Secure The Police!


Imagine, just for a moment, you suspect that a friend of yours is a criminal. Perhaps they are running an illegal proxy, or hosting a search engine, or maybe criticising a dangerous cult, or even taking suspicious photographs.

These are all - apparently - within the remit of The City Of London Police. Better report such heinous crimes to them. As a high-tech policing unit, they encourage you to report crimes online.

[Screenshot: City of London Police online reporting form, non-secure]

The more astute of you will have noticed that the form is insecure. There's no https:// at the start of that URL. This means any confidential information that you send is transmitted across the Internet in the clear. Anyone sat between you and the police can intercept the data you send and - potentially - change it.

This is sub-optimal - especially for a police force which is seemingly tasked with protecting us from online meanies.

Being the "helpful" chap that I am, I called them out on it. Only to receive these very disappointing responses.

Secure communication between the public and websites is important. I want to know that all my dealings with the police are treated securely. I want to ensure that the data I send them is unmolested in transit. I want the state to take online security as seriously as they take physical security.

So, let's take a look at every UK Police Force website and see which of them have a secure connection.

I've taken the list of forces from the excellent data.police.uk - along with a few more I found along the way. I've specifically looked at their online crime reporting / contact us pages. Ideally all of the site would be secure - but let's not run before we can walk, eh?

I've tried to be as accurate as possible with these data - corrections and updates gratefully received.

| Force | Main Site | Report / Contact | Notes |
|---|---|---|---|
| Avon and Somerset | | | |
| Bedfordshire Police | | | |
| Cambridgeshire Constabulary | | | Available, but not forced. |
| Cheshire Constabulary | | | Main site has https - but not forced |
| City of London Police | | | Now fixed - see update below |
| Cleveland Police | | | Available, but not forced. |
| Cumbria Constabulary | | | |
| Derbyshire Constabulary | | | |
| Devon & Cornwall Police | | | |
| Dorset Police | | | |
| Durham Constabulary | | | No online contact. |
| Essex Police | | | Available, but not forced on main site. |
| Gloucestershire Constabulary | | | |
| Greater Manchester Police | | | |
| Hampshire Constabulary | | | |
| Hertfordshire Constabulary | | | Available, but not forced. |
| Humberside Police | | | |
| Kent Police | | | Online reporting no longer available. |
| Lancashire Constabulary | | | Certificate expired on 01/02/14 10:55 |
| Leicestershire Police | | | Available, but not forced. Contact Us under construction. |
| Lincolnshire Police | | | |
| Merseyside Police | | | Available, but not forced on main site. |
| Metropolitan Police Service | | | |
| Norfolk Constabulary | | | |
| North Yorkshire Police | | | |
| Northamptonshire Police | | | |
| Northumbria Police | | | |
| Nottinghamshire Police | | | |
| South Yorkshire Police | | | |
| Staffordshire Police | | | Available, but not forced. |
| Suffolk Constabulary | | | |
| Surrey Police | | | |
| Sussex Police | | | |
| Thames Valley Police | | | |
| Warwickshire Police | | | |
| West Mercia Police | | | Available, but not forced. |
| West Midlands Police | | | Available on main site, but not forced. |
| West Yorkshire Police | | | Available on main site, but not forced. |
| Wiltshire Police | | | |
| Northern Ireland | | | Hate Crime reporting goes to an untrusted site. |
| Police Scotland | | | |
| Dyfed-Powys Police | | | |
| Gwent Police | | | Available on main site, but not forced. |
| North Wales Police | | | |
| South Wales Police | | | |
| Ask The Police | | | |
| British Transport Police | | | Available, but not forced. |
| Civil Nuclear Constabulary (formerly UKAEA Constabulary) | | | Now part of GOV.UK |
| Ministry of Defence Police | | | |
| The National Crime Agency (NCA) | | | |

You know what - that's a lot better than I was expecting, but it's still pretty dismal.

Several forces - even small ones - routinely secure their entire site. It's good to see that several make a point of securing the contact / reporting pages. Some larger forces need a bit of a push to get their websites in order.

Depressingly, some sites do use https - but the user needs to manually type it into their URL bar! Why bother having https if you don't automatically redirect your users to the secure site?

In this day and age, there's no reason to encrypt only certain areas of your site. The technical overhead of secure communications is trivial and reinforces the idea that security is important to the police.

If the police want to be taken seriously as high-tech crime fighters, they need to ensure their websites meet basic security standards.
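One way to reproduce the "Available, but not forced" distinction from the table programmatically. This is an added example, not the script used for the original survey; the function names, result labels and sample hostnames are assumptions made for illustration.

```python
import http.client
import ssl
from urllib.parse import urlsplit

REDIRECTS = {301, 302, 303, 307, 308}

def fetch_head(scheme, host, path="/", timeout=10):
    """One HEAD request; returns (status, Location) or None on connection/TLS failure."""
    if scheme == "https":
        # The default context verifies the chain, the hostname and the validity dates.
        conn = http.client.HTTPSConnection(host, timeout=timeout,
                                           context=ssl.create_default_context())
    else:
        conn = http.client.HTTPConnection(host, timeout=timeout)
    try:
        conn.request("HEAD", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    except (OSError, http.client.HTTPException):
        return None  # covers ssl.SSLCertVerificationError, e.g. an expired certificate
    finally:
        conn.close()

def classify(http_result, https_result):
    """Map the two observations onto labels modelled on the table's Notes column."""
    if https_result is None:
        return "no working https"
    if http_result is None:
        return "https only"  # nothing answers on plain http at all
    status, location = http_result
    # A relative Location keeps the visitor on http, so it does not count as forcing.
    if status in REDIRECTS and urlsplit(location or "").scheme == "https":
        return "https forced"
    return "https available, but not forced"

def audit(host, path="/", fetch=fetch_head):
    """Probe one page over both schemes; `fetch` is injectable for offline tests."""
    return classify(fetch("http", host, path), fetch("https", host, path))

# Constructed observations (not real measurements of any force's site).
SAMPLES = {
    "forced.example": ((301, "https://forced.example/report"), (200, None)),
    "optional.example": ((200, None), (200, None)),
    "expired-cert.example": ((200, None), None),
    "relative-redirect.example": ((302, "/report"), (200, None)),
}

if __name__ == "__main__":
    for name, (plain, tls) in SAMPLES.items():
        print(f"{name:28} {classify(plain, tls)}")
```

A redirect on its own still leaves the first plain-http request open to modification in transit; sending the Strict-Transport-Security header from the https site closes that gap for returning visitors.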

Update - 15-August-2014
Have just heard back from the City of London

... the City of London Police have fixed the problem and the relevant forms are now secure and live. We’ll continue to test them to ensure they stay that way and this doesn’t happen again.
Thanks for taking the time to contact us
