The States of Windows XP

Jersey's government confirms it still uses Windows XP for some sensitive tasks Posted 15 November 2016

Recently I wondered how many States of Jersey departments still use Windows XP after seeing that distinctive green Start button on government desktops one too many times. This worried me since Windows XP is truly obsolete and can be remotely exploited by numerous security holes, and it is no longer supported - even by Microsoft. It is over 15 years old and the latest release was from April 2008.

Running it today is not unlike taking off in an old aircraft you found in a field somewhere. You might get the engine to start, and you might even take off, but you have no expectations of safety or reliability. No matter how talented a mechanic you are or how carefully you looked it over before flying, I won’t be surprised when you crash and burn.

The States of Jersey are definitely modernising and they have a great team of talented people bringing government services online. But when William Gibson said “The future is already here — it’s just not very evenly distributed” boy he wasn’t joking.

After reading this Motherboard article on UK NHS hospitals still running Windows XP I was inspired to make a similar Freedom of Information request to discover how many were in use locally. The response came yesterday from the Chief Ministers office and it was pretty much what I expected to see.

image of the FOI document response received

The FOI response with the PR fluff crossed out. Click to download the original (PDF, 92kB).

The States of Jersey website maintains a selective list of FOI requests and their responses on this web page, but at time of posting mine was not yet published. You may download their original response by clicking the image of the document above.

At least some of the ‘very limited’ number of XP machines are being used for sensitive crime prevention tasks and the States must keep further details secret. That information is exempt from FOI disclosure. I do understand this point though I am not sure how effective it is. Attackers can and do rapidly scan Jersey IP addresses for vulnerabilities and if these machines are online they will be exploited.

If I’m on a jury and the defense points out that a key piece of evidence came from a Windows XP system, do I trust it enough to send someone to prison? Is using XP for tasks so sensitive they have to be exempt from FOI disclosure compliant with local Data Protection laws? I don’t have the answers but these are some uncomfortable questions that go away when we upgrade to a modern operating system.

I’m concerned that the gap between the leading edge of e-government and its ‘long tail’ has grown too wide. The government is us, the people of Jersey, so if you are reading this and thinking “Someone else must fix this” you are truly missing the point. It’s up to you to voice your concern to your elected representatives and let them know this is a priority. Those are your private medical records a doctor is inputting into an XP machine at the hospital. Those are your details a police officer is accessing on a remotely exploitable XP install. Hopefully we can quickly upgrade what dangerously obsolete computing infrastrusture remains, and keep our sensitive data safe.