
Parliament's Email Practices Probed by Privacy Watchdog

Defenders of MP Accused of Porn Access Reveal Their Own Poor Security Practices
Photo: Ilirjan Rrumbullaku, via Flickr/CC

The U.K.'s privacy watchdog has launched a probe into the email security practices of Members of Parliament and their staff.


"We're aware of reports that MPs share logins and passwords and are making enquiries of the relevant parliamentary authorities," the Information Commissioner's Office says in a statement. "We would remind MPs and others of their obligations under the Data Protection Act to keep personal data secure."

The ICO's investigation was triggered by multiple MPs claiming in media interviews and via Twitter that they regularly share their passwords with staff or leave workstations unlocked.

Many of those disclosures were made in defense of Conservative politician Damian Green, who serves as Prime Minister Theresa May's deputy in charge of developing and implementing government policy and overseeing Britain's "Brexit" from the European Union.

In recent days, Green has been accused of accessing a large quantity of pornography using his work PC, which was allegedly found in 2008 during a police investigation into Home Office leaks. At the time, Green was part of the shadow Home Office team.

Green has denied the allegations, which were made by a retired London Metropolitan Police official, and said that he didn't download or access the pornography allegedly recovered from his PC. He noted that he regularly shared the computer with others.

Defense: Everyone Does It

Some of Green's fellow parliamentarians attempted to defend their colleague by saying that they, too, share passwords on a regular basis.

"My staff log onto my computer on my desk with my login every day. Including interns on exchange programmes," Nadine Dorries, a Conservative MP, said in a tweet on Saturday.

Nick Boles, a Conservative MP who was formerly the country's business minister, said that "I often forget my password and have to ask my staff what it is." He later added: "As an MP, I employ four people to deal with the emails and letters constituents send me. They need access to these communications to do their jobs. No one else has access. Passwords are regularly changed."

Will Quince, another Conservative MP, says he regularly leaves his PC unlocked so that his staff can use it, in part because he prefers to save speeches and other documents to his personal PC rather than using collaboration tools such as OneDrive. "My office manager does know my login though. Ultimately I trust my team," he says.

Did MPs Violate Data Protection Act?

The attempted defense of Green appears to have backfired by highlighting dangerous cybersecurity practices on the part of some MPs and their staff (see 'Real People' Don't Want Crypto, UK Home Secretary Claims).

As the ICO notes, parliamentarians must comply with the Data Protection Act - passed by the very same Parliament - which requires that "appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."

The DPA also requires that staff be regularly informed and trained about exactly how to do that.

Excerpt from a House of Commons publication offering advice for members and their staff on the Data Protection Act 1998 and safeguarding personal information about constituents and others.

Cybersecurity Essentials Reminder

The Parliamentary Digital Service, which provides IT support to Parliament, has been attempting to help MPs with their cybersecurity practices. "You must not ... share your password," reads a staff handbook on information security responsibilities issued to Parliament.

In the wake of the ICO announcing its probe, Tracey Jessup, deputy head of the Parliamentary Digital Service, wrote to parliamentarians reminding them of password and email security essentials.

Parliamentary Digital Service awareness brochure obtained by Associated Press via a Freedom of Information request. (Source: Raphael Satter)

"Passwords must be considered as confidential and must be used only by the originator (and so not shared with other users)," Jessup's message read, Sky News reports.

"If you have been working in an insecure way by sharing your password with others, or by logging in to someone else's account, we would like to help," Jessup wrote. "In most scenarios, the solution is to provide colleagues with delegated access to your email and calendar via their own accounts."

Data breach expert Troy Hunt says via Twitter: "Right about now, there's a bunch of MPs beginning to think that maybe sharing their passwords with other people wasn't such a bright idea." (See Senators Again Propose National Breach Notification Law).

Not all lawmakers rushed to Green's defense by highlighting their own poor email security practices.

"Just for the record, I don't share passwords to my parliamentary IT accounts with anyone," Peter Grant, a Scottish National Party MP, says via Twitter.

The Art of Delegation

As Jessup's communication highlights, MPs already have the tools they need to give staff access to emails without having to share their own passwords.

Indeed, Parliament uses Office 365, and anyone who has been assigned a domain password - which grants access to a number of services, including email - already has that delegation ability, says Sean Sullivan, a security adviser at Finnish anti-virus firm F-Secure.

"In order to truly delegate access to someone else, it only takes a few clicks," Hunt writes in a blog post devoted to the dangers of password sharing.

But Ed Tucker, CIO at privacy consultancy DP Governance, says commentators have been too quick to blame users. "It's a simple fix in terms of delegate access, but as ever the InfoSec community jumps to blame the user rather than help solve the problem," he says via Twitter.
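For readers wondering what "delegated access via their own accounts" looks like in practice, the following is an added example, not code from the article, from Parliament or from any of the people quoted. It uses the Exchange Online PowerShell module (ExchangeOnlineManagement) to grant a staff member access to an MP's mailbox and calendar from the staff member's own login; the mailbox, staff and administrator addresses are placeholders. The same result can be reached by the mailbox owner through Outlook's delegate settings, which is the "few clicks" route Hunt refers to; the administrative route is shown here because it also makes the audit and revocation steps explicit.

```powershell
# Added example (not from the article): grant delegated mailbox and calendar
# access in Exchange Online so that staff never need the member's password.
# All addresses below are placeholders.
$Mailbox = 'mp@parliament.example'          # placeholder: the member's mailbox
$Staff   = 'caseworker@parliament.example'  # placeholder: a staff member's own account

Connect-ExchangeOnline -UserPrincipalName 'admin@parliament.example'  # placeholder admin account

# 1. Full read/manage access to the mailbox contents, auto-mapped into the
#    delegate's Outlook. Every action is logged against the delegate's identity.
Add-MailboxPermission -Identity $Mailbox -User $Staff -AccessRights FullAccess `
    -InheritanceType All -AutoMapping $true

# 2. Let staff answer constituents in the member's name. "Send on Behalf"
#    keeps the delegate's name visible in the From line, unlike Send As.
Set-Mailbox -Identity $Mailbox -GrantSendOnBehalfTo @{Add = $Staff}

# 3. Calendar only, at Editor level: a diary secretary does not need FullAccess
#    to the whole mailbox. Note the ${} braces so PowerShell does not read
#    "$Mailbox:" as a drive or scope qualifier.
Add-MailboxFolderPermission -Identity "${Mailbox}:\Calendar" -User $Staff -AccessRights Editor

# Audit: who currently holds explicit rights on this mailbox? Filters out
# inherited entries and the mailbox owner's own NT AUTHORITY\SELF entry.
Get-MailboxPermission -Identity $Mailbox |
    Where-Object { -not $_.IsInherited -and $_.User -notlike 'NT AUTHORITY\*' } |
    Select-Object User, AccessRights

# Revocation when a staff member leaves: remove their delegation, no password
# change required for the member. Uncomment to run.
# Remove-MailboxPermission -Identity $Mailbox -User $Staff -AccessRights FullAccess -Confirm:$false
# Set-Mailbox -Identity $Mailbox -GrantSendOnBehalfTo @{Remove = $Staff}
# Remove-MailboxFolderPermission -Identity "${Mailbox}:\Calendar" -User $Staff -Confirm:$false

Disconnect-ExchangeOnline -Confirm:$false
```

The point a security team would stress is in the last two blocks: with delegation, access is granted and withdrawn per person and shows up in a permission listing, whereas a shared password can only be "revoked" by resetting it for everyone at once, and leaves no record of which individual read or sent a given message.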

Cultural Challenges

At least some MPs, however, appear to have been actively avoiding the problem, despite Parliament's IT arm trying to help them.

"Most MPs have that fatal combination of arrogance, entitlement and ignorance, which mean they don't think codes of practice are for them," one MP tells the BBC. But the MP adds that many parliamentarians do appear to have improved their email security practices following attacks this past summer (see British Parliament Targeted by Brute-Force Email Hackers).

Another MP who was targeted by Russian hackers told the BBC that requiring parliamentarians to sharpen their information security practices might be impossible to enforce. "Ultimately, this is a result of each MP and their office functioning as entirely independent small businesses," the MP said. "If one person wants to make daft decisions there is no way of forcing them not to."


About the Author

Mathew J. Schwartz


Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.



