Australian politicians might campaign on strong borders and security, but many of them are running websites that are at risk of being compromised. A local study of hundreds of state MPs’ websites revealed several security blind spots which could result in leaks of users’ data and unencrypted messages being read.
In addition, an international study of 7500 politicians’ websites in 37 countries showed that almost 38% of Australian politicians had unsecured websites without HTTPS encryption. The study revealed that the worst performing party — with 41% of websites that were unsecured — was the LNP (36 out of 89 websites), and right behind them was the Labor Party — with 37.5% (33 out of 88) of websites that were unsecured.
Further searches by Crikey found several unsecured politicians’ websites — both state and federal. This includes federal Labor MPs Anthony Albanese and Jason Clare; the Coalition’s Barnaby Joyce; Liberal MP John Alexander; and former Liberal MP Tony Abbott.
State MPs’ websites include that of Victorian Labor Premier Daniel Andrews; NSW Liberal MP Kevin Connolly; and Queensland’s One Nation Senator Malcolm Roberts. The latter is a personal conspiracy theory website.
What is an unsecured site?
According to research by the Australian web hosting company Network Dynamics, 13% of 237 state MPs with websites had sites that were unsecured and unencrypted.
The unsecured websites either do not have SSL certificates in place (for encryption), or they were not installed properly. This leaves the data of anyone who engages with those websites — like signing up to newsletters, sending messages, logging in — open to interception and leaks.
It was concluded that those websites were at risk of “leaking data as users interact with them”, meaning contact details and credit card details could be intercepted.
To know if a website is unsecured, look at the URL bar.
If the URL begins with HTTP, it is unsecured, and if it begins with HTTPS — and is preceded by a little lock symbol — it is secured. Even if encrypted data is intercepted, it cannot be read.
What does this mean for your data?
Dr Damien Manuel, the director of Deakin University’s Centre for Cyber Security Solutions, said if you host your website and email with the same provider — and it’s unencrypted — then staff working at web hosting companies could theoretically access your emails.
Crikey is unable to say whether the state MPs that Network Dynamics assessed also have emails with the same web hosters. Most companies offer them together.
“Emails are being sent to [admin],” Manuel said. “If a politician sends a response back and that person replies back again … there’s a full chain of conversation there.”
Websites hosted overseas could pose problems
Of the 237 politicians’ websites Network Dynamics looked at, 49% of them were also hosted abroad in countries like the US, Singapore and the UK.
While it has also become normal for Australians to buy and register website servers with overseas companies, the Australian Cyber Security Centre does recommend “against outsourcing information technology services and functions outside of Australia”. There are also potential legal implications as any site is subject to the local laws of its host country.
Network Dynamics spokesperson Lawrence Ladomery said, “The worst case scenario is a member of parliament — or anyone, really — hosts with a company based [in a country that’s] not particularly friendly. Let’s say China. Then China, because of the local rules there, may be able to access the data.”
“You could be submitting a form to a state MP with your name, comments and address… and maybe the content you’re submitting says something about your particular political orientation.”
He said it could help a company or government “build a list of people who may not be seen as friendly” to that particular country.
Manuel explained that many people bought websites hosted overseas because they was “cheaper or perceived to be cheaper”, with packages starting from as little as a few dollars a month. Across the board, “[company] staff will have access to the information hosted on websites” — whether they are abroad or in Australia.
A lot of information could be siphoned off when poor controls are in place, he said.
What should be done?
Manuel said it was important to find a website and email hosting company that had a secure service and offered a guarantee of encryption. “Really have a look at the contract and what kind of procedures are in place,” he said.
He also suggested that police and background checks on administrative staff at web hosting companies, with access to emails and private information, could be something to consider.
Ladomery, who is with a local web hosting company, said any Australians with a website — including politicians — should consider trustworthy web hosting services based here.
“There are a good number of trusted hosting providers that have been operating for many years. Some of the global players like Google and Microsoft and Amazon have got their own data centres in Australia,” he added, noting that data would remain under Australian jurisdiction.
Ladomery noted SSL encryption could be bought on an annual basis — or came free depending on the web server you are with. This, he said, is essential to running a secure website.