Three-quarters of UK policing websites lack secure encryption

A quarter of UK policing websites have secure foundations, but half have room for improvement, and the remaining quarter are in need of serious and urgent improvement, according to the Centre for Public Safety

Only just over a quarter of UK policing and related websites demonstrate high standards of secure encryption, a study by the Centre for Public Safety has revealed.

The remaining 73% have significant room for improvement, with some putting sensitive information at risk, according to a public safety briefing on UK police cyber security.

The briefing is based on a scan of 71 police and policing-affiliated websites in the first independent assessment of UK policing’s cyber security, according to the centre, which is a non-profit organisation aimed at promoting world-class policing and public safety and supporting frontline professionals.

The majority of the websites assessed either lacked a secure (SSL/TLS) connection for visitors or their implementation was deemed deficient or insecure.

Almost a quarter of sites lacked any automatic secure connections, meaning information is communicated in plain unencrypted text across the internet, with more than 70% of these sites inviting users to submit personal data.

In some cases, information specifically relating to criminal activity was sought in plain text without any form of secure connection, which the briefing said should be halted because it puts members of the public at risk.

The briefing said it is ironic that the police service encourages the public to “look for the padlock” that indicates secure internet connections, while many policing sites do not offer this security benefit.

Even some of the newest implementations fell short of the highest standards, the briefing said. Cheshire Constabulary scored a ‘C’ grade in July 2016, but in September 2016, following the launch of a new “upgraded” website, the connection was less secure, achieving only an ‘F’ grade.

The new version of the website was found to be vulnerable to Poodle and man-in-the-middle (MITM) attacks and lacked support for the latest version of TLS.

With the move towards digital transformation, the briefing said the police service and related agencies must ensure their services are secure.

“While the rest of the world moves to secure-by-default, some forces and their IT providers seem intent on delivering not-enough-by-default,” said Rory Geoghegan, founding director of The Centre for Public Safety. “Take the Met Police – spending hundreds of millions per year and only achieving a grade C,” he said.

According to Geoghegan, those police forces accepting personal data and information on criminal activity over plain text should implement secure connections as a matter of priority.

The websites of the Civil Nuclear Constabulary and Independent Police Complaints Commission (IPCC) were found to be the most secure, while those achieving A-grades included the police forces of Cleveland, Cumbria, Devon and Cornwall, Dorset, Durham, Gwent, Kent, Leicestershire, Merseyside, Norfolk, North Yorkshire, Police Service of Northern Ireland (PSNI), Suffolk, Warwickshire, West Mercia, and West Yorkshire.

The worst performing were the websites of the British Transport Police, College of Policing, Dyfed-Powys, Greater Manchester, Hampshire, HMICS, Humberside, Ministry of Defence Police, National Crime Agency, National Police Air Service, National Police Chiefs’ Council, North Wales, Northumbria, Police Investigations and Review Commissioner (PIRC), Surrey, Sussex, and the UK Missing Persons Bureau.

“It’s 2016 – the internet is not new, the cyber security threat is not new – and yet some police forces and their IT providers seem to think it is acceptable to pay large sums of taxpayer money for insecure technology,” said Geoghegan.

“Police and crime commissioners and chief officers are banking on savings from digital transformation. They must ensure the online services provided are secure, or they risk public trust and public safety,” he said.
