Several webpages from Elections Canada and MPs lack basic data protections, expert says
Canadians should be concerned that 'security 101' isn't being followed by some MPs, expert says
Several Elections Canada webpages and personal websites from MPs don't have the basic encryption necessary to stop your information from being hacked as it's sent from point A to point B.
Pages to request publications from Elections Canada, as well as the websites of Liberal, Conservative and NDP MPs, use an outdated, unprotected chain to carry information you send to them through the network.
Liberal Democratic Institutions Minister Karina Gould, Conservative Finance Critic Pierre Poilievre and the NDP's Ruth Ellen Brosseau had this deficiency on the "contact me" form that asks for personal information — like your email, name and address — before sending feedback to your MP. Gould and other Liberal MPs updated their sites after queries from CBC News.
Conservative Party spokesperson Cory Hann said the party's websites all adhere to proper encryption standards, but the sites of individual MPs are not run by the party.
NDP spokesperson Jonathan Gauvin said the party has "been in the process of updating all sites to ensure they're secure for users" and they're "committed to ensuring this is the default for all of our sites."
There are two different protocols for sending data between your browser and the website you're connected with: the unsecure "HTTP" and "HTTPS" — the secure version, with proper encryption — where the "s" stands for "secure."
Banks and credit card-based sites like Amazon started using HTTPS about 20 years ago, and social media sites have had it in place for more than a decade.
"This is what you can really consider the minimum 'security 101' for your website," said Aleksander Essex, a cyber security expert at Western University who specializes in democratic institutions.
He said if major political players — like Elections Canada and MPs — haven't fixed their websites yet, it's time to consider "what kind of message is that sending."
Elections Canada said they're aware of the security gaps and are working to fix them.
"We share the view that this is an important security measure. We are working on the final stages of implementing HTTPS on our site," they said in an email.
Fears of voter suppression
Basic HTTPS encryption isn't just about protecting information flowing through the internet, Essex said. It's about the user knowing their information will be kept confidential and giving people confidence they're interacting with legitimate organizations.
Without proper security, hackers are able to alter information on a website, including redirecting users to decoy pages. In the case of Elections Canada, Essex said these tactics could be used for voter suppression if information like where to vote is manipulated because the site isn't protected.
Essex said he first reached out to the agency eight months ago to flag the issue.
"I don't see any technical reason that it would take as long as it has," he said, adding a single web page can be converted into a HTTPS-safe site in a few minutes.
"Ultimately it comes down to the organization's priorities."
A spokesperson for the Liberal Party said the "highest levels of security are implemented for all data, communications, and records."
When asked if Canadians should be concerned about sharing personal information over Liberal-affiliated websites, Braeden Caley said the party takes data security seriously.
"We are also providing 2019 candidates, campaign teams, and campaign officials with comprehensive resources and guides on best practices for information security online, on social media, and more broadly."
Not every MP's web page is a security risk. Many MPs are already using HTTPS and all of the parties' primary websites are properly protected.
Similarly, most of Elections Canada's site uses a secure connection when it asks for your information.
'Not sending the right message'
Despite steps to fix the problems, Essex said it should worry Canadians that many MPs and the country's election agency are still operating at 1990s-level internet security.
"They say 'we would like to hear from you please sign up give us your email' and they send it insecurely over the unencrypted connection. It is not sending the right message," he said.
It's not a critical vulnerability, but that doesn't mean it should be tolerated.
"Turning this on is like the minimum thing that they could do."
Political parties have created perplexing cyber security issues, as they are not beholden to privacy laws in Canada.
It's gotten so bad that Canada's Chief Electoral Officer Stéphane Perrault has called them out for being the weak link in the chain.
Perrault said inexperienced staff could fall prey to simple phishing scams and accidentally give hackers access to databases holding the personal information of thousands of Canadians.
In the fall, a team from the Canadian Centre for Cyber Security also quietly briefed the political parties on how to protect themselves from cyber attacks.