Infosec twitter collectively shat itself this weekend, when Nadine Dorries — a British parliamentarian slash author of god-awful fiction — proudly announced that she shares her email with her staff — including interns.
My staff log onto my computer on my desk with my login everyday. Including interns on exchange programmes. For the officer on @BBCNews just now to claim that the computer on Greens desk was accessed and therefore it was Green is utterly preposterous !!
— Nadine Dorries (@NadineDorries) December 2, 2017
All my staff have my login details. A frequent shout when I manage to sit at my desk myself is, ‘what is the password?’
— Nadine Dorries (@NadineDorries) December 2, 2017
For context: She’s talking about Damian Green; a fellow Conservative politician who is currently in a spot of bother over allegations he accessed pornography on his government-issued computer. Dorries argues that just because literally thousands of pornographic thumbnails were discovered on his computer doesn’t mean that he’s guilty.
This is startling because it suggests that credential sharing is a common practice in parliament. And indeed, other MPs chimed in to say that they too shared their log-in details with their employees. What’s the big deal?
The 💜 of EU tech
The latest rumblings from the EU tech scene, a story from our wise ol' founder Boris, and some questionable AI art. It's free, every week, in your inbox. Sign up now!
I certainly do. In fact I often forget my password and have to ask my staff what it is.
— Nick Boles MP (@NickBoles) December 3, 2017
Nadine Dorries has pointed out that she’s not a member of cabinet, and is merely a backbencher. As a result, she’s unlikely to see any confidential government communications. That’s absolutely true, and is unlikely to change any time soon given the crowning achievement of her political career is an appearance on reality TV show I’m A Celebrity, Get Me Out Of Here, where the veteran MP for Mid Bedfordshire munched on an ostrich anus in front of the entire nation.
Christ, if she ever did get a cabinet position, she’d probably be the Secretary of State for Safety Scissors. And she’ll probably need a grown-up to supervise her at all times. But I digress.
In the UK, MPs act as an advocate for their constituents in a number of sensitive areas, ranging from financial matters, to welfare and immigration issues. It’s seriously alarming Dories doesn’t regard her constituent communications as something that should be protected by adhering to industry best practices.
And as mentioned, the infosec world wasn’t impressed. Some of the best coverage came from Troy Hunt and Javvad Malik, although there was plenty of snark on display from Twitter.
As Troy Hunt pointed out in his blog post, we should approach this with a degree of understanding. Parliamentarians have hundreds of thousands of constituents to answer to. Both Dorries and Boles said they receive hundreds of emails and letters every day. These have to be answered, and it’s impossible for them to reply to them all while tending to their other duties.
The problem is, they’re going about it in entirely the wrong way. For starters, sharing credentials for government email accounts is a major no-no.
But more importantly, there’s a better way. The UK parliament’s email is based on Microsoft Office 365. This supports delegation, which allows authorized third-parties to access specific mailboxes without passing around passwords. This is traceable, revocable, and all-around better.
So, why aren’t MPs using this? It’s entirely possible that they don’t know how. Most MPs tend to have a non-technical background. A (slightly dated) analysis of MPs educational background shows that the majority of parliamentarians studied things like Law, Economics, Politics, and Geography at university. From what I could tell, only two MPs studied computer science to a degree level.
Most MPs tend to be older, too. They aren’t digital natives. The average age of an MP at the 2015 election was 50. According to Wikipeda, Dorries herself is 60.
But that isn’t a defense, and ignorance won’t protect you when a hacker (cough Fancy Bear cough) comes a-knocking.
Get the TNW newsletter
Get the most important tech news in your inbox each week.