In defence of Damian Green? Tory MPs admit they openly share passwords with staff

Cybersecurity experts have been left in awe after Conservative MPs responded to the Damian Green porn controversy by revealing that sharing passwords with parliamentary office staff is common practice – seemingly in violation of official House of Commons guidance.

They spoke out after a retired police officer claimed a work computer used by Green, the first secretary of state, contained thousands of pornographic images. As Green denied the claims, one Tory MP rallied in support – claiming that anyone could have accessed his machine.

Nadine Dorries MP tweeted: "My staff log onto my computer on my desk with my login every day. Including interns on exchange programmes."

She said it was "preposterous" to suggest that Green could be linked to the trove of alleged adult material simply because it was discovered on his computer.

Unsurprisingly, cybersecurity experts were alarmed by the assertion – which went against password best practice advice issued by the MP's own government.

It also appeared to admit that email inbox access controls – helpfully used to track who is accessing what content, and when, – were routinely being avoided by some British politicians.

Dorries hit back at concerns, branding IT experts "geeky/tech/computer nerdy types". But other MPs admitted to sharing passwords, citing the huge amount of incoming emails.

Conservative Nick Boles MP‏ tweeted Sunday (3 December): "I often forget my password and have to ask my staff what it is. As an MP I employ [four] people to deal with the emails and letters constituents send me. They need access to these communications to do their jobs.

"No one else has access. Passwords are regularly changed," he added.

Meanwhile Will Quince MP added: "My machine is usually on in the office, my team can use my machine, send emails and make diary appointments.

"They have their own machines but I am in and out of the office like a yo yo all day which is a fair treck [sic] from the House of Commons chamber. It's less sharing logins and more that I don't always lock my machine. An MP's office is like a small business, you have to trust your team."

BBC producer James Clayton did not appear surprised by the admission, noting the process of openly sharing passwords remains "extremely common" for some members of parliament.

But GCHQ guidance clearly states: "Staff must not share passwords."

"You should never allow password sharing between users," it cautions. "Sharing accounts, or even occasional use by anyone other than the account holder, negates the benefit of authenticating a specific user. In particular, the ability to audit and monitor a specific user's actions is lost."

The House of Commons staff handbook on data security warns staff should never share passwords. Dorries later claimed she doesn't receive "government docs" via the computer.

'Pandora's box of problems'

Troy Hunt, an Australian security expert, tweeted: "This illustrates a fundamental lack of privacy and security education. All the subsequent reasons given for why it's necessary to have technology solutions which provide traceability back to individual, identifiable users."

On Monday (4 December), he published a blog on the topic, stating: "When you condition people to treating secrets as no longer being secret but rather something you share with someone else that can establish sufficient trust, you open up a pandora's box of possible problems."

While there is no suggestion that emails were accessed by hackers or cybercriminals, some experts said it was concerning MPs and those in power feel that the rules don't apply to them.

One government source told the BBC: "Most MPs have that fatal combination of arrogance, entitlement and ignorance, which mean they don't think codes of practice are for them."

Furthermore, the Information Commissioner's Office (ICO), the UK's data watchdog, tweeted it was "aware of reports that MPs shared logins and passwords." It said: "We would remind MPs and others of their obligations under the Data Protection Act to keep personal data secure."

The Open Rights Group, a UK non-profit which campaigns for digital rights, has put out an appeal for anyone with inside information on password sharing to come forward and speak out.

Director Jim Killock said in a statement: "On the face of it, Nadine Dorries is admitting to breaching basic data protection laws, making sure her constituents' emails and correspondence is kept confidential and secure. She should not be sharing her log in with interns.

"More worryingly, it appears this practices of MPs sharing their log-ins may be rather widespread. If so, we need to know."

A parliamentary spokesperson told IBTimes UK in a statement via email: "In common with other organisations, Parliament has a cyber security policy that applies to all users of its digital services, including Members, their staff and parliamentary staff.

"In line with good practice, this policy includes a requirement not to share passwords."

Dr Jamie Graves, chief executive and founder of enterprise security firm ZoneFox, commented: "It was alarming to see certain MPs over the weekend casually reveal how relaxed they are when it comes to sharing and storing passwords, along with further log-in details.

"It's no secret that passwords alone are susceptible to brute-forcing, theft and phishing, which means there must be protections around them.

"On reading these tweets, the distinct impression is that no such measures are in place."

The blasé approach to passwords appears to be common practice even following the "sustained and determined" cyberattack which targeted parliament email accounts in June.

"There is still more work to be done on the most basic level of security – password protection," Neil Larkins, co-founder of cybersecurity firm Egress, told IBTimes UK at the time of the incident.

"Unfortunately, we cannot trust MPs to always make the best security choices," he added.

In the wake of the Damien Green scandal, Dorries said that based on the current email system in place, there could be "zero proof of who it was who accessed [the alleged porn]".

For Troy Hunt, the cybersecurity expert, that is exactly the issue at hand.

He wrote: "The great irony of the debates justifying credential sharing is that they were sparked by someone attempting to claim innocence with those supporting him saying 'well, it could have been someone else using his credentials!' This is precisely why this is a problem!

"When you consider the sorts of activities we task those in parliament with, you can see how behaviour under someone's identity we can't attribute back to them could be far, far more serious."