The security of police websites has been slammed after it emerged that many don’t encrypt confidential information sent to them over the internet. Most police forces have online ‘contact us’ forms, and some even allow people to report crimes online, but scores are failing to encrypt the information, allowing anyone who can intercept the traffic to steal and even change details of crimes.
City of London Police, which has a dedicated high-tech crime unit, is one of the worst offenders. Its online crime reporting form does not use HTTPS, meaning that all information is sent in plain text. This allows anyone to intercept and steal personal and potentially highly confidential information. It would also be possible for crooks to change the details of crimes being reported to the police.
The use of encrypted web forms to send personal information over the internet is considered a bare minimum for online security and is used by just about any website that requests information from users. Terence Eden, the security researcher who uncovered the flaws, said the police needed to take website security more seriously:
“Secure communications between the public and with websites is important. I want to know that all my dealings with the police are treated securely. I want to ensure that the data I send them is unmolested in transit. I want the state to take online security as seriously as they take physical security,” he said.
In the case of City of London Police, the unencrypted web form requests swathes of personal information including people’s names, addresses, email addresses and telephone numbers. The form also asks people to describe crimes in detail including what happened, where it happened and details of any stolen property.
Michael Frost, website manager at City of London Police, said that the lack of HTTPS on the website could be a “technical issue”. He said that to the best of his knowledge the web form was encrypted and that he had been in the room when the HTTPS certificate was purchased.
When it was pointed out that the web form wasn’t encrypted and that no HTTPS version was available, Frost said that “it should be”. City of London Police said they would be investigating and may take the online crime reporting service offline.
Sending personal information, and especially details of alleged crimes, over unencrypted web connections is extremely dangerous. Even people with the most basic technical knowledge can easily intercept and view the information as it is sent over the internet in plain text. Information sent over HTTPS is encrypted and secure.
Out of 47 police websites investigated, 19 had contact pages or online crime reporting forms that didn’t use HTTPS. Many police websites do have HTTPS but do not enforce it. That means that anyone wanting to use a secure version of the website would need to type ‘https’ into the address bar.
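The conditions described above (a form submitted without HTTPS, and HTTPS that exists but is not enforced) can be checked mechanically. The following is an added example, not code from the article or from Eden's research; the `example.org` hostnames, the sample HTML and all function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormActions(HTMLParser):
    """Collect the raw action attribute of every <form> on a page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            # A missing or empty action submits back to the page's own URL.
            self.actions.append(dict(attrs).get("action") or "")


def insecure_form_targets(page_url, html):
    """Absolute form targets that would be submitted without HTTPS."""
    parser = FormActions()
    parser.feed(html)
    targets = [urljoin(page_url, action) for action in parser.actions]
    return [t for t in targets if urlsplit(t).scheme != "https"]


def enforces_https(http_url, status, location):
    """True if the plain-HTTP response is a redirect to an https:// URL."""
    if status not in (301, 302, 303, 307, 308) or not location:
        return False
    return urlsplit(urljoin(http_url, location)).scheme == "https"


def audit(page_url, html, http_status, http_location):
    """Summarise the checks for one form page and its plain-HTTP response."""
    http_url = urlsplit(page_url)._replace(scheme="http").geturl()
    return {
        # A form on an HTTP page can be altered in transit even if it posts to HTTPS.
        "page_over_https": urlsplit(page_url).scheme == "https",
        "insecure_form_targets": insecure_form_targets(page_url, html),
        "https_enforced": enforces_https(http_url, http_status, http_location),
    }


# Constructed sample pages (not taken from any real site).
PAGE_RELATIVE = '<form method="post" action="/report/submit"><input name="name"></form>'
PAGE_MIXED = ('<form action="http://forms.example.org/send"></form>'
              '<form action="https://forms.example.org/send"></form>')

if __name__ == "__main__":
    print(audit("http://police.example.org/report", PAGE_RELATIVE, 200, None))
```

The status and `Location` values passed to `audit` are what the site returns for the `http://` version of the page, recorded however the auditor chooses.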
Lancashire Constabulary, which also has an online crime reporting page, failed to renew its security certificate when it expired on 1 February 2014. Visiting the page now displays a warning message that the security certificate can’t be trusted.
“In this day and age, there’s no reason to only encrypt certain areas of your site. The overhead of secure communications is trivial, and reinforces the idea that security is important to the police,” Eden said. “If the police want to be taken seriously as high-tech crime fighters, they need to ensure their websites meet even basic security standards.”
At the time of writing the City of London crime report form is still online and still not using HTTPS.