The Green Party has added a privacy notice to a Freedom of Information (FOI) website which asks users to provide names and email addresses, although the website does not run SSL security.
The issue was spotted by NADPO Chairman Jon Baines, who pointed out on Twitter that the Greens were “defending” FOI by gathering personal data on a page without any privacy notice. The political party has told Infosecurity that it would discuss the HTTPS issue “with our IT team straight away”, and thanked us for raising the important question.
Baines said that he saw this less as an information security issue, given the general lack of HTTPS on websites that collect data, and more as a pure data protection issue. “Failure to tell people what will happen with their data is a simple and clear breach of the first ("fairness") data protection principle in Sch 1 DPA 1998,” he says.
“Added to that, any marketing emails sent on the back of the lack of a privacy notice would be likely to breach the ePrivacy regulations. Interestingly, and silently, the page has now been given a (cursory) privacy notice.”
Asked whether this is really a problem, given that only email addresses and names are being submitted, Mark James, security specialist at ESET, said: “We have to start to realise ALL data is important. In this particular scenario, enough information is being submitted to enable phishing emails to be sent of a nature to trick individuals into supplying possibly more sensitive information that could lead to identity theft or fraud.
“More and more of our data is becoming public knowledge, and it’s becoming a lot harder for the average user to determine what’s good and what’s bad when it comes to follow-up emails and/or phone calls ‘verifying’ or confirming your submitted information.”
James said that an organisation like a political party should be using more secure methods to collect members’ and potential members’ data, and that any user information requested and submitted via a website should be sent over HTTPS.
“While it’s not a fool-proof solution, it’s a lot safer than using plain text or unsecured means to transfer data that could be used for foul means or malware type activities,” he says. “There is absolutely no reason to not use this better and safer method especially when the data is requested from a responsible source.”