The UK government has agreed to work with the European Parliament on plans to extend police powers to conduct remote searches of computers.
The European Union Council of Ministers approved a plan in November 2008 to grant law-enforcement authorities in member states the power to perform remote searches of suspects' computers, as well as to perform 'cyber patrols' of the internet and increase data sharing between European police forces. The plan, to be implemented within the next five years, raises the possibility of cross-border co-operation on cyber investigations.
The Home Office said on Monday that it has decided to participate in the further formulation of the European Parliament plans, but that no timetable or detail for the proposals had been settled.
"The UK has agreed to a strategic approach towards tackling cybercrime on the same basis as all member states; however... the Council conclusions are not legally binding, and there are no agreed timescales," the Home Office said in a statement. "We fully support work to develop an understanding of the scale and impact of electronic crime across the EU and will work with member states to develop the detail of the proposal."
According to Richard Clayton, a Cambridge University computer security expert, it has been legal for the police to hack into suspect systems without a warrant since 1995, when a 1994 amendment of the Computer Misuse Act was brought into force. Remote warrantless searches of computers are also legal under part three of the Police Act 1995, and under parts of the Regulation of Investigatory Powers Act 2000.
Clayton told ZDNet UK on Monday that the most likely method for UK police to hack into computers was to enter a premises and install a keylogger on the target system. This would be more reliable than a drive-by download or "sending an email with a dodgy attachment", as the chances of successful interception of data were higher, said Clayton. Alternatively, police could hack Wi-Fi networks to gain access to systems, said the computer security expert.
"The police could sit outside the door, search for the Wi-Fi network, break the WEP or WPA encryption key and look at the contents of the hard drive," said Clayton.
The Association of Chief Police Officers (ACPO) said that between 2007 and 2008 there had been 194 warrantless searches performed by the police, but an ACPO spokesperson was unable to confirm at the time of writing how many of those searches had been of computers.
To perform a warrantless search, the police need the approval of a chief constable — no judicial oversight is necessary. However, according to an ACPO statement, the police should also in some circumstances seek the approval of the surveillance commissioner, except in an emergency.
"To be a valid authorisation, the officer giving it must believe that when given it is necessary to prevent or detect serious crime and action is proportionate to what it seeks to achieve," said the ACPO statement.
Privacy campaigner Simon Davies, director of Privacy International, called on the Home Office to reform the warrant process so remote searches of computer systems have judicial oversight.
"That level of intrusion is more intrusive than telephone interception," Davies told ZDNet UK. "Frankly, the entire warrant system needs to be overhauled."
Davies said that there was a danger that an EU-wide system of remote searches could open the UK to requests for remote warrantless searches of UK computers by law-enforcement authorities from other member states.
"That would open a whole Pandora's box," said Davies. "Any EU government that wanted to could invade the privacy of the British people."
Talkback
Forgive me and my American sentiment - Warrantless searches are among the reasons why the colonies broke away from Great Britain.
Are you folks asleep?
Can you not read George Orwell's text of 1984 buried in the EU proposals?
Every single legal Government oppression has begun with the police for some safety reason and ended with regular troops enforcing tyrranies.
Good Luck.
It would be interesting to see if its legal to keep them from hacking into your system. Or would having a highly secure home computer system hooked to your cable or DSL line become prima-facie evidence that YOU are a criminal? (Obviously he's got something to hide. Let's go hack into that guy's system to find those naughty pictures so we can put him in jail before he does something EVEN WORSE!)
Assuming that if the police seem to think a suspect is "potentially going to commit a crime" the question becomes what did this potential terrorist or criminal or angry jobless IT nerd do to make the police think that he was "potentially" going to commit a crime?
How much pre-arrest surveillance do the police have to do to figure out that this potential terrorist was going to, at some time in the future, commit such a dastardly act as to merit such warrant-less lack of restraint by the police?
Please notice that you can't use the word "alleged" yet because he/she hasn't DONE ANYTHING ILLEGAL YET!
They made a really bad movie about this sort of thing called "Minority Report" starring the scientifically-challenged Tomas Cruising. I didn't realize that it was a reality-TV script for something that WAS GOING TO HAPPEN IN THE FUTURE!
And I thought the US Patriot Act was bad.
What about when the Police hacked into someones PC.
They then managed to find Child Porn on it.
Coincidence or what?
KJR
As we've been getting massive doses of lately, public officials aren't above turning corrupt especially when it lines their pockets. Planting evidence can justify a considerable amount of increased funding for the cops and loss of personal freedoms for the public.
Assuming you can hack your way into the system, you can mess with the clock and plant evidence indicating the owner is a criminal of just about any type of your choosing. Most judges are like the rest of the general population and untrained enough to be able to tell if an "IT forensic expert" or a "police security expert" is telling the truth or not.
If you want to scare the people into submitting to even more surveillance, just find some stooges to plant some terrorist manifestos on their laptops or desktops. Go hack back into their computers, find the planted evidence and then go publicize it and taint the entire jury pool. Throw him in jail and when he gets out, Mr Public Official is out of office and retired somewhere overseas.
I can't help thinking that an experienced lawyer would make an effective case for having such material dismissed as potentially tainted evidence.
If they had to modify your computer remotely to obtain access, then there absolutely no way anyone could subsequently tell the source of any material then found on the machine.
Hmmm. Expect an upturn in the sales of W.O.R.M. drives.
We do need to improve our IT security from cybercrime, but shouldn't we be looking at other ways.
Either way, hacking is not legal for any of us - if I hacked into them they wouldn't like it. I'd be banged up..
The police is an invented organisation, they should NOT have the power to just delve in remotely onto our computers. They are OUR machines and we should be permitted to do what we like.
However where I do think we need changes is the Internet. We do need to improve fraud issues, viruses, terrorists.. but there's other ways than hacking our computers. I dont have a problem with ISPs keeping my traffic for a couple of years. I don't trust the government with that data and I think ISPs should say:
We've had a complaint about some traffic on ---- date, and we need to comply with the authorities.
This data will be disclosed to you in writing and passed to the government.
Then we should be able to see what was sent and then if we feel it's wrong we can justify it and complain. However, if this amount of expense and trouble is going to be required the average cop can't bugger about. Just an idea. But I wont tollerate hacking.. that's just wrong.