Analysis: Should the police hack your computer?

According to reports, the Home Office is believed to have adopted plans to allow UK police forces to hack into personal computers remotely and without a warrant.

The hacking is known as "remote searching" and will allow law enforcement officers to hack into hard drives many miles away, examining the PCs of unsuspecting users.

It is already being carried out. Indeed, the Association of Chief Police Officers said that UK police conducted nearly 200 remote hacking operations in 2007-2008.

However this volume of searches is likely to increase going forward if current plans are extended. Under the new EU rules, police will be able to use intrusive surveillance on private property without having to apply to a magistrate's court for a warrant.

Libertarian campaigners and opposition MPs have been up in arms about the implications, referencing a surveillance state' and suggesting that such a move would be detrimental to privacy.

"These are very intrusive powers, as intrusive as someone busting down your door and coming into your home," Shami Chakrabati, director of rights group Liberty, told the Telegraph newspaper.

"The public will want this to be controlled by new legislation and judicial authorisation. Without those safeguards it's a devastating blow to any notion of personal privacy."

Such concerns are understandable, according to Sophos' security expert Graham Cluley.

"It's quite alarming," he said. "The police have basically been admitting that they have been hacking into people's private homes. If that's happening without proper checks, just as you would expect them to take place with physical searches, then I think that is quite a bad thing."

Cluley said that he believed that the new EU rules could only work with extremely rigid and regimented guidelines about what particular circumstances did allow warrantless intrusion, as with telephone monitoring.

"The concern is that if people are given carte blanche to do this, and the police are policing themselves as to when this is appropriate, then that really sets a dangerous precedent."

The hacking techniques that police will use are believed to be similar to some of the ways that cyber criminals have been using to steal credentials for a number of years.

This includes breaking into a suspect's home and installing a key-logging device on their computer to collect details of their keystrokes.

Another option is sending malware, such as an attachment to a suspect's computer. This could be in the form of a Trojan which could invisibly read whatever they do on their system. Hacking computers using wireless networking is also an option.

Cluley said that from the point of view of his own company, anti-virus vendor Sophos, any malware written by the police would be treated like that made by a criminal.

"If we see the police using spyware to spy on criminals, we're going to do our best to detect it," he said. "We don't care whether it is the police who've written it, or whether it is a cyber criminal. Our job is to prevent infection on computers, and spying on them."

He said that he fully understood why police would want to crack into a computer and get information like passwords needed to read encrypted messages which criminals were likely to be using.

"There are criminals who are taking huge advantage of the internet in keeping their activities secret from the police," said Cluley.

However he reaffirmed his belief that it was wrong for a police officer to be allowed to hack left, right and centre, and that they would be able to police themselves.

His last warning was that if the police weren't careful, criminals could determine that they had spyware installed and use it themselves.

Cluley said: "Effectively you could be putting a weapon in the hands of the criminals, who could then use it to spy on others with a little adaptation."

So should anti-virus vendors be working with the police? In 2001 it was reported that the FBI had developed "Magic Lantern" software which was used to monitor computer use, similar to Trojan software.

It was alleged that the FBI approached various anti-virus vendors, asking them to turn a blind eye and not detect the Trojan.

Of Sophos' position Cluley said: "We are happy to work with the police and have done on a number of occasions. But when it comes to turning a blind eye to their activities if they hack into computers, even with a judge's permission, our software is hopefully going to detect it and stop it."

He added: "We're not going to do anything to limit our ability to do that."

In response to the media coverage and campaigners' outcry to the plans, a Home Office spokeswoman told IT PRO that it wasn't the case that new powers were being given to police by stealth, and that some of the the reports had proved slightly misleading.

She added that it still remains the case that anybody undertaking a search would be tightly regulated under the Regulation of Investigatory Powers Act (RIPA).