Independent review of Scottish Government's use of mobile messaging apps and non-corporate technology

7. Technologies and risk

7.1 We are living in the 'Fourth Industrial Revolution,' an era of rapid technological advances. The way in which we live, work, and communicate with each other has been (and will continue to be) transformed.

7.2 One such transformation has been to records and their management. Information has never been easier, faster, and cheaper to produce, and we have never had such power in our hands. What was once the preserve of the administrative and filing support staff, is now the responsibility of us all.

7.3 Often these new technologies embed themselves into our lives in ways that feels anything but revolutionary. This risks us being oblivious or desensitised to any associated risks. The extraordinary shifts that are taking place, and some of the vulnerabilities they lead to, are often only apparent when something goes wrong.

7.4 One of the challenges of this revolution is that "[D]isruptive technologies burst onto the scene without warning, before social or legal norms can emerge"^[22] (Bowles, 2018, p.15). This is certainly true but equally, as highlighted earlier, there have been warning signs in recent years with a number of legal and regulatory cases as well as reports and commentary which related specifically to MMAs. (see Appendices 3 and 5).

7.5 The Inquiry has served to shine a bright light on the scale of the use of informal instant messaging platforms. This is not something unique to government. The explosion in use of MMAs (particularly WhatsApp) in recent years highlights how embedded it has become in the lives of many of us. And to state the obvious, government is made up of citizens, whether acting as civil servants or as our elected representatives. The behaviours of those working in the institutions of power will necessarily reflect those of wider society. If the use of MMAs is pervasive across society, it should come as no surprise that our civil servants and politicians are using it extensively too.

7.6 At the centre of this review is the policy document covering the use of Mobile Messaging Apps which was rolled out by the Scottish Government in June 2022 when it was identified (in the context of the pandemic) that Ministers and officials were using mobile messaging apps to communicate. This review has not seen evidence that this was previously identified as an area requiring specific policy or guidance, or one which was considered to pose any particular risk.

7.7 In examining the trigger for the roll-out of this policy, it is apparent that it was reactive and late. Prior to its roll-out, there was little in the way of meaningful advice, information, or guidance. The private nature of instant messaging meant that to a large degree the problem remained hidden.

7.8 It is noted that the UK Cabinet Office updated their guidance on the use of non-corporate communication channels as late as March 2023^[23]. The Scottish Government was not alone in the reactive position taken.

7.9 Reflecting on the issues around the use of a particular technology or platform ex-post is not an effective way to approach any governance.

7.10 The policy that was put in place to respond to the emerging picture in 2022 was written in good faith. It did not, however, take into consideration the wider issues that have subsequently been shown to be so critical. It is an illustration of how, had Recommendations 8 and 11 been in place, the problems that played out may have been better mitigated and managed. It also highlights the urgent need to understand technologies in the wider context of Propriety and Ethics (P&E). The document did little to provide a robust and coherent framework to ensure governance and it did nothing to root the matter within a framework of values or ethical conduct. (Appendix 4 contains the MMA policy with examples of its vulnerabilities highlighted and Appendix 10 considers the relevance of recommendations of this review against the policy timeline.)

7.11 There is a danger that, in an environment of rapidly developing technologies, we do things because we can, rather than because we should. Nowhere is that issue more important to consider than in public service. Process, governance, and policy are profoundly important, not only to ensure compliance with legal and regulatory requirements, but also because they give legitimacy, and they promote trust.

7.12 In July 2022, the UK Information Commissioner's Office published a Report in which the Commissioner stated –

"There have been rapid changes in technology in the two decades since Parliament passed FOIA. This means there is a risk that policies and procedures in place across Whitehall no longer reflect how Ministers and officials work and interact in practice. It is essential we examine and address the impact these technology changes are having and that clearer methods are put in place to ensure this happens each time new technology becomes available. As was made clear by my predecessor at the outset of this investigation, it is not unlawful for ministers and officials to use private channels for conducting official business.

The pandemic placed extreme demands and stress on our public services. It is understandable, therefore, that some Ministers, advisors, NEDs, and senior officials have relied on new technologies to make their work and their lives more manageable.

In our view, however, the deployment of these technologies failed to appreciate the risks and issues around the security of information and managing transparency obligations. This is not solely a product of pandemic exigencies but rather a continuation of a trend in adopting new ways of working without sufficient consideration of the risks and issues they may present for information management across government over several years preceding the pandemic"^[24].

7.13 This is another example of a missed opportunity for government across the UK to respond proactively and comprehensively to this issue (see Appendix 3).

7.14 For those areas involving what the Scottish Government acknowledge to be the 'life blood' of the organisation, it cannot be acceptable to create policy and guidance 'on the hoof' and directed by custom and practice. Policy must be the result of careful and comprehensive review, directed by what is right for the organisation and with a detailed understanding of the associated risks and benefits. It must also, as far as possible, invest time into considering the potential for unintended and unforeseen outcomes.

7.15 It is undeniable that considering the risks and issues of new and emerging technologies is not easy.

7.16 A common response to the question of security and/or privacy in relation to MMAs that has been evidenced during this review (and probably a view shared more widely), is an assumption that the only question of importance and relevance is that of encryption.

7.17 Encryption is important and WhatsApp does have end-to-end encryption in place. But the security and governance considerations do not end there. The question of encryption exists alongside a long list of other matters, all of which must be considered by every user, particularly those in the public sector due to the nature of information involved and the relationship with its citizens.

7.18 As has been noted, WhatsApp is the most commonly used platform in the context of this review (and across society). The following (non-exhaustive) list sets out some of the known risks and vulnerabilities of the platform:

• Many security features are turned off by default. Many cyber security professionals are of the view that security measures should be on by default as it can be challenging for users both from an awareness perspective as well as a practical one (how to find and change the default settings).
• It is possible to track approximate location if the security settings are not managed. (Meta has acknowledged this issue and now offer an option to 'Protect IP address in calls.')
• It does encrypt traffic end-to-end, but it is only secure if the keys are controlled and if the keys are properly exchanged and managed. WhatsApp does not offer this function. The end-to-end encryption can be broken or intercepted (criminals are widely reported as avoiding the use of WhatsApp as it, purportedly, suffers from 'man-in-the-middle' vulnerabilities!).
• It is privately owned by Meta (the company that owns Facebook). It is a 'free' application with a business model that is dependent on data. There have been concerns raised about the use and sharing of this data and the way that "[T]he business model turns us into a commodity."^[25]
• Risks of scams, malware, phishing, and account hijacking. One recent example was the 'Westminster honey trap' case which saw MPs, staffers and journalists targeted by criminals with scam WhatsApp messages^[26].
• Lack of regulatory compliance (see Appendix 5).
• The fast-paced nature of 'group chats' can increase the likelihood of security breaches, lead to important messages getting lost and make it difficult to control the spread of erroneous, false, or misleading information.
• There is an absence of user management features.
• There is no way to track the effectiveness of communications.
• There is a lack of training which stands in stark contrast to the 'on-boarding requirements of the Scottish Government eRDM system.
• WhatsApp specifically prohibit 'non-personal use' although it is not clear what this means in practice.

Appendix 9 includes a detailed security risk map relating to WhatsApp.

7.19 In 2021, the Independent Office for Police Conduct (IOPC) published a Review into the use of WhatsApp and other instant messaging applications within the police service^[27]. In that report it states – "[B]y its nature, WhatsApp presents significant risks[emphasis added] relating to data protection and disclosure."

7.20 That Review looked at the practices of a number of forces in England and Wales. Two forces reported to the IOPC that, having taken the opportunity to consider the risks in detail, they had changed their position from allowing WhatsApp to be used, to prohibiting its use. This serves to illustrate how many of the risks are not well understood. It is only when time is taken, and proper analysis done, a real picture can emerge which allows for a meaningful weighing up of the risks and benefits.

7.21 It is a common theme in the digital era that the technology quietly embeds itself into our lives and we quickly become accustomed to it and trusting of it. These technologies are often designed specifically to capture our attention and are habit-forming-by-design. The relationship which develops can result in either an overestimation of personal immunity from harm, or underestimation of the nature and impact of harm.

7.22 For citizens, businesses, and government, those harms will manifest themselves in different ways and have different consequences.

7.23 Governments have been long used to dealing with a myriad of security risks (local, national, and international). The Scottish Government does, as expected, have a comprehensive risk management framework in place. The individuals that work within those functions are professional, diligent, and committed. The vulnerabilities around the use of MMAs centring around records management are beginning to be better understood. These risks are real, and they are significant. They are not, however, the only risks that need to be considered.

7.24 In talking of risks in this context, there are also important considerations of national security as well as the personal safety of public figures. In the Today^[28] programme on Radio 4 earlier this year, Sir Geoffrey Clifton-Brown discussed security issues raised by the 'Westminster honey trap' case and the evidence of increasing and concerted efforts by hostile actors to gain access to the people and information in government.

7.25 In reply, Sir Geoffrey replied "[O]f course MP's are constantly in the public domain and that means all aspects of their private lives are also constantly under scrutiny, and this whole issue of keeping data safe is of paramount importance, we have very sensitive data on a large number of people – our constituents and so on – it's paramount that we keep that data safe, but it's also paramount that we keep our own data safe and I do think that, as a result of this, the government agencies, parliamentary authorities and members of parliament will need to review how they do all that and I do think that more training and more advice is needed for members of parliament so we can try and avoid this kind of thing if possible happening in the future"^[29]

7.26 Earlier this year, the Home Office announced a £31M package to provide extra security to MPs^[30] around concerns about the personal safety and security of elected representatives. A Holyrood survey^[31] conducted in 2021 found that a third of MSPs had received a death threat since being elected.

7.27 There are approximately 4300 mobile phones in circulation owned by the Scottish Government and the nature of the risk goes well beyond end-to-end encryption for messages that may be sent and received on them. One example is the potential for live location tracking (on applications such as WhatsApp) which is a real and present risk but is not mentioned in the Scottish Government MMA policy.

7.28 Care must be taken to ensure a comprehensive assessment is made of all risks. Those highlighted by the Inquiry, and which prompted this review, are significant and require action. The Scottish Government has a risk assessment in place for national security and physical security risks. It is important to ensure that a problem identified in one area does not result in attention given to that area alone, whilst others are neglected. Risk identification, management and mitigation is a collective endeavour across the whole organisation.

7.29 Questions of legal and regulatory compliance, data governance, data sovereignty, and data security (among others) cannot and must not be ignored. Just because technology allows people to easily step outside the legal and regulatory framework, does not mean they should, and rules should not be moulded around such use. Our relationship with technology should not be framed exclusively around convenience. Rules are there for a reason. They need to be based on rational and informed decision-making and comprehensive risk assessment. They also need as far as possible to be unambiguous, proactively communicated and consistently applied and enforced.

7.30 MMAs have the potential to expose governments to significant vulnerabilities, including (but not limited to) a myriad of data, cyber and personal risks. Those vulnerabilities and risks cannot be ignored.