Motherboard

London Cops' Emails Sent With No Encryption, Open to Interception

You’d think cops would care about cybersecurity that much more.

by Joseph Cox
Mar 3 2017, 12:00pm

Cops make juicy targets for hackers. Last month, Motherboard reported that a data trader was selling some 700,000 accounts from a popular forum used by law enforcement.

With such a target on their backs, you'd think police forces would take cybersecurity seriously. But it turns out the Metropolitan Police Service (MPS), which serves areas of London, is not even using fundamental email encryption, according to several researchers and experts.

"It's a bit disappointing to see a large organisation like the MPS not deploying robust encryption on a service as critical as email," Scott Helme, an information security consultant, told Motherboard in an email. Helme also said that police should be taking steps to ensure the confidentiality and integrity of emails.

I first came across the issue when the MPS replied to one of my Freedom of Information appeals this week.

"met.police.uk did not encrypt this message," the warning in my Gmail inbox, accompanied by an open red padlock, read. I tweeted out the message, and Tom Brossman, an IT consultant, replied with the results of a scan of the MPS' server.

"TLS [Transport Layer Security] is not an option on this server," the results read. TLS is a basic form of email encryption that protects data in transit, and as Google's warning elaborates, the email delivery services of both the sender and the recipient need TLS enabled for it to work.
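The kind of check behind a scan result like that one, as an added example that is not part of the original article: a receiving mail server lists STARTTLS among its extensions after the EHLO command if it supports TLS, and delivery is only encrypted when the sending side also uses it. The sample replies and hostnames are constructed, and the function names are this example's own.

```python
import smtplib

# Constructed EHLO replies (RFC 5321 multiline "250" responses); hostnames are placeholders.
EHLO_WITH_TLS = "250-mx.example.test Hello\r\n250-SIZE 52428800\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
EHLO_NO_TLS = "250-mail.example.test Hello\r\n250-SIZE 52428800\r\n250 8BITMIME\r\n"


def advertised_extensions(ehlo_reply: str) -> set:
    """Return the ESMTP keywords a server lists after EHLO, upper-cased."""
    keywords = set()
    lines = [l for l in ehlo_reply.splitlines() if l.strip()]
    for line in lines[1:]:  # first line is the greeting (server name), not a keyword
        if len(line) >= 4 and line[:3] == "250" and line[3] in "- ":
            word = line[4:].split(" ", 1)[0].upper()
            if word:
                keywords.add(word)
    return keywords


def delivery_is_encrypted(sender_uses_tls: bool, receiver_ehlo: str) -> bool:
    """TLS in transit needs both ends: the sender must attempt STARTTLS and the receiver must offer it."""
    return sender_uses_tls and "STARTTLS" in advertised_extensions(receiver_ehlo)


def probe(host: str, port: int = 25, timeout: float = 10.0) -> bool:
    """Live version of the same check, for a mail server you administer."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        return smtp.has_extn("starttls")


if __name__ == "__main__":
    for name, reply in (("with TLS", EHLO_WITH_TLS), ("no TLS", EHLO_NO_TLS)):
        print(name, sorted(advertised_extensions(reply)), delivery_is_encrypted(True, reply))
```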

"If you were to send me an email at x@met.police.uk it looks as if it would be sent in with no level of encryption, which is surprising as most organisations these days use TLS, and send email over HTTPS by default," Alan Woodward, a visiting professor at the University of Surrey who looked over the results, told Motherboard in a Twitter message. In short, anyone who might intercept emails from this server while in transit—maybe an internet service provider, or someone snooping on either the sender or the recipient's network—doesn't have to worry about encryption getting in the way of the email's content.

The MPS does use another email domain too—part of the police national network—that does come with TLS. But it is the MPS' own domain that does not come with the same protections.

The MPS acknowledged several requests for comment this week, but did not provide a response.