By Tom Espiner, 5 January 2009 16:53
NEWS
The UK government has agreed to work with the European Parliament on plans to extend police powers to conduct remote searches of computers without a warrant.
The European Union Council of Ministers approved a plan in November 2008 to grant law-enforcement authorities in member states the power to perform remote searches of suspects' computers, as well as to perform 'cyber patrols' of the internet and increase data sharing between European police forces. The plan, to be implemented within the next five years, raises the possibility of cross-border co-operation on cyber investigations.
The Home Office said on Monday it has decided to participate in the further formulation of the European Parliament plans but that no timetable or detail for the proposals had been settled.
The Home Office said in a statement: "The UK has agreed to a strategic approach towards tackling cybercrime on the same basis as all member states; however... the Council conclusions are not legally binding, and there are no agreed timescales.
"We fully support work to develop an understanding of the scale and impact of electronic crime across the EU and will work with member states to develop the detail of the proposal."
According to Richard Clayton, a Cambridge University computer security expert, it has been legal for the police to hack into suspect systems without a warrant since 1995, when a 1994 amendment of the Computer Misuse Act was brought into force. Remote warrantless searches of computers are also legal under part three of the Police Act 1995, and under parts of the Regulation of Investigatory Powers Act 2000.
Clayton told silicon.com sister site ZDNet UK on Monday that the most likely method for UK police to hack into computers was to enter a premises and install a keylogger on the target system. This would be more reliable than a drive-by download or "sending an email with a dodgy attachment", as the chances of successful interception of data were higher, said Clayton. Alternatively, police could hack wi-fi networks to gain access to systems, said the computer security expert.
"The police could sit outside the door, search for the wi-fi network, break the WEP or WPA encryption key and look at the contents of the hard drive," said Clayton.
The Association of Chief Police Officers (Acpo) said that between 2007 and 2008 there had been 194 warrantless searches performed by the police but an Acpo spokesperson was unable to confirm at the time of writing how many of those searches had been of computers.
To perform a warrantless search, the police need the approval of a chief constable - no judicial oversight is necessary. However, according to an Acpo statement, the police should also in some circumstances seek the approval of the surveillance commissioner, except in an emergency.
The ACPO statement said: "To be a valid authorisation, the officer giving it must believe that when given it is necessary to prevent or detect serious crime and action is proportionate to what it seeks to achieve."
Privacy campaigner Simon Davies, director of Privacy International, called on the Home Office to reform the warrant process so remote searches of computer systems have judicial oversight.
Davies told ZDNet UK: "That level of intrusion is more intrusive than telephone interception. Frankly, the entire warrant system needs to be overhauled."
Davies said there was a danger that an EU-wide system of remote searches could open up the UK to requests for remote warrantless searches of UK computers by law-enforcement authorities from other member states.
"That would open a whole Pandora's box," said Davies. "Any EU government that wanted to could invade the privacy of the British people."
Comments
There are 16 comments. Join the discussion
1. drew stephenson
Does the term "innocent until proven guilty" mean anything to this government?
2. anonymous
Its bad enough the police having the right to hack home computers without a warrant, but this being spread to other countires within the EU seems dangerous indeed.
3. Richard Davies
Well if they can do that I should be able to ethically hack the police and the government (in fact it should be a free for all) to ensure that they are working on secure systems, doing there jobs, not abusing their powers and not wasting tax payers money!
Imagine:
Policeman has cheating girlfriend / wife...urgently hacks stakeholders computers for evidence!
Policeman doesn't like you...hacks your computer to dig up some dirt on you (just in case your a terrorist!).
My point is that policeman are people (some of them stupid or emotional etc.) and allowing them to have your computer hacked without adequate controls in place is ridiculous.
Will this help them catch the burgulars / drug dealers that they constantly fail to stop. If not they should stop hacking peoples computers and get out on the beat.
What happens if they hack someones computer and it turns out there were no weapons of mass destruction E.g. they were completely innocent. Are the police arrested for illegally hacking an innocent persons PC?
4. Guy Reynolds
Does the term "innocent until proven guilty" mean anything to this government?
Drew,
If you have your PC locked down with a firewall, Anti-virus, Anit-spy-ware and anti-spam software, your data is encrypted, and you either don't use Wi-Fi or you use a secure connection, then it stands to reason that you must be up to something nefarious.
After all the government doesn't carry out these basic data security measures and it handles hugely sensitive data, therefore it follows that if you are protecting the data you have you then must have something to hide, and are thus guilty.
5. Galleyslave
No Drew
Not a damn thing!
Anyway our lords and masters have been doing this for years, now they have perfected It they are just coming clean.
Anyone that doesn't use some kind of incription can't really complain when they end up in court.
Or do what I do, If my computer is hacked it just sends a very large parcel of gobbledegook down the pipe for hours and hours and hours
6. Karen Challinor
and there we were thinking it's just the black hats we have to watch out for hacking in to our equipment
once more the home office demonstrates its utter contempt of the electorate and it's abject fear of not knowing what we are doing from one minute to the next
7. Roger Huffadine
I don't support continual erosion of privacy by governments BUT any criminal who can't detect a key logger on their system - or uses wifi can't really complain if they get caught.
Use only wired systems, have a computer on your network running wireshark so that you can see if you are being probed or do like the intelligent criminals already do - use face to face, go betweens, or dead letter drops.
8. Ask Jacky
I use WEP with a firewall on the router in, my network router & my laptop & tower PCs. I run Anti-Virus, scan every day & run an anti spyware weekly. Despite this, I seem to get an awful lot of warning messages from my AV.....
In case of a visit from Plod I've left a very scatalogical msg for him & his pals on my hard drive.
9. Lionel A Smith
I think Richard Davies makes an excellent point:
"My point is that policeman are people (some of them stupid or emotional etc.) and allowing them to have your computer hacked without adequate controls in place is ridiculous."
It does not take much intelligence to see how such a policy could be used for mischief.
10. GALLEYSLAVE
Oh dear!
we do seem to be getting a bit paranoid, don't we?
I expect that any effforts that we take to protect our data will soon be an offence.
let us be for the moment be thankful that we don't live in China
11. Karen Challinor
Ask Jacky - I suggest you switch to WPA instead of WEP, WPA is much harder to hack
12. Ask Jacky
Thank you for that advice Karen. It's a bit beyond my skill level, but I know a man who can.
Not that I actually have anything to hide on my PC but the idea of Plod snooping offends me & who's to say s/he won't add a little something, like a piece of porn, if I vote for the wrong party? Paranoid? Unfortunately, probably yes.
13. Karen Challinor
"if you have nothing to hide, you have nothing to fear..."
incompetence, malicious acts, mistakes, corruption....
14. Joe Whitehead
A) Any software solution is worse than useless due to someone claiming tampering, and the fact that it can be found/removed/reverse engineered/etc.
B) Even if the big companies had some kind of highly encrypted authentication, there would just be an anonymous third party who came up with a boot CD able to find it regardless of the AV companies' deal with law enforcement.
C) Most people seriously thinking about new ways to do this are wanting a hardware method that uses a microscopic device that sits inside the PC, sending out bursts of data.
D) There are old hardware methods such as laser mikes on windows that work on many crooks. The stories about the LEDs is funny as well. Even through a wall, it is in theory possible to intercept keystrokes. Thus, password hacks are possible.
E) There are lo-jack style programs that sit in the system BIOS or an addon card that can 'call home'. It should in theory be possible to hide a spy somewhere that even the average computer technician wouldn't look. Flash memory is so small that a single chip could carry years worth of keyboard logging space for a later trial!
F) The UK has no self incrimination clause? I just assume that they'd force you to hand over any evidence collected on (and possibly by) your own hardware. In the US, we use that evidence to find more crimes and to measure the extent of the crime. This is great for a jury to see just how bad it was.
There's always the problem of who watches the watchers. I don't know of any new police power that didn't have that issue.
BTW, that WEP being considered secure is classic. There are likely some ways that no one's thought of to get around WPA. Like say, getting the password from the router physically.
15. anonymous
So, if I have a hosted terminal server in another country and I use an encrypted chanel to log onto the terminal session nothing is on my PC to look at.
If I use a Terminal Server box without a hard drive there is no PC to hack by the police.
If I use a keyboard which is projected onto my physcal desk then installing a key logger is more difficult.
If I design a head up Virtual display with a virtual keyboard and mouse this becomes even harder.
Nothing special is required to get around these problems just some creative thinking.
16. Cassandra
All getting a bit technical there - useful - but why must we do all that?
Why do the police need to hack into PC's without a warrant anyway? Will Plod also be monitoring our library book records in case we read up on civil liberties and become a threat to the police state?