- The UK’s data watchdog, the ICO, is looking into reports that MPs hand out passwords to their parliamentary computers to staff.
- MP Nadine Dorries tweeted that she shared passwords with interns, attracting criticism from the security community.
- The issue began with Damian Green, the MP whose Westminster computer reportedly contained pornography.
- Allies said it was possible someone with Green’s password accessed pornography on his computer without his knowledge.
The UK’s privacy and data watchdog is quizzing parliamentary authorities about politicians who share their email and computer passwords with staff – potentially putting sensitive information about their constituents at risk.
The Information Commissioner’s Office (ICO) said in a statement to Business Insider: “We’re aware of reports that MPs share logins and passwords and are making enquiries of the relevant parliamentary authorities. In the meantime, we would remind MPs and others of their obligations under the Data Protection Act to keep personal data secure.”
The ICO can fine individuals for breaching the law.
Security experts and activists have reacted furiously to politicians who have been publicising the fact that other people often access their computers at work.
The furore kicked off after Conservative MP Nadine Dorries tweeted on Saturday: “My staff log onto my computer on my desk with my login everyday. Including interns on exchange programmes. For the officer on @BBCNews just now to claim that the computer on Greens desk was accessed and therefore it was Green is utterly preposterous !!”
Dorries’ tweet relates to a separate scandal around Damian Green, a Conservative MP and First Secretary of State. A former detective claimed thousands of pornographic images were found on Green’s computer after a police raid in 2008 over parliamentary leaks. Green has denied the claims, describing them as “smears.”
His peers rallied to his defence, variously claiming that pornography wasn’t a police matter, and that if there were images, it’s possible they were accessed by someone other than Green.
Politician Nick Boles wrote: “I certainly do [share parliamentary login details]. In fact I often forget my password and have to ask my staff what it is.”
And Dorries followed up with: “I’m sure if the computers of all MPs – including Labour ones, were investigated there would be a record of porn being accessed. There would, in all cases, be zero proof of who it was who accessed it.”
Since politicians receive and respond to constituent emails on their parliamentary PCs, putting constituents’ personal data at risk could constitute a breach of the Data Protection Act.
Jim Killock, chief executive of online privacy group Open Rights Group, said: “On the face of it, Nadine Dorries is admitting to breaching basic data protection laws, making sure her constituents’ emails and correspondence is kept confidential and secure. She should not be sharing her log in with interns.
“More worryingly, it appears this practice of MPs sharing their log ins may be rather widespread. If so, we need to know. We are urging MPs’ staff and former staff to get in touch with us if they have knowledge about insecure data practices in MPs’ offices. Once we know more, we will consider complaining to the Information Commissioner and Parliamentary authorities.”
Troy Hunt, a prominent security blogger, wrote: “This illustrates a fundamental lack of privacy and security education. All the subsequent reasons given for why it’s necessary have technology solutions which provide traceability back to individual, identifiable users.”
Hunt added in a blog post that sharing passwords meant that when something does go wrong – as in Green’s case – MPs have plausible deniability.
“Giving someone else access to your account leaves the door open to shirking responsibility when things go wrong,” he said.
Parliament’s digital service also tweeted out advice to MPs not to share passwords:
In common with other organisations, Parliament has a cyber security policy that applies to all users of its digital services, including Members, their staff and parliamentary staff. In line with good practice, this policy includes a requirement not to share passwords.
— PDS (@ParliDigital) December 4, 2017