-
Shall I introduce myself, or shall I just start with my question?
-
Of course.
-
You introduce yourself first.
-
Just a short introduction for all of us. [laughs]
-
I’m a political scientist. I’ve been doing Internet research in Germany since the early 1990s. I’ve done many different things. Standard development, my first project was on IPv6, I looked at what engineers argue about.
-
You did? IPv6?
-
Then I did a long stint in ICANN. I was a candidate of the global elections in 2000. Then I did IGF, that’s where I met Kuo-Wei.
-
2003…
-
Yeah. I did all these things, and over the last 10 years, I’ve done more research again. I’m interested in digitalization and democracy, that’s my field.
-
What I’ve been doing now in my sabbatical is spend a month in Singapore and one here – here I do five weeks – to understand how they are related, digitalization and democracy. It is very interesting to see also the difference between the two countries.
-
[laughs]
-
Definitely.
-
I’m glad that I can interview you. My first introductory question was, what are your main achievements in this term, of the government? What’s the outcome that you are proud of?
-
That we’re not wearing masks anymore. [laughs]
-
Countering the pandemic, of course, is not my effort. It is a collective effort with all the Taiwanese citizens and the Central Epidemic Command Center.
-
That being said, because Taiwan had a previous exposure to SARS, in the SARS times, we didn’t have the IC-card-based universal health care card. We were still using those paper cards with six boxes in it. It’s very easy to compare the analog response [laughs] to SARS and the digital response to COVID-19 this time around.
-
We can quite safely say that digitalization made it possible to have both the economic prosperity and the public safety at the same time. Whereas in jurisdictions without digital state capacity and civic capacity, they have to choose between one or the other – either economy at the cost of health or health, lockdowns, at the cost of economy.
-
Solving this dilemma through digital participation, that has been the main interest from abroad to our pandemic experience in the past few years.
-
When I’ve been asking people over the last months, what are the major digital issues in this country, one of the things they come up with is data protection and the big data breach you had last year.
-
There’s too many to count.
-
[laughs]
-
I don’t know which one you’re talking about. [laughs] The household one?
-
Yeah. People say that it’s the largest, by far.
-
The household one.
-
What is the role of your ministry in that problem, because you don’t have data protection as an area of competence, have you?
-
We’re in charge of the data protection for the e-commerce vendors. We are the competent authority if that particular vendor is operating both in the incoming and the service they deliver in cyberspace.
-
For example, Airbnb would not be our purview, but if it’s online NFT store or something [laughs] that’s more like our purview because the goods and service they deliver is not anchored to something that is physical, so what we call just e-shopping sites, general stores online. That is our competence authority’s purview.
-
Is it good to have this divided? Would you not want to have…?
-
A single DPA?
-
Yeah, you get one at some point, right?
-
That was my position since 2014. We had a consultation, 2016, and the general consensus was that we need to have a single DPA. Then later on, GDPR negotiations started, so the council, the NDC, in charge of the GDPR negotiation, took the Personal Data Protection Act interpretation authority from the Ministry of Justice to the NDC. Then, the NDC became our privacy office, so to speak.
-
The goal was always for it to be an incubator so that the NDC can incubate a truly independent DPA at some point. The NDC is interesting because the minister is also an at-large minister or minister without portfolio. The NDC is more horizontal, in the sense that it doesn’t have one single interest, but rather it looks after multiple interests. I’m also a councilor of the NDC, many ministers are.
-
Aside from being not independent, like the term is not guaranteed and so on, it is more well-placed than other ministries to be this privacy office. Now NDC is, as I mentioned, an incubator. They’re aiming for some time next year, to establish the independent DPA for real.
-
You, as a councilor, also have a say in its competencies and its scope?
-
When we designed the data protection acts and so on, it is at the same time as the moda’s preparation. There was in one initial version that the DPA would be an independent commission under the Ministry of Digital Affairs. That version was not accepted by many academic experts.
-
Because they didn’t find it independent enough?
-
Exactly, because although maybe the term would be fixed and the personnel will be independent, the budget is not.
-
The budget would have…
-
If the so-called independent DPA would be still relying on the Ministry of Digital Affairs to defend the budget, then it will not fully satisfy the GDPR constraints. It would be like Singapore because that’s the Singaporean model. They have an independent commission within a ministry, instead of as part of the cabinet.
-
Did you accept that argument? Did you find it a good one?
-
It’s an interesting question. Because I was, in 2014-16, always advocating for full-independent DPA, so of course I could be making that argument. Of course, I endorsed that argument. On the other hand, though, at that time, after I learned, after the Lunar New Year, that I’m tapped to become the Minister of moda…
-
You were divided.
-
It’s difficult because then I will have to sign…For example, I think the DPA is an essential complement to moda and it should be founded at the same time, which was my actual position, but then the legislature has already said that the moda needs to happen first and then the independent DPA.
-
Why? Is there a technical reason for having them not founded at the same time?
-
I know. Everybody thinks it makes more sense to found them at the same time because otherwise, we’re in a weird place.
-
We will have to do the technical support to the NDC, that is like an actual DPA, but we’re not independent at all. We don’t have the legitimacy to do such decisions. Then we’ll find ourselves in a quite difficult place. We already know that during the preparation times.
-
On the other hand, we cannot tell the legislation that something that you have passed, the executive branch will delay the implementation until you also pass the other legislation, because that is not how separation of concerns works. It is not the administration’s place to boycott the legislation to say, “Unless you pass all, we don’t implement any of them.”
-
They often do.
-
They often do, maybe, but not in Taiwan. In a sense, we’re given the mandate to start the DPA preparation, but not the mandate to present to the legislation the founding acts of the DPA. That work is now, again, in the cabinet, prepared by the National Development Council.
-
Another question regarding DPA. Will it be a small one, will it be a big one? Will it have any power? Does it also, that public administration is part of its scope, or is it…?
-
It is. It will be the competent authority for the Personal Data Protection Act, for the PDPA. The PDPA already has government and non-government entities as its scope. The question you’re asking is, essentially saying, with the new Independent DPA, only take half of the PDPA and the other half still in the NDC, that’s not possible.
-
Legally it’s not possible, unless we separate the PDPA into two acts, but nobody has brought that up. No, I don’t think so.
-
How many people will it have?
-
The NDC is now preparing the founding act. That is for the NDC to decide. Once it has a more comprehensive, that is to say, governmental and non-governmental scope, we can look at nearby jurisdictions like Korea or Japan to nail the rough size.
-
Because often they’re understaffed. In many countries in Europe, they’re understaffed. That’s a way of weakening data protection by making implementation and controls difficult. For example, the most famous case is Ireland.
-
Have you heard about that? The GDPR is seriously hampered by the fact that Ireland is responsible for everything concerning Google, Microsoft, Facebook, etc. because their European branch is always located in Ireland.
-
I’m aware of that.
-
That is an issue, and I wonder whether something similar could happen here that it’s too small to actually do a proper job. That’s why I’m asking.
-
At the end of the day, it would be the legislature. For example, in our case, we proposed certain mandates of moda, but then the legislature added the Administration for Digital Industries. Literally, one-third of our staff is added by the legislators.
-
The legislature may extend its scope or it may remove part of its scope. Because the founding act has not yet been deliberated by the legislature. I will not speculate, but both directions are possible.
-
If the four major parties all feel that we need a really strong DPA, then they may give it the same kind of staff as, for example, the National Communication Commission. On the other hand, if not then maybe they will remove part of the mandates that the NDC sends. It is difficult to say at this point.
-
Speaking of commissions, as far as I know, there was a debate here whether digital affairs should have the form of a ministry or rather be a commission. What was your view in this debate?
-
It depends on whether we hold that kind of licensing power that the NCC, the National Communication Commission has over, say TV stations.
-
In Taiwan, usually, if you want to do something that is very, very top-down like licensed highly regulated industries, then usually takes a form of commission. The financial supervisory commission, for example, handles the licensing of banks.
-
The Commission of Fair Trade, the Central Election Commission, of course, [laughs] and many things that need a very high degree of regulatory power usually take the form of a commission.
-
Then the ministry is usually seen as something that’s more executive. That is to say, it implements things. It still has a competent authority on a few management stuff, but it is less seen as a very highly regulated body.
-
It then depends on whether the digital competency needs to assume the regulatory power of the National Communication Commission, Internet, especially broadcasting media management and regulation.
-
That’s to say whether the digital competent authority should be a competent authority for the European equivalent would be the Digital Service Act. If the digital competency assumed the role of the DSA competent authority, then many think it should be a commission. If we don’t, then that’s still within the NCC. Then maybe we should be a ministry.
-
Because what I heard is that commission in the logic of Taiwanese ministries and government would be more cross-cutting issues.
-
That’s not a problem.
-
Because it connects ministries.
-
Yeah, but that’s not a problem. Although I’m a minister of moda, I am still within the cabinet system, the governmental Chief Information Officer. Using my cabinet’s CIO role, I can still get other ministry of CIO to report and convene and so on.
-
It’s not like being a minister deprives me of this cross-cutting issue, especially information, and cybersecurity. On the other hand, I think the choice of a ministry instead of commission is to make sure that the NCC still retains all these very highly regulated takedown powers, so to speak.
-
You would say that for you it made more sense to run a ministry, or to create and run a ministry than have digital affairs organized as a commission?
-
I would not say that. I would say it’s a tradeoff.
-
It’s a tradeoff.
-
Yes. It’s a tradeoff. Because if it’s the digital commission, then the NCC will end up becoming just maybe a third-level content panel. The NCC would disappear basically. The moda will be actually the NCC. We’ll just call it the national digital commission, or something.
-
It would be like the NCC expanding to assume cybersecurity and platform economy powers. In that sense that will work. On the other hand, if the decision as it’s ultimately the result is that NCC still retains full cabinet-level commission power, especially DSA-like stuff. Then, of course, it makes more sense for the Ministry of Digital Affairs to be a ministry.
-
Speaking of DSA, it seems to evolve into global blueprint in various countries, projecting ideas, hopes…
-
Yeah, just like GDPR.
-
What’s your take on the DSA? Do you like it? Do you criticize it?
-
I think the DSA builds up on a strong GDPR, like universal rights framework. I like this framework. The DSA is not just by itself. It also has this interoperability sibling called the DMA. It’s not just accountability, it’s also interoperability. It’s built within a different act.
-
Of course, on top of which there’s also the data governance act, resilience act, and so on. DSA is a part of a puzzle, of which the more competition-oriented arm of it…
-
DMA?
-
Yes, the DMA is the competition-related arm of it, whereas the DSA provides the accountability that is required for these huge global platforms to work with the society. Now, without this foundational act that is the GDPR, I don’t think anything like the DMA or the DSA can function standalone.
-
The DSA does not only increase accountability and transparency of platforms, it also needs to address disinformation. There’s a lot of criticism with regard to that part.
-
What is your take? People here talk a lot about disinformation. What do you think the government should do with regard to that?
-
My stance has always been that disinformation is a symptom. It’s not the cause of antisocial media. Disinformation is what you see as a symptom of the media being antisocial rather than pro-social. It’s a function of the media environment, not a function of…
-
I see it more like a pandemic. It mutates, it gets more toxic, it spreads from people to people. People involuntarily cough, that’s to say, press Retweet. It’s not by itself any single piece of disinformation, any more than a single piece of a variant of a virus responsible for the pandemic.
-
We all know that vaccines, cure and NPI plus good social norms is a comprehensive package in order to counter this. To say, “Let’s just do takedowns,” will be just like, “Let’s just do lockdowns.” Of course, they work to a degree, [laughs] but once it’s at a community-spread level, it doesn’t work anymore.
-
They also have side effects.
-
You mean lockdown? Of course, mental side effects.
-
No, but also, takedowns have side effects.
-
Yes. The thing is that if you only have lockdowns at your arsenal, and you do that habitually, then it would just be like the PRC, at one time, had a zero-COVID mandate that is basically built up on lockdowns, very fine-grained lockdowns.
-
It would just be like saying zero-hate in social media by takedowns, simply banning retweet in general, or simply saying, “Just take down anything that resembled the word civil society.”
-
Of course, you can achieve something with this playbook, but the problem is that the foundation of democracy, which is to say truth-telling, [laughs] journalism, goes with it. I don’t think it’s a good cost to pay, is what I’m saying.
-
As a councilor of the NCC, you would advise against adopting a version…?
-
I’m not a NCC commissioner.
-
I thought you were, as a minister…
-
…NDC.
-
Oh, NDC. Sorry.
-
I’m not at NCC, because it’s an independent body.
-
That’s independent. Now let’s put it that way, if you were advising the NCC, would you advise them to adopt or not to adopt the DSA?
-
You mean the DSA exactly as written?
-
Yeah.
-
I would first say that we need, including the GDPR, the foundational trust to independent bodies. I would also say that the contextualizing services – I have in mind the international fact-checking network, the Community Notes in Twitter – that is far better than lockdowns or takedowns when it comes to get the antibody of the mind, the awareness, the media competence of citizens.
-
I would also say that journalism, including civic journalism, is the actual antidote.
-
I agree. [laughs]
-
Once everyone practiced journalism, then we all have antibodies, and there’s no room for disinformation to grow.
-
I rather thought that if journalism would work better in this country had a higher quality, then disinformation wouldn’t have that kind of effect.
-
Exactly. Instead of addressing the symptom, we should address the root cause, which is a shortage of journalistic capacity, in both traditional media but also civic media.
-
Once journalism is empowered enough so that this journalistic work, the work with integrity and authenticity, spreads faster, has a higher basic reproduction number than this information, then we don’t have to even think about take-downs.
-
Would you say that, as a minister in this country, that is part of your responsibility to…?
-
Yes, to co-prosper with journalism. Although, as I mentioned, because we’re administering now, we don’t have any take-down or censorship power. That’s squarely in the NCC. We are in charge of the co-prospering with the media, especially journalism.
-
I’ve made it one of my three top priorities this year, to ensure that Google now has a Digital News Co-prosperity Fund, which all journalists can apply to digitally transform themselves. Meta is working on a plan also. For both of them to commit to add more investment to contextualizing services, to more real-time media competence strategies, that is one of the three most important.
-
Cynics would say that is spreading short of giving money to bad journalism, to make them earn more money with bad outcomes. How do you make sure that it goes into qualified journalists?
-
Then it’s a governance question. The DTA, the Digital Transformation Association, by Chen Jen-ran, JR, and friends, the burden is on them to establish a transparent governance mechanism, in order to make sure that bad journalism doesn’t get extra money.
-
I know Kuo-Wei has strong opinions on this. [laughs]
-
You believe he is accountable. He’s not accountable.
-
I know Kuo-Wei has a very strong opinion on this arrangement.
-
I don’t agree about him.
-
I thought, after listening to a few fact-checkers here, that it would be good to have a code of conduct for media companies, with teeth, having someone checking that they also follow through. What do you think of that?
-
This makes perfect sense. Our work, up to making it transparent, like who is responding to which request and who is not, that is within our purview. What we cannot do is that we cannot, like the NCC, say that, “Oh, you don’t get this TV channel anymore,” because that’s NCC’s purview.
-
What we are doing is, essentially, like AI explainability, [laughs] to explain what’s happening, to open up the tools, so that people can see which disinformation is going viral, which is now the most dominant string, so to speak.
-
To work with cybersecurity companies, such as Whoscall or Gogolook, or Trend Micro, so that they are tapped into these anti-scam and malware frameworks, to reduce the latency from one party recognizing a threat to everybody else recognizing this threat. That’s our job.
-
Most people probably say that disinformation is mainly of Chinese origin, and others say there is a lot coming also from domestic sources. Do you have any…?
-
Do you mean Chinese as a culture or as a jurisdiction? [laughs]
-
Mainland. As a jurisdiction.
-
The Internet doesn’t work this way, as you probably know more than many people.
-
It’s an attribution problem if you mean that.
-
We know, of course, that the packets traveled from outside of our jurisdiction, through submarine cables, to Taiwan. Of course, we know that.
-
As long as they are not cut.
-
As long as they are not cut by fishing vessels or cargo ships, [laughs] in which case, they probably traveled through satellite.
-
Anyway, my point is, of course, the attribution only works up to the point of this submarine cable connection. Beyond which, how many Tor nodes it run through, I don’t think anyone can say the attribution. We know it’s non-domestic. Often in our press release, we say, “Oh, this DDoS comes from extra-jurisdictional sources,” because that’s the extent we know.
-
That you know, that is from domestic?
-
Yeah, that it’s not domestic. Because if it’s domestic, we know both the source and the origin and the destination IP but if it’s trouble from outside, we don’t.
-
Because some people say that also religious groups use now disinformation as a weapon, and then they become normalized that all groups use now.
-
Which is why I say it’s a symptom.
-
Disinformation is a little bit simplified term.
-
No, it’s not.
-
You should categorize what kind of disinformation we are talking about. Some kind of disinformation might be it’s just like and you’ll say it’s a symptom. For somebody, disinformation is not symptom. Actually, it’s a…
-
Bioweapon.
-
Not friendly purpose.
-
Yeah, like a bioweapon.
-
Yeah, I know. That’s why we distinguish between misinformation and disinformation. That is an important distinction, I think.
-
Disinformation, we think in our government…
-
We have to differentiate.
-
It means intentional untruth that cause harm. Intentional, harmful, untruth.
-
There is a question whether it’s also used by domestic groups, right?
-
Yeah, but my point is that disinformation when using that definition is entirely at a behavior-and-content level definition. You’re asking an actor-level attribution, but these two are not the same level.
-
We know that there is coordinated inauthentic behavior, that we know, but whether it is being paid or subsidized or somehow influenced by any particular actor that attributes themselves to a state-backed action, that is a much harder attribution to make.
-
Yeah, it is, but I wonder it makes a difference politically. Whether you can just say blame China.
-
In the case of fishing, or cargo vessel it’s easier to identify the ship’s origin.
-
That’s true, although not always easy either as we see with Nord Stream at the moment.
-
With satellite technology, to identify a sea cable cutting ship is not science fiction.
-
That’s true.
-
On the other hand, if you have a viral disinformation, it probably has been AB-tested in many close groups already. Maybe the payment is just to identify the one that is going to go viral anyway, and then just pay to amplify that. These unknown actors may not even know each other. Unlike ships at sea, this correlation is much harder to identify.
-
Let’s talk about open data. That is an important mission here of this ministry. Some people say it actually needs a legal framework, to do this well.
-
It does, of course.
-
There is none at the moment, is there?
-
There is, the Freedom of Government Information act.
-
I looked a bit on the Internet and there were people complaining about the fact that it’s often not clear when data are updated and how often they are updated when you look at the data set.
-
There are regulations, of course, concerning data quality and data pipelines and so on. The real difficulty here, and the reason why many people say that it requires an act instead of just regulations, is when it concerns demand-side data.
-
For supply-side data, not many people complain about, for example, when we say all these places that masks available. Those places have these air quality measurements. The other places have running water and so on, or earthquake advanced prediction means. Not many people complain about the data quality, but many people do complain about demand-side data.
-
For example, many people would like to know based on the signal data of the major telecommunication carriers, how many people are living in a village. This is not supply-side data. This is not what the government know intuitively as part of doing our work.
-
As for counter-pandemic measures, I think in Germany also in many jurisdictions, signal data from telecoms when processed in a thoroughly anonymous non-identifiable way, is considered a public good for counter-pandemic.
-
This is exactly why, in addition to the data governance act, which contains a relatively weak paragraph on data altruism, which is not sufficient to compel the demand side telecoms to hand out their data, because it’s entirely voluntary.
-
They do so they just are the markers at the end it doesn’t really work. There is now cause for a new data act that will essentially compel the telecoms and so on that host demand-side data to provide in a non-identifiable agreeable form where sufficient amount of public benefit can be established.
-
The people you talk to, many of them say, or micro weather data or many other data that is currently under this constraint, is then worth investment and even forced contract-signing with these industrial players. We are not talking about open government data anymore. We’re talking about open data, like a data altruism with certain level of enforcement.
-
That is the scope that you’re probably hearing about.
-
Your Telco industry, are they happy with that when there will be mandatory provisions asking them to?
-
They might not want to lose a source of income. [laughs]
-
They are not happy about that.
-
Well, we’ve seen many international examples. One thought is to make it available only after a time period, so they can still sell early access. Then after that, they don’t earn much anymore anyway, in which case they should become open data.
-
We tried that quite successfully with the real-time inventory in the frozen food in the major farmers’ market in Taiwan. Because if they release it on the same day, they lose a lot of money because they cannot arbitrage.
-
If it’s already done for the day, it’s a post-trade. Then after a few days, once you release that it doesn’t really matter anymore to the traders. Maybe, open data with a timeline is a compromise position between the demand side people and the supply side people.
-
Is there also an issue of protection, say data protection, and how you balance the two?
-
Of course, we’re all talking about NPDs. None of these data I’m talking about is personal data. We use a different term in our ministry for that. For raw data, we say 資料, but for non-personal data, we say 數據, as in statistics. Processed data that has no privacy risks.
-
Yes and no. In the long run, when you deal with big data, it’s more and more difficult to distinguish non-personal and personal data.
-
Why is that?
-
We used examples with transport data, that when you count people and when you go to the urban fringe of cities, it’s less and less people who use that. Then there are moments where they intersect personal data and non-personal data.
-
That’s a solved problem. Nowadays you can, for example, use entirely synthetic data with differential privacy, so that it has the same statistical properties but none of which is real. You can do Open Algorithm, in which you submit a code, then we run the data and just give you the statistics. Now with zero-knowledge tools, we’ve got more.
-
Yeah, it’s doable, but the question is, are these practices, are they mandatory, are they defined somewhere?
-
That’s why we need an independent DPA because when we run our projects, of course, we say it’s mandatory. We are not the competent authority for most of those data projects. We can say with some certainty, if you do it this way, you get our funding.
-
The truth is that neither we nor even the NDC can say we ban the use of old k-anonymizers, because at the end of the day, the competent authority, like the transport data, will be the Ministry of Transportation. Only with an independent DPA can harmonize these requirements.
-
Do you also observe that proposal of a data act on the EU level, have you looked at that?
-
Yes, of course.
-
This sharing?
-
Yes.
-
I’m not sure if it will ever see light of the day, that’s still unclear, but to make it mandatory also for the private sector to share data it gathered?
-
For us, it’s the only reason why we need to go to the legislation because then it would be expansion of state power. If it’s just about data quality in the government, we can solve it with regulation. If it’s concerning the private sector, for the service of public good of course, then if we do that by a regulation, that violates the legal reservation principle.
-
That’s why you need a law?
-
Yes.
-
Did the data act proposal, did it inspire you, or were you…?
-
Yes, of course.
-
I’m just asking. [laughs]
-
Of course. We’ve got many friends in the EU. [laughs]
-
In Taiwan, we deliberately chose a translation for data altruism as 公益, public good, instead of 利他, for the good of others. The reason why is that, we already saw the comparative weakness of the data altruism organization outcome in the EU.
-
We are already thinking about the full data act when we set up the moda, and the Department of Plural Innovations is set up to assume many different ways. Within the Plural Innovation Department in the moda, there are, for example, the section on open data, the section on MyData, which is voluntary use of my personal data stored in any place.
-
There’s also section for data altruism, there’s also the section for data capacity empowerment of the civil society. All these represent, which is why it’s called Plural Innovation, represent different data reuse models.
-
How interesting. I didn’t see much online about that.
-
About the Plural Innovation?
-
Would I be able to talk to someone from this group?
-
Of course. Our department is at Shinkong. You can of course interview the D.G. or her deputy.
-
That would be very nice.
-
Another issue I’d like to mention is the eID project. Could you tell me a bit more about the state of things in this…?
-
Of course. We use TW FidO, which is the mobile version of the eID, practically every day, to sign official documents. It combines the standardized FIDO2 authentication protocol and the standardized PKCS digital signing protocol. It’s very useful.
-
Now, prior to the introduction of the TW FidO, there was also an IC-card-based form factor, called as Citizen Digital Certificate, the CDC, unrelated to pandemic. CDC card is not super popular in Taiwan.
-
The Minister of Interior, at one time, thought we can make it more popular if we just make sure that the paper-based plastic card and the Citizen Digital Certificate if we just merge them, tape them together, and do the same card.
-
Of course, they say, if people don’t want to use the IC chip, they can still get the same governmental services. The main goal is just to get more people using this Citizen Digital Certificate.
-
Why did they not use it?
-
Not use the CDC card?
-
Yeah.
-
A couple of things. First is that Electronic Signatures Act in Taiwan, unlike, say, in Estonia, gives the freedom to the person receiving the signature to accept or reject electronic signature at will. You can say, “I accept this DocuSign this moment,” the next moment you say, “No, just handwriting.”
-
In many EU states, that’s not possible. Once you say you start accepting electronic signature, you cannot unsay that. You will have to then accept eIDAS and other European blockchain, or whatever that you have adopted. You may take some time to prepare yourself for it, but once you join, you cannot say, “From tomorrow, on paper only.” That’s not legal even.
-
In Taiwan, because our Digital Signatures Act is quite dated, that is possible. To implement the CDC card poses a risk that if the competent authority suddenly is saying, “No, paper only,” then all this investment in infrastructure is for naught.
-
You are going to reform it?
-
The Digital Signature Act?
-
Yeah.
-
I would strongly prefer an Independent DPA Act to be in the legislation before we reform any of those acts. Because otherwise, there is a key clause in these acts that is still filled by the Ministry of Interior or other ministry that issue this. That is to say, the personal data protection authority.
-
That was the civil society’s consensus when the new eID was being deliberated in the National Academy, in which I also participated. I said quite publicly when I was in the National Academy deliberation, that I also support the independent DPA being one of the key cornerstones before we introduce anything like that.
-
Your relationship to civil society, you come from that world?
-
Still part of civil society.
-
That was my question, has it changed in one way or another, the relationship?
-
The cybersecurity domain, which I only started processing full-time since the cyberattack last August, [laughs] that is much harder to make it truly grassroots.
-
The need for, I would just say national-security-related secrecy is unlike the other things like platform economy or open data or things like that. Because in platform economy or open data, I just say, everything I know the civil society also know. We’re radically transparent that way.
-
In cybersecurity, oftentimes it’s, just as Kuo-Wei said, sometimes it’s an intentional attack in the gray zone, highly coordinated with their military. Just publishing this part would be misleading, without also publishing PLA movements. I don’t think the Minister of National Defense would like it very much if we publish all PLA movements to the public.
-
This is a fundamental dilemma between participation for safety and participation for progress. Participation for progress can move fast and they won’t break things, but participation for safety requires a lot of deliberation.
-
Generally, the relationship hasn’t changed. Because I heard that there is also more criticism now, that you face some criticism.
-
On the cybersecurity side, yes.
-
Only in that field.
-
Yes. I don’t think people criticize me when it comes to, for example, delivering good e-service that’s going to get everyone NT $6,000 in a few weeks now. It’s about e-service stuff. I don’t think just because I’m the moda minister, I don’t think anyone criticizes me because of that, but on the cybersecurity, yes.
-
I think my last question concerns, actually your indicators of success. How do you measure your own success as a minister?
-
Of course, the safety (administration for cyber security), the progress (administration for digital industries), and participation (departments in the moda proper) have different KPIs. For example, in cybersecurity, you would like to measure by the incidents discovered sufficiently mitigate the zero trust architecture reform and so on.
-
In the progress part, you would like to participate more fully to international FIDO, W3C, and so on, making this international e-commerce more fair to different jurisdictions to solve the complication, because of the lack of zero-knowledge technology. The personal data attributions in the APAC alone, I think thousands and thousands of incompatible regulations.
-
To streamline that would be of course a great KPI. In the departments related to data and e-services, of course, we subscribe to the public idea where we don’t do one shot, like handing people $6,000 NT system.
-
Rather build it as a public infrastructure, so that all municipalities and even people abroad like X-Road or DR folks can learn from our foundations. To strengthen not just the safety, but also the convenience of things.
-
When you ask me my personal KPI, it’s none of these three. It is to increase the overlap of the participation, safety, and progress. The more that we can instead of seeing things as a trilemma, we have to choose between those three different parts.
-
The more that we can navigate this narrow corridor to find the co-creative solutions that take care of all of the safety, participation, and progress concerns. Then that would be a success. If at the end of my term, people generally think, “Oh, you have to make a trade-off, one side must lose,” then I would have failed as a minister.
-
That is still a bit vague, to say to have than being more in harmony with each other or technical…
-
You’ve just given me a couple of examples. You’ve just said like personal data, if you do it more and more then sooner or later there will be privacy breaches and so on.
-
I must say, that is the kind of KPI that I’m giving myself and that I can give convincing results that says, “No, this dilemma doesn’t exist anymore.”
-
Do you have any questions?
-
No, I don’t. I just come with you.
-
[laughs]
-
You ask me the question, I don’t know.
-
I think that was it.
-
Are you going to interview our Plural Innovation department about data policy?
-
Yeah, that would be wonderful, if I could.
-
Yeah, it would be good.
-
How soon, what’s the ETA? Would you like to finish the report today?
-
She will stay here until 21st.
-
In the next couple of weeks?
-
No. I’m leaving on the 25th of March, but I could also do later. If per face-to-face meeting is not doable in the next couple of days, I could also do a Zoom meeting.
-
The thing is, we’re pretty sure that pretty soon the founding of the Independent DP Act will be ready. The answer you’re going to get after that is not the same as before that.
-
It makes sense rather to talk later?
-
Yes. Once the IDPA is ready, not just the Plural Innovation, but you may also want to interview the NDC preparatory office. Because then there will be a ministry that’s not me in charge of the Independent DPA founding. Many of your questions are better answered by that ministry.
-
How would I organize that once I’m back in Berlin? Could I do Zoom meetings with them?
-
I think we still prefer Google Meet or something because Zoom has not yet promised to function when all these so many cables are cut. [laughs] Maybe set up a Google Meet. For Plural Innovation, we can make introductions.
-
For the IDPA, once the preparation office is ready, I can personally ask that minister, whether they would like to accept your interview, but the decision because it’s independent, it’s up to them.
-
Zoom isn’t still on? I would just suggest that…
-
It’s still not encouraged.
-
In public, right?
-
Not encouraged for public sector use.
-
The public sector.
-
They had not very good records a few years ago. We’re still under negotiations.
-
Our data protection officer came to some agreement with them, so since then we can use it. Because our public service that was an issue there with how we would use.
-
Now, hopefully soon we’ll have a data protection officer too.
-
We had in German ministries, incompatible streaming services they would not allow to use the other one. During the pandemic, there were some ministries using the Cisco one, and another one…
-
Some Webex…
-
Yeah. It didn’t work out at all for a while.
-
What happened when they are joined? I can get a meeting, they’re using the Zoom?
-
No, I use Zoom because when I choose…
-
No, I mean the Germany get a representative.
-
Yeah, but that depends always on the ministry. That would be in the ministry of commerce, but ministry of justice used a different one. They could not communicate with each other for a while.
-
Hopefully with the DMA, in just a couple of years, you can call into any Zoom meeting with Google Meet, because it’s one of the key interoperable clauses.
-
Yeah, but Google Meet has no stable bandwidth.
-
I think the France and Germany…
-
They’re using the Cisco stuff.
-
Germany and France both invested in Matrix, as in Element.
-
We use that also, in one of the research institutes where I am. We use only open-source stuff there and Matrix is one of them that we use.
-
We also use Matrix and Signal.
-
Rocket.Chat, I don’t know, all these different ones…
-
We use Rocket.Chat too. Rocket.Chat is now being converted into a Matrix frontend. That is the end goal of DMA, that you have many different programs, but they all talk to each other just like email.
-
That would be wonderful.
-
That end-point solves one of the main…
-
Interfaces.
-
…interface problem for also disinformation, because a lot of disinformation is piggybacking on this network effect of social media apps.
-
With the DMA, you say, any interface, just like podcasts and emails, can look at the short videos produced on any other platform, then the platform’s coercive control or surveillance capitalism is much less, because if I learn it’s surveillance capitalist, then I just switch to Element/Matrix or whatever, but I still enjoy the same content feed.
-
It often doesn’t work. In Singapore, everybody uses WhatsApp. There are so many alternatives, but they just don’t switch. In Germany, lots of people switched from WhatsApp to Signal or to Telegram. You never know. You cannot ask people to…
-
The point I’m making is, with the DMA interoperability, it doesn’t matter then. Whomever using whichever software will be able to appear in your contact, and you can just send messages, not caring about the email program they’re using.
-
The same would be for the short messages and eventually, video conferencing. When I say solving at the root, I mean something like that.
-
I do understand that. There’s another question that I wanted to ask, and I forgot, I heard that your ministry had problems getting enough staff and that you share a problem with German administration, that the rules for hiring people go back to very ancient Japanese…
-
That is for the Administration for Cyber Security, yes.
-
That you solved it by one-year contracts, is that true?
-
The initial thought during the formation of moda last year was to solve it with one-year contracts. I would say that, for the Administration for Cyber Security, it didn’t quite work out that way.
-
Because you can’t hire good people?
-
The reason why is that the salary range for one-year hires is still capped so that it can only get half of my salary. All the good cybersecurity people, not even senior ones, good junior ones, enjoy at least deputy minister salary nowadays. The senior ones all enjoy higher salary than the minister. It’s not possible to retain them with one-year contracts.
-
We solved that for real, last month, by establishing the National Institute of Cyber Security, the NICS, which is operating under our labor law and not the Public Service Act. This institute, when it does, for example, cybersecurity audits, by law, because they passed the background check, they act as a public body.
-
By this idea, we set our salary range for researchers and engineers to peg on the median income of cybersecurity practitioners in telecom and financial industries.
-
You could do that, you have the latitude to do that because you created a new organization for them?
-
They are not public servants. Many public servant one-year contract positions ends up moving to the NICS, after NICS founded, because otherwise they will recruit someone, and after a while, the financial or the telecom industry would just poach them because they are now passed the background check, and therefore, worth more [laughs] in those highly-regulated industries.
-
By pegging the NICS salary to the median, then we don’t lose people by default. Now, the counter problem to this is then for the people who remain in the public service. What’s the incentive for them to remain in the public service? Do they get also some extra payment, or do they just quit their job and become a NICS contractor or a NICS employee, for that matter?
-
Because our labor law is pretty good in the regard of protection, there’s no at-will firing or things like that, so they don’t lose much by switching from a public sector position to the NICS position. The fix here, the solution here, is just to figure out how to add back the compensation for the people who nevertheless stay in the public sector. We’re still working on that.
-
Because it turned out in Germany that we were never good at hiring engineers, therefore we outsourced a lot of engineering tasks, but didn’t have the skills in the ministries to assess the quality of the work being outsourced. I heard that this is also a problem with money.
-
There’s that. There’s also that, just because it’s contracted out, it doesn’t mean that you don’t retain the architecting vision of what needs to be done. If you contract out, especially the initial planning capacities, then you’re constrained by whatever technical solutions that your contractors have.
-
Then, when new technologies come, Web3 or AI or whatever, you end up getting last-century solutions.
-
That’s an ongoing problem in Germany.
-
[laughs]
-
We think we’ve got some solutions to that, regulation-wise. That’s probably the most important thing, internal organization-wise, in moda. It’s not to solve any particular problem quickly, but to solve it in a way that it’s reusable in the future.
-
As you said, you keep the architecting, architectural vision in your ministry, that would be then by non-engineer people, or would it be by engineers willing to accept…?
-
It would be engineering people.
-
They would accept the lower salary that you have in the ministry?
-
We’re working on the compensation plan for that. It goes into a lot of detail. In Taiwan, a new ministry can choose between getting most of its personnel as technical personnel, operation or administration personnel.
-
In Taiwan, there is a special profession in public sector called economic development, 經建職系, which is somewhat like the administration, in that it does planning and strategy. It is also somewhat technical, in the sense that you have to be an architect of mechanism design.
-
This economic architect line of work applies to many policy planners in the digital ministry. Although that profession came from a non-digital background, we were able to re-purpose this to serve our purpose.
-
Whereas in many other ministries, you see comprehensive planning, 綜規, in moda all the sections are called strategy, 策略. In Plural Innovations, you have this inclusive strategy section 共融策略科 or the department of digital strategy 數位策略司.
-
The idea is that they would be able to bridge between engineering and planning, because they can fuse them into one position, and then the compensation is also better.
-
Thank you.
-
Thank you.
-
[laughs]
-
Very interesting.
-
Thank you.