Want to report crime? Use this UNENCRYPTED police web form

The security of police websites has been slammed after it emerged that many don’t encrypt confidential information sent to them over the internet. Most police forces have online contact us forms with some even allowing people to report crimes online, but scores are failing to encrypt the information allowing anyone to steal and even change details of crimes.

City of London Police, which has a dedicated high-tech crime unit, is one of the worst offenders. Its online crime reporting form didn’t use HTTPS, meaning that all information was sent in plain text. This could have allowed anyone to intercept and steal personal and potentially highly confidential information. It would also be possible for crooks to change the details of crimes being reported to the police. Having been alerted to the gaping security flaw City of London Police have now updated their website to use HTTPS. It isn’t yet clear how long the page was left unencrypted.

The use of encrypted web forms to send personal information over the internet is considered a bare-minimum for online security and is used by just about any website that requests information from users. Terence Eden, the security researcher who uncovered the flaws, said the police needed to take website security more seriously:

“Secure communications between the public and with websites is important. I want to know that all my dealings with the police are treated securely. I want to ensure that the data I send them is unmolested in transit. I want the state to take online security as seriously as they take physical security,” he said.

In the case of City of London Police, the unencrypted web form requested swathes of personal information including people’s names, addresses, email addresses and telephone numbers. The form also asked people to describe crimes in detail including what happened, where it happened and details of any stolen property.

Michael Frost, website manager at City of London Police said that the lack of HTTPS on the website was a “technical issue”. He said that to the best of his knowledge the web form was encrypted and that he had been in the room when HTTPS certificate was purchased.

When it was pointed out that the web form wasn’t encrypted and that no HTTPS version was available Frost said that “it should be”. City of London Police have now updated their online crime reporting page to use HTTPS, as well as displaying a message explaining that users will be directed to a secure page to report crimes.

Sending personal information and especially details of alleged crimes over unencrypted web connections is extremely dangerous. People even with the most basic technical knowledge can easily intercept and view the information as it is sent over the internet in plain text. Information sent over HTTPS is encrypted and secure.

Out of 47 police websites investigated 19 had contact pages or online crime reporting forms that didn’t use HTTPS. Many police websites do have HTTPS but do not enforce it. That means that anyone wanting to use a secure version of the website would need to type ‘https’ into the address bar.

Lancashire Constabulary, which also has an online crime reporting page, failed to renew its security certificate when it expired on 1 February 2014. Visitingt the page now displays a warning message that the secuirty certificate can’t be trusted.

“In this day in age, there’s no reason to only encrypt certain areas of your site. The overhead of secure communications is trivial, and reinforces the idea that security is important to the police,” Eden said. “If the police want to be taken seriously as high-tech crime fighters, they need to ensure their websites meet even basic security standard.”