A non-profit body the Centre for Public Safety has done a scan of the UK’s public-facing digital policing infrastructure to identify whether the foundations are secure.
The centre scanned 71 police and affiliated websites (including its own) and found that just over one-quarter (27pc) demonstrated the highest standard of secure connection; the remainder (73pc) either lacked a secure connection for visitors or their implementation was deemed deficient or insecure.
Almost one in four (24pc) of the sites lacked support for secure connections at all, meaning information is communicated in plain unencrypted text across the internet. Of these, almost 70pc (11 agencies) invited users to submit personal data – and in some cases information specifically relating to criminal activity – via these unsecured connections. They are exposing the public to unnecessary risk.
This is despite the fact that the use of secure connections when transmitting personal data is regularly highlighted in crime prevention and online safety advice (“look for the padlock”) issued by the police service, Government and industry partners. Around one in ten were found to have significant vulnerability in their implementation of a secure connection – including the National Crime Agency’s Child Exploitation and Online Protection Centre (CEOP), which has a specific online focus, along with six territorial police forces.
For more visit the centre’s website.
Rory Geoghegan, Founding Director of the centre, said: “The government and police regularly tell the public to ‘look for the padlock’ when using websites – it’s time they followed their own advice and delivered secure-by-default websites for the public to use. While the rest of the world moves to secure-by-default, some forces and their
IT providers seem intent on delivering not-enough-by-default. Take the Met Police – spending hundreds of millions per year and only achieving a grade C. Over a quarter of police forces have got it right, allowing the public to communicate with them securely – but the rest need to redouble their efforts.
“Those police forces accepting personal data and information on criminal activity over plain text should, as a matter of priority, implement secure connections. It’s 2016 – the internet is not new, the cyber security threat is not new – and yet some police forces and their IT providers seem to think it is acceptable to pay large sums of taxpayer money for insecure technology.
“Police and Crime Commissioners and Chief Officers are banking on savings from digital transformation. They must ensure the online services provided are secure, or they risk public trust and public safety. If you call 999 or 101 you expect privacy and security. If you’re interacting online with the police you have the same expectation. Police and Crime Commissioners and Chiefs need to ensure they have the technology to handle online communications professionally and securely.
“On the basis of our study, just one in four of us have a police force providing the highest standards of online security. It’s essential that policing swiftly moves to ensure the entire country can feel safe and secure interacting with police online. It is perhaps doubly embarrassing for those forces and PCCs who have set cybersecurity and cybercrime as key priorities, while failing to get the fundamentals right in their own organisation.
“The National Cyber Security Centre has a vital role to play and we urge them to ensure they provide a channel for the public and others to report vulnerabilities in police and public safety digital infrastructure.”
