MI5 e-mail alert signup shambles - all email subscription web forms sent to the USA, without encryption
What a shambles over the heavily hyped "MI5 e-mail alert system", which failed to be available on Tuesday morning, as was implied in the media, but which has appeared on Tuesday evening, with all the appearance of a rushed job !
Astonishingly, MI5, the Security Service, part of whose remit is supposed to be giving protection advice against electronic attacks over the internet, is sending all our personal details (forename, surname and email address) unencrypted to commercial third party e-mail marketing and tracking companies which are physically and legally in the jurisdiction of the United States of America, and is not even bothering to make use of the SSL / TLS encrypted web forms and processing scripts which are already available to them.
Is this evidence of a rush job, to satisfy the demands of the Home Office spin doctors or is it incompetence, or indifference to the privacy and security of the general public ?
The media were briefed on Monday. e.g. The Register
The Security Service MI5 will announce tomorrow that subscribers to its website can sign up for email notification of changes to the current threat level.
A spokeswoman for the Home Office said: "There will be two electronic lists, one for people interested in updates to the threat level and one for changes and updates to the website. This aims to improve public understanding of the service's work and to offer faster information about threat levels."
Anyone can sign up to the lists.
The BBC News 24 devoted quite a long segment to it this morning before and during breakfast.
Patrick Mercer, the Conservative "Homeland Security" spokesman and a former Army intelligence officer praised the idea, but pointed out the same sort of problems we asked about during the "Climate of Fear" hype last summer
Despite what much of the press and bloggers are saying, it does not seem that these emails will actually give any detailed information about specific threats, or even what to do exactly before or after a threatened or actual attack. All that they will do is inform people about any change in the crude Terror Threat Alert Status, which is already published on the Home Office, MI5 and intelligence.gov.uk Cabinet Office web pages, and which is endlessly hyped by the media when it changes from one unreal state to another. e.g. Threat Level CRITICAL - now what are we meant to do ?
All this publicity gave the impression that from some, unspecified time on Tuesday 9th January 2007, you would be able to sign up for the Terror Alert Status change emails and the MI5 website News alert e-mails.
What actually happened
This morning, there was no change to the MI5 website since its previous update back in mid December:
Updated 15.12.06 10:00
So all that media hype was wasted, as thousands of people were frustrated in not being able to see what was involved and to try to sign up.
There was another update:
Updated 9.1.07 10:30
The Security Service does not have a Press Office and does not comment on intelligence matters. The Home Office issues statements relating to our work from time to time and we link to these on this page, along with any other relevant official announcements.
SECURITY SERVICE TO OFFER E-MAIL ALERTS (09.01.07)
E-mail alerts of changes to the national Threat Level and updates on the Security Service website will be available in the near future. This will enable subscribers to keep informed of major developments in national security affairs. You will be able to subscribe via a form on the Security Service website. We will publish an update shortly giving the address of the subscription form.
This does not imply some sort of last minute technical hitch, it implies that the scheme has not yet been fully designed, tested and security vetted ! Otherwise, why not give an expected launch time and date for the new service ?
At this point, they could have decided, without too much loss of face, to postpone the start of the e-mail alert service, for, say, a week.
However, presumably following pressure from the spin doctors, and possibly by politicians, there was yet another update:
Updated 9.1.07 17:00
which does contain a web form to subscribe to the new e-mail alert service:
This does also appear to be available under the SSL / TLS encrypted version of the website (but this is not linked to separately or automatically). However the Arabic, Urdu and Welsh versions of the MI5 website do not seem to have this form translated - the first sign that this project has been put together in a rush.
Looking through the source code of the web form, before deciding whether or not to trust it, it was obvious that the web form is processed by this script:
Aaaaargh ! no SSL or TLS encryption !
Aaaaargh !! this script is not on the MI5 webserver !!
Who are pmv2.co.uk ?
Xwhois query for pmv2.co.uk...
Results returned from whois.nic.uk:
UK Limited Company, (Company number: 3894107)
4th Floor King House, 5-11 Westbourne Grove
Who are Mailtrack Ltd ?
"Mailtrack is a digital marketing solutions supplier that designs, delivers and manages digital marketing solutions designed to increase total customer value for our customers."
Telephone - 0870 742 0558
Email - firstname.lastname@example.org
Mailtrack Limited 4th Floor, King House
5-11 Westbourne Grove
London W2 4UA
Co. Reg. - 3894107
VAT - 752 509 333
Mailtrack is registered as a Data Processor with the Information Commissioner.
So, MI5 has outsourced the e-mail subscription process to a third party commercial direct email company.
That is not necessarily a bad thing, however, the web server being used to process the e-mail subscription form is physically located in the United States of America !
404 Not Found
/ was not found on this server.
Resin-3.0.17 (built Thu, 22 Dec 2005 12:11:34 PST)
Note the time stamp - PST = Pacific Standard Time i.e. the west coast of the USA and Canada
takes you to
which is an unencrypted login screen for the ProMail version 2 email list management software.
Again there is a Pacific Standard Time timestamp.
Looking up the IP address:
IP address: 126.96.36.199
Host name: pmv2.co.uk
Network IP address lookup:
Xwhois query for 188.8.131.52...
Results returned from whois.arin.net:
OrgName: Level 3 Communications, Inc.
Address: 1025 Eldorado Blvd.
i.e. a large USA based internet service provider.
Traceroute to the pmv2.co.uk webserver shows it probably to be connected to the Level 3 network in the Seattle area.
7 6 6 6 184.108.40.206 te-3-1.car3.dallas1.level3.net
8 6 7 6 220.127.116.11 ae-1-51.bbr1.dallas1.level3.net
9 140 54 53 18.104.22.168 as-1-0.mp2.seattle1.level3.net
10 53 53 53 22.214.171.124 ae-12-55.car2.seattle1.level3.net
11 Timed out Timed out Timed out
No SSL / TLS encryption
login page has the following commented out i.e. inoperative section of source code:
<!-- To operate more securely and to protect your data, <BR> <a href="/bin/login?ssl=1">sign in using our SSL server</a>.
So it is not as if they do not know about SSL encryption, they are deliberately not using it to protect the email addresses and names of the people who sign up to the MI5 e-mail alert lists.
The pmv2.co.uk server does not appear to have an SSL / TLS Digital Certificate installed
IP address: 126.96.36.199
Host name: pmv2.co.uk
has many other aliases i.e. it serves many other websites:
IP address: 188.8.131.52 Host name: oem.whatcounts.com
WhatCounts.com seems to provide the back end email list marketing software on an Original Equipment Manufacturer turnkey basis, with different logos for each of their clients e.g. see the similarity between
http://pmv2.co.uk and, say, http://redweek.whatcounts.com
See more about WhatCounts Inc below
How does this square with European Data Protection regulations ?
the subscription form ?
The personal data that you submit will be held securely and will be used to manage your subscription or un-subscription. It will be processed fairly and lawfully in adherence to the Data Protection Act 1998. We will treat your data in the strictest confidence and we will only disclose such data to any personal or organisation for the purposes for which it was collected or for the purpose of our statutory functions under the Security Service Act 1989.
Please see our Privacy Statement for further details.
This statement is simply untrue !
Any ISP or telecomms network administrators, or the Governments of the USA or perhaps also of Canada, can snoop on this MI5 e-mail subscription traffic with impunity.
The MI5 website handles its own SSL / TLS encrypted web forms already, so they know exactly what they should be doing.
Has it been a rush job ?
Has this all been done in a blind panic, because of the briefing to the media yesterday by the Home Office, and so that an insecure commercial off the shelf service was hurriedly put into place this afternoon ? Surely they cannot have been planning to use this unencrypted email list server, physically in the USA, all along can they ?
Has there only been a narrow security impact assessment on the potential risk to MI5's internal systems, rather than a wider risk assessment taking into account the privacy and security of the members of the public who subscribe to the e-mail alert service ?
Which politician, spin doctor, or civil service bureaucrat made the decision to overrule the UK IT security experts, and put our personal data at risk in this way ?
What happens if you actually sign up ?
Bearing all this in mind, we have signed up to the e-mail lists with the following result:
If you do use the encrypted version of the web form i.e.
(which is not linked to as such from the homepage), your web browser should, if the settings are sensible, warn you that you are about to lose the protection of the SSL / TLS encrypted session, so the data you are sending "could easily be read by a third party", as you press the submit button.
Then you get:
MI5 E-Mail Lists - Subscription Confirmation
Thank you for your subscription to our mailing list(s).
You will receive an e-mail shortly asking you to click on a link to confirm your subscription.
The email confirmation you get is like this:
To: [email address]
Subject: MI5 What's New - please confirm your subscription
Date: 09 Jan 2007 14:29:20 PST
Security Service MI5
Thank you for your request to subscribe to the MI5 What's New e-mail list.
Your email address '[email address]'
has been submitted to be subscribed to the list. To confirm that you want to join this list, please click on this link to confirm your request:
http://www.whatcounts.com/bin/confirm?code=[22 digit code]
The whatcounts.com website is also hosted by the large US ISP Level 3 Communications in Seattle, in the USA
IP address: 184.108.40.206 Host name: www.whatcounts.com
TraceRoute to 220.127.116.11 [www.whatcounts.com]
Hop (ms) (ms) (ms) IP Address Host name
8 51 18 Timed out 18.104.22.168 te-3-1.car3.dallas1.level3.net
9 7 6 6 22.214.171.124 ae-1-53.bbr1.dallas1.level3.net
10 54 53 54 126.96.36.199 as-1-0.mp2.seattle1.level3.net
11 54 54 53 188.8.131.52 ae-22-52.car2.seattle1.level3.net
12 Timed out Timed out Timed out -
Xwhois query for whatcounts.com...
Results returned from whois.opensrs.net:
316 Occidental Avenue South
Seattle, WA 98104
Again, there is no encryption to protect your personal details.
WhatCounts, Inc. is the third company involved in the email subscription process, one which offers:
"The powerful WhatCounts e-Communications Suite enables marketers to build brand loyalty through enhanced communication and granular analytics."
i.e. direct marketing / junk mail or tracking and analysis of "customers".
Clicking on the URL link to confirm the subscription returns you to the MI5 website subscription confirmation page
which implies that you are now caught in an endless email spam loop, as
"You will receive an e-mail shortly asking you to click on a link to confirm your subscription."
This error surely would have been caught, if there had actually been any proper security auditing or even usability testing, so this lends support to the idea that this is all a rush job, to placate the premature announcement of the e-mail alert service by the Home Office spin doctors.
Just for fun, we also subscribed separately to the Alert list and checked to see if SSL was available on the whatcounts.com webserver
There is a Digital Certificate for secure.whatcounts.com, which, obviously, does not match the www.whatcounts.com URL
Would it really have been so difficult to give the confirmation URL in this format ?
https://secure.whatcounts.com/bin/confirm?code=[22 digit code]
i.e. using encryption rather than
http://www.whatcounts.com/bin/confirm?code=[22 digit code] ?
Interestingly, but unsurprisingly, if they are using relative URLs in the scripts, this does seem to work, and takes you to the SSL encrypted version of the MI5 e-mail confirmation page as before
However, despite starting off with an encrypted session, and finishing with one, our personal data i.e. first name, surname and email address, were put at risk by the unencrypted hop over to Seattle in the middle.
You then get a confirmation email from whatcounts.com, with a similar, unencrypted Unsubscribe link:
http://pmv2.co.uk/bin/listunsub?id=[48 digit code]
Which is handled by exactly the same unencrypted webserver based on the West Coast of the USA, as the original subscription !
Privacy and Security Implications
There is nothing particularly wrong in using a commercial email service for these MI5 email alert lists, except for the fact that this United Kingdom National Security system is being run insecurely in a foreign country, and ignoring some of the built in standard SSL protections which these services are perfectly capable of offering.
We will not be surprised if the entire list of MI5 e-mail list subscribers is stolen in transit or obtained by unauthorised access, perhaps by an existing customer or employee of Mailtrack, Level 3, or WhatCounts.
It is highly likely that there are logfiles of all of the transactions in this mailing list subscription, un-subscription, confirmation email and confirmation web link access process, all of which are outside of the direct control and protection of the UK Government.
It may even be the legal property of these US Companies, which they are legally free to use for direct marketing purposes if they wish.
It is certainly at risk of being legally handed over, en masse, to the US authorities e.g.
"Hey, someone called Osama bin-Laden just subscribed to the MI5 news and alert e-mail lists - they must all be potential terrorists, let's put those names and email addresses into our database of suspects".
Why is this e-mail subscription service not being handled by purely United Kingdom based companies and computers ?
Why is this email subscription service not being handled entirely using secure UK Government computer infrastructure ?
Some Questions, which occurred to us before the web form was revealed:
- Why is there no plan to introduce RSS and/or XML syndication feeds, something which these infrequent news and even more infrequent terror threat status level changes would be ideal for, especially via feed aggregators like Bloglines etc. ?
- Will the e-mail subscription services be, effectively, anonymous or will the jobsworth snoops insist on lots of unnecessary personal details ?
It turns out to ask for email address, first and second names, so in that sense, it is easily forged.
- What is the policy on storing IP addresses and other browser specific details of those signing up for the emails ?
- What is the policy on access to these sign up forms by disabled people ?
No special provisions apparent.
- What is the policy on access to these sign up forms by children ?
No warning about age of consent, or advice to notify a parent or guardian.
- What is the policy on access to these sign up forms by foreigners ?
No attempt at restrictions, which would probably be unworkable anyway.
- Since there are Arabic, Urdu and Welsh language versions of the MI5 website, will these email sign up forms also be available in those languages ?
No translations of the e-mail web form available - probably a further sign of a rushed job.
- Will they incompetently store such personal details so that they can be accessed as a file or an SQL query via the website and thereby give spammers and identity thieves and foreign intelligence agencies another list of people to harass ?
- Will they allow the database of people signed up for these alerts to be enumerated via the error message responses or timing delays e.g. a "blind oracle" script feeding likely email addresses into the online form, to see if a particular person or email address is signed up to the scheme or not ?
- Will they allow Denial of Service attacks in the form of mass un-subscriptions from the lists, e.g. through an insecure "password reminder" option, or simply by sending the word "unsubscribe" from a forged email address ?
Obviously we have not investigated this, but since the email list control software is physically hosted in the USA, outside of the UK Government's control and security standards, then we are quite worried by this shared, unencrypted form for forgotten list administrator passwords:
- If more than an email address is required to sign up e.g. a name, then what provisions are there in place to prevent "celebrity name squatting" e.g. people apparently signing up as Tony Blair or Her Majesty the Queen etc ?
- How many people does the Government expect to sign up for these e-mails, and has sufficient extra money been made available in the budget ?
- Have they invested in sufficient infrastructure e.g. peak bandwidth, hardware accelerators, traffic shapers, load balancers etc. to resist Denial of Service attacks on these e-mail signup forms ?
- Will any of the e-mail alerts actually be Digitally Signed to assure people of their authenticity ?
- All of the above points should already have been addressed during the CESG information security re-Accreditation of the MI5 website, given this major change to its configuration. Has this formal Accreditation process actually been signed off yet ?
We are not hopeful about the answers to these questions, based on what looks like a rushed job, on the cheap, which was eventually launched today.