Lawyers representing campaign group the Good Law Project have written to the UK government to ask why a minister overseeing lucrative Covid-19 contracts conducted government business on unofficial channels, on a broken phone, and without any documentation. The practice raises questions not just about public scrutiny but also cybersecurity awareness at the highest level of UK government.
The revelations came last week in court as the Good Law Project argued against the government’s attempt to apply blanket redactions to documents related to the controversial award of contracts to Abingdon Health. Junior health minister Lord Bethell used his personal email address to conduct government business, it emerged, and neglected to declare meetings with firms that went on to win contracts with the Department of Health and Social Care.
In sworn evidence during the hearing, the government admitted that Lord Bethell had conducted official business via WhatsApp or text message, and then in December 2020 replaced his ‘broken’ phone weeks after being told it would need to be searched for documents related to the case.
While the use of private communications channels is not illegal as long as records are kept, the ICO has launched an investigation into their use at the Department of Health and Social Care, which UK information commissioner Elizabeth Denham described as “concerning”.
“The government’s own Code of Practice sets clear standards, and emphasises the importance of good records management in ensuring public trust and confidence, particularly following a national crisis,” Denham said. “That is why my office has launched a formal investigation into the use of private correspondence channels and served information notices on the department and others to preserve evidence relevant to my inquiry.
“That investigation will establish if private correspondence channels have been used, and if their use led to breaches of freedom of information or data protection law.”
The Good Law Project’s questions to the government include when the device in question was replaced, what applications were used, if and when records were backed up to a cloud provider, and what steps were taken to preserve or transfer documents and communications related to government business.
Cyber risk of using personal devices
Critics view the use of personal communications as a way for government officials to avoid public oversight. “This government seems allergic to scrutiny: redacting some documents, hiding others from public scrutiny via ‘confidentiality rings’, permitting ministers to award billions in public money via private, as well as official, channels, and failing to protect evidence from destruction,” the Good Law Project wrote this week.
Foxglove, another campaign group, warned earlier this year that government officials including the prime minister may be using self-deleting messages on apps including WhatsApp so they cannot be retrieved at a later date. “This lack of transparency is an urgent threat to democratic accountability and to the future of the public record,” the group said.
However, a former UK civil servant suggested in a note to Tech Monitor that the use of personal phones and unofficial channels is the modern equivalent of private, face-to-face chats that were not previously recorded.
But the practice may also expose the government to information security threats. Morten Brøgger, CEO of communications and collaboration platform Wire, told Tech Monitor that use of unofficial channels is alarming “not just because they lend politicians to taking decisions outside of office hours and without the input of key stakeholders, but because mainstream apps like WhatsApp lack the security features that are essential for the protection and security of sensitive government data”.
“At a time when the UK government is pledging to make data security a top priority, having outlined its strategic cybersecurity policies for the coming 12 months, the continued use of such apps is ill-advised,” Brøgger said. “It also belittles the need for every institution to take responsibility to keep data – including data exchanged in the form of calls and chats – protected.”
UK government officials are known to be the target of state-backed cybersecurity threats. Last year, it was revealed that Russian hackers had accessed the personal email account of former trade minister Liam Fox in 2019. The hackers stole official documents that were later leaked online, prompting questions about why Fox had used his personal account to handle these documents.
And last month, WhatsApp CEO Will Cathcart revealed that messages from government officials – including those of US allies – had been intercepted in 2019 by foreign governments using NSO’s Pegasus ‘spyware’ software.
Meanwhile, a recent survey by data security provider Egress revealed that 94% of organisations had suffered an “insider data breach” – one caused by an employee – in the past 12 months, with human error the most common cause. A majority of IT leaders surveyed said the risk of a ‘human error’ breach is increased by the use of mobile devices.
“The most serious insider data breach for us would be employees sending proprietary company data into personal devices and emails,” an unnamed IT leader is quoted as saying. “I think the employees are doing it unintentionally, trying to make their life easier in a work-from-home environment.”