If you don't want something read, don't email it

Published: October 9, 2008 at 10:04am

I agree that the government should give the facts – and clearly – about this business of the MITTS system being hacked into. No good can come of silence, and it makes it seem that they’re worried about telling people what really happened. The explanation that this will damage the investigation is not quite convincing. Presumably, the individuals involved have heard by now that there is an investigation going on and have had ample time to delete any incriminating evidence and to concoct a couple of good stories. I can’t see how releasing the facts at this late stage in the game is going to harm the investigation.

When, some years ago, the police informed the prime minister that the chief justice and another judge were under investigation for taking bribes to reduce the sentence of a drug trafficker, the prime minister took the correct course of action and informed the leader of the opposition, then made a statement to the nation in front of the television cameras, explaining the situation. He was applauded for doing so, and the only people who criticised him were the judges themselves, who claimed he had prejudiced their right to a fair trial. Meanwhile, one of them appears to have escaped trial altogether, even though the other has served his sentence already.

Nobody is criticising the government because the MITTS system was hacked into. Hackers are hackers, though this should teach a few people some lessons about making the system more secure. No. All the criticism is focussed on the lack of an explanation.

The MITTS situation is nowhere near as dramatic as the case of the two judges. It does not require statements to the nation by the prime minister, but it does require a clear explanation as to what happened. Sant is right in saying that in a true democracy this explanation has to be given. I find it extraordinary that he has moved to fill in the role of leader of the opposition, demanding this explanation, while the acting leader flaps around talking ridiculously of smoke screens and paraventi and the real leader is cavorting in Tripoli with Alex Sceberras Trigona. It was Muscat’s place to demand an explanation in forthright tones, but Muscat – the quintessential empty vessel – is amusing himself elsewhere, the full significance of his role not having dawned on him yet, except for the fact that it makes him feel important.

Unfortunately, Sant’s correct demand for an explanation is undermined because it appears to be driven by personal interest and by his preoccupation that somebody might be reading his emails. Is he worried about this on principle, or because exposure of those emails might cause him embarrassment? It would have been more effective if he had left that out altogether, because he comes across as being more concerned about people reading his messages than about the wider implications of what might have happened. I find his belief that emails are secure to be almost touching in its naivety. With email, there is one golden rule: if you don’t want it read by persons other than the one to whom you are sending it, don’t write it in the first place. Of course, this applies to letters, too – but emails, unlike letters, can be sent around to thousands of people at the touch of a key. You may trust the recipient, but that’s not enough. Emails, unlike letters which can be locked in a drawer, stay there on a wider system, forever and ever amen.

Wednesday, 8th October 2008 – 21:11CET
Sant hits out at MITTS investigation

Former Labour leader Alfred Sant today accused the government of using police investigations into alleged hacking at MITTS as a screen so as not to give an account of what had really happened. Speaking in Parliament, Dr Sant said that what was taking place was a parody of an investigation on matters which in a real democracy were of utmost importance. The investigation was being used so that the government would not be held to account. The same thing had been done in the Mistra case.

What was taking place in Malta was in stark contrast to what took place in Britain, where no facts were hidden by the government in a similar case. Dr Sant said that he had expected MITTS to at least inform him whether anyone had unauthorised access to his e-mails over the past two years, but nothing had happened.

He recalled that last September, when he was still Opposition leader, he could not access his e-mails and he had informed the Clerk of the House of his problems. The Clerk contacted MITTS and he was asked to change his password for access to Internet and his e-mail account. But no explanation was given. What was involved in this case, Dr Sant said, was not only his own fundamental rights, but also his work as an MP and then Opposition leader and also the rights and interests of those who had communicated with him through e-mail.

The ongoing police investigation probably meant that more people were seeing his e-mails. It was scandalous that the government was seemingly ignoring this case and accusing others of coming up with “a pack of lies”. Dr Sant said he had now written to the chairman of MITTS demanding an explanation, and he would take all other appropriate action to safeguard his rights. It was a disgrace that a government which boasted of its European credentials was ignoring its obligations under the most important of European values, those on which good governance were based, Dr Sant said.




12 Comments

  1. Antoine says:

    If Dr Sant, and indeed any other e-mail user, wishes to ensure that his e-mails are not being read, then the e-mails should be encrypted.

    It is far easier to hack into an e-mail account than it is to read e-mails encrypted using any of the freely or commercially available encryption solutions. It has been suggested that e-mail accounts are being accessed because passwords are stolen or hacked – but if encryption was used, then anyone with an e-mail password would still not be able to read the e-mails.

    Unfortunately, not many people know this. People assume that e-mails are secure and safe but, as a matter of course, they aren’t. Few people know how to secure e-mails. Fewer still encrypt information.

    Since the Data Protection Act insists that confidential information should be transmitted securely, I would expect that people in government, especially MPs, have been told that they should encrypt e-mails containing confidential information. This means that, theoretically at least, they know how to secure items.

    Do they?

    [Daphne – I get the feeling that it’s not matters of political business they’re worried about.]

  2. Antoine says:

    Who said anything about politics?

    If I send an e-mail containing my bank account details, or containing a doctor’s report or containing a shopping list, I can encrypt it if I want to. If I encrypt it, having my password will still not reveal the content of the e-mail.

    If any MP is worried that some personal information will be revealed, s/he should encrypt the e-mails.

    It is as simple as that … provided, of course, that MITTS actually provides these encryption facilities, but one would hope so.

  3. I. M. Dingli says:

    Antoine… the problem is that the so called ‘hacker’ had physical access to the mail server so any protection would have been futile since he was an insider.

    [Daphne – So he wasn’t a hacker, but a company employee breaching confidentiality. Or was he a company employee who hacked a system to which he had no regular access? That’s why we really need to be told.]

  4. Nicholas Calleja says:

    That’s why Dr. Alfred Sant had misprints on his party’s manifesto…while sending emails somebody must have tampered with the data! LOL…

  5. mat555 says:

    Joseph is checking his hindsight my dear! He may ask for a clear statement in 5 years!

  6. amrio says:

    Well said. This point cannot be stressed enough – YOUR EMAILS ARE NOT SECURE!

    Any mail system administrator of your ISP has access to your mail. Obviously, they never should open your mail without reason, but they can do it.

    If you really need to send something important and/or high risk and/or secret via email, then the best thing to do is to save the document as a text or Word file, encrypt the file, send it and then give the password to the addressee telephonically (or something).

  7. Jason Spiteri says:

    The police chiefs of some countries, in similar situations, give the press at least a brief enough explanation to reassure the public of what has happened and what’s being done – it’s always possible to find a sensible balance between saying too much and stoking rumours by keeping mum.

  8. Sybil says:

    “[Daphne – So he wasn’t a hacker, but a company employee breaching confidentiality. Or was he a company employee who hacked a system to which he had no regular access? That’s why we really need to be told.]”

    One wonders if this is a case of industrial espionage of some sort. Could it be related to a case of break-ins in offices of various IT companies reported in Maltatoday some months ago?

    [Daphne – They were advertising agencies, not IT companies. I often wonder how much of this sort of thing goes on and remains undiscovered and unreported. Clerks at insurance companies have access to the details of the valuables in our homes. Any bank teller can get into any client’s account and see what he or she has got or hasn’t got. We leave a lot to trust. And while they have strict confidentiality agreements and will lose their job and in some situations even face prosecution for releasing details, I sometimes wonder how it can be possible to monitor the behaviour of those thousands of people, some of whom may be silly enough to think nothing of looking up a disliked neighbour’s account, for example, and going home to tell, say, their mother.]

  9. Jason Spiteri says:

    There must be a gazillion examples of little intrusions – what I wonder about is how many companies the data protection commissioner’s staff actually visit to check that the very detailed and very impractical and unrealistic checks set out in the law creating their office lays down? You never do read about any private companies being charged in court over non-compliance with data protection, do you?

  10. Antoine says:

    Apologies for the delay in replying to Mr/Ms I.M. Dingli – your statement is categorically untrue. If any person has access to a mail server, s/he will only be able to read unencrypted mail. On the other hand, if encryption and digital signatures are used, then even your ISP or system administrator will be unable to read your mails.

    Ironically, the Government of Malta was one of the first countries in Europe to include a definition of “digital signatures” and encryption into its laws. Despite this, it does not seem as if e-documents (which are signed electronically as defined and allowed by law) are being used.

  11. Antoine says:

    Hello everyone,

    I know that this is an old post but wanted to add my comment to this post given my previous thoughts on the matter. Take a look at the article listed on The Times here: http://www.timesofmalta.com/articles/view/20081014/local/attack-on-mitts-system-started-in-cairo-embassy-information-extracted-on-sept-4

    Note the following paragraph:
    “Among measures which could be disclosed, were the introduction of token/smart cards to MPs and people in sensitive posts, without which email accounts could not be accessed. Secure Mail was also being introduced immediately to encrypt email.”

    Tokens and smart cards contain digital signatures and when using them, as the article points out, no one can read your mail unless these items are in hand. It’s similar to the online banking token.

    Good to see that they’re going to use them (and encrypted e-mails) even though it is a little late.
