Who's afraid of WhatsApp?

The Senate Estimates committee's focus on the security of WhatsApp missed two key issues. Secure communications is a people problem. And does it even have to be 'secure' in the first place?
Written by Stilgherrian, Contributor

The Australian Senate's Finance and Public Administration Committee, and in particular Senator Penny Wong, gave the Department of Prime Minister and Cabinet (DPMC) a grilling over communications security on Monday, but were they turning up the heat for the right reasons?

At the core of the sometimes tense hearing -- Senator Wong was even accused of "badgering" one DPMC witness -- was the issue of cabinet ministers using the messaging app WhatsApp among themselves and their staff.

It all began last Wednesday, when Fairfax Media published the story, "Malcolm Turnbull and senior cabinet ministers using WhatsApp could pose security risk: experts". It accurately pointed out that WhatsApp isn't on the Australian Signals Directorate (ASD) lists of Evaluated Products or Certified Cloud Services.

"I can't imagine ASD is very happy about it," one staffer is reported as saying.

Wong spent half an hour on Monday putting a series of questions to DPMC deputy secretary Allan McKinnon and other staff about the "range of allegations" about "insecure communications". She was clearly unhappy with McKinnon's answers -- that he "tended not to attach particular credence" to the news reports, and that "Fairfax may report as it pleases".

Wong demanded to know whether DPMC had conducted any investigations to "confirm the assumption" that there were no security implications from using WhatsApp. They had not.

The Prime Minister's special advisor on cybersecurity, Alastair MacGibbon, responded to questions about the security of WhatsApp specifically with the kind of nuanced answer that information security requires.

"If I can not give you an assessment of WhatsApp versus other apps, what I can say is that the use of messaging apps can increase privacy and security, based on their encryption, versus a telephone call or an email or an SMS," he said.

MacGibbon's statements were accurate. "All communications by their nature can be attacked," he said. Is WhatsApp more secure than, say, sending an SMS message? "It depends." But those nuanced responses didn't please committee chair, Senator James Paterson. Nor did they please Wong, who continued to ask who gave advice to whom, and when.

All this completely misses the point, however.

The real point was made when MacGibbon returned to give evidence later on Monday, armed with a statement from the ASD.

"The Australian Signals Directorate has advised that encrypted over-the-top applications such as WhatsApp provide users with significant amounts of privacy. The Australian Signals Directorate has no concerns with such applications being used for unclassified communications," it read in part.

The ASD confirmed that classified information must be handled in accordance with the government's Information Security Manual, but that doesn't apply to unclassified communications.

MacGibbon went on to clarify that the term "sensitive" communications has a very narrow definition in the Protective Security Policy Framework issued by the Attorney-General's Department. It applies only where a secrecy provision applies under law, or where the law prohibits disclosure of the information concerned.

Nothing else is, technically, "sensitive".

Now we get to why this whole discussion is a non-issue.

Ministers and staffers may well have "taken to using the app within the highest levels of the government", as BuzzFeed wrote. But that's not the same as saying that WhatsApp is being used for the highest level of government communication.

In the Fairfax Media story, Emeritus Professor Bill Caelli from the Queensland University of Technology said cabinet communications should happen on a secure device or not at all. True, but not all communications between cabinet ministers are cabinet communications. Much of it would be as routine as changing the time for a coffee meeting, asking when a report will be ready, or agreeing with colleagues that an opposition MP is a goose.

This does leave the issue of whether ministers and their staffers are meticulous about keeping sensitive government information off WhatsApp. But the same could be said for their use of the unclassified email network, the phone, Australia Post, or even a conversation over beer in a public bar.

That is to say, it's already an area where individual judgement affects government security. It's a people problem, not a technical problem.

Australia's favourite Attorney-General, Senator George Brandis QC, reassured the Senate committee that any communications via WhatsApp was "entirely unremarkable". His expertise in these matters speaks for itself.
