Editorial | Don’t be huffy over JamCOVID revelations
That a “comprehensive review” of the security of all government websites is under way to ensure compliance with “international standards and best practices” is a welcome development. However, the implication that this action may have been occasioned by the JamCOVID fiasco, rather than being a routine exercise, is surprising.
Should this be the case, the Government must not just strengthen the security of its sites. The systems must now be regularly policed to ensure their integrity, which sometimes means being receptive to observers who point out obvious gaps and vulnerabilities, even when they are not officially authorised to do so. In the event, we hope that embarrassment and hubris are not driving the Jamaican authorities to go after the good guys for revealing the frailties and cock-ups at the JamCOVID portal. For, neither that nor declarations about the supposed robustness of its security, or its related app, will of themselves restore confidence in the site.
What is required is a full and frank assessment and disclosure of what went wrong, who is responsible, if and how they have been held accountable. We must also be told the precise nature of the fix. This does not require lengthy study and analysis, which gives the impression that the Government is playing for time to get around having to hold people responsible.
Additionally, the re-establishment of trust in the JamCOVID site, and anywhere else the State stores people’s private data, will demand that the Government follows its own legislation, regulations and guidelines for the management of this information, including its deletion when required by law. Failure in this regard is not only a matter of personal information possibly being stolen by people with malicious intent. It has the prospect, too, of weakening trust in government and raising questions about the real intention of an intrusive State.
These issues have come into sharp focus over the last fortnight through revelations made by TechCrunch, an online publication that reports on technology and business issues, about the security failures of the JamCOVID portal, the site through which Jamaica manages the movement of travellers to the island in the face of COVID-19 restrictions, and which was left unprotected. First, it was disclosed that the storage server on which data was held had no password. That meant tens of thousands of documents of people’s private data – including negative COVID-19 test results, quarantine orders and signatures – were potentially available for the taking.
There was the sense that the Government was huffy about the revelation and disputative of the potential effect of the vulnerability, even as it announced that the problem had been repaired. But days later, TechCrunch again reported that a file with passwords and other credentials, which could take anyone who utilised it to the backend of the application, was openly exposed on the site. Again, Jamaica seemed to suggest that the availability of this file was overblown.
Then on Thursday, the same day Prime Minister Andrew Holness chaired a meeting of the National Security Council focusing on cybersecurity, TechCrunch made a further disclosure of another weakness in the JamCOVID site’s security, one that exposed information related to more than half a million quarantine orders. Much of that information, the regulations suggest, should already have been deleted.
The first inclination is to treat the whole affair as a screwball comedy. Except that the matter is so serious. Even before a technical report of the consequences, or lack thereof, of the exposures, a simple explanation of how this could happen again after the first revelation is necessary. This, after all, is about competence and execution of due diligence. Leaving home with your door wide open and getting away with only a scare, might, the first time, be treated as an oversight. Doing so a second and a third time is reckless – and worse.
The fact that there are “inherent risks” in the digital environment from people with malign intent, as the Government has pointed out, should not be conflated with what appears to have happened on the JamCOVID site. Neither should anger be spewed at journalists reporting information that the public has a legitimate right to know, or, for that matter, at anyone with the skills to note and highlight the vulnerabilities of the site. Even as we fulfil the obligations under the law, the process should not begin, because of our embarrassment, by taking a huffy tone with such persons.
Jamaica is perhaps lucky that, as the Government reported, there was no “data exfiltration” from the JamCOVID portal. Maybe we should thank TechCrunch for the opportunity to fix the vulnerabilities before that happened.