Politicians jeopardise the safety of whistleblowers with bad technology

July 12, 2017 by David Glance, The Conversation
WA Whistleblowers gets an F. Credit: Observatory Mozilla

The Western Australian Liberal Party has created a website, www.wawhistleblowers.com, encouraging whistleblowers to report on WA public officers, government ministers and members of parliament.

The site has already been reported to the State Solicitor's Office for potentially being illegal for encouraging public servants to report wrong doing to the WA Liberal Opposition Leader Mike Nahan instead of reporting to the proper authorities.

Leaving aside the legality of the site and the advice it is giving potential whistleblower, the most serious problem with it is that it has been set up with no attention paid to the anonymity and security of the people using it.

The website uses an email form submission for whistleblowers to use that claims that it is "100% confidential". This is despite the fact that the form forces the user to put in an email address and suggests that they also give their name.

The site does not force users to access it via the encrypted https address and so anything submitted by the form would be visible to employers and potentially anyone eavesdropping on an unsecured connection. This is a very basic security failing for a web site. This would mean that employers could be watching for anyone accessing the site and recording what they submit, exposing employees to exposure and potentially without the protection of the Public Interest Disclosure Act legislation.

In fact, the site gets an F for security from Mozilla's Observatory security scanning site. Also problematic is the fact that the site uses Cloudflare which means that users may be accessing a copy of the site hosted anywhere in the world. In other words, information submitted through the form would leave Australia, potentially making it more easily accessible to foreign governments and agencies.

The site also uses a dot com address which is normally reserved for corporations in the US. The site doesn't explicitly say that it is being run by the WA Liberal Party, it only mentions the WA Liberal Party in passing at the bottom of the page saying "Submissions go to the office of the WA Leader of the Opposition".

A good example of a whistleblowing site that the WA Opposition Leader could have emulated is the one provided by the Australian Securities & Investment Commission (ASIC). It starts with comprehensive and clearly laid out information that gives anyone sound advice about what they should do if they have concerns about an employer's conduct. The form on the site to report to ASIC is properly secured and does not ask for identifying information.

The best approach to whistleblowing securely and truly anonymously is that taken by the SecureDrop site. The site uses Tor to provide anonymity and doesn't record internet addresses or any other information about people accessing the site. The site was originally created by the late Aaron Swartz and now managed by Freedom of the Press Foundation.

Sites like Wikileaks also provide Tor-based submissions.

Scam-enabling

Sites like WA Whistleblowers unfortunately make it much easier for scammers to set up sites that fool people into handing over sensitive and confidential information. There is nothing on the WA Whistleblowers site that links back authoritatively to the WA Liberal Party. The domain name has no legitimacy and nothing on the site indicates an official website.

There would be nothing stopping anyone stopping anyone to set up a site claiming to be the WA Liberal Party and asking for the same information.

It is similar to the way banks in Australia phone customers, say they are from the bank and then ask for dates of birth and passwords. When the companies and organisations we are supposed to trust behave like scammers, it makes scamming that much easier.

Safer whistleblowing

Whistleblowing can be a legitimate way of uncovering corruption and practices that are not in the public interest. Politicians encouraging people to come forward and become whistleblowers owe them the duty of care to protect themselves in doing so and making sure that they stay within the law of the country. Unfortunately, the WA Whistleblowers site doesn't do that.

The ASIC gives good advice about what whistleblowers should be aware of in the context of companies. It also stresses the importance of getting legal advice. From a technological perspective, whistleblowers should do the utmost to not give away unnecessary and to protect themselves. In that regard, avoiding sites like WA Whistleblowers should be avoided.

Explore further: What is the dark web?

Related Stories

What is the dark web?

August 13, 2015

The "dark web" is a part of the world wide web that requires special software to access. Once inside, web sites and other services can be accessed through a browser in much the same way as the normal web.

Adult dating website hack exposes personal data

May 22, 2015

A data breach at a website billed as "the world's largest sex and swinger" community may expose personal and sexual information on millions of users worldwide, a report said Friday.

Republicans blast FDA monitoring of whistleblowers

February 26, 2014

(AP)—Republicans are blasting the Food and Drug Administration for secretly monitoring the emails of agency scientists who went public with allegations that they were pressured to approve certain medical devices.

Benefits of whistleblower programs outweigh costs

November 18, 2014

Promoting and maintaining financial fraud whistleblower programs, such as those of the Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC), is costly.

Apple software developers site hacked

July 22, 2013

Computer and software giant Apple said it took its software developers website offline after it was hacked, warning that personal information about its users may have been stolen.

Recommended for you

A not-quite-random walk demystifies the algorithm

December 15, 2017

The algorithm is having a cultural moment. Originally a math and computer science term, algorithms are now used to account for everything from military drone strikes and financial market forecasts to Google search results.

US faces moment of truth on 'net neutrality'

December 14, 2017

The acrimonious battle over "net neutrality" in America comes to a head Thursday with a US agency set to vote to roll back rules enacted two years earlier aimed at preventing a "two-speed" internet.

FCC votes along party lines to end 'net neutrality' (Update)

December 14, 2017

The Federal Communications Commission repealed the Obama-era "net neutrality" rules Thursday, giving internet service providers like Verizon, Comcast and AT&T a free hand to slow or block websites and apps as they see fit ...

The wet road to fast and stable batteries

December 14, 2017

An international team of scientists—including several researchers from the U.S. Department of Energy's (DOE) Argonne National Laboratory—has discovered an anode battery material with superfast charging and stable operation ...

0 comments

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.