Australasian Science: Australia's authority on science since 1938

Politicians jeopardise the safety of whistleblowers with bad technology

By David Glance, Director of UWA Centre for Software Practice, University of Western Australia

WA Whistleblowers gets an F Author/Observatory Mozilla

The Western Australian Liberal Party has created a website, www.wawhistleblowers.com, encouraging whistleblowers to report on state public officers, government ministers and members of parliament.

The site has already been reported to the State Solicitor’s Office for potentially being illegal. In particular, for encouraging public servants to report wrongdoing to the WA Liberal Opposition Leader Mike Nahan instead of reporting it to the proper authorities.

Leaving aside the legality of the site and the advice it is giving potential whistleblowers, the most serious problem it has is that it has been set up with no attention paid to the anonymity and security of the people using it.

The website uses an email form submission for whistleblowers that claims that it is “100% confidential”, despite the fact that the form forces the user to put in an email address and suggests that they also give their name.

Although the site now enforces the use of an encrypted https address (it didn’t when first launched), access to the site can still be noticed and recorded by employers.

Information submitted via the email form is sent in plain text and will be stored in the email inbox of the Opposition Leader and anyone else that has access to that email. Because access is not anonymised, employers could be watching for anyone accessing the site, putting employees at risk of exposure, potentially without the protection of the Public Interest Disclosure Act legislation.

In fact, the site gets an F for security from Mozilla’s Observatory security scanning site. Also problematic is the fact that the site uses Cloudflare, which means that users may be accessing a copy of the site hosted anywhere in the world. In other words, information submitted through the form could leave Australia, potentially making it more easily accessible to foreign governments and agencies.

The site also uses a “dot com” address, which is normally reserved for corporations in the US. The site doesn’t explicitly say that it is being run by the WA Liberal Party, it only mentions the WA Liberal Party in passing at the bottom of the page saying “Submissions go to the office of the WA Leader of the Opposition”.

A good example of a whistleblowing site that the WA Opposition Leader could have emulated is the one provided by the Australian Securities & Investment Commission (ASIC). It starts with comprehensive and clearly laid out information that gives anyone sound advice about what they should do if they have concerns about an employer’s conduct. The form on the site to report to ASIC is properly secured and does not ask for identifying information.

The best approach to whistleblowing securely and truly anonymously is that taken by the SecureDrop site. The site uses Tor to provide anonymity and doesn’t record internet addresses or any other information about people accessing the site. The site was originally created by the late Aaron Swartz and now managed by Freedom of the Press Foundation.

Sites like Wikileaks also provide Tor-based submissions.

Scam-enabling

Sites like WA Whistleblowers unfortunately make it much easier for scammers to set up sites that fool people into handing over sensitive and confidential information. There is nothing on the WA Whistleblowers site that links back authoritatively to the WA Liberal Party. The domain name has no legitimacy and nothing on the site indicates an official website.

There would be nothing stopping anyone stopping set up a site claiming to be the WA Liberal Party and asking for the same information.

It is similar to the way banks in Australia phone customers, say they are from the bank and then ask for dates of birth and passwords. When the companies and organisations we are supposed to trust behave like scammers, it makes scamming that much easier.

Safer whistleblowing

Whistleblowing can be a legitimate way of uncovering corruption and practices that are not in the public interest.

Politicians who encourage people to come forward and become whistleblowers owe them a duty of care. Unfortunately, the WA Whistleblowers site doesn’t do that.

The ASIC site gives good advice about what whistleblowers should be aware of in the context of companies. It also stresses the importance of getting legal advice.

From a technological perspective, whistleblowers should do their utmost not to give away unnecessary information and to protect themselves. In that regard, sites like WA Whistleblowers should be avoided.

The Conversation


Originally published in The Conversation.