By Dan Ilett, 25 July 2005 17:50
NEWS Chief UK police officers are asking the government for new powers that would allow them to attack terrorist websites.
A list of anti-terror recommendations from the Association of Chief Police Officers (ACPO) has been handed to MPs in the wake of the London bombings this month, as the government is reviewing laws on how to tackle terrorism.
Under the proposals, it would become an offence to fail to disclose encryption keys and to use the internet to facilitate acts of terrorism.
In a press statement, Ken Jones, chairman of the ACPO Terrorism and Allied Matters Committee, said: "[The] evolving nature of the current threat from international terrorism demands that those charged with countering the threat have the tools they need to do the job. Often there is a need to intervene and disrupt at an early stage those who are intent on terrorist activity in order to protect the public. Clearly our legislation must reflect the importance of such disruptive action."
The list of recommendations does not detail how police would attack websites but in many cases remotely disabling a web server involves a denial of service attack (i.e. sending floods of data to overwhelm it). Police added that the measure would help police stop the spread of child abuse images on the web.
The ACPO statement said: "This power has significant benefits for counterterrorism and overlaps with other police priorities namely domestic extremism and paedophilia. This issue goes beyond national borders and requires significant international co-operation. The need for appropriate authority and warranty is implicit."
One former policeman who now works in computer forensics was concerned about the international implications of making cyber attacks legitimate.
Simon Janes, international operations manager for Ibas, said: "It's no different to parachuting officers into another country to investigate something. There would have to be some international consent but I can't see a way around it. It does pose the question, what if that [target] is another government website."
A spokesman for public technology pressure website, spy.org.uk, also warned that attacks on foreign websites could backfire.
In an email to silicon.com, he wrote: "Who exactly is going to define what a 'terrorist website' is? There are none of these hosted in the UK, so the targets must be abroad. Will a blog or discussion forum be attacked because one or more of the posters puts up a message gleefully praising some terrorist atrocity or other?
"The only people who seem to have a legal hacking law at the moment are the Australians but it does not appear that they have dared to use it against overseas targets. Hackers will delight in faking their IP addresses, or using UK government systems which they have compromised to launch 'legal' cyber attacks on their victims - how is anybody going to tell the difference?"
While the police admitted that the time it takes to break some encryption standards has slowed investigations, moves to stop people hiding encryption keys have already been included in the Regulation of Investigatory Powers Act. However, this has yet to be signed off by the Home Office and the police have asked for further updates on its progress.
ACPO said: "Recent investigations have been made more complex by difficulties for investigating officers in ascertaining whereabouts of encryption keys to access computers etc. An amendment to part three of the Regulation of Investigatory Powers Act to make it an offence to fail to disclose such items would provide some sanction against suspects failing to co-operate with investigations."
But Ibas' Janes said this law could overlook cases where people forget their passwords. "It only works if you make the penalty the same for that which you are being investigated. Why would you be compelled to hand over an encryption key unless you were performing acts of terrorism? But people do forget their passwords of course," he said.
Spy.org.uk challenged this point. The spokesman wrote: "Presumably what ACPO are trying to do is to remove the existing defence of 'I have genuinely forgotten my PGP pass-phrase', which is simply unfair, and it still does not acknowledge the existing weaknesses of the part three regulations with regard to opportunistic encryption keys."
Comments
There are 11 comments. Join the discussion
1. Geoffrey Darnton
...the thin end of the wedge ... so now the police want to conduct international information warfare operations ... maybe they haven't talked to the MoD who already conduct information warfare operations ... or is this the beginning of the militarization of the police?
Most people recognize random killing as repugnant ... but it is a very thin line when police are given powers like this to enforce the law, particularly when the law is politically motivated.
Maybe we should also have denial of service attacks against market extremist websites who advocate a system of world trade that results in thousands of deaths per day from thirst and starvation? ... or UK police DoS attacks again foreign websites managed by large multinational software vendors that have been convicted of serious abuse of monopoly power? or DoS attacks against the websites of other nations in chronic refusal to implement UN resolutions? ....
Let us take very careful notice - in the eyes of some, particularly those in power - freedom of speech is ok until it becomes effective - then it is called subversion!
... or am I not supposed to say things like this?
2. Duane Phillips
I run a website www.1984brigade.com to highlight what a big brother police state this country is coming to.
How long will it be before my site will be considered to be subversive and of a terrorist nature becuse it speaks out against the state?
Why is all this nonsense happening? Because we have a power crazed corrupt government that doesnt listen to it's citizens and took us to war on a false premise.
Ladies and gentlemen your freedoms and rights are slowly being eroded. Wake up smell the coffee. Raise your voice in opposition.
3. Norman Bartlett
This is work for the Ministry of Defence not the civil police. I can see it all leading to a situation where police neglect even more than they do today ordinary crime like muggings, burglary and domestic violence in order to strut their glamorous anti-terrorist stuff.
4. Chris Walker
Does anyone seriously suppose that a terrorist intent on a suicide mission would be at all bothered about the penalty for failing to disclose an encryption key?
Yet another example of legislative stupidity penalising the innocent whilst having no effect on the intended targets.
5. richard davies
The police really don't seem that clever to be honest...they can't catch terrorists and just shoot innocent people (shoot to kill as well), which makes me think they will make the same mistakes electronically.
Lets not forget that the internet is a mixture of public and private networks and routes are calculated dynamically between end-points...if the police launched such an attack this heavy traffic load would have to travel over someones network which could cause disruption for innocent people...if this happens I hope they get sued.
with regards to encryption, they will probably ask for key escrow next like the american government tried...I will keep using 512-bit AES encryption...they can decrypt that if they have a spare 49 trillion years.
I am just so fed up of their clod hopper / clumsy approach to the things they do.
6. Tony Harbon
I wouldn't want to throw a spanner in the works, but how do the police plan to launch attacks on these web sites when they get moved to one of the large number of 'bulletproof' web sites that are readily available overseas?
7. Jerrold Baldwin
The idea of 50-odd British police forces attacking bothersome foreign web sites is ludicrous. The Foreign and Commonwealth Office and the security services are already paid to deal with such matters, and they should continue to do so.
8. anonymous
"You have the right to remain silent... but by the way, you still have to tell us what your password is."
9. anonymous
And how do you hand over encryption keys when they are generated by machine and change constantly? Someone with some IT knowledge needs to think this through.
10. anonymous
Better sooner & permanently, than later, or after more senseless loss of innocent lives!!!!
11. Simon Bazley
This is just political noise with no real thought behind it, so our inept government can be seen to be doing something.
If it really wants to 'bring down' offending websites then take an internationally legal view like the Chinese, prevent extra-national access to said IP addresses. It's censorship, but its less likely to come back on them.
That said the police want a police state, that's their job. The politicians are there by proxy to keep them in check. If you want more worldly wise, common sense laws, elect more worldy wise common sense politicians, instead of a bunch of trade unionists, lawyers and ex-teachers.