Three-quarters of policing and crime websites lack secure connections, according to a study from the Centre for Public Safety.
The not-for-profit centre scanned 71 policing and affiliated websites to assess how well they encrypt online communications, and found that just 27% meet the highest, world-class standard.
The remainder either lacked a secure connection for visitors (SSL/TLS) or their implementation was deemed deficient or insecure.
The tests, which were carried out once in July and once in September, found that 24% lacked any automatic secure connection. This means that information is communicated in plain, unencrypted text across the internet.
More seriously, the centre said that more than 70% of those sites invited users to submit personal data – some of which was related to criminal activity. These included the UK Missing Persons Bureau, the British Transport Police and the National Crime Agency.
“They are exposing the public to unnecessary risk,” the report said, noting that the lack of security could put someone informing the police of a crime at risk of retaliation.
“The cost of an A+ graded SSL connection is insignificant to these organisations, so the failure to deliver a secure connection is therefore due either to a judgement that the risk is acceptable, or a lack of awareness of the risk in the first place,” the report said.
Big doesn’t mean beautiful
Seven organisations were found to have significant vulnerabilities and gained an F grade, including the National Crime Agency’s Child Exploitation and Online Protection Centre, which has a specific online focus.
Meanwhile, CrimeStoppers, the Home Office’s terrorism and reporting tools and the Track my Crime tool – used by a number of forces – were ranked B and told to make significant improvements.
The best-performing sites included the Independent Police Complaints Commission and a number of regional forces, including Cleveland, Kent, Merseyside and Norfolk.
The work also looked at how much forces spent on their technology, but found that there was little correlation between spending and performance.
For example, the Metropolitan Police – which is also being monitored by the Information Commissioner’s Office for failing to respond to FOI requests quickly enough – spent £110m on just one IT supplier in 2014-15 and obtained only a grade C in the ratings.
Meanwhile, Dorset, Durham and Warwickshire were picked out as achieving A grades despite their much more limited IT budgets.
This suggests that “big doesn’t mean beautiful when it comes to policing and IT”, the centre said in its report.
There were also concerns raised about updates to websites that did not come up to scratch – for instance, the centre said that Cheshire’s upgraded site fell from grade C to F.
“Whether in-house or outsourced, it appears that some continue to fail to provide the foundations for the digital transformation that our police forces are both seeking to achieve and expected to deliver,” the report said.
“All public-facing UK policing digital infrastructure should move to being secure-by-default. The police service should practice what it seeks to preach and in doing so achieve greater security.”