Sunlight Foundation

Testifying Before Full House Oversight Committee on Federal Spending Transparency

Tomorrow morning I will be testifying before the full House Oversight and Government Reform Committee about the Sunlight Foundation's work to liberate federal spending data and experience in developing databases and tools for tracking spending. The hearing, entitled "Achieving Transparency and Accountability in Federal Spending," will be the second opportunity for me to discuss the Sunlight Foundation's Clearspending report where we identified nearly $1.3 trillion in misreported federal spending. The two-hour hearing should be live-streamed on the committee website and will start at 9:30 am in Rayburn 2154.

It is an exciting time to continue this important conversation as just today there were two new federal spending developments. The House Oversight Chair Darrell Issa (R-CA) introduced a major piece of transparency legislation that would transform how we track federal spending and identify waste, fraud and abuse. You can read more about the bill from a blog post by Daniel Schuman, Sunlight's policy counsel. The White House also issued an executive order today that will put Vice President Biden in charge of an 11-member oversight board — very similar to the Recovery and Accountability Transparency Board — to address federal agency waste and fraud.

The entirety of my remarks appears below:

6-14-11 - Written Testimony of Ellen Miller before the Committee on House Oversight and Government Reform

FAPIIS May Be the Worst Government Website We've Ever Seen

Yesterday the government’s Federal Awardee Performance and Integrity Information System (FAPIIS) came online. This is something we’ve been looking forward to for a while. It’s easy to find horror stories about the mismanagement of contracts; this isn’t surprising when you consider the disorganized constellation of contractor oversight databases that exists, many of which aren’t open to the public. Getting FAPIIS online should be a step toward fixing that problem. Yesterday government took that step.

POGO has some thoughts about it that are certainly worth your time. But we can’t help chiming in as well. In short: this site is terrible. As one colleague said, “This might be the worst website I’ve ever seen.”

This is at least debatable. Contracting databases are part of the world of procurement, procurement is heavily influenced by the Defense Department, and DoD has a proud heritage of producing websites so ugly that they make you want to claw out your eyes. So FAPIIS has company. But if this was just a question of aesthetics, we wouldn’t be complaining.

Assuming you’re using one of the few web browsers in which the site works at all (Chrome and Safari users are out of luck), the experience is off-putting from the start, as users are warned that their use of the site may be monitored, surveilled, or otherwise spied upon (you don’t necessarily surrender your right to speak privately to your priest by using the website, though—thanks for clearing that up, guys!). Perhaps this is why their (arguably superfluous) SSL certificate is utterly broken. But let’s click past the security warnings and proceed.

Here’s the next screen. It contains a captcha.

Let’s be clear: the use of a captcha to gate government data is outrageous. Government should be making its data more accessible and more machine-readable. Captchas are designed to interfere with automated tools that facilitate malicious acts. But downloading government data is decidedly not a malicious act. Why are we trying to limit machines’ ability to use this data?

But our irritation with the captcha is softened a bit by how laughably inept its implementation is. It’s made of black and white text, unrotated, unskewed, superimposed on the same black and white grid every time. Here’s a stab at how you’d beat it:

  1. Subtract grid
  2. Flip every white pixel that’s bordered by 2 or more black pixels to black
  3. Identify columns of all-white pixels and slice the image by them
  4. Crop the resulting slices, then recombine
  5. OCR

You could probably get this done using a stock PHP distribution in about an afternoon. But you don’t need to, because even this pathetic level of security isn’t properly implemented! Instead the human-readable text is sent to the client as a SHA1 hash in a hidden field. That hash is compared to the hash of what the user enters for the captcha code. So a scraper can just ignore the captcha and resend a solved hash for every request — it’ll work just fine[1]. They didn’t even salt the hash. Whoever wrote this has absolutely no idea how to implement a secure system.
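The verification flaw described above, reduced to its logic and set beside a server-side alternative, as an added example (not FAPIIS code and not code from the original post). The field names `captcha_text` and `captcha_hash`, the `ChallengeStore` class and the sample answers are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def sha1_hex(text):
    return hashlib.sha1(text.encode()).hexdigest()


# Flawed design from the post: the expected answer's unsalted SHA-1
# is handed to the client in a hidden field and trusted on the way back.
def flawed_issue(answer):
    return {"captcha_hash": sha1_hex(answer)}  # hypothetical field name


def flawed_verify(form):
    # Both operands come from the request, so the server checks nothing it owns.
    return sha1_hex(form["captcha_text"]) == form["captcha_hash"]


# Corrected design: the expected answer stays on the server, keyed by an
# opaque random id, and each challenge can be checked exactly once.
class ChallengeStore:
    def __init__(self):
        self._pending = {}  # challenge id -> expected answer

    def issue(self, answer):
        cid = secrets.token_urlsafe(16)
        self._pending[cid] = answer
        return cid  # only this id is sent to the client

    def verify(self, cid, typed):
        expected = self._pending.pop(cid, None)  # consumed on any attempt
        if expected is None:
            return False
        return hmac.compare_digest(expected.encode(), typed.encode())


def demo():
    # Constructed sample values, not taken from the site.
    flawed_issue("K7PQ2")
    unrelated = {"captcha_text": "AAAAA", "captcha_hash": sha1_hex("AAAAA")}
    store = ChallengeStore()
    first, second = store.issue("K7PQ2"), store.issue("M4XT9")
    return {
        "flawed_accepts_unrelated_pair": flawed_verify(unrelated),
        "fixed_rejects_wrong_answer": not store.verify(first, "AAAAA"),
        "fixed_accepts_right_answer": store.verify(second, "M4XT9"),
        "fixed_rejects_replay": not store.verify(second, "M4XT9"),
    }
```

The flawed check passes for a pair that has nothing to do with the challenge the server issued, which is why salting the hash alone would not repair it: the expected value has to live in server-side state.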

After the captcha, things start to get really weird, with radio buttons with onclick handlers being used as hyperlinks. It’s unclear to me whether the programmers responsible for this interface had ever actually used the web or simply had it described to them. Either way, whoever built this should be embarrassed. Whoever managed the project should be embarrassed. Whoever signed off on delivery should be embarrassed! But we haven’t even gotten to the worst part yet.

That’s because while all of the above will be embarrassing to any developer who takes pride in his or her craft, the quality of a government website is ultimately less important than the data it exposes. And there is no FAPIIS data in FAPIIS. Not yet, anyway. Such data exists, mind you. But the decision was made not to include any historical data when FAPIIS went public. Presumably the contractors who did a bad job, and who were reported for doing so, are concerned that people might look at those reports and get the impression that, uh, they did a bad job. Others may be concerned that the database could cast them in a bad light and raise uncomfortable questions. That government caved in to the demands of these vendors — vendors who are supposed to be serving government! — can only be described as an act of craven capitulation. We’ve FOIAed for this data, and if we’re lucky, perhaps we’ll even get it. But it ought to be online right now.

As a matter of principle, it’s good to see government opening closed databases, and Congress deserves credit for deciding to open this one. But what has followed that decision deserves only whatever the smallest quantity of plaudits is that’s still distinguishable from zero. I hope that the site removes the captcha, offers bulk downloads, and fills up with useful, unsanitized data. But whoever built this travesty deserves to have an entry in FAPIIS of their own.

1: You do need to update the JSESSIONID cookie and get a fresh value for the org.apache.struts.taglib.html.TOKEN hidden variable, but this is easy enough to do.

Cross-posted from the Sunlight Labs blog

Testifying Before House Committee on Clearspending

$1,281,442,556,640 is the amount of federal spending that is incorrectly reported in 2009 by USASpending.gov.

This morning I testified before the House Committee on Oversight and Government Reform's Subcommittee on Technology and Information Policy about the failures of government to make rhetoric meet reality. The Sunlight Foundation has been excited about the new promises of data transparency, but sometimes the results are nowhere near the accuracy and completeness necessary for the data to be useful for the public.

Sunlight's Clearspending analysis found that nearly $1.3 trillion of federal spending as reported on USASpending.gov was inaccurate. While there have been some improvements, little to no progress has been made to address the fundamental flaws in the data quality. Correcting the very complicated system of federal reporting for government spending is an enormous task. It has to be done because without it there is no hope for accountability.

In order to fulfill the promise of the Open Government Directive and move forward to meaningful spending disclosure I offered a number of recommendations to the committee. These include unique identifiers for government contracts and grants, publicly available hierarchical identifiers for recipients to follow interconnected entities and timely bulk access to all data.

A video of the hearing should be available shortly on the committee's website, and the entirety of my remarks appears below:

Written Testimony of Ellen Miller before the Committee on House Oversight and Government Reform

Small Business Hires Big Lobbyists

At GoodbyeJim.com, a site that closely monitors the member of Congress from my district--Rep. James Moran of Virginia's 8th district--Jonathan Marks has an interesting post about a small government contractor called MobilVox. In the 2004 election cycle, the firm's employees made modest campaign contributions to a trio of lawmakers--Rep. Randy "Duke" Cunningham, Rep. John Murtha, and Moran. In fiscal year 2005, according to FedSpending.org, the Navy awarded MobilVox a contract worth $507,092. Marks wonders whether it's worth looking at MobilVox more closely.


(Glass) House Government Reform Committee?

I haven't read it all yet, but this looks like a promising reform...for executive branch officials. I won't complain--there needs to be a lot more transparency in procurement--but I can't help noting that, if all these provisions are needed to prevent unethical behavior in the executive branch, wouldn't they also do the same for members of Congress and their staffs?

H.R. 5112, “The Executive Branch Reform Act of 2006,” would:
