Secure The Police!

Imagine, just for a moment, you suspect that a friend of yours is a criminal. Perhaps they are running an illegal proxy, or hosting a search engine, or maybe criticising a dangerous cult, or even taking suspicious photographs.

These are all - apparently - within the remit of The City Of London Police. Better report such heinous crimes to them. As a high-tech policing unit, they encourage you to report crimes online.

The more astute of you will have noticed that the form is insecure. There's no https:// at the start of that URL. This means any confidential information that you send is transmitted across the Internet in the clear. Anyone sat between you and the police can intercept the data you send and - potentially - change it.

This is sub-optimal - especially for a police force which is seemingly tasked with protecting us from online meanies.

Being the "helpful" chap that I am, I called them out on it. Only to receive these very disappointing responses.

Police Intellectual Property Crime Unit

@CityPolicePIPCU

Replying to @edent@edent If you would like to report a fraud or internet crime online please visit the @actionfrauduk website actionfraud.police.uk (1/2)

---

Terence Eden is on Mastodon

@edent

.@CityPolicePIPCU Do you offer a secure way to report crime? Your form isn't available via https.
cityoflondon.police.uk/advice-and-sup…

---

Police Intellectual Property Crime Unit

@CityPolicePIPCU

Replying to @edent@edent if you would like to report a crime that took place in the City of London you can report online at: cityoflondon.police.uk/contact-city-p… (2/2)

---

Secure communications between the public and with websites is important. I want to know that all my dealings with the police are treated securely. I want to ensure that the data I send them is unmolested in transit. I want the state to take online security as seriously as they take physical security.

So, let's take a look at every UK Police Force website and see which of them have a secure connection.

I've taken the list of forces from the excellent data.police.uk - along with a few more I found along the way. I've specifically looked at their online crime reporting / contact us pages. Ideally all of the site would be secure - but let's not run before we can walk, eh?

I've tried to be as accurate as possible with these data - corrections and updates gratefully received.

Force	Main Site	Report / Contact	Notes
Avon and Somerset	✓	✓
Bedfordshire Police	✗	✗
Cambridgeshire Constabulary	✗	✗	Available, but not forced.
Cheshire Constabulary	✗	✓	Main site has https - but not forced
City of London Police	✗	✓	Now fixed - see update below
Cleveland Police	✗	✗	Available, but not forced.
Cumbria Constabulary	✗	✗
Derbyshire Constabulary	✗	✗
Devon & Cornwall Police	✗	✓
Dorset Police	✗	✓
Durham Constabulary	✓		No online contact.
Essex Police	✗	✓	Available, but not forced on main site.
Gloucestershire Constabulary	✗	✗
Greater Manchester Police	✗	✗
Hampshire Constabulary	✗	✗
Hertfordshire Constabulary	✗	✗	Available, but not forced.
Humberside Police	✗	✗
Kent Police	✗		Online reporting no longer available.
Lancashire Constabulary	✗	✓	Certificate expired on 01/02/14 10:55
Leicestershire Police	✗	✗	Available, but not forced. Contact Us under construction.
Lincolnshire Police	✗	✗
Merseyside Police	✗	✓	Available, but not forced on main site.
Metropolitan Police Service	✗	✓
Norfolk Constabulary	✗	✓
North Yorkshire Police	✗
Northamptonshire Police	✗	✓
Northumbria Police	✗	✓
Nottinghamshire Police	✗	✓
South Yorkshire Police	✗	✗
Staffordshire Police	✗	✗	Available, but not forced.
Suffolk Constabulary	✗	✓
Surrey Police	✗	✓
Sussex Police	✗	✓
Thames Valley Police	✗	✓
Warwickshire Police	✗	✗
West Mercia Police	✗		Available, but not forced.
West Midlands Police	✗	✓	Available on main site, but not forced.
West Yorkshire Police	✗	✓	Available on main site, but not forced.
Wiltshire Police	✗	✓
Northern Ireland	✗	✓	Hate Crime reporting goes to an untrusted site.
Police Scotland	✗	✓
Dyfed-Powys Police	✗
Gwent Police	✗		Available on main site, but not forced.
North Wales Police	✗	✗
South Wales Police	✗	✗
Ask The Police	✓	✓
British Transport Police	✗	✗	Available, but not forced.
Civil Nuclear Constabulary (formerly UKAEA Constabulary)	✓		Now part of GOV.UK
Ministry of Defence Police	✗
The National Crime Agency (NCA)	✗

You know what - that's a lot better than I was expecting, but it's still pretty dismal.

Several forces - even small ones - routinely secure their entire site. It's good to see that several make a point of securing the contact / reporting pages. Some larger forces need a bit of a push to get their websites in order.

Depressingly, some sites do use https - but the user needs to manually type it in to their URL bar! Why bother having https if you don't automatically redirect your users to the secure site?

In this day in age, there's no reason to encrypt only certain areas of your site. The technical overhead of secure communications is trivial and reinforces the idea that security is important to the police.

If the police want to be taken seriously as high-tech crime fighters, they need to ensure their websites meet basic security standards.

Update - 15-August-2014 Have just heard back from the City of London

... the City of London Police have fixed the problem and the relevant forms are now secure and live. We’ll continue to test them to ensure they stay that way and this doesn’t happen again. Thanks for taking the time to contact us

Terence Eden is on Mastodon

@edent

My blogging fu is mighty!
Thanks @CityPolicePIPCU for fixing your site.
shkspr.mobi/blog/2014/08/s… pic.x.com/iu0za7tncw

---