This is an HTML version of an attachment to the Official Information request 'Information on the Zero.govt.nz service'.




21/03/2024 
Jim Parsons  
[FYI request #25573 email]  
Tēnā koe Jim Parsons  
OIA: 1323733 – Further information regarding the Zero Data Service 
Thank you for your email of 26 February 2024 to the Ministry of Education (the Ministry) requesting 
the following information:  
One - Can you please provide information about where the zero.govt.nz services are 
hosted within Azure. For example, are they in a DMZ network, which would be logically 
isolated from other internal services. 

Two - Can you provide a list of all top-level domain names that have been accessed from 
the zero.govt.nz service in the last 6 months, as well as the number of bytes 
transmitted/received OR number of requests. To clarify, for top level domain, I would group 
www.youtube.com under youtube.com, and www.facebook.com or web.facebook.com 
under facebook.com. If this data is not available in the requested format, then a list of raw 
domain names and number of bytes or requests would be sufficient. 

Three - In regards to the penetration test that you have mentioned has taken place, are you 
able to provide a brief summary of risks identified. You should be able to provide this 
information, assuming all risks have been mitigated. 

Thank you also for your email of 1 March 2024 in which you declined our invitation to meet and 
confirmed that you would prefer our response be provided in writing.  
Your request has been considered under the Official Information Act 1982 (the Act).  
In response to part one of your request, Zero Data (the service) systems are hosted in the 
managed cloud environments of government agencies involved with the service. These cloud 
environments have several layers of security built into them, including different forms of firewalls 
and other network security tools.  
We are unable to disclose specific information regarding the security controls that safeguard the 
service. Therefore, we are refusing part one of your request under section 18(a) of the Act, by 
virtue of section 9(2)(k) of the Act, as the withholding of the information is necessary to prevent the 
disclosure or use of official information for improper gain or improper advantage. 
Wellington National Office, 1 The Terrace, Levels 5 to 14, Wellington 6011 
PO Box 1666, Wellington 6140, DX SR51201 Phone: +64 4 463 8000  




In response to part two of your request, we are providing a standard report showing the top 20 
top-level domains by their total requests for the period July 2023 to February 2024, inclusive, as 
Table One of Appendix A.  
Please note that our standard reporting only includes the top 20 second-level-domains out of the 
approximately 700 domains noted in the report. To provide a breakdown of the 700 second-level-
domains would require the manual processing of a substantial volume of low traffic information and 
would be a significant administrative task to undertake.    
As required by sections 18A and 18B of the Act, we have considered whether extending, charging  
and/or further consulting with you would enable a more substantive response to be provided. 
However, we do not consider that any of these mechanisms sufficiently mitigate the significant 
administrative burden associated with attempting to provide a response. 
For these reasons, your request for all top-level domain names is therefore refused under section 
18(f) of the Act, as the information requested cannot be made available without substantial 
collation or research. 
In response to part three of your request, the penetration testing included both web application 
security testing and white-box host configuration review. We are unable to disclose information 
regarding the specific risks identified as part of this testing, as the withholding of the information is 
necessary to prevent the disclosure or use of official information for improper gain or improper 
advantage. Therefore, we are refusing part three of your request under section 18(a) of the Act, by 
virtue of section 9(2)(k) of the Act.  
As required under section 9(1) of the Act, I have considered the public interest in releasing the 
information withheld. I do not consider the public interest considerations favouring the release of 
this information are sufficient to outweigh the need to withhold it at this time. 
Please note, we may publish this response on our website after five working days. Your name and 
contact details will be removed. 
Thank you again for your email. You have the right to ask an Ombudsman to review my decision 
on your request, in accordance with section 28 of the Act. You can do this by writing to 
[email address] or to Office of the Ombudsman, PO Box 10152, Wellington 6143. 
Nāku noa, nā 
 
 
 
 
Stuart Wakefield 
Chief Digital Officer 
Te Pou Hanganga, Matihiko | Infrastructure and Digital
 
 
OIA: 1323733  



Appendix A  
Table One:  A breakdown of the top 20 top-level domains by request number and byte for the Zero 
Data Service.  
Destination                       Request [1]   Byte
.education.govt.nz [2]            3833208       121305M
.zero.govt.nz [3]                 3665936       3566420K
<error>                           345590        1236543K
.microsoft.com                    92994         7016767K
.amazonaws.com                    86698         2564877K
.healthpoint.co.nz                71754         8266988K
.plunket.org.nz                   34038         9790M
.typekit.net                      31186         1299607K
healthify.nz                      20450         3291558K
.googleapis.com                   14230         366486K
.googletagmanager.com             14140         782307K
.smallsteps.org.nz                9404          903521K
.crazyegg.com                     8716          42540490
.google-analytics.com             8454          33625596
staticcdn.co.nz                   7412          16066286
.youtube.com                      6894          254753K
.facebook.com                     5750          12984592
.typography.com                   5164          5281304
.justathought.co.nz               4244          120129K
healthed.govt.nz                  4208          117255K
other: 700 2nd-level-domains      126882        18653M
Sum                               8397352       178943M

[1] This is the Request as defined in the HTTP protocol; i.e. every component of a web page that a browser
"requests" from the servers is counted as one request.
[2] The significant share of this line is the zero.govt.nz landing site traffic that is hosted on
zero.education.govt.nz
[3] The large number of requests is reflective of the common components of the zero data service such as the
ribbon rendered on top of every page noting the page is delivered via zero data service.