what is white box?
a ledger for Australia’s tech stack.
Every day I spend an hour or so collecting everything from official documents to news articles that when collated, show how Australia’s tech stack actually gets built.
Through daily random sampling within a strict time limit, I simply translate what I read into line items and the result is a contour map of money, mandate, enforcement and the rails they run on. The format for the ledger is simple really. It tracks who pays whom, with what instrument, over what term, to do what, and at what risk.
This is an example of the format I would use to randomly sample:
SAMPLE: Daily sampling structure (2 hours):
20 min: One parliamentary inquiry (read latest submissions)
20 min: One state auditor-general report (pick most recent IT audit)
20 min: ASX announcements from last 7 days (filter gov/tech)
20 min: One super fund annual report (search the PDF)
20 min: Defence industry press (scan last week’s headlines)
20 min: Wildcards (FOI logs, ACCC registers, AUSTRAC, university grants – rotate daily)
Search terms include: inquiry + tech sector + australia
or something like defence + AI + news
I keep it vague and see what comes up.
In addition to the table, I will be compiling a glossary and additional resources that explain key terms, show recurring links, etc. and will add these as they are fleshed enough to provide consistent and reliable information. Or, build your own and send it to me. That’s kind of the point of the exercise.
I’ll be providing weekly “wrap-ups” of things found and some points of interest that I’ll write my own pieces from.
Australian media reflects the government’s attitude towards technology; it is reactive, requires a level of media literacy most of the public does not have time or is capable of expending energy on, and provides information as unreliable as the weather.
Most people don’t have the time or patience to cultivate media literacy for this stuff. It’s siloed, paywalled, jargon-heavy, and deliberately boring. The ledger removes that toll. It presents hard facts in a stable grammar so you can see arcs before they become fait accompli.
Just a little note, I am a writer and systems designer. I do not work in the government or anything considered big tech. I’m more of a random digital tinkerer, my income does not come from anything near what I’m logging.
This was started because I couldn’t keep up with my frustration at Australian journalism and the naivety of technology’s effect on Australia being communicated to the people who really need to know. The risk here is entirely my own to hold really, but I hope it is ultimately helpful for those who feel the same way that I do, and need to understand what they are being signed up for without their knowledge.
What it is
Each row records an event with fields that stay constant across domains.
date, layer, entity_from → entity_to, instrument (contract, legislation, ruling, tender, pilot, whole-of-government deal, etc.), declared value, term, capability (“what this actually does”), risk (one-word flag plus a sentence when needed), and notes.
This is not an exhaustive document nor is it guided by specific search terms or trends. I’m not doing this for any particular reason other than to provide transparency in a detailed, cross-sourced format to the public to use at their disgression. Professionally, people like journalists, policy makers and those working within the industries currently being heavily regulated or changed because of tech, this is for story generation and guidance.
Here are a few numbers, just to place the frame.
After one day of sampling, the ledger holds 269 entries dated 1970–2026 (old statutes show up as live infrastructure), the risks skew amber over red and green, which tracks with our national habit of normalising medium-risk arrangements through policy language rather than actually stopping them.
The rows that touch AWS/Microsoft/Google add to roughly AUD 10.5B in declared spend. This is a clean demonstration of what the ledger shows quickly what a single person would potentially have to parse over a thousand press releases. No one has that time.
Why I’m doing it
Because “tech news” in Australia is theatre without the stage plan, a bored audience and a drunk cast. The extent of our literacy in technology is fleshed through opinion columns, only teaching debate values to the public and professional, while the real shifts are locked into multi-year instruments.
It is deeply boring and siloed to extract, but instrument is the policy. If you only read ministerial quotes, you’ll miss that procurement clauses quietly force “voluntary” codes, that retail wallets function as identity rails, and that “modernisation” often means moving the control plane offshore. If you only read legacy media, you’ll either hit a pay-wall and get distracted, be presented with impenetrable jargon that isolates you and generates fear, frustration or confusion (sometimes all three) or you’ll end up in a silo of your own following beats you trust for personal reasons. That’s absolutely not a dig, it’s designed that way.
What this ledger does is instead of having to rely on your own level of media literacy, it presents the hard facts and assembles them in arcs you can locate before they become fait accompli.
How to read a row
Think like an librarian who moonlights as a hit-man.
Entity_from → entity_to
This show you power and dependency. Who writes the cheque; who now owns the risk (and reward).
Instrument
This tells you about permanence. A consultation is vibe that can dissipate. A contract is a hard-wall and generates its own gravitational field.
Term
This tells you the lock-in. Anything beyond three years will warrant or prompted scrutiny; anything 7–10+ years is a reshaping of the field. It’s the difference between dealing with the devil or a handshake at the pub. Sadly, a lot of the preamble, happens in the pub. Lucky we have receipts.
Layer
This tells you the part of the stack: substrate (the layer which the note operates within. e.g. compute, cloud, spectrum, power), infrastructure (networks, data centres), platform (software control planes, enterprise, etc.), identity/payments (wallets, loyalty, rails), regulatory/enforcement (the teeth biting down on the fact), defence/intel (sovereignty posture), finance (capital flows and listings).
Capability
This says what the thing really does when the press release fog clears.
Risk
This is a practical flag that is generated via a standard checklist I can provide but remains consistent. It assesses vendor lock-in, surveillance creep, data governance mess, safety theatre, compliance burden that becomes a sorting mechanism, etc.
What it is not
It’s not an expose, a FOI project, or a master database of all contracts. I’m not doing this for work or for anything professional or self-oriented.
It’s a disciplined daily habit with enough rigour to make patterns obvious that I suspect is what is missing from most Australian tech coverage, and led me to the frustration that inspired the project.
This is an experiment and is not a proven full-stop or certified formatting exercise. I’m a writer and systems designer that likes building things and is obsessed with media literacy.
I’ll miss things, there’ll be repetitions, I’ll log early signals that later fizzle, but the point is cadence and comparability and a randomised, vibe-less yet diligent approach removes bias and provides a template for public use not for my own personal gains.
Typical arcs you can already see (examples, not the story)
In white box ledger one (free to download or browse here), I have gone through and done a sweep of things that re-occurred or I flagged as personally interesting or important.
#1: sovereignty via outsourcing.
Security uplift narratives travel alongside whole-of-government cloud deals. Control planes consolidate in US hyperscalers under long terms. If you believe “resilience” is about who can push a re-configuration at 03:12am on a public holiday, then this matters more than the slogan war.
#2: payments stapled to identity.
Retail wallets and loyalty programs are quietly becoming everyday identity checkpoints. Tie that to the Consumer Data Right and you have private rails with public consequences, framed as “convenience” and “portability.”
#3: soft law that acts like hard law.
A bill stalls; a voluntary code appears; six months later a tender bakes code-compliance into the selection criteria. No Act required. Procurement did the legislating.
#4: retail face recognition got a baseline no
(OAIC vs Bunnings), which will now be tested by police interest in similar tooling. Expect retreat, rebrand, and re-entry under “safety.”
Importantly, these are examples of how the ledger helps you read, not the point of this post. But you can see that these simple points can provide simple information
Method, briefly
Daily scan, small quota. Record, don’t editorialise. The schema forces me to name the instrument and the term and to write one honest line about capability and risk that isn’t personal; it just is. I log both Commonwealth and state activity, plus retail/finance/critical-infra moves that function as civil infrastructure whether or not Parliament says so. Where a date is fuzzy, I mark it and keep moving. Where value is undisclosed, I don’t invent it. Rows are links in a chain, not stand-alone think pieces, you can write whatever you want from the information you gather here.
Why this format could work at scale
I’m a realist so I don’t expect this to take off immediately. Mainly because it is a spreadsheet and they generate anxiety in the best of us. However, presenting complex information in an accessible and simplistic format is a way I see best to show how Australia governs through panels, frameworks, and “whole-of-” arrangements. These bits of information are siloed and incredibly hard to parse and so they are naturally found out either too late or not at all.
Australia has a culture of avoidance and “if it happens, we’ll deal with it”, but that is wearing out in the face of tech’s grip. There is an urgency that is fuelled by a lack of instrument tracking, and so we are bombarded with press conference garble, and the facts lost in translation.
Information alone is unsteady on purpose, particularly in shaky sectors. Vendors change names and products while contracts remain binding. Innovation is usually plumbing, and plumbing is where power hangs out. If you don’t pin the date and term, you can’t see the half-life of a decision.
Limits and bias
I will update this with every spreadsheet I post. This is in reference to the total of spreadsheets posted so far. (12th November, 2025)
Bias one: over-collect where money, identity, and enforcement meet (because that’s where everyday life changes).
Bias two: I’m suspicious of single-vendor control planes sold as “interoperability.”
Bias three: I prefer documents to quotes.
If you need cheerleading or catastrophe porn, there are ten better feeds and they’re talk less than me. If you want to know which clauses will be used against you later at work or at home, this ledger is for you.
How you can use it
If you’re a journalist, I imagine (well, how I would use it as a former journalist) it would be used a scaffold for questions. The entires can match instruments to outcomes and ask why the term is that long.
If you’re in government, there is opportunity to see patterns that can reveal blind spots across spheres, or potentially the hole you, your boss or successor could fall into.
If you’re a citizen just hanging out stressed about the internet, use it to translate the language into the real-world mechanics you’ll feel in your electricity bills, the checkout or a police stop.
If you’re a vendor, well, sorry—but this is just a clear read as to what your sales team actually sold.
Roadmap
I’ll keep logging daily and will publish periodic syntheses: identity/payments drift; sovereignty through procurement; soft-law mandates; safety theatre vs safety outcomes; defence spillover into civil systems.
I’ll also start running simple, reproducible queries over the ledger once I figure out what to build that are the most useful, logical, maintainable.
E.g. all amber/red entries where the instrument is contract and term ≥ 5 years touching hyperscalers; all identity-layer items co-mentioned with payments; all voluntary-code regimes that reappear inside tenders.
Open to suggestions here (and someone who is better with spreadsheets than I am)
Corrections, additions, blind spots
If I’ve logged something wrong, email me with a doc; I’ll mark and date the correction.
If I’m missing a seam (rural connectivity funding, spectrum carve-outs, state health ERPs, energy-adjacent compute policy) point me at sources and I’ll start capturing it.
Tips welcome.
Anything welcome really.