Politicians jeopardise the safety of whistleblowers with bad technology

The Western Australian Liberal Party has created a website, www.wawhistleblowers.com, encouraging whistleblowers to report on WA public officers, government ministers and members of parliament.

The site has already been reported to the State Solicitor’s Office for potentially being illegal for encouraging public servants to report wrong doing to the WA Liberal Opposition Leader Mike Nahan instead of reporting to the proper authorities.

Leaving aside the legality of the site and the advice it is giving potential whistleblower, the most serious problem with it is that it has been set up with no attention paid to the anonymity and security of the people using it.

The website uses an email form submission for whistleblowers to use that claims that it is “100% confidential”. This is despite the fact that the form forces the user to put in an email address and suggests that they also give their name.

Although the site now enforces the use of an encrypted https address (it didn’t when first launched), access to the site can still be noticed and recorded by employers. Information submitted via the email form is sent in plain text and will be stored only in the email inbox of the Opposition Leader and anyone else that has access to that email. Because access is not anonymised employers could be watching for anyone accessing the site, exposing employees to exposure and potentially without the protection of the Public Interest Disclosure Act legislation.

In fact, the site gets an F for security from Mozilla’s Observatory security scanning site. Also problematic is the fact that the site uses Cloudflare which means that users may be accessing a copy of the site hosted anywhere in the world. In other words, information submitted through the form would leave Australia, potentially making it more easily accessible to foreign governments and agencies.The site also uses a dot com address which is normally reserved for corporations in the US. The site doesn’t explicitly say that it is being run by the WA Liberal Party, it only mentions the WA Liberal Party in passing at the bottom of the page saying “Submissions go to the office of the WA Leader of the Opposition”.

A good example of a whistleblowing site that the WA Opposition Leader could have emulated is the one provided by the Australian Securities & Investment Commission (ASIC). It starts with comprehensive and clearly laid out information that gives anyone sound advice about what they should do if they have concerns about an employer’s conduct. The form on the site to report to ASIC is properly secured and does not ask for identifying information.

The best approach to whistleblowing securely and truly anonymously is that taken by the SecureDrop site. The site uses Tor to provide anonymity and doesn’t record internet addresses or any other information about people accessing the site. The site was originally created by the late Aaron Swartz and now managed by Freedom of the Press Foundation.

Sites like Wikileaks also provide Tor-based submissions.

Scam-enabling

Sites like WA Whistleblowers unfortunately make it much easier for scammers to set up sites that fool people into handing over sensitive and confidential information. There is nothing on the WA Whistleblowers site that links back authoritatively to the WA Liberal Party. The domain name has no legitimacy and nothing on the site indicates an official website.

There would be nothing stopping anyone stopping anyone to set up a site claiming to be the WA Liberal Party and asking for the same information.

It is similar to the way banks in Australia phone customers, say they are from the bank and then ask for dates of birth and passwords. When the companies and organisations we are supposed to trust behave like scammers, it makes scamming that much easier.

Safer whistleblowing

Whistleblowing can be a legitimate way of uncovering corruption and practices that are not in the public interest. Politicians encouraging people to come forward and become whistleblowers owe them the duty of care to protect themselves in doing so and making sure that they stay within the law of the country. Unfortunately, the WA Whistleblowers site doesn’t do that.

The ASIC site gives good advice about what whistleblowers should be aware of in the context of companies. It also stresses the importance of getting legal advice. From a technological perspective, whistleblowers should do the utmost to not give away unnecessary information and to protect themselves . In that regard, avoiding sites like WA Whistleblowers should be avoided .

Update: