCTF vs Province relationship -- there's enough bad blood on both sides of that equation that to pick sides is impossible. One can't even wade into Districts vs the Ministries, after incidents like the OpenStudent debacle or some districts refusing to balance their budgets, the sector is a mess. No one holds the moral high ground.

What I can say is that there is money and resources available, at least in the NGO space. Most members of the Canadian tech sector are now involved in some level of community investment work; telecoms like Telus have massive community investment programs with money firmly aimed at bridging the digital divide. Small businesses are organizing around NGOs and are holding Hackathons and Hour-Of-Code meetups. Khan and the like are offering free and open courses and curriculum to use.

So long story short, If you need computers for your school, get in touch -- there's a massive amount of NGO resources trying to help you, both with direct grant-funding and with time and human resources available to teach kids to code.

Why is "code" important / we're not all going to be computer programmers.

The final anti-argument goes something like "we're not all going to be computer programmers so we don't need to teach kids to code, that's what college is for"...

We truly are entering the age of code -- not since the industrial revolution will the nature of work have changed as much over the course of a single generation. In the next few decades, if a job can be automated, it will be. If a job is a known commodity, it will be handled by the arbitrage of trade. Robots will self-assemble, reconfigure and create their own processes. Cars will eventually drive themselves. Mining, Biology and Finance will be robotic. Manufacturing and product creation will be bespoke, not institutional, and craft will dominate, spurred by the democratizing influence of technology. Even traditionally offline tradesmen, like mechanics and woodworkers now spend much of their time configuring flow-jet cutting machines, CNC milling machines, laser cutters and the like. Apple Farmers are now relying on tech to water and feed their orchards -- and this, not in some tech-forward experimental field, but found upon Gulf Islands like Gabriola. Traditional media is dying, replaced by new media. Traditional print and TV media personalities fail to achieve the readership of bloggers and Youtube stars -- ask your kids about Bethany Mota, Zoella and PewDiePie -- then take a look at their reach statistics. Podcasts like Serial garner up to a million unique listeners per episode. 

What all this means is that the language of work will change -- has already changed. The ability to learn how to learn without being formally taught will be the most important skill set for the coming generation. It's hard to explain the pace of this change, and its acceleration, but equipping the students of today for change is going to be the key to future competitiveness. Countries that teach kids "code" will lead the transition to the cognitive economy of tomorrow, while countries that don't will find themselves uncompetitive in the new cognitive world.

"Code", therefore, is the foundation of the new economy, and our kids had better be ready for it. It's time to stop fighting change and pushing back against digital literacy. We must make this commitment a reality for every BC school and every BC student.

What's wrong with BC's tech investment policy.

First, about me,

I've been in the BC tech sector since my first web design gig in 1998. Born and raised in Victoria, I incorporated my company federally in 2003. In Internet time that makes me older than Facebook -- I've created jobs, both contractors and employees, and I've paid dividends. I've written books on web development, helped to set tech policy and now sit on a couple of elected boards, including the Open Data Society of BC and the Canadian Internet Registration Authority [CIRA], the organization that manages dot-ca and helps to build a better online Canada.

My corporation, StormTide Digital Studios Inc, occupies the 0-4 employee small business sector -- sometimes called freelance web development. My primary business is selling PHP development services to the e-commerce sector. Between myself and a web designer I work with, we handle the e-commerce presence for more than 50 Canadian and American retail operations. Shopify we're not, but we do a respectable business, with a customization and integration ability unmatched in the industry. Want to put a million parts online, have them index well, work with your Dynamics platform and ship from a dozen pick-and-pack locations? Come talk to me. Want to sell 30 SKUs on the Internet? Go see Shopify.

Additionally, as a twice-elected (members' slate) board member at CIRA, I am involved with the granting of millions of dollars to Canada's not-for-profit tech sector, as well as overseeing the administrators of more than 2 million dot-ca domain names.

What follows is my personal political opinion, and does not represent any organization I am associated with.

The idiocy of chasing growth.

At some point in my career as an entrepreneur I came across Dan Pink's "The Surprising Science of Motivation" and it really spoke to me; he talks a lot about mastery and purpose, and that is largely what has driven me in business. It's not a forget-the-money proposition, but one that says money doesn't buy happiness, while mastery and purpose can.

I pay myself a fair salary from StormTide, somewhere near the tax sweet spot that leaves just enough retained earnings to even out the highs and lows. I get no pension or benefits and I rent a condo in Victoria. I'm no tech billionaire, but I also work 9-5, get the chance to serve on boards, be political and work on amazing projects with no bureaucracy. I get to write books on PHP when publishers come calling. I get to hack on some serious works of public interest like online voting and cybersecurity research. I also do civil rights work, and can be a massive pain in the rear to people who would abuse tech for dystopian means. In short, I might not be a billionaire, but I have mastery and purpose in abundance.

It is through that lens that I look at the BC tech policy and shake my head. Hard.

Consider a doctor with a general practice, your typical family doctor down the road; now consider a society that measured their success by whether they had yet founded a hospital. That's basically BC's tech policy today: forget the family practice, the going concern, we're all going to build hospitals, be billionaires and have scores of people working for us. The archetypes to aim for, we're told, are Bill Gates, Steve Jobs and Mark Zuckerberg. If you're not landing a billion dollar valuation, well, you're not a /real/ player.

I went looking for the stats today, you can see them here [pdf], and they confirmed what I already knew. 98% of BC businesses are small businesses and 79% of BC businesses have 0-4 employees. That puts my StormTide venture somewhere between tragically mainstream and the winter doldrums. It also means your chance of becoming a tech billionaire is less likely than beating Muhammad Ali in a fist fight or scoring the winning touchdown at the Super Bowl.

So then, one would expect that BC schools would be doing what they do for doctors: setting expectations of a lifetime of family practice, of careers in noble institutions, of decent wages and a work/life balance. That they would be aiming expectations at the Mr. Cleavers of the world, the wage earner with a home and kids, and the time to see them, rather than suggesting we're all going to be the next Zuckerberg.

But that's not the tech policy. No, the official government policy is that we're all going to be rockstars, and everyone's a special snowflake. Everything is sacrificed on the altar of growth, and those who fly too high, like Icarus, well, they just couldn't handle the heat.

It's an idiotic model and one that needs to change.

100 Million in Series A nonsense. 

Today Christy Clark announced she's creating a new public venture fund to the tune of 100 million dollars. The fund will ostensibly provide Series A funding to politically connected BC startups. They're targeting the Jobs, not the Woz.

I've been around a lot of tech startups for nearly two decades now; my experience teaches me that public money is toxic to startups. I could get into a rant here about SR&ED and such, but Ben Fox over at Medium has already penned a great 10 minute read on the topic, entitled "BC Startups: The government is not your friend".

Beyond this mess, all real startups are incorporated in Delaware. They call this being VC-ready, and it's not optional if you want to play the series funding game. The founders might live in Vancouver, sure, but name a successful VC-path company that isn't incorporated in Delaware. Is BC going to invest in Delaware-based corporations?

So if the real VC startups are out, and the real small business community (the 0-4'ers) are out, who is interested in a pile of BC government cash? No surprise there: it's the BC-based government-grant-writing subsidy suckers, the blue chip corporate lobbies parading as tech councils.

BCTIA, who was standing next to Clark when this mess was announced, has a wonderfully varied board that mixes execs from Telus, the surveillance expert from MDA, and peeps from Electronic Arts -- the progressive firm that helped bring you the high-technology worker designation and the gem that is EA Spouse. Want to know who is looking for 100m in BC's public capital? Well, take a gander at the board makeup.

These folks have nothing in common with your typical BC tech business, the small 0-4 sector guys and gals just trying to earn a living in tech; the folks who dream of one day owning a house in their hometown and being able to walk down the city streets without seeing tents set up in the park. More to the point, they've also got nothing to do with BC startups, focusing instead on the Delaware C-corp markets like everyone else in the vulture game.

Think you're going to pour 100 million of startup funding into CCPCs (Canadian-controlled private corporations) and they're going to become the next Facebook and stay a CCPC paying taxes to the crown? Dream on. Think you can require CCPC status? You just killed that startup.

Think family practices, not hospitals. Horses, not unicorns.

The typical BC Tech Business 

Your typical BC tech business is an entrepreneur and some contractors loosely set up to do something cool; if they've hired their first real employee (read: filed a TD1), then they're doing well.

Throw a stone in this town and you'll find 50 of them. They come out to meetups; they're the geogeeks and open hackers, the Open Data kids, the civic developers. They're the designers who meet at the bar on Friday and discuss the latest moronic client to ask them to do work, for free, on spec -- because the client's idea is 'just that good'. They're all profitable, tax paying, and for the most part working off of their revenues -- you won't find convertible notes, venture funding or credit-default swaps in this crew. They're incorporated in Canada, not Delaware. They think a ratchet is a tool for working on a car -- and that's a good thing.

When the venture crowd moves into town, they immediately suck the oxygen out of the room. They hire up a bunch of developers at 20%-50% over market rates, and build offices with kegerators, automated coffee machines and playground equipment -- the rest of the revenue businesses do their best to keep up, but don't really compete; after all, they're competing not with the marketplace but with some nebulous pot of cash that has to be spent. The excess should be scandalous, but everyone seems to count it as just the cost of doing business in proximity to unicorns. Don't mind the rent in Silicon Valley and the social problems gentrification is causing when there's no corresponding increase in affordable housing.

90% of these venture-funded firms fail in the first few years. A fraction of 1% of the funded 'make it', go public and convert that investor equity into serious cash from Joe Public's retirement account.

The result for the industry is a boom/bust cycle, rapid wage inflation and equally fast deflation; a tragic instability in billable rates, service revenues and the availability of qualified help -- after all, none of this results in a single new qualified programmer being added to the marketplace, and startups don't pay for student tuition. There's no extra worker capacity in this system, and high-tech workers already bill salary rates considerably higher than the median income.

Worse, training a developer is a 20 year proposition, starting from grade school -- I can count on one hand the number of developers I've met who started programming after graduation. It's not a field you retrain into, it's a craft you master -- it would be as if the NBA was looking to create the next great team by investing in training adults to play basketball for the first time.

You want to train programmers and grow the pool of talent and create good new jobs? You make sure every kid has a computer in the home and free access to the best self-paced learning opportunities outside the school system. You teach kids how to safely talk to strangers, and allow them to hang out on IRC channels and on mailing lists. You identify the difference between social media and internet communities. You kickstart digital literacy, and attack the digital divide.

But that's just the vulture capital model everyone knows and loves. What happens when the SR&ED sapsuckers get involved is even worse. Some ~5 billion in totally unnecessary corporate welfare is poured on the Canadian SR&ED sector each year, and tech gets the lion's share of it. The program was supposed to increase our innovation pace, but like copyright and patents, it stopped doing that a long time ago. You can read a bit about that here.

Due to the corporate welfare programs, these venture folks are billing a big chunk of their workers' salaries back to Ottawa and adopting a profit-comes-later attitude. Even the market giants ignore revenue and continue the lie that they're all going to be the 1000x'ers once they finish building market share. It's a killer combination. The fair market rates for services crater. The tech industry calls it disruption, but really it's just temporary market instability, as no one really expects these companies will ever turn a profit or that the lower prices will become the new normal. There's a world of hurt out there for your typical Canadian family just trying to co-exist with the jerk-tech sector. Consumers love it for a while, as the low prices seem almost too good to be true. But the catch for governments is that they really are just that -- too good to be true; every so often, perhaps once per generation, someone invents the printing press or the automated loom and an industry changes forever, but most of the time, it's just sock puppets and Super Bowl ads.

The market effect is killer: the PHP developer who was previously freelancing for a fair wage is now facing competition from a venture firm that's billing 50% of the developer back to Ottawa and making payroll through Series A funding from the province. That developer is now 'disrupting PHP' and giving away development time for 'free'. The whole thing is an unsustainable joke, but with the presence of founder ratchets, down-round protections and the other 50 tools in the vulture toolkit, there's still lots of profit to be made for the financiers, even when things predictably go off the rails. In fact, while most founders believe they have the greatest investors ever, if there's an unfavourable ratchet in the agreement, chances are your investors are actively working to ensure the next down-round.

You could call me cynical, but I've seen the cycle more times than I can count. The number of unicorns pushing 10 years old is an exceptionally short list. What's not a short list is the number of failed startups and bankrupt tech geniuses who made bad business decisions.

This is a failure architecture, and we need to give up on it already. You're not going to be a unicorn, realize the game, see the matrix, and aim for sustainability, mastery, purpose. Aim for craftsmanship.

The developer exchange.

If there's one light in the BC tech policy pipeline right now it's the BC Developers Exchange. It's pretty much under wraps, but they're developing it in a quasi-open way, with public servants working publicly on GitHub, so little gems are spilling out here and there.

The idea here is to create some sort of pay-for-pull-request model where civil servants can get the freelance crowd to hack on their project backlogs. It's a solid idea, and it should be supported.

But there's an issue: it seems to be following the same architecture as the prior Open Data program, in that there's no significant legislative commitment, no big projects to kick it off and no real meaningful funding announced. They're in the singles bar, but afraid to go talk to anyone because, well, "they've been hurt before".

Worse, when the freelance crowd has managed to get governments on board (as they did in the openStudent debacle) the Ministries involved have always got cold feet and gone for the IT barons' products. I think they're following the no-one-ever-got-fired-for-buying-IBM model. A convenient defence mechanism that prevents real opportunity from ever taking root.

IT done like this dies a death of being pecked to death by ducks, and it's why the government can't stand up a website for anywhere near what it costs in the private sector.

What they should have done.

My prescription for the BC Tech sector would be to get out of our way. 

- Ease the securities regulations that make Kickstarter and crowdfunding essentially illegal in BC.

- Allow for Social Enterprises to incorporate, and develop an appropriate legislative body around this concept. Kickstarter itself just incorporated as a B Corp, so we're behind the times already.

- Reform the treatment of stock options and shares so that taxes are collected at legitimate liquidity events and not on a calendar basis (remember the JDS Uniphase fiasco? The market does). Folks are happy to pay taxes on legitimately realized gains, but there should never be taxes assessed on purely paper gains.

- Develop things like flow-through shares and other capital mechanisms that encourage casual investment without the absurdities that come with venture capital type funding. These models actively encourage CCPCs over the Delaware model.

- Eliminate the concept of a qualified investor. The public can be accountable to its own bad investment decisions, and limiting risky investment opportunities to the rich while allowing folks to buy million dollar homes on leverage is totally inconsistent.

- Ban the Double-Irish tax avoidance nonsense. There's no point in seed funding the next Facebook if they're just going to turn around and pay no taxes.

- Get rid of SR&ED credits entirely and instead reduce payroll taxes. That's 5 billion that could go a long way to eliminating the need for CPP remittances.

- Cancel the 100 million dollar Series A fund and address the reasons BC Tech businesses think government is not their friend.

- Reduce the overhead of maintaining a corporation; my biggest single expense after salaries and computer hardware is accounting and compliance services.

- Open all the things. Open Data, Open Source, Open Government, Open Corporates. Put some real $ behind it. There's a billion dollar civic tech market at the doorstep and it will pass us by for lack of a few peanuts worth of investment to address the cost-recovery problem and a lack of data warranty.

- Kick the Robber Barons out of BC government IT procurement. Learn how to develop in-house capabilities again and how to contract and work collaboratively with a vibrant market of small vendors. Become ready to work with 79% of BC's businesses. The 0-4 employee sector drives this economy. Ditch the warranty/insurance requirements and validate the work in-house like anyone else accepting a pull request on a private sector project.

- Develop a diverse set of programming languages, application servers and technology platforms, reject the Microsoft monoculture. Embrace BYOD. Embrace infrastructure as a service.

- Buy a Raspberry Pi and an Arduino for a kid every now and again.

- Learn how to evangelize BC tech. Making connections is key to any tech business. Trade missions and other tools that connect small business with export markets will pay dividends. Exporters aren't all rip+strip+ship. There are thousands of BC small businesses that export tech services, and they contribute to the GDP, both inter-provincially and internationally.

- Most of all, don't pick winners and losers in the tech sector, ban corporate welfare, grant writing and funding applications for commercial entities. The 0-4 sector is hurt by these actions and they're downright counterproductive to market forces.

At the end of the day, the best tech policy would be one where we don't know there's a tech policy and have no reason to advocate for one. 

Rethink the plan BC. 

The long-term solutions City Council doesn't want to hear on Homelessness

With the Times Colonist reporting that City Council doesn't want to hear about long term solutions to homelessness at their upcoming town hall, I thought I'd publish some comments I had been preparing. They're rough, and not all workable, but hopefully they help folks to understand some of the issues we have to discuss if we're going to solve this crisis. Repeated bouts of criminalization and "quick fixes" are doomed to failure and waste both the City's and advocates' resources on court challenges and needless harassment of our citizens.


In the spirit of truth to power; 


Initiatives to improve market affordability by creating market supply. 

  1. End the CRD urban containment boundary.

  2. Eliminate DCCs (development cost charges) that are not directly attributable to a project.

  3. Eliminate new development/business parking requirements.

  4. Eliminate the extortive phrase 'amenity package' from council vocabulary.

  5. Reduce the number of zoning types from 628 zones to a handful representing residential, urban, commercial, and industrial zones.

  6. Eliminate zoning variance and spot zoning practices.

  7. Reduce the tax mill rate on residential units with assessments less than 1 million.

  8. Enact use-it-or-lose-it bylaws that require an occupation or active development permit or face speculation taxes.

  9. Have council set development policy, and have staff enforce approvals/rejections. End public hearings and council involvement in the approval of every shed built in the city. Return to a concept of strong and well-defined property rights and allow civil courts, not council, to deal with NIMBY/BANANA related disputes.

  10. Pay developers a bonus for every unit they create equal to 10% of the new taxes that will be generated for 10 years. (Incentives for creating newly taxable value)

  11. Improve transit options to allow for car-free living and eliminate parking costs.


Initiatives to deal with core causes of homelessness. 

  1. Safe consumption/injection site paired with well-funded rehabilitation programs.

  2. Self-exclusion programs for liquor retailers.

  3. Institutional care options for the most severe mental health issues when related to repeated criminal convictions.

  4. CrASBO (Criminal Related Anti-Social Behaviour Orders) framework for repeat-offender cases of theft, vandalism, intoxication in public, etc. End the revolving door cycle of arrest, release and re-offending for minor crimes.

  5. Greater funding for fiscal self-sufficiency programs. (Education in money management)

  6. Work-Ready programs to ensure everyone has valid identification, a social insurance number, up-to-date tax filings, bank account access, and access to clean clothing and personal hygiene services. Assist with filing bankruptcy and achieving a 'clean-slate' where applicable.

  7. Casual/At-will labour opportunities within the city; work opportunities based on a single days' effort or based upon a unit of production. Can do better than collecting refundable cans. Seek claw-back waivers from welfare programs to allow retention of benefits while doing a minor level of qualified casual work.

  8. Public outreach programs to tell citizens of Victoria not to give to panhandlers, and highlight better donation opportunities for the same charitable $: food banks, Our Place, etc.

  9. Adopt a case-management approach to each person experiencing homelessness -- tailor personalized solutions and interventions appropriate to each individual. Start with chronic criminal reoffenders.


Initiatives to deal with youth and young-adult homelessness.

  1. Fund more young-adult care options. Too many at-risk children age-out-of-care and are thrown to the streets with no safety net or supports.

  2. Better funding for social work programs for in-home interventions to deal with parental abuse, mental health and addictions issues.

  3. Positive youth opportunities for casual community contribution and paid work.

  4. Create stable and appropriate market housing opportunities for families.

  5. Deal with sources of societal and family marginalization including supports for LGBTIQ youth.

  6. Fund more anti-bullying/harassment programs and support systems for victims of this behaviour.

  7. Better Integrate community policing and restorative justice programs in a way that allows youth to see policing and social workers as friendly and in-partnership rather than always in a disciplinary/negative interaction setting.

  8. Provide better self-learning opportunities for literacy, numeracy, and computer skills. Provide a free and self-paced path to cognitive employment and a Dogwood Diploma.

  9. Provide free pathways to pardon services for the rehabilitated. Allow young-adults to escape the stigma of their past actions and achieve a 'clean slate' upon which to build.

  10. Ensure there are market housing options that are affordable (30% = $680/mo) of a median individual salary. ($27,200/yr @ 2013)


Initiatives to deal with the symptoms of homelessness

  1. Chattels protection. (Lockers placed throughout the city with time-release locks where homeless can place belongings for a period of time, and with a disclaimed expectation of privacy enforced by user-agreement such that police can search as appropriate)

  2. Post-office box services where homeless can receive mail. An address is core to receiving many government and employment services.

  3. Basic tenting platforms with bike/chattels lockers in city parks experiencing camping. Usage by permit available at homeless shelters and needs tested. Can revoke permits for those who offend the social order (eg public-view drug use, chattels not within tent or locker, etc). To reduce the security/neighbourhood impact, a maximum of 6 individual platforms/acre should be targeted. Tents must be taken down during the day, but may be stored in park lockers. Tents (see red-tent campaign design) would be supplied with the permit and only the approved tents may be used on the platforms.

  4. A public washroom station (including a shower), sharps container and emergency call station placed in every city park.

These are just a few additional ideas, and they aren't intended as a replacement for the valuable and needed contributions of affordable and project housing, homelessness supports and counselling services provided by dozens of organizations throughout our town.

Victoria Amalgamation - Grasshoppers and Ants.

Amalgamation is back in the news today, and the polls look supportive, but is polling data, taken in ignorance of the financial consequences, useful or actionable?

I’m a data guy, and when it was suggested that Victoria put a question to voters: “Are you in favour of reducing the number of municipalities in Greater Victoria through amalgamation?”  I thought about the issue and realized I had no information on which to base that decision.

Amalgamation is a super complex subject — Greater Victoria has 13 municipal governments plus the CRD, a lot of redundancy and, as evidenced by the sewage issue, problems making decisions that don't boil down to not-in-my-backyard. Amalgamation could be hugely helpful here, and that would tend to bend my thinking to the YES side of the question, but then there's this nagging question in my head. WHAT WILL IT COST?

I sought to answer that question. I pulled in all the favours from all the data agencies I could think of. Apologies to the Data BC team, and Citizen Services as I requested and FOI’d data from the province — which it turns out they don’t even track. I had a simple question to solve:

What is the financial position of each of the 13 municipalities in Greater Victoria?

Turns out, no one, not even the province can answer that question - and I have the negative FOI response to prove it.

All municipalities are required to submit an annual report to the province, and that includes data about debt, reserves, income, etc. It even has some data on non-financial assets (those things like sewers and roads that municipalities are principally responsible for). But, and here's the rub, the data is historical: how much they spent, and how much that spend depreciated. An old city like Victoria with its aging infrastructure looks a lot smaller than it is on paper because so much of the infrastructure was installed in the early 1900s. So where's the financial position really sitting? Is the value of a city its assets as classically understood, are its liabilities really just financial instruments, spends and depreciation, or is the liability really the fact that the city has to maintain its infrastructure service level? We can't turn off sewers or water mains, or stop maintaining bridges and roads.

There's a surprising lack of sophistication in tracking that liability, and it has led to a phenomenon known as 'borrowing from the pipes', wherein a municipality defers critical maintenance to pay for politically popular amenities. It's certainly hit the Greater Victoria region, and hit it hard over a number of councils, and it is generations away from being fixed; this is a long-term problem that requires long-term solutions.

I set out to answer that question though: what is the financial position of the 13 regional municipalities? I've started to get answers, but only via very time consuming FOI requests. No one has studied this, and the poll-accessible public has no idea what this amalgamation thing will cost them.

Amalgamation supporters suggest that studies come after the question, but for me the question is unanswerable. I would support amalgamation if it were a philosophy, but not if my Dad's household (Saanich residents) sees taxes go up while services go down to cover off municipalities that have failed to maintain their assets.

Aesop's fable of the Grasshopper and the Ant comes into play here. While the ant dutifully toils all summer to put away food for winter, the grasshoppers just sang and played. When winter came, the grasshoppers were banging at the ants' door for food, only to be given a hard lesson in planning for the future. This region's municipalities range from ants to grasshoppers.

Not one to take no for an answer, I have begun to FOI the region's municipalities for data on this 'borrowing from the pipes' question. The City of Victoria was the only municipality to proactively publish the information on their website, and I now have 3 other FOI responses, from Saanich, Esquimalt and Oak Bay.

The data's up at Google Docs; forgive the formatting, as it's a transitory dataset and will be cleaned up when I'm done.

Here's the 30 second version. You take the book value from the annual report (what the municipality considers the financial value of the assets in the ground) and divide it by what it will cost to replace those assets when their useful life is up (the replacement cost figure). This gives you a ratio; let's call it the McArthur Infrastructure Ratio. The difference between the two figures (replacement cost minus book value) is the future liability the municipality is carrying off-book. This isn't a perfect measure, and there have been lots of problems pointed out with it (inflation and appreciation of fixed assets being the biggest issues), but we can factor out most of these as they are comparable between cities. On a per-city basis the ratio isn't particularly informative, but when compared to its neighbours, it tells a story.

So far the ratios in Victoria break down like this;

City - McArthur Infrastructure Ratio (Book Value : Replacement Cost) [Future Liability R-B]

Saanich - 39% ( $758,105,520 : $1,946,400,000 ) [$1,188,294,480]
Esquimalt - 35% ( $77,312,184 : $219,560,000 ) [$142,247,816]
Victoria - 20% ( $342,756,413 : $1,708,000,000 ) [$1,365,243,587]
Oak Bay - 10% ( $49,548,291 : $485,039,900 ) [$435,491,609]

I'm working on getting all 13 prior to November, but FOI is a slow process.

What this tells us is that Saanich is full of ants, prudently paying for their infrastructure as it ages and deferring amenities until they can be afforded. Oak Bay, not so much; lots of happy singing and heel chirping coming from that region. Victoria sits in the middle. Most importantly, there are billions in future infrastructure liability for our next generation.

So with that in mind, what does the amalgamation question look like? Well, it looks like Saanich residents are going to get a pretty raw deal: on a financial basis they bring over double to the table compared with Victoria, and 4x as much as Oak Bay. They will certainly lose in an amalgamated structure. Oak Bay, on the other hand, would do very well financially, and it is this fact, I believe, that is so strongly driving this agenda in the wealthier circles of town.
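The ratio arithmetic above, and the winners-and-losers comparison, carried through in code. This is an added example, not part of the original post or its Google Docs dataset; it embeds the four book value and replacement cost figures quoted in the table, recomputes the ratio and the R-B liability for each municipality, ranks them, and then pools the four into one balance sheet. The pooling rule (an amalgamated municipality simply inherits the sum of its members' book values and replacement costs) is an assumption made here for illustration, not something the post states, and the "loses"/"gains" labels, the class and function names are likewise this example's own.

```python
# Added example (not from the original post): recompute the McArthur
# Infrastructure Ratio and future liability from the four FOI figures
# quoted in the text, rank the municipalities, and pool them to show
# what a single amalgamated balance sheet would look like.
from dataclasses import dataclass

# Figures as quoted in the post: (book value, replacement cost), in CAD.
MUNICIPALITIES = {
    "Saanich":   (758_105_520, 1_946_400_000),
    "Esquimalt": (77_312_184,    219_560_000),
    "Victoria":  (342_756_413, 1_708_000_000),
    "Oak Bay":   (49_548_291,    485_039_900),
}


@dataclass(frozen=True)
class InfrastructurePosition:
    name: str
    book_value: int
    replacement_cost: int

    @property
    def ratio(self) -> float:
        """McArthur Infrastructure Ratio: book value / replacement cost."""
        return self.book_value / self.replacement_cost

    @property
    def future_liability(self) -> int:
        """Replacement cost not yet reflected on the books (R - B)."""
        return self.replacement_cost - self.book_value


def positions(data=MUNICIPALITIES) -> list:
    return [InfrastructurePosition(n, b, r) for n, (b, r) in data.items()]


def ranked(data=MUNICIPALITIES) -> list:
    """Ants first: highest ratio down to lowest."""
    return sorted(positions(data), key=lambda p: p.ratio, reverse=True)


def pooled(data=MUNICIPALITIES) -> InfrastructurePosition:
    """Assumption (not from the post): an amalgamated municipality inherits
    the sum of its members' book values and replacement costs."""
    ps = positions(data)
    return InfrastructurePosition(
        "Amalgamated",
        sum(p.book_value for p in ps),
        sum(p.replacement_cost for p in ps),
    )


def winners_and_losers(data=MUNICIPALITIES) -> dict:
    """A member whose ratio sits above the pooled ratio brings more than its
    share of paid-for infrastructure to the merger and so 'loses'; one below
    the pooled ratio offloads liability onto the others and 'gains'."""
    pool = pooled(data).ratio
    return {p.name: ("loses" if p.ratio > pool else "gains")
            for p in positions(data)}


def report(data=MUNICIPALITIES) -> str:
    """Plain-text table in the same shape as the one in the post, plus the
    pooled row."""
    lines = [f"{'City':<12}{'Ratio':>6}{'Book':>16}{'Replacement':>16}{'Liability':>16}"]
    for p in ranked(data) + [pooled(data)]:
        lines.append(f"{p.name:<12}{p.ratio:>6.0%}{p.book_value:>16,}"
                     f"{p.replacement_cost:>16,}{p.future_liability:>16,}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
    print(winners_and_losers())
```

Run as a script it prints the four rows in ant-to-grasshopper order followed by the pooled row; the pooled ratio lands between Esquimalt and Victoria, which is exactly why Saanich and Esquimalt come out as the ones subsidising Victoria and Oak Bay under this (assumed) pooling rule.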

All of this is to say, it's way too early to ask the question "Are you in favour of reducing the number of municipalities in Greater Victoria through amalgamation?". I would instead ask "Do you support committing funding to study the issue of municipal amalgamation?". That would be the democratic question. Asking for the opinion of an uninformed public is little more than 'distraction' and the result isn't useful. Sadly, making a case based on data doesn't seem to be on the agenda for the pro-amalgamation lobby, and we saw that again today with this poll.

Metadata, privacy, access and the public service.

On May 15, 2014 the OIPC (Office of the Information and Privacy Commissioner) released order F14-13 [pdf] denying a Section 43 application (to disregard a FOI request). Being the data/privacy policy wonk that I am, I tend to read all the orders put out by the OIPC; there's usually something interesting. This one was really interesting.

Someone had filed a request for the metadata associated with government emails — that is, who emails whom, and when — but excluding the content of those emails. The Open Data community has long mused about filing such a request, as it could be the single most important dataset for understanding how our government works, however, it was always considered extremely audacious to file as the public service was sure to have a strong reaction to an unprecedented level of analysis of their communications. On May 15, I had no idea it had been filed, or that there was even a case before the commissioner.

So, upon seeing the OIPC ruling, I filed an FOI request with Citizens Services (now denied) for the Section 43 application and the supporting documentation that resulted in the order. I was hoping to learn why the province felt it should ignore this request, and under what justification. I also contacted the privacy commissioner’s office to see if there was any way to become an intervenor on the file and provide an amicus-type opinion for the commissioner's consideration.

Through the opendatabc mailing list, I posted the story, and Paul Ramsey came forward and shared that it was his request. For those who don’t know, Paul is a brilliant data geek, having helped build the PostgreSQL database software that powers much of the internet — if anyone has the ability to work with this information, it is he.

Moving ahead 30 days later, I have my FOI answer — records prepared for an officer of the legislature (i.e. the OIPC) are outside the scope of FOIPPA and my request for the Section 43 application and documentation was denied outright by Citizens Services. The OIPC process wasn’t fruitful either, as the Section 43 matter had already been ruled on and they weren’t sure the file was going to come back to them — so no avenue for comment there. (I’m now told, via Paul, that the request has been denied again subsequent to the Section 43 ruling and has gone back to the commissioner for another round. I’m still hoping to be able to provide comments.)

This issue might be the single most controversial FOI request filed in BC history — and it will set a lasting and groundbreaking precedent. At question is whether the public service is accountable to the public in its metadata records. The public interest in the metadata cannot be understated, nor can the complexity of the access rights in question.

As a comparison, however, CSEC, Canada’s signals intelligence agency, spends obscene amounts of money analyzing the metadata of foreign governments — under the guise of increasing Canadian economic advantage. Will the FOI legislation, allowing citizens to oversee our own government, be given the same funding and economic priority as, say, CSEC spying on Brazil’s government?

A core question is whether it is ‘just metadata’. Privacy commissioners have disagreed, citing privacy implications; spy agencies have argued it's no big deal, arguing it carries different privacy expectations than, say, a telephone wiretap. But — and here’s the crucial part — when it comes to transparency of the public service, where there are explicitly waived privacy expectations found in email policy documents and a crucial right of public access, what will the balance be for public service metadata?

In my opinion, this could be the single most valuable dataset ever released under FOI and this request will likely define public sector metadata policy for generations to come.

It is crucial that we get it right.

Setting the record straight on Halifax E-voting.

There is currently a story making the media circuit on electronic voting in the Halifax municipal elections. This is the story of that election and how this information became known, and what remains hidden behind responsible disclosure today.

In September 2012 I learned that Halifax was going to be using e-voting and that they had been making claims about the security and viability of online voting – and so I reached out to colleagues in the security community to see if anyone had done any security evaluation of this e-voting solution.

The response I got back was that no one had done the research because there were concerns about the climate for this type of research. For example, just watching a voter cast their vote could be considered an election offence in some jurisdictions. So I decided to do some basic 'right to knock' type research before the election was open rather than investigate during the voting period. I simply checked out the publicly facing voting instructions on the municipal website and visited the website to see what security they were presenting to would-be voters. For example, was it presenting an identity-validated EV SSL certificate? I did some other basic security checks that didn’t require anything more than loading the webpage and looking up details in public registries. To my surprise, the voting portal had been set up by the middle of September (presumably for testing), and there were a number of items I found concerning with the implementation I was seeing.

So I wrote it up, and sent it over to CCIRC (the Canadian Cyber Incident Response Centre)... these are the guys responsible for managing cyber threats against critical infrastructure in Canada – and I've worked with them before on similar disclosures (like IN11-003) ... the process is known as “Responsible Disclosure” and gives the government and the vendors the opportunity to address the problem and make the information public once they have done so. It's generally considered impolite to talk about security vulnerabilities before they have been addressed because they can be used by malicious persons before the systems are corrected.

I never heard back from CCIRC, except for a single 'ack'[nowledged] email confirming receipt. I assumed they were still working on the problem – and perhaps they still are today. Fast forward a few months and I'm discussing online security with a local group of individuals and I bring up the Halifax Election as an example of a system I have concerns with. I don't tell anyone what the specific security issues are, and so after that, a local journalist, Rob Wipond, comes up and asks me for more detail, essentially, for proof – to which I say “I can't tell you that, ask the government” and point him towards CCIRC ... little did I know he would, and did.

May arrives and the CCIRC has apparently filled an ATIP request made by Rob Wipond and he sends the result to me for comment. It's mostly redacted, but it does show that they took the issues seriously and contacted the municipality and vendor to get the issues addressed. It says they mitigated some concerns, but not specifically which ones or what the fixes were. The redactions were unsurprising as the information had not otherwise been made public at this time and many of the concerns would have been hard to resolve. We're not talking about a quick software fix, but rather, altering voting instructions and redesigning how the system is implemented.

Rob apparently put together a video and asked the vendor and the municipality for comment. I didn't think much of it, Rob hadn't discovered the details of the security vulnerabilities and was reporting about redacted documents and questionable audits. I'd never shared the vulnerability data with Rob, so he had very little to work with.

Nevertheless the story gets picked up by CBC radio and I hear Rob talking about the issue. You can listen to that here. ... but he's still not got the details, and so I decide to let the story continue along without my input – what can I add if I can't talk about the vulnerabilities.

Then, everything changes. The next day CBC has the HRM clerk and the vendor on air to respond to the concerns. ... I was shocked. During the interview the lady from HRM discloses that we're talking about a “Strip Attack”. She reassures the public in no uncertain terms: when asked “Was the election spoofed” she says “Absolutely not.”... I was floored. Not only can they not know this, but they disclosed the type of security vulnerability in play. Then the vendor goes on about things that have nothing to do with these types of attacks, like immutable logs and receipts. They call the whole thing hypothetical, never pointing out that it's illegal to hack into a live voting system, so no one could give them proof even if they wanted to.

So now that the cat is out of the bag on the “Strip Attack” portion, I can talk about that part of the disclosure. Those in the know call this ex-post discussion. There remain 2 of the 3 areas of concern that are still secret though, and so I won't be talking about those items.

I've re-scanned the CCIRC disclosure document to remove the redactions around the now-publicly known stripping attack. You can download that document here [PDF].

My final conclusion in the disclosure was:

“The election process in use may present a number of security and privacy challenges that electors may not be sufficiently aware of when deciding to cast their votes online. These vulnerabilities and lack of auditability may affect the perceived validity of the election result for those that did not use the online mechanisms to vote. The online election may need to be suspended in order to address these and other issues not here disclosed.”

I also make clear that “This can be achieved at scale sufficient to draw into question the election result and is difficult, if not impossible to detect as there are limitless network perspectives that could be attacked.”

I was also concerned to hear that they think these types of attacks are hard, and require considerable cost and effort. The reality, of course, is that like any computer vulnerability, there are those who discover and publish these techniques (hard) and those who simply use them (easy). We call the latter “script kiddies” and yes, you can think of them as they are brilliantly portrayed in this Rick Mercer skit.

In this case an SSL stripping attack could have been achievable with a piece of off-the-shelf software called SSLstrip. It's not hard to use, and doesn't require any considerable effort to install. It can be set up at practically any point between the voter and the voting server and could compromise the confidentiality of the voting information. The problem lies in the voting instructions – when users type in “” their browser translates that into and not ... since there's no SSL at the start, the attacker simply makes sure it stays that way. Everything else looks identical to the user, save for a missing s in the URL bar and a lock icon that never shows up. But there was also a third-party domain in use at the time I did the research – the voter got redirected to a site called that was previously unknown to the voter. The attacker could simply redirect that user to, a site with SSL set up, https in the URL bar and the lock icon lit -- they clone the website and drop the votes on the floor, collect credentials, etc. You'd have to be really on your game to know that is not the same as in your URL bar, given you'd never heard of either of them before you visited the website. These types of plain stripping and hybrid stripping/phishing attacks are ridiculously common on the internet today; they are not difficult to achieve and are particularly difficult, if not impossible, to detect, as no altered traffic ever hits the official servers.

To actively modify the information in transit – like to flip votes, an attacker would use this tool along with a simple shell script to modify parts of the communication between the voter and the voting servers. Contrary to assertions that you'd have to recreate an entirely new voting app, you rather only have to change a few lines in the in-transit data. At most it's a few hundred lines of script -- it's the kind of thing the smart kid in your high-school computer lab can do. If it's done aptly, the voting servers see the user's original IP address and a legitimate SSL connection – SSL is only stripped from the voter's perspective, and not the server's. In general (and I've not researched this particular solution) ... receipts and voter codes won't save the process as the attacker can see the codes, hide the receipt entirely, hand out receipts for other legit votes (receipt multiplication), or simply include more form fields on the webpage that ask the voter for more information, like their name and address.
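The stripping attack described above works because the first request is plain HTTP and nothing later forces the browser back onto TLS. The following check is an added example written for this post; it is not the author's disclosure code and not any vendor's software. It takes the address printed in voter instructions plus the first responses the browser would get for the http and https forms of that address (constructed here, not captured from any election system) and reports the conditions that leave room for stripping: an http instruction URL, no redirect to https, a redirect that hops to an unfamiliar domain, and an absent or short Strict-Transport-Security header. The host names, the one-year max-age threshold and the two-label domain comparison are assumptions of the example.

```python
from urllib.parse import urlsplit

# Assumption: one year is the minimum HSTS max-age we are willing to accept.
MIN_HSTS_MAX_AGE = 365 * 24 * 3600


def registrable_domain(host):
    """Crude eTLD+1 (last two labels). Assumption: adequate for the sample
    hosts below; a real audit would consult the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def hsts_max_age(header_value):
    """Return the max-age directive of a Strict-Transport-Security value, or None."""
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            try:
                return int(value.strip().strip('"'))
            except ValueError:
                return None
    return None


def audit_entry_point(instruction_url, http_response, https_response):
    """Return a list of stripping-related findings for one voting entry point.

    instruction_url : the address as printed in the voter instructions
    http_response   : (status, headers) for the plain http:// form of that address
    https_response  : (status, headers) for the https:// form
    An empty list means every check passed.
    """
    findings = []
    parts = urlsplit(instruction_url)
    host = parts.hostname or ""
    if parts.scheme != "https":
        findings.append("instructions omit https: the very first request is in the clear")

    status, headers = http_response
    headers = {k.lower(): v for k, v in headers.items()}
    location = headers.get("location")
    if not (300 <= status < 400 and location):
        findings.append("plain-http request is answered directly, not redirected to https")
    else:
        target = urlsplit(location)
        if target.scheme != "https":
            findings.append("http redirect does not upgrade to https")
        if target.hostname and registrable_domain(target.hostname) != registrable_domain(host):
            findings.append(
                f"redirect sends voters from {host} to {target.hostname}, "
                "a domain they have no way to recognise as legitimate")

    _, sheaders = https_response
    sheaders = {k.lower(): v for k, v in sheaders.items()}
    hsts = sheaders.get("strict-transport-security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header: returning browsers can be downgraded again")
    else:
        age = hsts_max_age(hsts)
        if age is None or age < MIN_HSTS_MAX_AGE:
            findings.append("Strict-Transport-Security max-age missing or shorter than a year")
    return findings


# Constructed fixtures (hypothetical hosts, not real election infrastructure).
WEAK = dict(
    instruction_url="http://vote.example-city.test/",
    http_response=(302, {"Location": "https://vendor-portal.example.test/login"}),
    https_response=(200, {"Content-Type": "text/html"}),
)
HARDENED = dict(
    instruction_url="https://vote.example-city.test/",
    http_response=(301, {"Location": "https://vote.example-city.test/"}),
    https_response=(200, {"Strict-Transport-Security": "max-age=63072000; includeSubDomains"}),
)

if __name__ == "__main__":
    for label, case in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_entry_point(**case) or ["ok"])
```

The HSTS check is deliberately made against the https response only: browsers ignore the header on plain-http replies, so a site that sets it in the wrong place gains nothing. None of these checks can see an attacker who is already in the path; they tell you whether the entry point gives the browser any reason to refuse the downgrade in the first place.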

To the incredulous question of 'why' anyone would go to that minimal effort, well, all I can say is – we are still talking about a public election? Right? A recount is impossible, and a city council is the prize.

To the other concerns, well, ask CCIRC or HRM if they're willing to make those public too.

ALPR and Digital Civil Rights

Once again my fight for digital civil rights has landed on the front page of the Times Colonist, this time in relation to the ALPR (Automatic License Plate Recognition) surveillance system. I highly recommend reading the commissioner's report, which you can find at

The report goes into great detail about the ALPR program and is derived from a lot of information that our research group has not been able to obtain under the freedom of information access processes -- this despite repeated requests for all documents of all types relating to the ALPR program. (Rob Wipond reports that he currently has 6 complaints before the federal information commissioner)

The report reveals that non-hit data (data including the movement patterns of innocent Canadians) is being acquired and shared outside of the BC jurisdiction. It also makes crystal clear that where local police collect the information, they are in custody of the information and are subject to FIPPA regulations on their handling of that data. This includes not storing and not sharing any data that is, after scanning and comparison to an on-board hotlist, no longer useful for policing purposes.

The Commissioner's report also reveals a new data point which we were unable to access: obsolete hits. These are hits that are valid at some point in the database, but that are no longer valid when the vehicle is scanned. The commissioner's report suggests that these false hits cannot be shared with the RCMP either. This requirement alone is a huge win for accountability of this program, as it will mandate the review of each and every hit produced by the ALPR system before it is shared with the RCMP or used for secondary purposes. This should return the ALPR system to being a useful convenience tool for police plate scanning, but will remove the dragnet surveillance capability of the system as it will likely necessitate manual review of the data produced.

That said, I was disappointed that the commissioner did not engage in an analysis of the confidence rating of the system as a whole. With accuracy rates claimed in the 70-95% range for ALPR systems more generally, they have the potential to generate tremendous amounts of false, incorrect information that will be used against people. The commissioner's report gives us two data points that are hugely valuable in this regard however. For every 100 scans, only 1 is a hit. In a 95% accurate scanning system, 5 scans in 100 will be inaccurate. The report also states that 4% of hits are obsolete hits, further reducing the confidence rating of the resulting data produced. A Bayes' theorem analysis of the overall system's data confidence rating is definitely needed, but will require significant resources and access to do properly. The initial data however, suggests that the system may produce significant volumes of incorrect data, and confidence ratings may be low enough to call into question the entire program, even when only discussing the hit-data context. Certainly ALPR's use as an evidence-generating tool for court purposes will be easily challenged and investigations that start from ALPR data may be subject to the poisonous tree doctrine in certain jurisdictions.
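To show what the Bayes' theorem analysis called for above looks like with the report's own numbers, here is an added worked example; it is not the commissioner's calculation and not the author's. It assumes that "1 hit per 100 scans" can be read as a 1% prevalence of hotlisted plates, that "95% accurate" means the reader misses 5% of hotlisted plates and also falsely matches 5% of innocent ones, and that the 4% obsolete rate applies to hits that were otherwise correct. All three readings are assumptions; the function takes each rate as a parameter so they can be replaced once better data is obtained.

```python
def hit_confidence(base_rate, sensitivity, specificity, obsolete_rate=0.0):
    """Probability that a hit reported by the scanner is a true, current hit.

    base_rate     : fraction of scanned plates genuinely on the hotlist
    sensitivity   : P(reported hit | plate on hotlist)
    specificity   : P(no hit     | plate not on hotlist)
    obsolete_rate : fraction of otherwise-correct hits whose hotlist entry is stale

    Bayes: P(on hotlist | hit) = P(hit | on hotlist) P(on hotlist) / P(hit),
    with P(hit) = sens * base + (1 - spec) * (1 - base).
    """
    true_hit = sensitivity * base_rate
    false_hit = (1.0 - specificity) * (1.0 - base_rate)
    positive_predictive_value = true_hit / (true_hit + false_hit)
    # A stale entry turns a correct read into a wrong action, so it is
    # removed from the "useful hit" share as well (assumption, see lead-in).
    return positive_predictive_value * (1.0 - obsolete_rate)


def expected_counts(scans, base_rate, sensitivity, specificity):
    """How many true and false hits a batch of scans is expected to produce."""
    on_list = scans * base_rate
    not_on_list = scans - on_list
    return {
        "true_hits": on_list * sensitivity,
        "false_hits": not_on_list * (1.0 - specificity),
        "missed": on_list * (1.0 - sensitivity),
    }


def confidence_sweep(base_rate=0.01, obsolete_rate=0.04, accuracies=(0.70, 0.80, 0.90, 0.95)):
    """Confidence across the 70-95% accuracy range claimed for ALPR systems,
    treating each claimed accuracy as both sensitivity and specificity (assumption)."""
    return {acc: hit_confidence(base_rate, acc, acc, obsolete_rate) for acc in accuracies}


if __name__ == "__main__":
    # Report figures as assumed in the lead-in: 1% base rate, 95% accuracy, 4% obsolete.
    print("P(true current hit | reported hit):", round(hit_confidence(0.01, 0.95, 0.95, 0.04), 3))
    print("per 100,000 scans:", expected_counts(100_000, 0.01, 0.95, 0.95))
    for acc, conf in confidence_sweep().items():
        print(f"claimed accuracy {acc:.0%} -> confidence {conf:.1%}")
```

With the 1%/95%/4% inputs the result is that only about 15% of reported hits are true, current hits; the other 85% are innocent plates misread as hotlisted or stale entries. At 70% claimed accuracy the figure drops to roughly 2%. This is the usual base-rate effect: when the thing being looked for is rare, even a small false-match rate swamps the true matches, which is exactly why the "hit" context alone does not rescue the data's confidence rating.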

Overall, I'm thrilled with the report. It validates what I and my colleagues have been saying about police use of surveillance tools and is an incredible study into what these programs actually look like in practice. The data in the other-pointer-vehicle category, as just one example, shows just how broadly these programs are being applied. It also draws into question many previous statements by the authorities on the scope of the ALPR program.

I look forward to Victoria Police and the province fulfilling the report's recommendations on disclosure and access to information. Sunlight is always the best disinfectant.

#PeerJacking - SSL Ecosystem Attacks Against Online Commerce

Responsibly Disclosed to Canadian Cyber Incident Response Centre [CCIRC], Office of the Privacy Commissioner of Canada and Canadian Bankers Association, July 15, 2011. Informs government Public Safety Notice IN11-003 released December 20, 2011. Due to the scope of the issue, vendor notification was performed by CCIRC.

Users of the following libraries should evaluate their software for exposure to IN11-003 (#PeerJacking). Many of these libraries are now patched by the vendors, but the patched versions still need to be deployed on end-user web servers.

Moneris eSelectPlus 2.03 PHP API
PayPal SDK Soap (MD5: ae8b2b7775e57f305ded00cae27aea10)
PayPal SDK NVP (MD5: 5a5d6696434536e8891ee70d33b551bd)
PayPal WPS ToolKit (MD5: a9e7c4b8055ac07bb3e048eecc3edb14)
Library (* Defaults to secure, but affected by configuration instructions. anet_php_sdk-1.1.6)
Google Checkout Sample Code (V 1.3.1 for PHP) (Article Updated April 2, Patched in V.1.3.2 Download Here)
OSCommerce 2.3.1
CiviCRM 4.0.5 (Update Apr 2: Still vulnerable as of V 4.1.1)
Magento 1.5 (Update Apr 2: Vulnerabilities still exist as of version 1.6.2)
UberCart for Drupal (uberdrupal-6.x-1.0-alpha8-core)
Pear Services Twitter. (0.6.3)
Themattharris Oauth (< 0.61) (*Twitter indexed library )
TwitterOAuth (File date: May 18, 2011, *Twitter indexed library)

Additionally the following GitHub Search may help identify affected libraries. Here. Instances of CURLOPT_SSL_VERIFYPEER set to false or 0, and instances of CURLOPT_SSL_VERIFYHOST set to 0, 1, or true rather than the value 2, may indicate exposure. PHP ships with secure defaults for these values and thus this is not a vulnerability in PHP or CURL, but entirely contained within library code.

Libraries where these default values are overridden and not correctly set will be vulnerable to man-in-the-middle interception and modification of data in transit by an attacker using a self-signed SSL certificate and off-the-shelf software. Fixes to these libraries usually cannot be deployed centrally by the vendors, and typically must be upgraded individually on all deployed client systems.
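The GitHub search mentioned above can be reproduced locally against a code base before deployment. The scanner below is an added example, not part of the IN11-003 advisory or of any listed vendor's code; it applies the same rule the post gives (CURLOPT_SSL_VERIFYPEER set to false or 0, CURLOPT_SSL_VERIFYHOST set to anything other than 2) to PHP source using a regular expression, and flags a variable in that position for manual review because the value cannot be resolved statically. The PHP snippets it runs over are constructed for the example; the regular expression only recognises the curl_setopt and array-literal forms, which is an assumption about how the libraries set these options.

```python
import re

# Matches  curl_setopt($h, CURLOPT_SSL_VERIFYPEER, false)  and the array form
# CURLOPT_SSL_VERIFYHOST => 1 . Captures the option suffix and the raw value.
_OPT = re.compile(
    r"CURLOPT_SSL_(VERIFYPEER|VERIFYHOST)\s*(?:,|=>)\s*(\$?\w+)",
    re.IGNORECASE,
)


def classify(option, value):
    """Return 'insecure', 'review' or 'ok' for one option/value pair.

    VERIFYPEER must be true (peer certificate checked against the CA bundle);
    VERIFYHOST must be 2 (hostname checked against the certificate). PHP's
    true is 1, so true is NOT an acceptable VERIFYHOST value.
    """
    if value.startswith("$"):
        return "review"          # runtime value; look at how it is set
    v = value.lower()
    if option == "VERIFYPEER":
        return "insecure" if v in ("false", "0", "null") else "ok"
    if option == "VERIFYHOST":
        return "ok" if v == "2" else "insecure"
    return "ok"


def scan_php(source, filename="<string>"):
    """Return (filename, line, option, value, verdict) for every non-ok setting."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in _OPT.finditer(line):
            option, value = m.group(1).upper(), m.group(2)
            verdict = classify(option, value)
            if verdict != "ok":
                findings.append((filename, lineno, "CURLOPT_SSL_" + option, value, verdict))
    return findings


# Constructed PHP, in the shape the post describes: verification switched off.
VULNERABLE_PHP = """<?php
$ch = curl_init($endpoint);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);   // accepts any certificate
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 1);       // never checks the hostname
$response = curl_exec($ch);
"""

# Constructed hardened version: PHP's own defaults, stated explicitly.
SECURE_PHP = """<?php
$ch = curl_init($endpoint);
curl_setopt_array($ch, array(
    CURLOPT_RETURNTRANSFER => 1,
    CURLOPT_SSL_VERIFYPEER => true,
    CURLOPT_SSL_VERIFYHOST => 2,
));
$response = curl_exec($ch);
"""

# Constructed case where the value comes from configuration (needs a human).
CONFIGURABLE_PHP = """<?php
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, $this->verifyPeer);
"""

if __name__ == "__main__":
    for name, src in (("vulnerable", VULNERABLE_PHP), ("secure", SECURE_PHP), ("configurable", CONFIGURABLE_PHP)):
        for finding in scan_php(src, name + ".php") or [(name + ".php", "-", "-", "-", "clean")]:
            print(*finding)
```

A clean result from this scanner means only that the two options are not visibly disabled in the scanned files; a library that reads them from a configuration array, or that ships instructions telling integrators to turn them off (the PayPal WPS case in the list above), still needs the "review" findings followed up by hand.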

Please contact the Canadian Cyber Incident Response Centre for further mitigation information and advice. Thanks to Tamir Israel (CIPPIC) and Christopher Parsons for their assistance in responsibly disclosing this vulnerability.
