Friday, September 19, 2008

Web-based Email is Not Secure

I told myself I wasn't going to write any more about Sarah Palin. I think there's enough out about her now that most people either don't think she's qualified for her current position (let alone VP) or have decided they like her no matter what anyone else says. But since I live and work in the IT world, I couldn't let this lie.

I'm sure you saw reports about Palin's use of a Yahoo email account and the subsequent hacking of that account by a group calling itself "anonymous." It should be pointed out that anonymous is not from the Obama campaign, as I've seen suggested by some McCain supporters. Anonymous is a loosely organized hacking group that is currently working to expose and discredit Scientologists in a self-declared e-war against the Church of Scientology. They've done some similar hacking stunts before, and somehow they seem to think Palin is a closet Scientologist. Weird, I know. No matter who they are, they broke the law and should be punished if caught.

Anyway, more to the point is the horribly naive, dangerous, and underhanded decision by Palin to use a web-based email account to conduct public business. First, web-based email is not secure. If you use it, assume that the contents of your email could be viewed by anyone. This is not a system on which to share budgets, staff decisions, or policy proposals. Her government email account will (or at least should) have some safeguards to make the contents of her email more private and secure.

I know this point won't gain traction in the mainstream news because most people probably don't think about email security. To the general public, email is a utility that doesn't require much thought, and a government official using Yahoo mail isn't a big deal. But trust me; it is. You don't want someone in the White House discussing items of national security on an open email account.

Second, there are legal requirements for the retention of government documents. Those requirements are known and understood by the Alaskan IT department, and their email servers are backed up regularly. Yahoo will keep records of emails for a time, I'm sure, but they are not legally bound to keep archival copies of anything. They probably clean out their servers pretty regularly, in fact. Without backups, there is a serious lack of accountability.

Finally, it seems clear from some of the intercepted emails that Palin knew exactly what she was doing by using a Yahoo account. Okay, she obviously didn't know how stupid it was from a security standpoint, but she purposefully used the account to avoid accountability. She knew these emails wouldn't be saved (on her end, at least), and she also knew it was unlikely they could be subpoenaed if she were ever under investigation. These are not actions by a "reformer"; they are the actions of someone with something to hide.

So, in what I hope will be one of my last (if not the last) posts on Sarah Palin, I ask this: Do you want a person a heartbeat away from the Presidency who a) is ignorant/stupid enough to potentially spread sensitive government information over insecure networks, and b) used those insecure networks specifically to hide her activities from regulators? This is a rhetorical question, but maybe it shouldn't be.

Update 9/22: It looks like an article I read linking this to the hacker group "anonymous" was incorrect. Maybe it was an innocent mistake since the hacker of the Palin email account called himself anonymous, but I apologize for re-posting incorrect information. Turns out the hacker in question was a student at the University of Tennessee-Knoxville, whose sloppy gloating resulted in his arrest.

People are quick to point out that he is the son of a Democratic member of the Tennessee State Legislature, so this will give conspiracy theorists ammunition to tie this to the Obama campaign again. I say fooey on that. While the motivation may very well have been political (assuming he's even a Democrat like his dad), it's a stretch to think anyone from the Obama campaign would go this route if they wanted some dirt.

My initial impression still stands: it's dangerous and deceitful for Palin to have maintained this account if it was used for any state business.
