On 5th January 2009, the BBC published an article stating how the police are to be encouraged to “hack” into personal computers, for the purposes of investigation, following an EU report on the subject. This statement raises many questions, not least of which is:
“How can the police legally hack into my computer?”
Firstly the actual EU report,that the BBC mentions, its not quite as explosive as implied by the BBC. The report, entitled “Council Conclusions on a Concerted Work Strategy and Practical Measures Against Cybercrime” states that “If necessary, the European platform could be a tool for …….facilitating remote searches if provided for under national law” (emphasis added).
The EU does not provide for covert searches and surveillance, but instead thinks this is an effective method of investigating computer crime, and suggests member states use whatever laws they have available.
This still leaves the question of What laws are available to the UK Police for covert computer searches?
The UK Police don’t have much to say on the issue, with very little documentation produced by the advisory body known as the Association of Chief of Police Offices – ACPO – on the subject of . In 2005 ACPO did release the National Intelligence Model which only has this to say about covert operations:
“Covert operational teams are regularly deployed within communities and in the investigation of serious crimes. In addition to gathering operation-specific information, unrelated information will also be generated. This must also be recorded and evaluated following the principles for managing and sanitising confidential information“
ACPO has even less to say on the subject of covert searches:
“Covert searches – surveillance authorities may be required – collection of personal data by covert means.”
In 1997 the at the reading of the Police Bill in the House of Lords the subject of covert searches was discussed:
“Surveillance and covert searches are likely to be authorised if a chief constable thinks that they are necessary; they would then be approved by one of the commissioners“
But the Police Bill was superseed by RIPA (2000), which allows for all sorts of methods survellliance, phone tapes, and intrusive survelleiance. It these survelliance power that allow the police to search computers remotely (i.e hack computers), as this law providers for covert and intrusive searches.
The Home Office document, Covert Surveillance – Code of Practice, produced as a guide for the police to use RIPA, states this:
5.6 In many cases, a surveillance investigation or operation may
involve both intrusive surveillance and entry on or interference with
property or with wireless telegraphy. In such cases, both activities
need authorisation. This can be done as a combined authorisation (see
It then goes on to state this about who can authorize this:
5.7 An authorisation for intrusive surveillance may be issued by the Secretary of State (for the intelligence services, the Ministry of Defence, HM Forces and any other public authority designated under section 41(l)) or by a senior authorising officer (for police, NCIS, NCS and HMCE).
5.10 The senior authorising officer should generally give authorisations in writing. However, in urgent cases, they may be given orally. Urgent oral case, a statement that the senior authorising officer expressly authorised the conduct should be recorded in writing applicant as soon as is reasonably practicable.
5.11 If the senior authorising officer is absent then as provided section 12(4) of the Police Act 1996, section 5(4) of the Police (Scotland) Act 1967, section 25 of the City of London Police or sections 8 or 54 of the 1997 Act, an authorisation can be given writing or, in urgent cases, orally by the designated deputy.
5.12 In an urgent case, where it is not reasonably practicable regard to the urgency of the case for the designated deputy to consider the application, a written authorisation may be granted person entitled to act under section 34(4) of the 2000 Act.
There is no doubt that RIPA provides the police with much needed powers, but it has also been miused many times. Both by the police and more commonly by councils. In fact there were so many occurences of RIPA being misused at a local level, the central government had to warn the councils to stop misusing the powers in this way.
This is not the issue of if the powers are needed, or if they will be misused, we know the powers are needed, but we also know they will be misused. Whenever people are given access to data and survelliance, there will always misuse it, it is, sadly a fact of life.
The issue is do we want the goverments exectuve agencies (and councils) to have these powers, knowing they will misuse them? Is that a balanced risk?