Numerous UK citizens have expressed their concerns over what are flagrantly poor data security practices among several members of Parliament (MPs).
On 2 December, MP Nadine Dorries was just one of several politicians to come to the defense of Damian Green following the publication of a BBC News article a day earlier. In the story, former Scotland Yard detective Neil Lewis explains how he examined the senior Tory MP's computer during a government inquiry in 2008 and came across "thousands" of pornographic thumbnail images. The Metropolitan Police chastised Lewis for making information acquired through a government inquiry public, but the damage was done.
Which brings us to Dorries. The MP took to Twitter to dispute the notion that Green was responsible for having downloaded the pornographic content to his computer. She did so by revealing that her staff use her login to access her computer every day, thereby raising the possibility that one of Green's staff members could have accessed the porn.
Those upset by Green as well as members of the information security community immediately turned their attention to Dorries. She did her best to justify her answer. However, she only made matters worse.
For example, one individual asked her if she was aware of foreign hackers accessing UK government computers. In response, she wondered whether anyone would want to target "an MP with a computer in a shared office upon which lives an email account." Security expert Graham Cluley explains what's wrong with that statement:
Oh dear... She's wrong, of course. I would bet my bottom dollar that there is plenty of information on her PC that would be of value to criminals (they'd probably ignore the porn). It's not just the personal information of the people she corresponds with, but also the fact that her PC, email and social media accounts could be used as a launchpad for attacks against others.
Dorries also claimed that an investigation into all MPs' computers would yield a record of porn viewership, which doesn't paint a flattering picture of how UK politicians spend their time.
At that point, other MPs joined the conversation. Their comments revealed similarly poor data security practices in the UK government. Will Quince, for example, said he routinely leaves his computer unlocked because he trusts his team with his computer and that his office manager knows his password. And then there's Nick Boles, who admitted he doesn't know his password and that he frequently needs to ask his staff for it.
Needless to say, people were not pleased by these MPs' confessions of risky behavior, and they had reason to feel disgusted. On the one hand, it's an issue of following government regulations. Some Twitter users pointed out that the House of Commons Staff Handbook (PDF) specifically urges members to not share their passwords with others. The Information Commissioner's Office (ICO) affirmed this obligation among MPs in a tweet:
We’re aware of reports that MPs share logins and passwords and are making enquiries of the relevant parliamentary authorities. We would remind MPs and others of their obligations under the Data Protection Act to keep personal data secure.
On the other hand, it's about a failure to lead by example. If Dorries, Quince, Boles, and other MPs refuse to follow best data security practices, they are in a weak position to discuss encryption backdoors and other measures that would affect all UK citizens' data security. Until they change their behaviors, they therefore can't claim the authority to know for what reasons regular people use encrypted messaging apps like WhatsApp and Telegram, among other issues of security and privacy.
Members of Parliament should not be accessing pornographic content on their computers. Even more importantly, however, they should be taking steps to strengthen their digital security. That includes guarding their passwords…just like ordinary users should do.