The Reg visits London Met Police's digital and electronics forensics labs More than 90 per cent of crime has "a digital element," we were told as The Reg was welcomed into London Metropolitan Police's Central Communications Command Centre, near Lambeth Bridge on the Thames. Not only does that mean an exponential increase in the amount of data stored, with the increasing seizure of phones, it also …
"Obviously victims and witnesses are more than happy for us to have access to the device. "
And this is, I think, *the* problem. If you do not feel happy about this, and you are innocent, you are obviously not innocent in the eyes of those who make this kind of statement.
Unless the 'rights' are enshrined as such in all sectors of governmental and consentary policing, then we are on a slide into 'Nothing to hide, nothing to fear'.
That aside, good on both sides that you got in there.
If I handed over my work phone (or computer) to a third party* and let them download whatever they felt like then I'd get in a lot of trouble with my employer's information security people and/or regulatory authorities**. I guess this could be seen as "unwilling to help with our investigation" to the cops.
*assuming there's no warrant
**it's possible that there will be clinical data in my email
"Would you trust your data to an organisation that still has XP?"
Of course. Why not ? If it's capable of running every application they need it to run, it's perfectly adequate for the job.
Ignoring the slurp features, perhaps a later OS has more "security". So what ? If someone's on your network, you already lost the game. If you're able to run unfiltered executables from outside, you're pretty much the same : there are probably more exploits in actual use now for W10 than XP.
It might well be more sensible for a domestic user with no firewall or basic understanding of computer security to run something more modern than XP. For an organisation that's properly protected, it won't make a jot of difference.
If you disagree, kindly explain.
Let me help you there as someone who worked with them in the past
Their system is air gapped
for those too stupid to google it, they have NO CONNECTION TO THE OUTSIDE WORLD
This is the same organisation that still uses XP.
This is the year of the linux desktop
Apple are so secure you dont need AV
etc
etc
Most modern malware needs to call home, but the worst that can happen to an air-gapped system that just runs software is that it becomes unusable - at which point you rebuild it from the backup (you have a backup right?).
Of course, if all of the machines are air-gapped from the net, but not from each other, then you've got problems of scale to deal with.
The Iranian centrifuges were a special case, as there was a mechanism being controlled by the infected machines that could be put out of whack to cause the problem. Plus that was a state-level hack, not your average script slinger.
"Everyone knows the TARDIS runs on Linux......."
rot, the episodes are only 50 mins or so, they'd spend all the time having to type out where he wanted to go in extremely long long hand.
Add in the fact that if he had problems he would get replies like "well there's your problem, what the hell do you want to go to that planet for FFS?????" to any requests for help....
I was listening to the "Unexplained with Howard Hughes" podcast yesterday, and he was speaking to a chap called Mike Godfrey from a company called Insinia about hacking and cyber threats. And he mentioned, briefly, how everyone thinks the Met work closely with GCHQ on certain threats when in actual fact GCHQ can't trust the Met with any information in fear of them losing it. Aparently there's a track record with the Met and such things.
This chimed with something an uncle of mine (since departed) said to my Dad some years ago. My uncle worked building devices that could detect whether or not a room was bugged and where abouts in the room it was located. He had offers from America for the device, but nothing from the UK. And he said that the British police are always several steps behind everyone else (especially the Americans) in terms of technology to help solve crimes etc. He said that about 15 years ago, and nothing since has proven him wrong.
"[...] certainly DNA and fingerprints are only retained if there has been a criminal conviction."
The police are apparently still retaining such data when there was not a criminal conviction - or even a charge.
Currently the Met cannot access remotely stored data – for example, on the Dropbox service. In order to do so, it would have to go through a Regulation of Investigatory Powers Act (RIPA) – the controversial Act that regulates the powers of public bodies to carry out surveillance and investigation, and the interception of communications. This process can be lengthy, he says.
So they can access it, they just don't want to go through the paperwork.
RIPA is pretty generous act anyway. What are the police asking for, a back door to Dropbox?
Puzzles me that while the mobile phone numbers that punters use to order drugs from dealers can change hands for £thous, the cops seem unable to get the telcos to just cancel those numbers. Every phone contract contains a condition that the service isn't used for illegal purposes.
I've been on these forums an awful long time. And in that time the general conscientious has been that most people on here are opposed to something like a central bio-metric database.
Can I ask why you feel that way?
Is it simply because you do not trust UK Police / Government to make it secure, or are there other reasons?
Surely apart from the obvious security concerns - which believe me I understand and feel the same way, if they were never going to be a problem then, if you've nothing to hide...
Genuinely curious on this.
D
retrospective criminality? thought-police ?
I'm typing this reply today, and although I fully support the Police and wish that they would get extra funding, less manpower cuts and the same share of PRISM that , say, the German police get from the BND/BfV's take (~50%) . . . there's always the sneaking worry that I might be contravening some future law that allows retrospective database policing, low-resolution biometrics being deliberately used, perhaps fitting people up with a crime - as if that could ever happen!
like how the Chinese gov did a routine meta-data pollution study of transport & traffic-jams in Beijing by tracking GSM pings, they needed a few thousand random target handsets - allegedly just chose the top activists IMEI's to permanently monitor, as one might
For me, two reasons. FRR and FMR. Or False Rejection and False Match Rates. One is where a facial recognition system doesn't recognise the person, the other is where it recognises the wrong person. In Hollywood, this doesn't happen. So TPTB do the 'zoom and enhance' thing, and up pops the name, criminal record, phone number and inside leg measurement.
In the real world.. that doesn't happen. Especially if the image is a fuzzy CCTV one showing a partial face under a hat or hoodie. Criminals are aware of CCTV, so try to obscure their faces. If there's a false match, then an innocent person may get seriously inconvenienced trying to prove their innocence.
But in the UK, a facial database already exists, thanks in part to the EU and their push for biometrics. So there are databases for driving licences and passports, and that genie's already partially out of the bottle.
Hence anybody who hides their face is a criminal - QED
Nope, just should mean biometric salespeople should get charged with wasting police time. If you enter a b&w, fuzzy image taken at night and the system returns 177,000 matches.. It's not helpful. It's a GIGO problem, ie if the CCTV cameras are junk, the images are junk. Especially if they're located in the wrong place, namely looking down, not across.
Three main reasons:
1. The inaccuracy problem and the fact that a hard-working and over-stretched officer is likely to attach too much weight to either a match or a rejection. Particularly as it may have the effect of meaning someone has to "prove they are innocent" instead of the other way around.
2. The massive increase in trackability. It becomes much too easy for a lazy (or over-worked) officer to assume that someone who has come to their notice (even if not convicted of any offence) is likely to offend and so should be tracked and watched. So, for example, someone stopped, questioned and free to go at a demonstration may find they are noted by an automatic system every time they appear on any camera and even prevented from accessing future demonstrations (in the interest of keeping out so-called troublemakers). This has already been a real and documented problem with vehicles (see the "John Catt extremism" case and also the Witney Cat Farm). Treating someone as a suspect before they have committed any crime is not how policing is done in a free society.
3. The general principle: one determining feature of UK society is that you are free to go about your business without explaining or identifying yourself, carrying any identification or even staying limited to one identity, as long as you are not committing a crime. In the 1960's there was a real danger of nuclear war and, as a small child, I was frightened by this. My parents didn't try to tell me not to worry, or that they would keep me safe, they explained why we would fight against communism, whatever the cost. The example they used was that communist police stopped people on the streets and demanded to see their papers: which would never happen in a free society.
And in that time the general conscientious has been that most people on here are opposed to something like a central bio-metric database.
Can I ask why you feel that way?
Principle. Recognising another individual by sight, smell or sound is baked into the human (possibly tetrapod) condition, but if I choose to conceal those cues you have no business knowing who I am unless I choose to tell you. That's why I won't go to the wrong side of the pond anymore. My own government don't have my fingerprints so there is no way in hell I'm handing that data to a foreign government.
DNA is even worse. At the risk of Godwinning myself, imagine what certain near historical political regimes would have been able to do with a comprehensive database of this nature. Scan the entire population for genetic susceptibility to Tay-Sachs disease perhaps? Purely for altruistic reasons of pre-emptive health care of course.
"
... opposed to something like a central bio-metric database. Can I ask why you feel that way?
"
Because you cannot trust any government - least of all a government that is yet to be elected. Learn the lessons of history - how many governments have misused their power to the detriment of some or all of their citizens? From minor annoyances such as suddenly finding your insurance has skyrocketed because the police sold the DNA database to insurance agencies who analyse the data for people who have a genetic propensity to certain medical conditions, to genocide when a future extremist government decides to lock up everyone with DNA suggesting a Middle Eastern origin (it's been done before by a democratically elected government). Then there's the possibility of the government making draconian laws that you may well want to break.
'Is it simply because you do not trust UK Police / Government to make it secure' - Yep look at the UK Govm track record with IT and losing information. I can change a password, it takes a lot more effort and money to change a face.
@hi_robb
Good question, and probably many different reasons.
For me it's a principal. For many years the approach in the UK is that a citizen/subject is a free person, and so long as they go about their lawful business then the state has no justification in interfering in their lives. Tied in with this is that as a citizen of the UK I have no need to prove anything - in law the complete onus is (or used to be) on the prosecution to prove its case - no need for the innocent to provide biometrics.
A further problem is complete and total mistrust of the powers-that-be, not always the police themselves (although they have a fair number of very dodgy characters in their ranks) but their response to instructions from their political masters. Having a central database of biometrics is opening the door to massive abuse. No database - no risk.
Sadly the police have, in many cases, forgotten that their role is to "protect and defend" the citizens, not control them. They are the servants of the public, not their masters.
Apart from anything else: it is far from certain that a central biometric database would actually help solve crimes.
Take fingerprints, for instance. Historically, fingerprints have been taken from people who've been arrested. When a print is taken from a crime scene, it's then compared against prints previously taken from people who've been arrested in the same general area. A few thousand, tops. That's - actually a pretty good way of compiling a shortlist, right there.
But - you may be interested to learn - in the very few systematic trials of fingerprint identification, there has been a shockingly high rate of wrongful matching. Where human experts have pronounced definitively that a fingerprint belonged to someone it did not, in fact, belong to. So if you scan a blurry, incomplete fingerprint against a database of 60 million suspects, you will get false positives. Probably lots of them.
Other biometrics are the same. When an expert pronounces in court that there's only a 1 in 100,000 chance that the suspect matches this biometric by chance, what they're really saying - in a country of 60 million people - is, "there are 600 people in the country who would register positive to this test. So if this is the strongest evidence the prosecution has, there's roughly a 1 in 600 chance it's the right person." Of course that's not what the prosecution says, or what the court hears - what they hear is "there is a vanishingly small chance of error". But what they mean is "there is a near certainty of error".
As a way of confirming that someone is who they say they are - biometrics are fine, up to a point. As a way of finding one person in a large population, they're hopeless.
Can I just point out that at no point in my life have I given the Police, or the government, permission to scan and store my personal bio-metric details.
By what right do they claim these privileges?
What if I simply told you that I don't agree with the idea of storing bio-metric data and leave it at that? Someone might ask me why, but is that really any of your business? I have stated my position, I have no need to justify it because that implies you have a right to know why and that I'm arguing my case.
There should be no case. I have the right to go about my life unimpeded unless I transgress the laws of the land.
Obviously real life isn't so black and white, we do need our Police to be effective in order to keep the peace and nail the baddies - but what price are you willing to pay? What if others don't want to pay that price, will you make them?
If the answer to that last question is yes, then you are firmly on the path to a Police state, it's just a question of how far along you are at the moment.
Cityman was excellent phone. Cityman 900 was the first phone that was worthy of replacing my old NMT450 kit. I had it with the full car kit too (handsfree speaker and handset (fairly slim) that dujplicated the display and keypad). Truly excellent. And it survived any accidental abuse it experienced. Oh and it would crush any other phone, literally...
P.S. Been a while since I saw Wall Street, but didn't Gecko have a crappy Motorola DynaTAC?
"If they are not, then the data is not retained."
?!
I was under the impression the current state of affairs is that such data for people NOT convicted of crime SHOULD NOT be retained, but IS RETAINED and it is EXTREMELY HARD to get it removed, and the good old plod DON'T HAVE to remove it, even when there's no conviction?
If I were expecting to have people demand a password from me then I'd set my system up so that user accounts were differentiated by password rather than user name. If the password was wrung from me under duress I'd enter that password whereupon the system would not only show fluffy bunny type information to Mr. Plod but hide or delete the real information.
This isn't a novel concept. Many burglar alarms have alternate keycodes to use in a panic situation -- it might turn the alarm siren off but it also sends an alert to the monitoring center.
(Biometrics aren't an issue, either -- I might want to unlock my device with my face or my face with, say, one eye closed. Its all really a matter of how far one wants to go playing cat and mouse. Personally, I don't carry confidential information on a mobile device. Mr. Plod or the USCIS can have at it all they want, there's nothing to see but it might take them some time to find out.)
On a system where there are multiple users, how would you deal with duplicate passwords?
I'd expect the "account" would be determined by a username/password combination. You would have usernames with multiple passwords, each determining which subset of data could be accessed. Just set up a realistic honeypot of convincing data for the CopperPassword. All your videos are suddenly Rick Astley music videos. Your documents all have listings of Pokemon cards. Your pictures are all Photoshopped pictures of Janet Reno in lingerie (or Margaret Thatcher for you Brits).
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
