Parliament's Email Practices Probed by Privacy Watchdog
Defenders of MP Accused of Porn Access Reveal Their Own Poor Security Practices
The U.K.'s privacy watchdog has launched a probe into the email security practices of Members of Parliament and their staff.
"We're aware of reports that MPs share logins and passwords and are making enquiries of the relevant parliamentary authorities," the Information Commissioner's Office says in a statement. "We would remind MPs and others of their obligations under the Data Protection Act to keep personal data secure."
The ICO's investigation was triggered by multiple MPs claiming in media interviews and via Twitter that they regularly share their passwords with staff or leave workstations unlocked.
Many of those disclosures were made in defense of Conservative politician Damian Green, who serves as Prime Minister Theresa May's deputy in charge of developing and implementing government policy and overseeing Britain's "Brexit" from the European Union.
In recent days, Green has been accused of accessing a large quantity of pornography using his work PC, which was allegedly found in 2008 during a police investigation into Home Office leaks. At the time, Green was part of the shadow Home Office team.
Green has denied the allegations, which were made by a retired London Metropolitan Police official, and said that he didn't download or access the pornography allegedly recovered from his PC. He noted that he regularly shared the computer with others.
Defense: Everyone Does It
Some of Green's fellow parliamentarians attempted to defend their colleague by saying that they, too, share passwords on a regular basis.
"My staff log onto my computer on my desk with my login every day. Including interns on exchange programmes," Nadine Dorries, a Conservative MP, said in a tweet on Saturday.
Nick Boles, a Conservative MP who was formerly the country's business minister, said that "I often forget my password and have to ask my staff what it is." He later added: "As an MP, I employ four people to deal with the emails and letters constituents send me. They need access to these communications to do their jobs. No one else has access. Passwords are regularly changed."
Will Quince, another Conservative MP, says he regularly leaves his PC unlocked so that his staff can use it, in part because he prefers to save speeches and other documents to his personal PC rather than using collaboration tools such as OneDrive. "My office manager does know my login though. Ultimately I trust my team," he says.
Did MPs Violate Data Protection Act?
The attempted defense of Green appears to have backfired by highlighting dangerous cybersecurity practices on the part of some MPs and their staff (see 'Real People' Don't Want Crypto, UK Home Secretary Claims).
As the ICO notes, parliamentarians must comply with the Data Protection Act - passed by the very same Parliament - which requires that "appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."
The DPA also requires that staff be regularly informed and trained about exactly how to do that.
Cybersecurity Essentials Reminder
The Parliamentary Digital Service, which provides IT support to Parliament, has been attempting to help MPs with their cybersecurity practices. "You must not ... share your password," reads a staff handbook on information security responsibilities issued to Parliament.
In the wake of the ICO announcing its probe, Tracey Jessup, deputy head of the Parliamentary Digital Service, wrote to parliamentarians reminding them of password and email security essentials.
"Passwords must be considered as confidential and must be used only by the originator (and so not shared with other users)," Jessup's message read, Sky News reports.
"If you have been working in an insecure way by sharing your password with others, or by logging in to someone else's account, we would like to help," Jessup wrote. "In most scenarios, the solution is to provide colleagues with delegated access to your email and calendar via their own accounts."
Data breach expert Troy Hunt says via Twitter: "Right about now, there's a bunch of MPs beginning to think that maybe sharing their passwords with other people wasn't such a bright idea." (See Senators Again Propose National Breach Notification Law).
Not all lawmakers rushed to Green's defense by highlighting their own poor email security practices.
"Just for the record, I don't share passwords to my parliamentary IT accounts with anyone," Peter Grant, a Scottish National Party MP, says via Twitter.
"Just for the record I don't share passwords to my parliamentary IT accounts with anyone. Once an auditor, always an auditor." - Peter Grant MP (@PeterGrantMP), Twitter, December 4, 2017
The Art of Delegation
As Jessup's communication highlights, MPs already have the tools they need to give staff access to emails without having to share their own passwords.
Indeed, Parliament uses Office 365, which includes mailbox delegation as a standard feature, notes Sean Sullivan, a security adviser at Finnish anti-virus firm F-Secure. He points out that what the MPs describe sharing is a domain password, which grants access not only to email but to a number of other services.
"Based on their Tweets, the MPs are sharing their DOMAIN passwords so assistants can answer EMAILS. If only there were some sort of way to "add" delegates. (If only.)" - Sean Sullivan (@5ean5ullivan), Twitter, December 5, 2017
"In order to truly delegate access to someone else, it only takes a few clicks," Hunt writes in a blog post devoted to the dangers of password sharing.
But Ed Tucker, CIO at privacy consultancy DP Governance, says commentators have been too quick to blame users. "It's a simple fix in terms of delegate access, but as ever the InfoSec community jumps to blame the user rather than help solve the problem," he says via Twitter.
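For readers who administer such a tenant, the following is an added example (not code from the article, Parliament's Digital Service or any of the people quoted) of what "delegated access via their own accounts" looks like when set up from the Exchange Online side, using the standard ExchangeOnlineManagement cmdlets. The mailbox addresses and the admin account are hypothetical placeholders. The same result can be reached by the mailbox owner in Outlook's Delegate Access dialog; the PowerShell form is shown because it also makes the access auditable and revocable by the IT team rather than depending on the owner remembering who has the password.

```powershell
# Added example: Exchange Online delegation in place of password sharing.
# Requires the ExchangeOnlineManagement module. All identities are hypothetical.
Connect-ExchangeOnline -UserPrincipalName admin@example.org

$mp    = 'mp@example.org'          # hypothetical MP mailbox (the owner)
$staff = 'caseworker@example.org'  # hypothetical staffer, signing in with their OWN account

# Option A (broad): the staffer can open and manage the whole mailbox.
# No password changes hands, and mailbox audit logging records these
# actions with LogonType "Delegate" and the staffer's identity, not the MP's.
Add-MailboxPermission -Identity $mp -User $staff `
    -AccessRights FullAccess -InheritanceType All -AutoMapping $true

# Let replies go out "on behalf of" the MP, so recipients can still see
# who actually wrote the message (unlike Send As, which hides the sender).
Set-Mailbox -Identity $mp -GrantSendOnBehalfTo @{Add = $staff}

# Option B (narrow, usually preferable): grant only what the job needs,
# e.g. edit rights on the calendar and read rights on the Inbox.
Add-MailboxFolderPermission -Identity "$($mp):\Calendar" -User $staff -AccessRights Editor
Add-MailboxFolderPermission -Identity "$($mp):\Inbox"    -User $staff -AccessRights Reviewer

# Check: who has explicit (non-inherited) access right now, ignoring the
# owner's own entry and system principals.
Get-MailboxPermission -Identity $mp |
    Where-Object { -not $_.IsInherited -and $_.User -notlike 'NT AUTHORITY\*' } |
    Select-Object User, AccessRights, Deny

Get-Mailbox -Identity $mp | Select-Object -ExpandProperty GrantSendOnBehalfTo
Get-MailboxFolderPermission -Identity "$($mp):\Calendar"

# Offboarding (an intern on an exchange programme leaves, say): revoke the
# grants. With a shared password, the only equivalent is rotating it for everyone.
Remove-MailboxPermission -Identity $mp -User $staff -AccessRights FullAccess -Confirm:$false
Set-Mailbox -Identity $mp -GrantSendOnBehalfTo @{Remove = $staff}
Remove-MailboxFolderPermission -Identity "$($mp):\Calendar" -User $staff -Confirm:$false
Remove-MailboxFolderPermission -Identity "$($mp):\Inbox"    -User $staff -Confirm:$false
```

Two caveats a practitioner would raise: FullAccess lets the delegate read everything in the mailbox, so folder-level permissions are the better default when staff only need to triage correspondence; and none of this helps if the MP then shares the domain password anyway, since that password also unlocks everything else the account can reach, which is why Jessup's note points MPs at delegation rather than at a stronger password.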
At least some MPs, however, appear to have been actively avoiding the problem, despite Parliament's IT arm trying to help them.
"Most MPs have that fatal combination of arrogance, entitlement and ignorance, which mean they don't think codes of practice are for them," one MP tells the BBC. But the MP adds that many parliamentarians do appear to have improved their email security practices following attacks this past summer (see British Parliament Targeted by Brute-Force Email Hackers).
Another MP who was targeted by Russian hackers told the BBC that requiring parliamentarians to sharpen their information security practices might be impossible to enforce. "Ultimately, this is a result of each MP and their office functioning as entirely independent small businesses," the MP said. "If one person wants to make daft decisions there is no way of forcing them not to."