Karlin Lillington: Is Mr Bean the lead consultant on UK’s email security policies?

Net Results: Hancock’s Gmail use shocking as it exposed affairs of state to great risk

As we learned this past week, anyone who had been predicting the demise of the lowly email – convinced that messaging services and apps would toll email’s death knell – failed to see how some UK politicians would remain devoted to the format.

And by "format", I don't mean just any old high-security, encrypted, well-protected government-issue email address. Oh no: as the recent Matt Hancock affair (in more than one sense of the word) has demonstrated all too alarmingly, today's thoroughly modern cabinet-level politician prefers to conduct the business of state, intimate or otherwise, from the questionable confines of your basic, free, garden-variety, bog-standard, public Gmail account.

That would be the same Gmail that, up until 2017, machine-parsed people’s email content in order to serve more targeted ads (imagine if that had still been in place last year, perhaps flogging PPE or antigen tests or secret tryst boltholes).

That's the same Gmail service that stores your receipts for online purchases going back years, a practice that came as a surprise to many when disclosed in 2019. Maybe Matt's receipts section is full of government purchase orders?


And that’s the same Gmail service that has been the regular target of major hacking attempts and subsequent data breaches, in which account passwords have ended up on the dark web.

Account settings

Keep in mind too that Gmail enables users to make up passwords with only a modest level of security, and doesn’t require passwords to be changed regularly. If data or passwords do feature in a breach, Gmail unfortunately makes it very unlikely people will see the warning notification – users have to go into their account settings to see the little notice, and how often does anyone review their account settings?

Ministers and politicians in the UK or Ireland (after all, we have had our own senior officials' Gmail moments) might want to go check for notifications right now. Earlier this month "the largest password compilation of all time" was leaked online, a trove of 8.4 billion account passwords, including many from Gmail.

Despite all this, the main objection raised to Hancock’s use of Gmail seems to be a lack of “transparency” about government discussions and decisions.

"Cabinet office guidelines stipulate that ministers should use official email accounts, in the interest of transparency, and in order to ensure there is evidence of important decisions and of proper internal scrutiny from officials and staff", states last Sunday's Daily Mail.

Opposition politicians and the UK media have focused primarily on this point – of government activity being hidden from the public record. That’s certainly unacceptable, though from what I could see, it’s not clear if transgressing “guidelines” translates into an actual punishable offence. A similar use of private communications happened during the Trump administration in the US, with little consequence so far.

Sensitive issues

Far more extraordinary – and the point that should be exponentially more worrying both in the UK and abroad – is that a senior cabinet minister, of a prominent G7 and Nato country, used a Gmail account for government business. Which presumably involved regular correspondence on highly sensitive issues, with other ministers and national leadership at home and abroad, during a global health crisis. The internet does not contain enough facepalm gifs to do this justice.

Sad to say, but the UK has lax-passwords-in-politics form. Remember when numerous British politicians jumped on to Twitter to laugh about how they routinely shared their passwords with their office staff? All in an effort to minimise the time in 2017 that a Conservative minister got caught with porn on his PC and said anyone could have placed it there as so many, many people about the place had his work password.

June really hasn’t been a great month for UK government security, has it? Only last week, 50 pages of top secret military documents were found behind a bus stop in Kent in a “soggy heap”, one even marked, in an Austin Powers touch, “Secret: UK Eyes Only”.

Add to that the leak of that compromising Hancock-snog CCTV footage from inside highly restricted government buildings – perhaps from an unauthorised device – and you've got to wonder if Mr Bean was the lead consultant on current UK government security policies.

Not that any of this makes our own domestic cybersecurity woes (much) less painful. The Health Service Executive breach consequences continue in excruciating, still unfolding detail: software and hardware recovery and replacement costs, loss of records, faltering patient care and leaked, sensitive data turning up on the dark web.

But the HSE breach is a more complex failure, involving layers of domestic politics, broad government and institutional ignorance, and funding battles. Ireland lacked a fit-for-purpose, adequately funded national cybersecurity plan, and unfortunately then got whacked by hackers.

By contrast, using a Gmail account for senior cabinet-level ministerial business is elementary school-level Cyber-Stoopid. But his emails! Indeed.