Plan to extend police-hacking powers gathers pace
The UK government has agreed to work with the European Parliament on plans to extend police powers to conduct remote searches of computers.
The European Union Council of Ministers approved a plan in November 2008 to grant law-enforcement authorities in member states the power to perform remote searches of suspects' computers, as well as to perform 'cyber patrols' of the internet and increase data sharing between European police forces. The plan, to be implemented within the next five years, raises the possibility of cross-border co-operation on cyber investigations.
The Home Office said on Monday that it has decided to participate in the further formulation of the European Parliament plans, but that no timetable or detail for the proposals had been settled.
"The UK has agreed to a strategic approach towards tackling cybercrime on the same basis as all member states; however... the Council conclusions are not legally binding, and there are no agreed timescales," the Home Office said in a statement. "We fully support work to develop an understanding of the scale and impact of electronic crime across the EU and will work with member states to develop the detail of the proposal."
According to Richard Clayton, a Cambridge University computer security expert, it has been legal for the police to hack into suspect systems without a warrant since 1995, when a 1994 amendment of the Computer Misuse Act was brought into force. Remote warrantless searches of computers are also legal under part three of the Police Act 1995, and under parts of the Regulation of Investigatory Powers Act 2000.
Clayton told ZDNet UK on Monday that the most likely method for UK police to hack into computers was to enter a premises and install a keylogger on the target system. This would be more reliable than a drive-by download or "sending an email with a dodgy attachment", as the chances of successful interception of data were higher, said Clayton. Alternatively, police could hack Wi-Fi networks to gain access to systems, said the computer security expert.
"The police could sit outside the door, search for the Wi-Fi network, break the WEP or WPA encryption key and look at the contents of the hard drive," said Clayton.
The Association of Chief Police Officers (ACPO) said that between 2007 and 2008 there had been 194 warrantless searches performed by the police, but an ACPO spokesperson was unable to confirm at the time of writing how many of those searches had been of computers.
To perform a warrantless search, the police need the approval of a chief constable — no judicial oversight is necessary. However, according to an ACPO statement, the police should also in some circumstances seek the approval of the surveillance commissioner, except in an emergency.
"To be a valid authorisation, the officer giving it must believe that when given it is necessary to prevent or detect serious crime and action is proportionate to what it seeks to achieve," said the ACPO statement.
Privacy campaigner Simon Davies, director of Privacy International, called on the Home Office to reform the warrant process so remote searches of computer systems have judicial oversight.
"That level of intrusion is more intrusive than telephone interception," Davies told ZDNet UK. "Frankly, the entire warrant system needs to be overhauled."
Davies said that there was a danger that an EU-wide system of remote searches could open the UK to requests for remote warrantless searches of UK computers by law-enforcement authorities from other member states.
"That would open a whole Pandora's box," said Davies. "Any EU government that wanted to could invade the privacy of the British people."