Michael Gove needs a lesson on Gmail security risks

Forget freedom of information – a minister using Gmail is plain reckless

Could Education Secretary Michael Gove’s alleged use of Google’s Gmail to conduct bits of his political communication away from prying eyes be about to land him a spot of embarrassing technological detention?

The substance of today's Financial Times story is that Gove’s department was unable to provide emails sent via Gmail between the minister and his advisors, requested under Freedom of Information (FoI) legislation, despite the newspaper having evidence that they existed. Whoops.


The Department of Education couldn’t provide the emails, of course, because unless securely mirrored (for instance by setting up automatic forwarding to an official account) the documents would only exist on the servers of a famous company, Google, set up by a pair of enterprising Stanford University PhDs and based in California.

There’s a constitutional issue that needs little spelling out here. Ministers are not supposed to communicate in ways that might have a bearing on their jobs in any medium without that being recorded for later examination under basic principles of democratic accountability.

Gove’s defenders will point out that it’s not illegal for a minister to use a public email system, but in truth using systems such as Gmail in parallel to official email is a daft anomaly that has been waiting patiently to be reformed.

Hitherto, the flawed assumption has been that ministers will use public systems at their own risk for private emails, switching to Her Majesty’s email for anything to do with their jobs. Deep into the Gmail, Facebook and Twitter age, we now know that this thinking is years out of date.

The technical dimension is even less flattering – Gmail just isn’t up to secure email communication of this sort, period.

Admin headache number one is that Google’s email servers are not only under its management and terms and conditions (which don’t guarantee retrieval with time stamping) but they aren’t even in the UK. Gove’s to and fro would almost certainly have been sitting on a hard drive somewhere in a US data centre that could in principle be accessed by one of its managers under a different legal jurisdiction.

We also have to assume that Gove and his advisors would have accessed these accounts with the bare minimum of authentication, which is to say a username and password. Earlier this year Google started offering two-factor authentication (2FA) for Gmail, which ties access to an account to a one-time code sent to a supported smartphone, but this raises the level of inconvenience, which is why few people, important politicians included, bother to use it.

Once in the system, what other sorts of mad things might a less than tech-savvy minister be tempted to do? Gmail has all sorts of interesting features that would let a naïf run amok, including the ability to log into third-party accounts to fetch old-fashioned POP email, effectively sucking secure communications out into an inbox service more often used by 15-year-olds to flirt with one another.

Surely an aide or minister would have to be completely crazy to do such a thing. To be fair, it's not clear that government email servers allow remote authentication of this kind at all (a secure design insists that authentication happens from within a given subnet), but the public can’t be assured that it is impossible in all cases.

An exchange reported by the FT from Gove’s political aide Dominic Cummings offers us a final scary glimpse into the complacency of the Gmail mindset. The claim is that Cummings preferred Google for some kinds of correspondence, allegedly telling colleagues that he would not answer some emails to his official DoE account and that, "I will only answer things that come from Gmail accounts from people who I know who they are. I suggest that you do the same in general but that’s obv up to you guys – I can explain in person the reason for this."

The idea that anyone can be sure with whom they are exchanging emails on a public service reachable from any domain on the Internet is pretty eye-popping, and that’s before you get into the whole issue of stolen and forged certificates. Quite simply, you can’t.

Perhaps these chaps think that Gmail is a pop version of the BlackBerry Messenger service also used by HM Government to exchange messages at senior level, but that is an end-to-end encrypted service with policies managed by government employees and secure keys loaded from its own subnets.

With the Information Commissioner now involved, the obvious question is why a Government minister and his advisors might feel the need to communicate on a system other than the one provided for them by Realm. Are they worried about FoI or simply paranoid about being tapped by the Civil Service equivalent of J. Edgar Hoover?

We can leave the speculation up to political commentators, but on the technical matter we can at least be clear. If Michael Gove and his advisors were chucking important emails of a political nature back and forth to one another on Gmail it was not because they understood or took seriously the critical matter of email security.

Comments

  • Mark_Simpson: To be honest, I think the reason why they'd only explain the reason for using Gmail in person is that they knew damn well that this was a blatant attempt to bypass the FOI Act in order to conduct Departmental business outside of any public scrutiny. Any security concerns are a side effect of that. Quite frankly, I think they should all be in jail.
  • cyberdoyle: He probably used gmail to send family snapshots to aged relatives abroad, or receive them, as we all know that official email accounts have very little capacity for large files or storage over weekends; witness the many bounced messages like "mailbox full" you get from any civil servants' or corporate accounts. It's time the whole digital age caught up with these people. If they had a service fit for purpose they would use it.