Security Through Obscurity

In June of last year, a report was provided to the Belfast City Council Policy and Resources (Members) Sub-Committee on the Pilot Study that had been carried out to investigate providing information to the Councillors electronically. Belfast City Council uses over 12.5 million sheets of copying paper per year, and a large number of these are used in providing the information packs of minutes and reports to councillors for each Council, Committee and Sub-Committee meeting during the year. It was hoped that moving to an electronic distribution system might help this. (Of course the most likely outcome is that the councillors would just print the information themselves anyway, so the environmental argument probably doesn’t really hold that much weight here.)

Unfortunately, the report revealed that the system had mostly been a failure. The website providing the papers was only made available from within the Council’s network, and still required multiple passwords to access. Even though it was ‘internal’, the system was very slow, and often completely unavailable, apparently due to firewall issues. The information wasn’t up-to-date, and there was no diary facility or even a schedule of meetings. As a result, some of the pilot group actually abandoned the system during the trial period.

I was curious as to what exactly made the system so bad, so I made a Freedom of Information request for the manual that had been created to explain how to use the system. The system seems to have been built on Microsoft SharePoint as a fairly straightforward Shared Workspace system, providing the majority of (all?) documents in Microsoft Word format. Assuming the documentation fairly reflects the actual system, there doesn’t really appear to be anything particularly difficult about it.

I have to assume, therefore, that the main problems were actually to do with the unreliable access, and the difficulties of actually accessing the system even when it was working.

The cover letter that arrived with the User Guide provides another interesting view on this, in that the Council decided that they should redact the Guide before sending it to me, in order to remove the references to the server name on which the system was running. Thus, in the Guide I received, the URL bar in each Internet Explorer screenshot has been blanked out.

The Council have claimed a Section 43 exemption for this, which permits a public authority not to disclose information if its disclosure would, or would be likely to, prejudice the commercial interests of any person, including the public authority holding it. They explained that providing “access to information regarding the server name would increase the risk of the security of our internal electronic systems being breached and would therefore be likely to adversely affect the commercial interests of the Council.”

The Act also requires that, even where an authority believes this, they also have to weigh it up against the public interest in disclosure. As such, the Council goes on to say that although disclosure would allow for a more informed public debate on the issue, promote accountability and transparency, and assist the public to understand and challenge Council decisions, they decided that “the public interest is not best served by putting at risk the security of our internal electronic systems.”

Although I have no particular desire to know the name of the internal server hosting this system, or the URLs of any part of the system, I find the Council’s reasoning here to be rather worrying.

Perhaps it’s just an overly paranoid approach to systems security – and the Councillors’ complaints about how the system could only be accessed from within the Council’s own network, and only then with multiple levels of passwords, certainly bear this out. But I was under the impression that it was generally accepted that security through obscurity is a bad policy.

I’m not going to appeal this one (if anyone else feels strongly about it, I’ll certainly give them a copy of the letter and let them take it up with the Council), but I think I am going to make a follow-up request for more information on the information gathered from the Councillors about the trial system. As with other things I’ve discovered in the Council minutes, I support the ideas and ideals that the Council appear to be espousing with such a system, but I think the actual execution leaves a lot to be desired.
