FYI.

This story is over 5 years old.

UK Police Are Using Hacking Tools, But Refuse to Say How

As one officer says hacking was used in "a majority" of his cases, police forces refuse to answer Freedom of Information requests.
December 23, 2015, 1:20pm
Image: kirill_makarov/Shutterstock

As the UK considers controversial surveillance legislation that would govern law enforcement's hacking capabilities, the extent and nature of police forces' use of these tools remains opaque.

It is clear that police forces regularly use this kind of surveillance in the course of their work. At an evidence session regarding the draft Investigatory Powers Bill earlier this month, Detective Superintendent Paul Hudson, who leads the Metropolitan Police Service's Technical Surveillance Unit, said that "a majority" of cases he dealt with included the use of equipment interference. Equipment interference (EI) is the term used to describe hacking tools.

Advertisement

But while Hudson argued that EI tools were necessary to combat increasingly techno-literate criminals, the UK's police forces refuse to answer basic questions about the use of such techniques.

Motherboard sent over 40 Freedom of Information requests to different police forces, and did not get any answers to questions on how many investigations had used EI capabilities or technologies, how much had been spent on these technologies, what types of crime EI was being used to combat, or how many EI warrants individual forces had applied for. The Office of Surveillance Commissioners, which oversees the use of covert surveillance techniques, also did not respond to a request for comment.

The majority would neither confirm nor deny that they held the information requested.

This lack of transparency around EI means the public has very little idea about how or why police are hacking into computers.

Out of 44 police forces, 36 replied within the time allocated by FOI legislation. The majority would neither confirm nor deny that they held the information requested. The Police Service of Northern Ireland said that the request would cost too much to fulfill.

The Metropolitan Police Service, which serves Greater London, said that "Any information identifying the focus of policing activity could be used to the advantage of terrorists or criminal organisations. Information that undermines the operational integrity of these activities will adversely affect public safety and have a negative impact on both national security and law enforcement."

Advertisement

EI, sometimes also referred to as "computer network exploitation," is "the power to obtain a variety of data from equipment," according to a fact sheet published by the Home Office. It explains that, "This includes traditional computers or computer-like devices such as tablets, smart phones, cables, wires and static storage devices."

Although scant details exist around UK law enforcement's use of hacking tools, other Technical Surveillance Units have reportedly used remote access trojans (RATs) to gain control of a target's computer, and cracked suspects' WiFi connections to monitor their online activity.

In his evidence as an expert on EI to the Draft Investigatory Powers Bill Select Committee, Hudson said that "Equipment interference is a covert capability, so nothing that we did under equipment interference would cause any damage or leave any trace, otherwise it wouldn't remain covert for very long."

He said that, "As much as we have greater technological investigative powers, the criminals we seek to arrest and bring before the courts have greater technological ability to avoid us."

"Our capabilities are merely moving with the capabilities of the criminals we seek to address," he added.

Hudson also reiterated that the ultimate purpose of EI was to collect evidence to be presented in a court of law. "Nothing we do would reduce the quality of the evidence we are collecting," he said.

Recently, MI5, the UK's domestic intelligence agency, said it had "relied" on EI in "the overwhelming majority of high priority investigations," over the past year. The National Crime Agency (NCA)—essentially the UK's version of the FBI—also has hacking powers. According to a section of the draft Investigatory Powers Bill, more sensitive and intrusive equipment interference techniques are available to "a small number of law enforcement agencies, including the National Crime Agency."

At this point, police use of hacking tools is an elephant in the room for UK law enforcement, no matter how much they attempt to skirt around the issue.

"The head of MI5 called for a 'mature debate' on investigatory powers. Point blank refusing to provide even basic answers to straightforward questions makes that debate impossible," surveillance expert and privacy activist Eric King told Motherboard in an email in response to the unanswered FOIA requests.

"The cold winds of transparency are clearly making the police uncomfortable, but if they want a democratic mandate for these powers, they will need to tell Parliament and public more about how they've used them in the past. For capabilities as intrusive as computer hacking, continuing to pretend they don't exist just won't do."