Just 27% of policing websites have secure encryption, report says
Three-quarters of policing and crime websites lack secure connections, according to a study from the Centre for Public Safety.
The not-for-profit centre scanned 71 policing and affiliated websites to assess how well they encrypt online communications, and found that just 27% meet the highest, world-class standard.
The remainder either lacked a secure connection for visitors (SSL/TLS) or their implementation was deemed deficient or insecure.
The tests, which were carried out once in July and once in September, found that 24% lacked any automatic secure connection. This means that information is communicated in plain, unencrypted text across the internet.
More seriously, the centre said that more than 70% of those sites invited users to submit personal data – some of which related to criminal activity. These included the UK Missing Persons Bureau, the British Transport Police and the National Crime Agency.
“They are exposing the public to unnecessary risk,” the report said, noting that the lack of security could put someone informing the police of a crime at risk of retaliation.
“The cost of an A+ graded SSL connection is insignificant to these organisations, so the failure to deliver a secure connection is therefore due either to a judgement that the risk is acceptable, or a lack of awareness of the risk in the first place,” the report said.
Big doesn’t mean beautiful
Seven organisations were found to have significant vulnerabilities and gained an F grade, including the National Crime Agency’s Child Exploitation and Online Protection Centre, which has a specific online focus.
Meanwhile, CrimeStoppers, the Home Office’s terrorism and reporting tools and the Track my Crime tool – used by a number of forces – were ranked B and told to make significant improvements.
The best-performing sites included the Independent Police Complaints Commission and a number of regional forces, including Cleveland, Kent, Merseyside and Norfolk.
The work also looked at how much forces spent on their technology, but found that there was little correlation between spending and performance.
For example, the Metropolitan Police – which is also being monitored by the Information Commissioner’s Office for failing to respond to FOI requests quickly enough – spent £110m on just one IT supplier in 2014-15 and obtained only a grade C in the ratings.
Meanwhile, Dorset, Durham and Warwickshire were picked out as achieving A grades despite their much more limited IT budgets.
This suggests that “big doesn’t mean beautiful when it comes to policing and IT”, the centre said in its report.
There were also concerns raised about updates to websites that did not come up to scratch – for instance, the centre said that Cheshire’s upgraded site fell from grade C to F.
“Whether in-house or outsourced, it appears that some continue to fail to provide the foundations for the digital transformation that our police forces are both seeking to achieve and expected to deliver,” the report said.
“All public-facing UK policing digital infrastructure should move to being secure-by-default. The police service should practice what it seeks to preach and in doing so achieve greater security.”