U.K. cops want to attack terrorism Web sites

A list of antiterror recommendations from the Association of Chief Police Officers has been handed to Members of Parliament in the wake of the London bombings this month, as the government reviews laws on how to tackle terrorism.

Under the proposals, it would become an offense to fail to disclose encryption keys and to use the Internet to facilitate acts of terrorism.

In a press statement last week, Ken Jones, chairman of the ACPO Terrorism and Allied Matters Committee, said: "(The) evolving nature of the current threat from international terrorism demands that those charged with countering the threat have the tools they need to do the job. Often there is a need to intervene and disrupt at an early stage those who are intent on terrorist activity in order to protect the public. Clearly our legislation must reflect the importance of such disruptive action."

The list of recommendations does not detail how police would attack Web sites, but in many cases remotely disabling a Web server involves a denial-of-service attack, in which floods of data are sent to the server to overwhelm it.

The organization said that the measure would help police stop the spread of child abuse images on the Web. "This power has significant benefits for counter terrorism and overlaps with other police priorities namely domestic extremism and paedophilia," ACPO said in its proposals. "This issue goes beyond national borders and requires significant international co-operation. The need for appropriate authority and warranty is implicit."

One former policeman who now works in computer forensics was concerned about the international implications of making cyberattacks legitimate. Simon Janes, international operations manager at Ibas, said: "It's no different to parachuting officers into another country to investigate something. There would have to be some international consent, but I can't see a way around it. It does pose the question, what if that (target) is another government Web site?"

A representative for Spy.org.uk, a civil-liberties advocacy Web site, also warned that attacks on foreign Web sites could backfire.

In an e-mail to CNET News.com sister site Silicon.com, the representative wrote: "Who exactly is going to define what a 'terrorist Web site' is? There are none of these hosted in the U.K., so the targets must be abroad. Will a blog or discussion forum be attacked because one or more of the posters puts up a message gleefully praising some terrorist atrocity or other?"

"The only people who seem to have a legal hacking law at the moment are the Australians, but it does not appear that they have dared to use it against overseas targets," the representative continued. "Hackers will delight in faking their IP addresses, or using U.K. government systems which they have compromised to launch 'legal' cyberattacks on their victims--how is anybody going to tell the difference?"

While the police have admitted that the time it takes to break some encryption standards has slowed investigations, moves to stop people hiding encryption keys have already been included in the Regulation of Investigatory Powers Act. However, this has yet to be approved by the Home Office, the U.K. government agency that oversees law enforcement, and the police have asked for further updates on its progress.

ACPO said: "Recent investigations have been made more complex by difficulties for investigating officers in ascertaining whereabouts of encryption keys to access computers etc. An amendment to part three of the Regulation of Investigatory Powers Act to make it an offence to fail to disclose such items would provide some sanction against suspects failing to co-operate with investigations."

But Ibas' Janes said this law could overlook cases where people forget their passwords. "It only works if you make the penalty the same for that which you are being investigated. Why would you be compelled to hand over an encryption key unless you were performing acts of terrorism? But people do forget their passwords, of course," he said.

Spy.org.uk challenged this point. The representative wrote: "Presumably what ACPO are trying to do is to remove the existing defence of 'I have genuinely forgotten my PGP pass-phrase', which is simply unfair, and it still does not acknowledge the existing weaknesses of the part three regulations with regard to opportunistic encryption keys."

Dan Ilett of Silicon.com reported from London.