Centre for Public Safety tests reveal that only one in four show high standards for encrypting data from the public
Many policing-affiliated websites are failing to meet high security standards, according to a new study from the Centre for Public Safety.
The not-for-profit organisation, which promotes efficiency in policing and public safety, says in its Secure Foundations report that only 19 of 71 websites it tested show high standards of secure encryption, with the rest either lacking a secure connection for visitors or using one deemed insecure.
Almost one in four (17) lacked any automatic secure connection, so information is sent across the internet as unencrypted plain text. In some cases information relating to crime was sought in plain text with no secure connection.
The centre says this places the public at risk and such practices should be terminated, as they go against crime prevention and online safety advice issued by the police.
Some of the newest implementations fell short of the high standards expected. The report highlights Cheshire Constabulary’s website which, after an intended upgrade earlier this year, recorded a lower security grading than before.
It does praise some sites, awarding A+ ratings to those of the Civil Nuclear Constabulary and the Independent Police Complaints Commission, and several regional police services receive A ratings.
But a large number are rated F or U, including regional forces and national bodies such as British Transport Police, the College of Policing, Ministry of Defence Police and the UK Missing Persons Bureau.
Rory Geoghegan, founding director of the Centre for Public Safety, said: “While the rest of the world moves to secure-by-default, some forces and their IT providers seem intent on delivering not-enough-by-default.”
He added: “Over a quarter of police forces have got it right, allowing the public to communicate with them securely, but the rest need to redouble their efforts.
“Those police forces accepting personal data and information on criminal activity over plain text should, as a matter of priority, implement secure connections.”
He urged the newly launched National Cyber Security Centre to provide a channel for the public to report vulnerabilities in police and public safety digital infrastructure.
The websites covered in the report were tested in July and again in September of this year. The tests checked whether they supported Secure Sockets Layer (SSL) technology, the standard for establishing an encrypted link between a web server and a browser.
Image (amended) by Southbanksteve, CC BY 2.0 through Wikimedia