Documents: UK lawmakers flout explicit password-sharing ban
British lawmakers are flouting explicit instructions to lock their computers and not to share their passwords, documents obtained by The Associated Press show, a revelation that raises questions about the security of Britain's parliamentary network only months after a well-publicized email break-in.
Conservative Member of Parliament Nadine Dorries first drew attention to the practice on Saturday when she said in a message posted to Twitter that her staff and even interns had access to her log-in details. Dorries defended herself by suggesting that the practice was widespread and that colleagues had no choice but to outsource email management to employees.
"All staff send emails in our name," she said , a statement echoed by fellow Tory lawmakers Will Quince, who said he left his office computer unlocked, and Nick Boles, who revealed that he often forgot his own password "and have to ask my staff what it is."
Documents recently obtained through a British public records request show that lawmakers are explicitly warned by parliament's information technology division to keep their computers locked and not to tell anyone their passwords.
"Make sure that you never share them," reads a slideshow shown to incoming lawmakers, with the words "never share" in bold. Another document — a digital services guide addressed to members of the House of Commons — warns that lawmakers have been targeted by hackers.
"Never share your password or write it down where others could find it" is among the "minimum" practices the guide advises them to follow. It goes on to suggest that there is no need for lawmakers to share their passwords with employees.
"We can arrange for your staff to access your mailbox, calendar and documents through their own accounts," the guide states. It also reminds lawmakers to keep their computers locked and that: "Cyber security is everyone's responsibility."
The House of Commons press office, which handles inquiries for the lower house of Parliament, confirmed that the ban on password-sharing applied to lawmakers.
"We will generally aim to engage constructively with people found to have been breaching policy inadvertently," the press office said in a statement.
An email sent to Dorries' office wasn't immediately answered. In a Twitter message posted Sunday, Dorries seemed to shrug off the concern over digital safety, suggesting there weren't any government documents on her machine.
"On my computer, there is a shared email account," she said . "That's it. Nothing else. Sorry to disappoint!"
British security researcher Kevin Beaumont said lawmakers routinely handled sensitive messages from their constituents and that by flouting IT staff's instructions "they are failing to provide any protection to those people, their voters."
"Members also sit on the internal Parliamentary network," Beaumont said in an email. "They might not think their PCs can access sensitive information, but rogue actors would absolutely test this theory."
The digital security of Britain's Parliament was thrust into the spotlight in June following an aggressive attempt to break into lawmakers' emails. The hack, which was closely covered in the United Kingdom, came about a year after the dramatic leak of Democratic Party operatives' emails in the heat of the U.S. presidential contest.
Those leaks were blamed by some for derailing the candidacy of former Secretary of State Hillary Clinton and their fallout has overshadowed the presidency of Donald Trump.
A previous version of this story has corrected the surname of a British lawmaker to Boles, not Boyles.
Documents relating to Parliament's cybersecurity: https://www.documentcloud.org/public/search/projectid:34689-British-Parliamentary-Documents
Raphael Satter can be reached here: http://raphaelsatter.com