UK Info Commissioner slams use of WhatsApp by health officials during pandemic

The UK Information Commissioner's Office (ICO) on Monday issued a reprimand and called for a review of how and whether messaging services should be used for government business practices, after finding widespread and potentially dangerous use of private email, WhatsApp and other messaging tools by officials at the Department of …

  1. Potemkine! Silver badge

    To sum it up, all these ministers and officials gave all these potentially sensitive data to MetaFeckbook.

    Those guys who are in charge of taking care of the People have an idiotic behaviour and the IT knowledge of an 11yo kid. They don't listen to any security advice. That isn't a surprise, but it's sad nonetheless.

    1. hitmouse

      They gave their data to everyone. If they used WhatsApp or Facebook Messenger then the transmitted images land in local phone storage where they are freely available to any backup provider plus random image app vendors.

      1. AVR

        But most importantly their data is hidden from any official archives or information. It might be entirely innocent, might not, there's no way of telling now unless you're in the GCHQ.

    2. ICL1900-G3

      You can't help wondering about the tw@s that downvoted this.

  2. tiggity Silver badge

    we all know one big reason

    Was so that dodgy dealings / info passing to their mates was outside recorded official channels

    It's not about "getting things done", it's about hiding activities from legitimate scrutiny.

    1. Anonymous Coward

      Re: we all know one big reason

      I don't know why you've been downvoted when this is quite obviously why they've been using WhatsApp.

      Perhaps we have a Blojo fanatic lurking amongst us.

      1. Tom7

        Re: we all know one big reason

        This is just paranoid conspiracy-theorising.

        Go have a good look at the data protection practices of your average NHS trust. Use of WhatsApp for staff communication - including discussion of patient information - is absolutely rampant. It's a data protection and management nightmare but no-one seems to be doing anything to rein it in. This has come from the bottom up, not the top down.

        I'm personally aware of two cases where a whole ward were required to join a WhatsApp group and a member of staff used the resulting access to personal phone numbers to stalk other members of staff. Nothing can be proved because he deleted all the conversations from WhatsApp soon after they happened and no-one thought to screenshot them.

        1. Dan 55 Silver badge

          Re: we all know one big reason

          It's very probably IT ineptitude down at the hospital, it's certainly not in any government department.

        2. graeme leggett Silver badge

          Re: we all know one big reason

          Whataboutery of the first order.

        3. Flywheel

          Re: we all know one big reason

          a data protection and management nightmare but no-one seems to be doing anything to rein it in

          In a case like this, isn't it usually because there is no official, practical working alternative? And if so, why is that?

          1. 43300 Silver badge

            Re: we all know one big reason

            Microsoft Teams?

            Not perfect by any means, but can be used for these sorts of communications, is fully managed and controlled by the IT departments.

          2. 3arn0wl

            Alternatives

            I'm surprised that Tox isn't more widely used.

            And wouldn't a Nextcloud server also be useful?

        4. Richard 12 Silver badge

          Re: we all know one big reason

          We already know that "unofficial channels" were used to unlawfully award multiple contracts, and that some fairly large sums changed hands.

          That's been proven in the High Court.

          We don't know how many billions were fraudulently wasted in this way, what quids were pro quo'd, and what official secrets were exposed to foreign spies - because several ministers' phones were mysteriously lost or wiped before the civil service were able to back that WhatsApp/Signal/SMS information up - as they are legally required to do.

          All we know is that this unlawful behaviour was widespread at ministerial, cabinet and PM level.

    2. DS999 Silver badge

      That's probably responsible for a minority of use

      When you know you're doing something wrong or may later be viewed as wrong, sure, you want to cover your tracks. But it isn't like most of their work involves doing illegal or possibly illegal stuff. Most of this WhatsApp usage is probably laziness and convenience.

      For instance, they have their corporate messaging solution on their laptop, but not on their phone because it doesn't work outside the office unless you fire up a VPN which has its own set of issues. So it might be the norm to use whatever solution has been adopted internally when you're using your laptop, but outside of work hours everyone in an organization has tacitly agreed to use WhatsApp or SMS as the lowest common denominator.

  3. Pascal Monett Silver badge

    "a review of how and whether messaging services should be used for government business practices"

    This is just preparing the road to another trough where billions will be spent for a "government-secure messaging system" which will never actually see the light of day.

    Mark my words.

  4. wobball

    Corruption of the highest order is why they used it, obvs! The UK Govt already had secure comms in place but they were monitored so not fit for their purpose! So they decided to use a meeting platform that routed via middle earth along with this wotsapp farce where it was always obvious it was 'cos they are corrupt, to the highest order.

  5. J.G.Harston Silver badge

    A lot of it is bone-headed users, managers, controllers, directors who think: I scream from the rooftops to chat with my kids and mates, of course I also scream from the rooftops to chat with staff colleagues about confidential patient data.

  6. Filippo Silver badge

    Every now and then, government officials may be using private comms in order to hide unsavory activities.

    However, you really don't need to go looking for conspiracies. In the vast majority of cases, they do it simply because it's slightly more convenient, and they - much like the general public - are either unaware or uncaring of the resulting privacy issues.

    The thing is, we, as a society, really do not have a culture of privacy. I do make an effort to protect my privacy, and I think so do most people who read TheRegister's comment pages. But the vast majority out there? They say they want privacy, but only if they don't have to lift a finger for it.

    I mean, they barely tolerate having to click an "I Agree/Disagree" button on a website, an action that literally only takes the lift of a finger. Switching messaging app? Nope. Logging in to your secure email? Not even on the table. IMHO, it will take decades before people really understand what privacy means.

    Never attribute to malice that which can be attributed to laziness, stupidity or ignorance.

    1. tiggity Silver badge

      @Filippo

      They are public servants

      That applies to MPs and the civil servants who they work with in parliament.

      Arguably the most important people in the country in terms of how they can affect what happens.

      With such power there should be full accountability, activities must be transparent and open to full inspection / audit.

      .. Yes there will still be circumvention (e.g. easy to avoid digital & use non audited "paper" messages & judicious use of shredders), but it should be made as difficult as possible to get up to "secret" activities.

      I'm a "nobody", but everything I do at work is recorded (various forms of approved communication only to be used). Any local / cloud data gets checked to make sure no data is stored in the wrong place or beyond time allocated to work with it & that it's purged ASAP. That's all just for GDPR compliance (as, for my work, I sometimes need access to third party PII).

      .. so it wouldn't hurt the people running* our country to embrace audit culture given some of the massively sensitive information they have access to.

      With the current near zero transparency then unsurprisingly a lot of people assume corruption everywhere. Personally I think there are some MPs with a bit of integrity but the corrupt chancer element seems to have increased markedly over the years (or at the very least become less hidden).

      * opinions may vary on how good a job they are doing

    2. Surrey Veteran

      Never attribute to malice that which can be attributed to laziness, stupidity or ignorance.

      Or even worse a Junior Minister or Middle manager trying to show some IT acumen!

      I've seen it so many times: somebody decides to install certain software, probably developed in the back of a garage in Seattle, or some cloud service of dubious reputation, of which of course only the bosses of that somebody are aware, and they even congratulate the person for his/her idea.

      But then it finally becomes an IT problem when you need to break the news that actually that solution is a danger to the business ..... and it's your fault because you are being negative! Not missing my old life in corporate IT.

    3. TheMeerkat

      “Agree / Disagree” button on websites is just stupid.

      It is a type of law the government would come with and then keep knowing perfectly well that it is useless

      It should be got rid of asap.

  7. Gomez Adams

    The logical conclusion is for all officials to be wired 24/7 so that even that passing brief exchange in the corridors of power is recorded including "Do you take sugar with your coffee?"

    1. tiggity Silver badge

      Given so many of them like to spout "if nothing to hide, nothing to fear" then subjecting them to panopticon style monitoring should be fine with them...

  8. Mike 137 Silver badge

    Risk as a basis?

    "adopting new ways of working without sufficient consideration of the risks and issues they may present for information management"

    And simultaneously the UK govt. is proposing to make data protection compliance more 'risk based'. The two key problems with this are [1] that corporate risk management is inward looking - 'risk to us' whereas data protection risk is to the data subject, and [2] almost no organisation seems capable of assessing risk other than by going through the motions of some arbitrary process that relies on wild guesswork, delivering essentially meaningless results. So we're shortly going to have legislation that operates only in theory.

  9. Anonymous Coward

    Why has IT not locked Access to these back doors?

    Did nobody think of locking these apps and sites down?

    Or is this just doing my job and Covid / lock down is my excuse.

    We went through checking "WhatsApp" out about three times, cos senior management wanted to use it.

    It was the same for Google Meet, and it was locked out on the proxies and sent you to a warning page on officially sanctioned tools.

    But you can't stop "pondlife" from using their own phones or gov provided mobiles for their own purposes.

    1. Martin Summers Silver badge

      Re: Why has IT not locked Access to these back doors?

      "But you can't stop "pondlife" from using their own phones or gov provided mobiles for their own purposes."

      Yes, exactly the point of the article! Making your rant about IT departments not locking the apps down completely redundant.

    2. Charlie Clark Silver badge

      Re: Why has IT not locked Access to these back doors?

      But you can't stop "pondlife" from using their own phones or gov provided mobiles for their own purposes.

      Government or company provided phones can, and should, be restricted in the apps that are installable. Using a private phone or e-mail for company/government business is usually a breach of contract, as well as any data privacy issues, and can lead to sacking. It does happen and I think we've probably all experienced situations where it's been required. Difficult to see this in any kind of context in terms of the pandemic and really a dangerous erosion of data security and sovereignty.

  10. Plest Silver badge

    Here's a clue bozos!

    How about you come up with a tool that's as good if not better instead of pissing all our tax paid cash into some piss-poor projects that aren't fit for a GCSE computer project let alone a national public service organisation?

    I hate WhatsApp/Faceslap/Twatte et al. with a venomous passion, but WhatsApp is simple and it works, it's not an overblown cash-milking machine designed by a company only hired by some minister 'cos his brother is on the board of the IT app coding company!!!

    Argh!!

    1. hitmouse

      Re: Here's a clue bozos!

      If you use Teams chat (as mandated in many regulated environments) it's rated for medical privacy and content is not cached locally.

      However you can't tell a doctor that they've made a choice showing they aren't brilliant in technology understanding...as they just stare you down and say "people will die" .... mic drop.

      2. Anonymous Coward

        Re: Here's a clue bozos!

        Teams chat sucks.

        There are other options. In our Trust we use Siilo. Simple, intuitive, does the job, and "secure" (or so they claim). The ability to use this sort of instant messaging has been transformational for flow and patient safety. Much more so than I initially expected, if I'm honest.

        1. 43300 Silver badge

          Re: Here's a clue bozos!

          Teams chat isn't great, but it basically works and can be managed to be compliant - and assuming you have Microsoft subscriptions, which most will have, it won't cost you any extra.

  11. nsld

    PPE VIP Lane shenanigans

    Several cases of allegedly unrecoverable WhatsApp messages when the Tory party was spaffing our cash on overpriced, unusable PPE from party donors and personal friends.

    Any comms channel outside approved and supplied ones should raise serious questions.

    Given how often Prittler bangs on about access to comms you'd think she'd be all over this!

    1. Richard 12 Silver badge

      Re: PPE VIP Lane shenanigans

      Oh no, she just wants access to everyone else's communications.

      Nobody should be allowed to read hers, or her cronies.

      It's a perfectly consistent position - the peons need controlling and tightly hammering into our tiny little boxes.

    2. Anonymous Coward

      Re: PPE VIP Lane shenanigans

      The problem is, MPs just get to resign 'lose their honour'* and walk when it all starts getting hot under the collar, rather than having to go through an exit strategy where they are investigated, and potentially prosecuted.

      *lose their honour, means nothing in today's world. Just look at Sunak and Johnson, having a criminal record. 'No one cares' (the media pushed narrative), and they really should. Those making the law should obey the law first and foremost.

  12. DS999 Silver badge

    This can only be fixed with

    1) random audits of departments to verify non standard / insecure / non loggable communications aren't being used.

    2) remove the roadblocks that limit use of the standard/approved communication solutions in some situations.

    For instance if your messaging solution doesn't have an external gateway but requires you be inside the corporate/government network, you need a VPN. What's more you need that VPN to be both convenient (something that can be configured once and will always be connected without needing to do anything on your phone if you restart / update the OS / etc.) and not cause any other issues - i.e. it must ONLY redirect connections to your corporate network over the VPN rather than all your network traffic.

    Few organizations I've seen manage either 1 or 2, let alone both.
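
    A check for the split-tunnel requirement described above, added here as an example and not code from the article or any commenter: it reads a WireGuard client config and reports whether AllowedIPs captures the default route (full tunnel) or only the assumed corporate prefixes. The config text, endpoint, keys and prefixes are constructed placeholders.

```python
import ipaddress

# Constructed sample WireGuard client configs (illustration only; keys and
# endpoint are placeholders, not material from the article or any deployment).
FULL_TUNNEL = """\
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER
Address = 10.200.0.2/32

[Peer]
PublicKey = GATEWAY_PUBLIC_KEY_PLACEHOLDER
Endpoint = vpn.example.gov:51820
AllowedIPs = 0.0.0.0/0, ::/0   # all traffic is pulled through the tunnel
PersistentKeepalive = 25
"""

SPLIT_TUNNEL = """\
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER
Address = 10.200.0.2/32

[Peer]
PublicKey = GATEWAY_PUBLIC_KEY_PLACEHOLDER
Endpoint = vpn.example.gov:51820
AllowedIPs = 10.0.0.0/8, 172.16.20.0/24   # only internal ranges (messaging server included)
PersistentKeepalive = 25
"""

# Assumed internal ranges where the messaging service and other corporate hosts live.
CORPORATE_PREFIXES = ["10.0.0.0/8", "172.16.20.0/24"]


def allowed_ips(config_text):
    """Return every AllowedIPs network from all [Peer] sections, comments stripped."""
    nets, section = [], None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        key, _, value = line.partition("=")
        if section == "peer" and key.strip().lower() == "allowedips":
            nets += [ipaddress.ip_network(v.strip(), strict=False) for v in value.split(",")]
    return nets


def tunnel_report(config_text, corporate_prefixes=CORPORATE_PREFIXES):
    """Classify the config as full tunnel (a /0 route is captured) or split tunnel,
    and list any corporate prefix the tunnel would not reach at all."""
    nets = allowed_ips(config_text)
    full = any(n.prefixlen == 0 for n in nets)
    missing = []
    for p in map(ipaddress.ip_network, corporate_prefixes):
        if not any(n.version == p.version and p.subnet_of(n) for n in nets):
            missing.append(str(p))
    return {"full_tunnel": full, "missing_corporate": missing}
```

The split-tunnel config satisfies the requirement in the comment: it reaches every corporate prefix without taking over the default route.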

    1. 3arn0wl

      Re: This can only be fixed with

      ... and what happens if the tech gets left on a train, or stolen? (As happens from time to time)

      It's not unreasonable to ask people to log in.

      The encroaching expectation that people will be contactable 24/7 however, is unreasonable.

      1. Richard 12 Silver badge

        Re: This can only be fixed with

        Indeed.

        Which is also why the corporate-approved communication channels must be the only ones available.

        Otherwise it becomes really easy for unscrupulous to target their underlings outside office hours.

      2. the spectacularly refined chap

        Re: This can only be fixed with

        ... and what happens if the tech gets left on a train, or stolen? (As happens from time to time)

        You revoke the device key for the VPN. This may once have been a problem but with secure boot and full disk encryption as used on most corporate laptops these days it's a non issue.

        1. 3arn0wl

          Re: This can only be fixed with

          "You revoke the device key for the VPN."

          Closing the stable door after the horse has bolted. :/

      3. DS999 Silver badge

        Re: This can only be fixed with

        Then it is as secure as your phone, which may or may not be good enough depending on whether the network you are VPN'ing to is zero trust or not. However, there's nothing stopping the VPN from requiring a password to re-establish communication if the device has been locked more than x minutes.

        It could work like those free wifi logins where the first attempt to use it sends you to the web browser to show a page where you have to click "agree" on their rules and whatnot.

        Expecting people to be contactable 24x7 is irrelevant to the question of whether you make it easy to use the standard messaging solution when employees are outside the network (which they may be while on the clock, if working from home or traveling for work, etc.)

  13. Winkypop Silver badge

    WhatsApp

    Doc?
