back to article UK Info Commissioner slams use of WhatsApp by health officials during pandemic

The UK Information Commissioner's Office (ICO) on Monday issued a reprimand and called for a review of how and whether messaging services should be used for government business practices, after finding widespread and potentially dangerous use of private email, WhatsApp and other messaging tools by officials at the Department of …

  1. Potemkine! Silver badge
    Flame

    To sum it up, all these ministers and officials gave all these potentially sensitive data to MetaFeckbook.

    Those guys who are in charge of taking care of the People have an idiotic behaviour and the IT knowledge of a 11yo kid. They don't listen to any security advice. That isn't a surprise, but it's sad nonetheless.

    1. hitmouse

      They gave their data to everyone. If they used WhatsApp or Facebook Messenger then the transmitted images land in local phone storage where they are freely available to any backup provider plus random image app vendors

      1. AVR

        But most importantly their data is hidden from any official archives or information. It might be entirely innocent, might not, there's no way of telling now unless you're in the GCHQ.

    2. ICL1900-G3 Bronze badge

      You can't help wondering about the tw@s that downvoted this.

  2. tiggity Silver badge

    we all know one big reason

    Was so that dodgy dealings / info passing to their mates was outside recorded official channels

    It's not about "getting things done", its about hiding activities from legitimate scrutiny.

    1. Anonymous Coward
      Anonymous Coward

      Re: we all know one big reason

      I don't know why you've been downvoted when this is quite obviously why they've been using whatsapp

      Perhaps we have a Blojo fanatic lurking amongst us.

      1. Tom7

        Re: we all know one big reason

        This is just paranoid conspiracy-theorising.

        Go have a good look at the data protection practices of your average NHS trust. Use of WhatsApp for staff communication - including discussion of patient information - is absolutely rampant. It's a data protection and management nightmare but no-one seems to be doing anything to rein it in. This has come from the bottom up, not the top down.

        I'm personally aware of two cases where a whole ward were required to join a WhatsApp group and a member of staff used the resulting access to personal phone numbers to stalk other members of staff. Nothing can be proved because he deleted all the conversations from WhatsApp soon after they happened and no-one thought to screenshot them.

        1. Dan 55 Silver badge

          Re: we all know one big reason

          It's very probably IT ineptitude down at the hospital, it's certainly not in any government department.

        2. graeme leggett

          Re: we all know one big reason

          Whataboutery of the first order.

        3. Flywheel

          Re: we all know one big reason

          a data protection and management nightmare but no-one seems to be doing anything to rein it in

          In a case like this, isn't it usually because there is no official, practical working alternative? And if so, why is that?

          1. 43300

            Re: we all know one big reason

            Microsoft Teams?

            Not perfect by any means, but can be used for these sorts of communications, is fully managed and controlled by the IT departments.

          2. 3arn0wl

            Alternatives

            I'm surprised that Tox isn't more widely used.

            And wouldn't a Nextcloud server also be useful?

        4. Richard 12 Silver badge

          Re: we all know one big reason

          We already know that "unofficial channels" were used to unlawfully award multiple contracts, and that some fairly large sums changed hands.

          That's been proven in the High Court.

          We don't know how many billions were fraudulently wasted in this way, what quids were pro quo'd, and what official secrets were exposed to foreign spies - because several ministers' phones were mysteriously lost or wiped before the civil service were able to back that WhatsApp/Signal/SMS information up - as they are legally required to do

          All we know is that this unlawful behaviour was widespread at ministerial, cabinet and PM level.

    2. DS999 Silver badge

      That's probably responsible for a minority of use

      When you know you're doing something wrong or may later be viewed as wrong sure you want to cover your tracks. But isn't like most of their work involves doing illegal or possibly illegal stuff. Most of this WhatsApp usage is probably laziness and convenience.

      For instance, they have their corporate messaging solution on their laptop, but not on their phone because it doesn't work outside the office unless you fire up a VPN which has its own set of issues. So it might be the norm to use whatever solution has been adopted internally when you're using your laptop, but outside of work hours everyone in an organization has tacitly agreed to use WhatsApp or SMS as the lowest common denominator.

  3. Pascal Monett Silver badge

    "a review of how and whether messaging services should be used for government business practices"

    This is just preparing the road to another trough where billions will be spent for a "government-secure messaging system" which will never actually see the light of day.

    Mark my words.

  4. wobball

    Corruption of the highest order is why they used it, obvs! The UK Govt already had secure comms in place but they were monitored so not fit for their purpose! So they decided to use a meeting platform that routed via middle earth along with this wotsapp farce where it was always obvious it was 'cos they are corrupt, to the highest order.

  5. J.G.Harston Silver badge

    A lot of it is bone-headed users, managers, controllers, directors who think: I scream from the rooftops to chat with my kids and mates, of course I also scream from the rooftops to chat with staff colleagues about confidential patient data.

  6. Filippo Silver badge

    Every now and then, government officials may be using private comms in order to hide unsavory activities.

    However, you really don't need to go looking for conspiracies. In the vast majority of cases, they do it simply because it's slightly more convenient, and they - much like the general public - are either unaware or uncaring of the resulting privacy issues.

    The thing is, we, as a society, really do not have a culture of privacy. I do make an effort to protect my privacy, and I think so do most people who read TheRegister's comment pages. But the vast majority out there? They say they want privacy, but only if they don't have to lift a finger for it.

    I mean, they barely tolerate having to click an "I Agree/Disagree" button on a website, an action that literally only takes the lift of a finger. Switching messaging app? Nope. Logging in to your secure email? Not even on the table. IMHO, it will take decades before people really understand what privacy means.

    Never attribute to malice that which can be attributed to laziness, stupidity or ignorance.

    1. tiggity Silver badge

      @Filippo

      They are public servants

      That applies to MPs and the civil servants who they work with in parliament.

      Arguably the most important people in the country in terms of how they can affect what happens.

      With such power there should be full accountability, activities must be transparent and open to full inspection / audit.

      .. Yes there will still be circumvention (e.g. easy to avoid digital & use non audited "paper" messages & judicious use of shredders), but it should be made as difficult as possible to get up to "secret" activities.

      I'm a "nobody", but everything I do at work is recorded (various forms of approved communication only to be used). Any local / cloud data gets checked to make sure no data is stored in the wrong place or beyond time allocated to work with it & that its purged ASAP. That's all just for GDPR compliance (as, for my work I sometimes need access to third party PII)

      .. so it wouldn't hurt the people running*our country to embrace audit culture given some of the massively sensitive information they have access to.

      With the current near zero transparency then unsurprisingly a lot of people assume corruption everywhere. Personally I think there are some MPs with a bit of integrity but the corrupt chancer element seems to have increased markedly over the years (or at the very least become less hidden).

      * opinions may vary on how good a job they are doing

    2. Surrey Veteran

      Never attribute to malice that which can be attributed to laziness, stupidity or ignorance.

      Or even worse a Junior Minister or Middle manager trying to show some IT acumen!

      I seen it some many times, somebody decides to install certain software probably developed in the back of a Garage in Seattle or some cloud service of dubious reputation which of course only the bosses of that somebody are aware and even congratulate it the person for his/her idea.

      But then finally becomes an IT problem when you need to break the news that actually that solution is a danger to the business ..... and is your fault because you are being negative! Not missing my old life in corporate IT.

    3. TheMeerkat Bronze badge

      “Agree / Disagree” button on websites is just stupid.

      It is a type of law the government would come with and then keep knowing perfectly well that it is useless

      It should be got rid of asap.

  7. Gomez Adams

    The logical conclusion is for all officials to be wired 24/7 so that even that passing brief exchange in the corridors of power is recorded including "Do you take sugar with your coffee?"

    1. tiggity Silver badge

      Given so many of them like to spout "if nothing to hide, nothing to fear" then subjecting them to panopticon style monitoring should be fine with them...

  8. Mike 137 Silver badge

    Risk as a basis?

    "adopting new ways of working without sufficient consideration of the risks and issues they may present for information management"

    And simultaneously the UK govt. is proposing to make data protection compliance more 'risk based'. The two key problems with this are [1] that corporate risk management is inward looking - 'risk to us' whereas data protection risk is to the data subject, and [2] almost no organisation seems capable of assessing risk other than by going through the motions of some arbitrary process that relies on wild guesswork, delivering essentially meaningless results. So we're shortly going to have legislation that operates only in theory.

  9. Anonymous Coward
    Anonymous Coward

    Why has IT not locked Access to these back doors?

    Did nobody think of locking these apps and sites down?

    Or is this just doing my job and Covid / lock down is my excuse.

    We went through checking "Whatsapp" out about three times, cos senior management wanted to use it.

    It was the same for Google meet, and it was locked out on the Proxy's and sent you to a warning page on official sanctioned tools.

    But you can't stop "pondlife" from using their own phones or gov provided mobiles for their own purposes.

    1. Martin Summers

      Re: Why has IT not locked Access to these back doors?

      "But you can't stop "pondlife" from using their own phones or gov provided mobiles for their own purposes."

      Yes, exactly the point of the article! Making your rant about IT departments not locking the apps down completely redundant.

    2. Charlie Clark Silver badge

      Re: Why has IT not locked Access to these back doors?

      But you can't stop "pondlife" from using their own phones or gov provided mobiles for their own purposes.

      Government or company provided phones can, and should, be restricted in the apps that are installable. Using a private phone or e-mail for company/government business is usally a breach of contract, as well as any data privacy issues and can lead to sacking. It does happen and I think we've probably all experienced situations where it's been required. Difficult to see this in any kind of context in terms of the pandemic and really a dangerous erosion of data security and sovereignty.

  10. Plest Silver badge
    Mushroom

    Here's a clue bozos!

    How about you come up with a tool that's as good if not better instead of pissing all our tax paid cash into some piss-poor projects that aren't fit for a GSCE computer project let alone a national public service organisation?

    I hate WhatsApp/Faceslap/Twatte et. al with a venomous passion, but WhatsApp is simple and it works, it's not overblown cash-milking machine designed by a company only hired by some minister 'cos his brother is on the board of the IT app coding company!!!

    Argh!!

    1. hitmouse

      Re: Here's a clue bozos!

      If you use Teams chat (as mandated in many regulated environments) it's rated for medical privacy and content is not cached locally.

      However you can't tell a doctor that they've made a choice showing they aren't brilliant in technology understanding...as they just stare you down and say "people will die" .... mic drop.

      1. This post has been deleted by its author

      2. Anonymous Coward
        Anonymous Coward

        Re: Here's a clue bozos!

        Teams chats sucks.

        There are other options. In our Trust we use Siilo. Simple, intuitive, does the job, and "secure" (or so they claim). The ability to use this sort of instant messaging has been transformational for flow and patient safety. Much more so than I initially expected, if I'm honest.

        1. 43300

          Re: Here's a clue bozos!

          Teams chat isn't great, but it basically works and can be managed to be compliant - and assuming you have Microsoft subscriptions, which most will have, it won't cost you any extra.

  11. nsld

    PPE VIP Lane shenanigans

    Several cases of allegedly unrecoverable WhatsApp messages when the Tory party was spaffing our cash on overpriced, unusable PPE from party donors and personal friends.

    Any comms channel outside approved and supplied ones should raise serious questions.

    Given how often Prittler bangs on about access to comms you'd think she'd be all over this.!

    1. Richard 12 Silver badge

      Re: PPE VIP Lane shenanigans

      Oh no, she just wants access to everyone else's communications.

      Nobody should be allowed to read hers, or her cronies.

      It's a perfectly consistent position - the peons need controlling and tightly hammering into our tiny little boxes.

    2. Anonymous Coward
      Anonymous Coward

      Re: PPE VIP Lane shenanigans

      The problem is, MPs just get to resign 'lose their honour'* and walk when it all starts getting hot under the collar, rather than having to go through an exit strategy where they are investigated, and potentially prosecuted.

      *lose their honour, means nothing in today's world. Just look at Sunak and Johnson, having a criminal record. 'No one cares' (the media pushed narrative), and they really should. Those making the law should obey the law first and foremost.

  12. DS999 Silver badge

    This can only be fixed with

    1) random audits of departments to verify non standard / insecure / non loggable communications aren't being used.

    2) remove the roadblocks that limit use of the standard/approved communication solutions in some situations.

    For instance if your messaging solution doesn't have an external gateway but requires you be inside the corporate/government network, you need a VPN. What's more you need that VPN to be both convenient (something that can be configured once and will always be connected without needing to do anything on your phone if you restart / update the OS / etc.) and not cause any other issues - i.e. it must ONLY redirect connections to your corporate network over the VPN rather than all your network traffic.

    Few organizations I've seen manage either 1 or 2, let alone both.

    1. 3arn0wl

      Re: This can only be fixed with

      ... and what happens if the tech gets left on a train, or stolen? (As happens from time to time)

      It's not unreasonable to ask people to log in.

      The encroaching expectation that people will be contactable 24/7 however, is unreasonable.

      1. Richard 12 Silver badge

        Re: This can only be fixed with

        Indeed.

        Which is also why the corporate-approved communication channels must be the only ones available.

        Otherwise it becomes really easy for unscrupulous to target their underlings outside office hours.

      2. the spectacularly refined chap Silver badge

        Re: This can only be fixed with

        ... and what happens if the tech gets left on a train, or stolen? (As happens from time to time)

        You revoke the device key for the VPN. This may have used to be a problem but with secure boot and full disk encryption as used on most corporate laptops these days it's a non issue.

        1. 3arn0wl

          Re: This can only be fixed with

          "You revoke the device key for the VPN."

          Closing the stable door after the horse has bolted. :/

      3. DS999 Silver badge

        Re: This can only be fixed with

        Then it is as secure as your phone, which may or may not be good enough depending on whether the network you are VPN'ing to is zero trust or not. However, there's nothing stopping the VPN from requiring a password to re-establish communication if the device has been locked more than x minutes.

        It could work like those free wifi logins where the first attempt to use it sends you to the web browser to show a page where you have to click ''agree" on their rules and whatnot.

        Expecting people to be contactable 24x7 is irrelevant to the question of whether you make it easy to use the standard messaging solution when employees are outside the network (which they may be while on the clock, if working from home or traveling for work, etc.)

  13. Winkypop Silver badge
    Coat

    WhatsApp

    Doc?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like

Biting the hand that feeds IT © 1998–2022