Police ask for more Internet powers

Senior UK police officers have asked the government for sweeping new powers to take down Web sites and obtain private encryption keys

Chief UK police officers are asking the government for new powers that would allow them to attack terrorist Web sites.

A list of anti-terror recommendations from the Association of Chief Police Officers (ACPO) has been handed to MPs in the wake of the London bombings this month, as the government is reviewing laws on how to tackle terrorism.

Under the proposals, it would become an offence to fail to disclose encryption keys and to use the Internet to facilitate acts of terrorism.

In a press statement, Ken Jones, chairman of the ACPO Terrorism and Allied Matters Committee, said: "[The] evolving nature of the current threat from international terrorism demands that those charged with countering the threat have the tools they need to do the job. Often there is a need to intervene and disrupt at an early stage those who are intent on terrorist activity in order to protect the public. Clearly our legislation must reflect the importance of such disruptive action."

The list of recommendations does not detail how police would attack Web sites but in many cases remotely disabling a Web server involves a DoS attack. Police added that the measure would help police stop the spread of child abuse images on the Web.

The ACPO statement said: "This power has significant benefits for counterterrorism and overlaps with other police priorities namely domestic extremism and paedophilia. This issue goes beyond national borders and requires significant international co-operation. The need for appropriate authority and warranty is implicit."

One former policeman who now works in computer forensics was concerned about the international implications of making cyberattacks legitimate.

Simon Janes, international operations manager for data-recovery firm Ibas, said: "It's no different to parachuting officers into another country to investigate something. There would have to be some international consent but I can't see a way around it. It does pose the question, what if that [target] is another government Web site?"

A spokesman for public technology pressure Web site spy.org.uk also warned that attacks on foreign Web sites could backfire.

In an email to ZDNet UK sister site silicon.com he wrote: "Who exactly is going to define what a 'terrorist Web site' is? There are none of these hosted in the UK, so the targets must be abroad. Will a blog or discussion forum be attacked because one or more of the posters puts up a message gleefully praising some terrorist atrocity or other?

"The only people who seem to have a legal hacking law at the moment are the Australians but it does not appear that they have dared to use it against overseas targets. Hackers will delight in faking their IP addresses, or using UK government systems which they have compromised to launch 'legal' cyberattacks on their victims — how is anybody going to tell the difference?"

While the police admitted that the time it takes to break some encryption standards has slowed investigations, moves to stop people hiding encryption keys have already been included in the Regulation of Investigatory Powers Act. However, this has yet to be signed off by the Home Office and the police have asked for further updates on its progress.

ACPO said: "Recent investigations have been made more complex by difficulties for investigating officers in ascertaining whereabouts of encryption keys to access computers etc. An amendment to part three of the Regulation of Investigatory Powers Act to make it an offence to fail to disclose such items would provide some sanction against suspects failing to cooperate with investigations."

But Ibas' Janes said this law could overlook cases where people forget their passwords. "It only works if you make the penalty the same for that which you are being investigated. Why would you be compelled to hand over an encryption key unless you were performing acts of terrorism? But people do forget their passwords of course," he said.

Spy.org.uk challenged this point. The spokesman wrote: "Presumably what ACPO are trying to do is to remove the existing defence of 'I have genuinely forgotten my PGP pass-phrase', which is simply unfair, and it still does not acknowledge the existing weaknesses of the part three regulations with regard to opportunistic encryption keys."