Two computer security vendors claim that they will block police access to protected systems, even if the law allows it.
A little-known part of the Computer Misuse Act (1995) allows UK police to hack into “compromised” systems without a warrant. With the Home Office pushing to extend police powers in this area due to Europol, UK security firms face a dilemma: whether to allow police hacking, and theoretically leave the system wide open, or to block all attempts.
Kaspersky Labs said on Tuesday it would block all attempts to access its customers’ systems, regardless of the agency attempting the entry. David Emm, Kaspersky’s UK senior technology consultant, said “If we provided a backdoor, it could be used by malware authors. People would be able to drive a coach and horses through our security.”
Sophos took the same stance. “We block spyware, regardless of where it comes from,” said Graham Cluley, the security vendor’s senior technology consultant.
Symantec, however, has declined to comment on whether it would block a police hack, saying the matter was “politically sensitive,” although it is known not to scan for the FBI’s “Magic Lantern” software, whether that software actually exists or not.
The real problem, which Symantec has alluded to, is that full co-operation with the police would require a “skeleton key” of sorts for the police to use. If such a key exists, it could be forged, and that would invalidate the very security that the vendors provide.
The most likely way for police to hack into a system, according to security expert Richard Clayton, would be to place a keylogger on it, something they would need access to the system to do. Failing that, they could try the brute-force method of breaking your router password and connecting over your WiFi. Both options are very costly in terms of manpower.
The Association of Chief Police Officers (ACPO) said that between 2007 and 2008 there had been 194 warrantless searches performed by the police, but an ACPO spokesperson was unable to confirm at the time of writing how many of those searches had been of computers.