Reports that Australia’s new, tech-savvy prime minister, Malcolm Turnbull, has recommended that his cabinet colleagues use the messaging software Slack to communicate with one another has prompted questions about the platform’s security and privacy.
While Turnbull has been similarly enthusiastic about messaging system Wickr, his recommendations have now unleashed a flurry of questions about the proposal from senator Penny Wong in the parliament’s Senate Estimates.
In a response to Wong, Allan Mckinnon, deputy secretary of national security described Slack as offering “end-to-end encrypted messages”. “In simple terms it is a heightened degree of security and privacy for your communications,” he said.
While Slack does encrypt messages, it has not been immune to attack and was hacked in February 2015. The service, which is offered out of Amazon datacentres in the US, has since beefed up security with two-factor authentication.
Nevertheless, Mckinnon indicated to the senator that there was no reason why the cabinet should not use the messaging platforms despite them being hosted overseas.
IBRS analyst James Turner said: “The musings and collaborative work of our prime minister will be of great interest to many other parties, so there is a clear requirement for a higher level of information security.”
However, he added, compared with some of the legacy systems deployed in enterprises and across the government, modern software-as-a-service (SaaS) communications systems offered much greater functionality and value.
“There are so many issues around information security that can be addressed through clever design. Jurisdiction does not matter if you’ve thought through how you’ll use encryption and key management. The metadata about usage that the vendor may be able to access does not matter if your contract stipulates that the SaaS vendor will not create or retain this data,” said Turner.
“It would be a mistake to think that just because a service is in the cloud that it is inherently better or more secure. But it would equally be a mistake to think that there isn’t a better or more secure way of doing enterprise IT than we currently are.”
Security is one issue, governance and probity another. This is something the US is also grappling with regarding former secretary of state Hillary Clinton’s decision to use a private rather than government server to manage her emails, which has led to subsequent access to information challenges for the administration.
In Australia the issue of Freedom of Information (FOI) requests and access to messages shared through services such as Slack and Wickr was raised in Senate Estimates.
Mckinnon told senators that any communication which is an official government communication would be subject to the provisions of the Freedom of Information Act and the Archives Act.
However, Wickr does not collect or store any user data, so there would be no record of communications to access. In a recent blog post, the company’s general counsel, Jennifer de Trani, wrote: “Wickr’s communications platform enables encryption between devices in such a way that unencrypted user data never touches our servers.”
So, even if an FOI case was launched there would be nothing to discover.
In the case of Slack, there could be a lengthy legal delay. The company’s access policy states: “Slack does not accept legal process directly from law enforcement entities outside the US or Canada. Foreign law enforcement agencies should proceed through a mutual legal assistance treaty or other diplomatic or legal means to obtain data through a court where Slack is located.”