February 2021 – Under UK law, the police are not permitted to use evidence obtained through the interception of communications, but a recent Appeals Court ruling allows them to use evidence obtained by systematically hacking the supply chain of secure communications software and hardware vendors.
Julian Dean, founder of the Great Seal Cyber Security Network, says: “We all understand the need to disrupt criminal organizations in order to protect the public, but this court ruling is still a worrying development. In effect, it legitimizes cyber attacks by the police and security services on technology companies, which appear to result in something very similar to ransomware being installed on computers of end-customers.
“The argument accepted by the court is that this secretly-installed software that copies the user’s data to police servers, milliseconds before it is actually transmitted to the intended recipient, is not technically classified as interception of communications, so the relevant laws on how such data can be used do not apply.
“Apart from the fact that this is clearly a technicality, which makes little sense in the real world, it is very worrying that it appears to make all technology companies legitimate targets for cyber attacks by the police and security services, which will result in confidential user data being routinely copied to police servers.
“This is a game-changer for cybersecurity technology vendors, which means they have to assume their supply chains are being actively targeted for cyber attacks by Government agencies, and that in order to maintain customer confidence and protect confidential customer data they need to substantially review & revise supply chain security.”