Several webpages from Elections Canada and MPs lack basic data protections, expert says

Several Elections Canada webpagesand personalwebsites from MPs don't have the basic encryption necessary to stop your information from being hacked as it's sent from point A to point B.

Pages to request publications from Elections Canada, as well as the websites of Liberal, Conservative and NDPMPsuse an outdated,unprotected chain to carry informationyou send to them through the network.

Liberal Democratic Institutions Minister Karina Gould, Conservative Finance Critic Pierre Poilievreand the NDP'sRuth Ellen Brosseauhadthis deficiency on the "contact me"form that asks forpersonal information like your email, name and address beforesending feedback to your MP. Gould and other Liberal MPs updated their sites after queries from CBC News.

Conservative Party spokespersonCory Hann said the party'swebsitesall adhere to proper encryption standards, but the sites of individual MPs are not run by theparty.

NDP spokesperson Jonathan Gauvin said the party has "been in the process of updating all sites to ensure they're secure for users" and they're "committed to ensuring this is the default for all of our sites."

There are two different protocols for sending data between your browser and the website you're connected with, the unsecure"HTTP,"and "HTTPS"the secure version, with proper encryption where the "s"stands for "secure."

Banks and credit card-based sites like Amazon started usingHTTPS about 20years ago, and social media sites have had it in place for more than a decade.

"This is what you can really considerthe minimum 'security 101'for your website," said Aleksander Essex, a cyber securityexpert at Western University who specializes in democratic institutions.

He saidif major political players like Elections Canada and MPshaven't fixed their websitesyet, it's time to consider"what kind of message is that sending."

Elections Canada said they're aware of the security gaps and are working to fix them.

"We share the view that this is an important security measure. We are working on the final stages of implementing HTTPS on our site," they said in an email.

Fears of voter suppression

Basic HTTPSencryptionisn't just about protecting information flowing through the internet, Essex said. It's about the user knowing theirinformation will be kept confidential and giving people confidence they're interacting with legitimate organizations.

Without proper security, hackers are able to alter information on a website, including redirecting users to decoy pages. In the case of Elections Canada,Essexsaidthese tactics could be used for voter suppression if information like where to vote is manipulated because the site isn't protected.

Essex saidhe first reached out to the agencyeight months ago to flag the issue.

"I don't see any technical reason that it would take as long as it has," he said, adding a single web page can be converted into a HTTPS-safe site in a few minutes.

"Ultimately it comes down to the organization's priorities."

Goodale on the government's new cyber security strategy

6 years ago

Duration 6:30

Public Safety Minister Ralph Goodale joins Power & Politics to discuss the governments new cyber security strategy and what it means for Canadians.

A spokesperson for the Liberal Party said the "highest levels of security are implemented for all data, communications, and records."

When asked if Canadians should be concerned about sharing personal information over Liberal-affiliated websites, Braeden Caley said the party takes data security seriously.

"We are also providing 2019 candidates, campaign teams, and campaign officials with comprehensive resources and guides on best practices for information security online, on social media, and more broadly."

Not every MP's web page is a security risk. Many MPs are already using HTTPS and all of the parties' primary websites are properly protected.

Similarly, most of Elections Canada's site uses a secure connection when it asks for your information.

'Not sending the right message'

Despite steps to fix the problems, Essex saidit should worry Canadians that many MPsand the country's election agency are still operating at 1990s-level internet security.

"They say 'we would like to hear from you please sign up give us your email' and they send it insecurely over the unencrypted connection. It is not sending the right message," he said.

It's not a critical vulnerability, but that doesn't mean it should be tolerated.

"Turning this on is like the minimum thing that they could do."

Are Canadian institutions vulnerable to a Russian cyberattack?

6 years ago

Duration 7:51

'We can never rest,' says Scott Jones, head of the Canadian Centre for Cybersecurity.

Political parties have created perplexing cyber security issues, as they are not beholden to privacy laws in Canada.

It's gotten so bad that Canada's Chief Electoral Officer StphanePerrault has called them out for being the weak link in the chain.

Perrault said inexperienced staff could fall prey to simple phishing scams and accidentally give hackers access to databases holding the personalinformation of thousands of Canadians.

In the fall, a team from the Canadian Centre for Cyber Security also quietly briefed the political parties on how to protect themselves from cyber attacks