Capitol insurrection: Rep. Adam Schiff reveals House Committee's plan on Steve Bannon, warns other subpoenaed Trump aides
'The blood of Jesus is my vaccine': how a fringe group of Christians hijacks faith in a war against science
Capitol insurrection: Watergate prosecutor says congressional Democrats must aggressively enforce subpoenas
Capitol insurrection: Rep. Liz Cheney suggests Donald Trump was 'personally involved' in planning Jan. 6
How ancient Babylonian land surveyors developed a unique form of trigonometry — 1,000 years before the Greeks
We're paying companies millions to roll out COVID vaccines. But we're not getting enough bang for our buck
Politicians jeopardise the safety of whistleblowers with bad technology
The Western Australian Liberal Party has created a website, www.wawhistleblowers.com, encouraging whistleblowers to report on WA public officers, government ministers and members of parliament.
The site has already been reported to the State Solicitor’s Office for potentially being illegal for encouraging public servants to report wrong doing to the WA Liberal Opposition Leader Mike Nahan instead of reporting to the proper authorities.
Leaving aside the legality of the site and the advice it is giving potential whistleblower, the most serious problem with it is that it has been set up with no attention paid to the anonymity and security of the people using it.
The website uses an email form submission for whistleblowers to use that claims that it is “100% confidential”. This is despite the fact that the form forces the user to put in an email address and suggests that they also give their name.
The site does not force users to access it via the encrypted https address and so anything submitted by the form would be visible to employers and potentially anyone eavesdropping on an unsecured connection. This is a very basic security failing for a web site. This would mean that employers could be watching for anyone accessing the site and recording what they submit, exposing employees to exposure and potentially without the protection of the Public Interest Disclosure Act legislation.
In fact, the site gets an F for security from Mozilla’s Observatory security scanning site. Also problematic is the fact that the site uses Cloudflare which means that users may be accessing a copy of the site hosted anywhere in the world. In other words, information submitted through the form would leave Australia, potentially making it more easily accessible to foreign governments and agencies.
The site also uses a dot com address which is normally reserved for corporations in the US. The site doesn’t explicitly say that it is being run by the WA Liberal Party, it only mentions the WA Liberal Party in passing at the bottom of the page saying “Submissions go to the office of the WA Leader of the Opposition”.
A good example of a whistleblowing site that the WA Opposition Leader could have emulated is the one provided by the Australian Securities & Investment Commission (ASIC). It starts with comprehensive and clearly laid out information that gives anyone sound advice about what they should do if they have concerns about an employer’s conduct. The form on the site to report to ASIC is properly secured and does not ask for identifying information.
The best approach to whistleblowing securely and truly anonymously is that taken by the SecureDrop site. The site uses Tor to provide anonymity and doesn’t record internet addresses or any other information about people accessing the site. The site was originally created by the late Aaron Swartz and now managed by Freedom of the Press Foundation.
Sites like Wikileaks also provide Tor-based submissions.
Sites like WA Whistleblowers unfortunately make it much easier for scammers to set up sites that fool people into handing over sensitive and confidential information. There is nothing on the WA Whistleblowers site that links back authoritatively to the WA Liberal Party. The domain name has no legitimacy and nothing on the site indicates an official website.
There would be nothing stopping anyone stopping anyone to set up a site claiming to be the WA Liberal Party and asking for the same information.
It is similar to the way banks in Australia phone customers, say they are from the bank and then ask for dates of birth and passwords. When the companies and organisations we are supposed to trust behave like scammers, it makes scamming that much easier.
Whistleblowing can be a legitimate way of uncovering corruption and practices that are not in the public interest. Politicians encouraging people to come forward and become whistleblowers owe them the duty of care to protect themselves in doing so and making sure that they stay within the law of the country. Unfortunately, the WA Whistleblowers site doesn’t do that.
The ASIC site gives good advice about what whistleblowers should be aware of in the context of companies. It also stresses the importance of getting legal advice. From a technological perspective, whistleblowers should do the utmost to not give away unnecessary information and to protect themselves . In that regard, avoiding sites like WA Whistleblowers should be avoided .