Policing and the Internet of Things

Policing and the
internet of things
2 Policing and the Internet of Things Policing and the Internet of Things
authors
Katy Minshall
Rory Geoghegan
Henry Rex
Foreword by Assistant Chief Constable Richard Berry
Policing and the Internet of Things Policing and the Internet of Things 3
contents
Foreword ……………………………………………………………………………………………………04
Executive Summary …………………………………………………………………………………..06
Part One: Crime, Digital and the Internet of Things………………………………….07
Part Two: The New Risk Landscape ……………………………………………………………11
Part Three: The State of Play ……………………………………………………………………..14
Part Four: Challenges and Opportunities for the Police …………………………..18
Part Five: Conclusion and Recommendations ………………………………………….22
References ………………………………………………………………………………………………….26
foreword
The digital environment already presents a number of challenges for
public safety and the prevention and detection of crime. I see these
issues on a daily basis in my role leading change for digital investigations,
intelligence and the Communications Data Portfolio for the National
Police Chiefs Council.
The digital influence upon our lives is also both increasing and accelerating.
Some economic forecasters suggest we are on the cusp of the ‘fourth
industrial revolution’. Faster networks using 5th generation (5G) mobile
technology and the proliferation of internet enabled devices are set
to become the norm in the foreseeable future. The increased ‘attack
surface’ requires us all to consider the approaches we might take towards
protection and crime prevention. These are very different challenges
to those of physical security and the application of situational crime
prevention techniques. Data volumes are proliferating; data velocities are
accelerating, data is generated and stored in complex and virtualised ways.
The veracity of data and proving the consequential evidential validity
are both topics which are increasingly attracting the attention of the
investigative and forensic practitioners.
Digital policing is a technological endeavour which demands improved
workforce and operational capabilities. In order to effectively face such
challenges and move at an increasing digital speed, we should look to
create agile approaches to managing change.
Police forces across the country have already been adapting locally and
there are many pockets of good practice. However, digital challenges can
be different to those previously familiar to many in policing. Distributed
network challenges require distributed networked responses. Reliance
on centralised and traditional command and control approaches does not
necessarily provide people and groups with the free space necessary for
creativity and innovation. Such facilitation underpins the organisational
capacity to be adaptive.
4 Policing and the Internet of Things
One of the suggested keys to success has to be working in new
partnerships which help to discover and respond to threats and
opportunities. Adaptation, sometimes at scale and often at speed is set
to become an increasingly important success factor. Closer working with
industry will also be critical. In order to fght crime in the digital age, it is
vital that police have a good understanding of market capabilities. In turn,
it will be important to ensure a regular exchange of views and ideas is
facilitated, for police and industry to work collaboratively in responding to
new crime and security issues.
Despite these challenges, new technologies also present the police with
immense opportunity. Perhaps most importantly, new sensors and smart
devices can provide better protection for ofcers and the vulnerable they
seek to protect in challenging and dangerous situations. More broadly, in
an era of budgetary constraints, digital capabilities can help generate the
efciencies and cost savings required of forces.
This report sets out six incremental steps, which will help police forces
meet the challenges presented and harness the opportunities available.
Beyond this, I hope this report sparks discussion and debate for how we,
as the Police Service can rise to the challenges of Digital Darwinism.
Thank you.
Sincerely
ACC Richard Berry
Chief Ofcer Lead,
Digital Investigations and Intelligence Programme
National Police Chiefs’ Council
Policing and the Internet of Things 5
6 Policing and the Internet of Things
executive summary
The Internet of Things (IoT) is the notion of devices – and not just laptops or smartphones, but everyday
objects – being connected to the Internet; and with each other. In the average UK home, already there
are at least eight connected devices, ranging from security systems to tablets to fridges. In public spaces
too, the IoT is becoming the foundation upon which businesses and governments are building services –
from trafc light sensors providing travel directions, to home health care devices that alert professionals
to changes in patient condition.
This change will have – indeed, is already having – a major bearing on policing. Partly, this is down to
the growing capability of cyber criminals, and the difculty of securing some of these types of devices.
Not only have new risks been created, such as the deployment of ransomware onto devices, but more
‘traditional’ crimes can now be committed online, targeting large numbers of people from almost
anywhere in the world.
“if you want to make it really easy for things to connect then
you tyPically have to trade off security.”
tobin richardson, President and ceo of the Zigbee alliance,
iot standards-setting organisation¹
Online fraud is now the most common crime in the country, with almost one in ten people falling victim.²
Many assessments – most recently the March 2017 NCA & NCSC joint report – forecast that certain crimes
related specifcally to the IoT are now expected to become more frequent.
On the other hand, the IoT presents enormous opportunities to help police better serve their
communities, provide public safety and save money. The IoT could, for instance, improve safety for police
ofcers and other emergency personnel. One pilot project in Dubai used sensors that inform the control
centre if ofcers have been incapacitated and are lying horizontally.
More broadly, mobile and IoT technology offer enormous potential to redesign business processes and
cut out unnecessary paperwork, while analysing data to understand both trends and real-time crime
informing the allocation of precious police resources to maximum effect.
Consideration of this shift is urgent – it is a major societal change that the police must adapt to. Yet, if the
police, industry and other partners do harness the IoT, there are major gains to be had – for police ofcers
and for citizens.
In this analysis, six recommendations are presented; which are incremental steps that can be adopted
quickly:
Addressing the challenges:
1. A new model for partnership with industry and academia
2. Redeployment of the security index
3. Public outreach and a prominent police voice
Maximising the opportunities:
4. Digital skills across the policing curriculum
5. Greater resources for public safety app creation
6. Cyber security as corporate social responsibility
These recommendations intend to help police work collaboratively with industry and civil society in
managing changes brought by the IoT, and ultimately maintain world class policing in the UK.
Policing and the Internet of Things 7
Part one
crime, digital and the internet
of things
8 Policing and the Internet of Things
The last decade has seen a change in crime – with both reported crime and crime
surveys indicating a shift away from traditional volume crime towards fraud and
cyber-crime.
It is unclear whether the decline in ‘traditional’ crime will persist. London and other parts of the UK are
already starting to see a revival of certain forms, potentially bringing the period of sustained decline to
an end.³
However, what is undoubtedly true is that the economics of these new crime types is wholly different.
While a burglar must expend a similar amount of effort – and arguably expose themselves to similar
levels of risk – during the commission of each individual offence, cyber criminals are able to exploit
technology to reduce both the effort and risk of each offence. The scale and nature of cyber-crime, from
port scanning to brute-force attacks to phishing, is unprecedented when compared to conventional
crime.
There is also a decreasing level of technical skill required to commit cyber-attacks now. Malware, and
services like DDoS (distributed denial of service), are easily acquired on the dark web, and a growing
number of individuals are capable of launching basic cyber-attacks.⁴
Cyber-crime
Cyber-crime describes those criminal activities carried out by means of computers or on the Internet.
In June 2014, the Home Ofce, along with the NCCU’s Strategic Governance Group (SGG), agreed on
defnitions to reflect the scope of cyber-crime. The four broad categories can be defned as:⁵
There were an estimated 3.6m cases of fraud and two million computer misuse offences reported in
the most recent Crime Survey for England and Wales. Including the offences for the frst time in its
annual report covering the year to September 2016, this makes up nearly half (47%) of all overall crimes
reported.
Crime Survey for England and Wales,
to year ending September 2016
„ Fraud 30%
„ Computer misuse 17%
„ All other crime 53%
Policing and the Internet of Things 9
Cyber-crime is also considered to be massively underreported. Nobody knows the true extent of it. Sir
Tom Winsor, HM Chief Inspector of Constabulary for England and Wales, told BBC Radio 4 in January
2017 that many frauds go undetected, with most never reported to the police:
“the amount of fraud that is taking Place now is Probably
in ePidemic ProPortions. the Police are having to work very,
very hard to keeP uP with even the ones they know about. the
caPability at Police forces is quite skeletal and that needs to
change and change a great deal.”⁶
Meanwhile, Chris Greany, the National Coordinator of Economic Crime at the City of London Police has
said:
“the scale of the challenge is such that Prevention, and
helPing businesses and individuals Protect themselves, is the
only long-term way of combating the escalating threat.”⁷
The UK economy lost nearly £11 billion to fraud and cyber-crime over 2015/16.⁸ In effect, this represents
a loss of around £210 per person over the age of 16 living in the UK. Research by GetSafeOnline suggests
that the fgure is actually £523 per person for victims of cyber-crime⁹ – trying to include incidents that
go unreported.
Beyond cyber-crime, most traditional criminal offences now leave some form of digital footprint. This
might, for instance, include evidence left on an Internet-enabled device, or an individual livestreaming an
offence on Facebook Live.
The key challenge today is not any particular offence – but rather the scale of the offending and the
complexity associated with securing evidence from an infnite range of devices and services across the
globe. Cyber creates a whole new vector for criminals to act more creatively, at signifcant scale, with an
exponentially greater frequency and level of risk of harm.
The Digital Footprint
The ability for law enforcement to investigate and prosecute offences with a digital component is a
challenge – not just technically, but in terms of volume. As technology has proliferated in society – 70% of
the public own a smartphone¹⁰ – so it has proliferated among criminals in the commission of their crimes.
Indeed, the majority of crimes now leave some form of digital footprint, given the prevalence of
connected devices. This might be the relatively rudimentary communications data showing a burglar to
be placed in the vicinity of a particular crime, through to the Amazon Echo data that the FBI in the US
fought legal battles to access in a murder case in 2016.
This means that while the police are managing rising levels of cyber-crime, even traditional crime has
taken on a digital element as well.
This sort of ‘digital footprint’ is readily understood by law enforcement as an information and evidential
resource that they can call upon. It is, in effect, similar to other third party data that they might seek in
the course of an investigation, such as fnancial records, telephone call records or CCTV footage.
However, with the advent and proliferation of connected devices, the digital footprint now includes data
that can be generated on-demand. For example, the ‘Find My iPhone’ web service that allows users to
geolocate their phone in the event of it becoming either lost or stolen. This data is, of course, still thirdparty in nature, but conceptually it differs from the traditional digital footprint – it is data that does not
exist until it is called upon.
The Internet of Things presents law enforcement with the opportunity both to acquire historical third
party data, and potentially to interrogate and generate new data in real-time. Clearly, there are legal,
ethical and logistical challenges associated with this.
10 Policing and the Internet of Things
It will be vital to develop new frameworks and mechanisms by which these data sources can be accessed
and utilised. If used with accountability, creativity and consideration, signifcant opportunities exist in
relation to the prevention of crime and the protection of society.
The Internet of Things
The IoT is the notion of devices and sensors – not just laptops or smartphones, but everyday objects –
being connected to the Internet and to each other.
This includes everything from tablets to washing machines to burglar alarms to car parking sensors. It
also applies to components of larger machines, like computer systems in a passenger airliner or the drill
of an oil rig. Analysts argue that by 2020 there will be an estimated 50 billion connected devices.
Estimated number of connected devices worldwide 2012-2020¹¹
Internet of Things in numbers
• On average there are now 8.3 connected devices in the UK home.¹²
• By 2020, each person is likely to have an average of 5.1 connected devices on their person.¹³
• Internet of Things (IoT) sensors and devices are expected to exceed mobile phones as the
largest category of connected devices in 2018.¹⁴
• By 2020, more than half of major new businesses will be using the Internet of Things in some
capacity.¹⁵
Policing and the Internet of Things 11
P  
art two
the new risk landscaPe
12 Policing and the Internet of Things
For almost all types of organised crime, criminals are deploying and adapting
technology with better skill and to ever-greater effect. Europol has argued that this is
now the greatest challenge facing law enforcement authorities around the world.¹⁶
The IoT is a growing component of this risk. Ransomware, for instance, has become a major concern in
terms of threat and impact. It encrypts victims’ fles, denying them access unless the victim pays a fee to
have them decrypted. Worries about ransomware came to the fore in May 2017, when large swathes of
the NHS IT system were temporarily shut down by a ransomware attack. However, concerns have been
raised before – including those focused on the growing vulnerability IoT engenders. The NCA-NCSC
assessment in March 2017, for instance, noted that the rise of internet connected devices gives attackers
far more opportunity: “Consumer goods and industrial systems combined with the ever increasing
commercial footprint online provides threat actors with more attack vectors than ever before.”¹⁷
The vast and rapid growth of these connected devices has increased the vector for cyber criminals to
operate on exponentially – and has provided new opportunities for criminals operating in the physical
world. Items compromised range from baby monitors to air conditioners to automobiles.¹⁸ It is likely
that the police will see a growing number of IoT-related crimes within the next 12 months. Users of IoTenabled devices might be divided into three groups: consumers, businesses and public spaces.
I. Consumers
The expectation is that the growing number of smart devices owned by individuals – from speaker
systems to smart TVs to energy meters – is culminating in the ‘smart home.’ A smart home has a
communications network that connects key appliances and services, allowing them to be remotely
controlled, monitored or accessed on a smartphone, tablet or laptop. For example, a refrigerator may be
able to catalogue its contents, suggest menus and order replacements as food is used up. Smart homes
create enormous opportunities to create efciencies, and improve the way we live. A 2014 study by
Accenture predicted that 69% of homes will have a smart device by 2019.¹⁹
However, such connectivity poses several challenges. There are issues around privacy – which devices can
share what information with each other? (Should your toothbrush be able to provide data to your fridge,
and who should have access to this data?²⁰). There are also concerns about compatibility. Making IoT
applications interoperable – linking a patient’s home health monitor to the hospital’s health system, for
example – is a complex systems design challenge.²¹
One of the most pressing issues is security. No device connected to the internet can, by defnition, be
described as totally secure. Indeed, there have been high-profle examples highlighting the difculties
in securing these devices to the standards we have come to expect. So the more personal devices
connected to the internet, the broader the attack surface.
There have been a number of examples of meeting this challenge. UK industry and government, for
example, have worked together to roll out smart meters safely and securely in recent years. More
than 3.6m smart meters have already been installed in UK homes and businesses, with 53m due by
2020.²² After discovering loopholes in meter designs used abroad that could pose a security risk, they
redesigned the Smart Metering System with “proportionate, practical security controls.”²³ Horizon
scanning and joint working between industry and government helped enable effective analysis of the risk
before mass deployment, and the devices’ subsequent secure rollout.
However, the risks are growing. Perhaps most troubling, our private information held on these devices
might be accessed and misused. Many connected devices hold a huge amount of personal data, like
photos, personal messages and ftness information – which could be of value to criminals. For example,
a burglar accessing your smart home devices could deduce when you are not home, and when they
can gain access. More broadly, there are concerns of the impact of one weak link. A vulnerability in one
connected device could be exploited to access an entire network.
Policing and the Internet of Things 13
II. Businesses
The IoT will also have a signifcant impact on businesses, be it networks of connected objects, machinery
and IT systems (the Industrial IoT), or employees equipped with wearable tech.
Alongside the enormous opportunities IoT presents for business, there are also several issues related to
the deployment of connected devices in industry. Aeroplanes, energy grids, industrial control systems
and the like are all obviously targets for criminals, as is employee personal data (as they are today).
One of the industries most embracing of IoT is automotives. Given the prevalence of internet-connected
devices in cars already, however, there are already vulnerabilities. In 2015, Chrysler announced a recall for
1.4m vehicles after a pair of hackers demonstrated to WIRED magazine that they could remotely hijack
a Jeep’s digital systems over the Internet.²⁴ Indeed, the FBI released a warning to drivers later in 2016
about the threat of over-the-internet attacks on cars and trucks.²⁵
With the onset of driverless vehicles, there will be more connected elements and more opportunities
to steal it, interfere with it or misuse it. Future break-ins could even affect more than one car at a time,
disrupting trafc flow or targeting entire fleets.²⁶
III. Public spaces
Smart Cities (IoT deployed in public spaces) will transform urban living. Analysts in Barcelona estimate
that IoT systems have already helped the city save almost $100m a year alone from connected water
management and smart street lighting.²⁷
However, there are immediate challenges. Like with homes and businesses, as urban centres expand their
reliance on automated sensors and algorithms, they increase risks of data theft, infrastructure breaches,
and expand the attack surface. Taking control of parking, trafc lights, street lighting and many other
systems could be appealing to criminals with a range of objectives.
Public services, like police departments, hospitals or schools are all also vulnerable to cyber attack.
Threats of tampering with pacemakers, hospital equipment or police data are just some of the possible
nightmare scenarios.

14 Policing and the Internet of Things
Part three
the state of Play
Policing and the Internet of Things 15
At the core of the mission for British policing – ever since the creation of the
Metropolitan Police in 1829 – has been the detection of crime:
“the basic mission for which Police exist is to Prevent crime and
disorder.”²⁸
In the context of IoT and a world in which the vast majority of crime leaves a digital footprint, both the
opportunity and potential for preventing crime has grown signifcantly.
The UK is a global leader in cyber security. Following on from the previous Government’s aspiration to be
one of the safest places in the world to do business,²⁹ there are a number of institutions that have made
the UK so effective. The globally renowned GCHQ is central to our success, and the opening of the NCSC
in February 2017 is another landmark. More broadly, the UK also has a robust cyber security industry, with
hubs across the UK selling their products globally.
Meanwhile the police have – at the same time as losing 22% of their funding in fve years³⁰ – developed
new processes and structures for the public to report cyber-crimes, and for the police to investigate
them, with notable results. The Met’s Cyber-Crime and Fraud Team, Operation Falcon, for instance, have
charged almost 1000 suspects and seized £12m from cyber criminals.³¹
The Joint College of Policing, NPCC and NCA 2015 strategy document – ‘Digital investigation and
intelligence: policing capabilities for a digital age’ – outlined an aspiration to do more:
“in order to continue to abide by the Peelian PrinciPle that the
Police are the Public, and the Public are the Police, forces must
ensure that they embrace technology, and keeP Pace with future
develoPments.”³²
Three recommendations were laid out: accelerating Digital Investigation and Intelligence capabilities, the
right governance for a digital initiative, and driving the digital transformation.
In the two years since, progress has been made on each of these objectives, yet, challenges remain. The
underreporting of cyber-crime is one, in which there remains only a small chance an offender is brought
to justice. Another is the impact on business: SMEs in particular are increasingly affected by cyber-crime,
with 66% having been a victim in 2016, suffering an average loss of nearly £3000.³³
The focus here is to consider the current state of play through the lens of IoT, considering how different
aspects of policing may be affected.
Cyber-crime reporting and advice
Action Fraud
Action Fraud, established by the City of London
Police, is the UK’s national fraud and cybercrime reporting centre. If a business, charity or
other organisation suffers a cyber attack, it can
be reported to Action Fraud on a 24-hour help
line, using an online fraud-reporting tool, or by
chatting to an online advisor.³⁴
As IoT grows, Action Fraud must be able to adapt
advice quickly as new forms and frequencies
of crime emerge. The priority now must be
channelling people towards Action Fraud, and
making reporting a cyber-crime a universal step
undertaken by all victims. With more accurate
statistics about the scale and form of cybercrime, police will be better able to prioritise and
respond to fast-changing technologies.
City of London – GetSafeOnline
GetSafeOnline is a partnership with the City of
London Police offering free expert advice. It
prioritises offering ‘unbiased, factual and easyto-understand information on online safety,’
as their website provides practical advice to
protect personal computers and devices, as well
as businesses. It also contains guidance beyond
common fraud – like safe online shopping, gaming
and dating. Indeed, there is already advice about
the Internet of Things.³⁵
The challenge now is signposting people towards
it, especially ensuring frontline ofcers know to
direct communities to their advice and provide
the same insights in person.
16 Policing and the Internet of Things
National police structures

Role IoT
Home OfceThe Home Ofce is the lead government
department for immigration and passports, drugs
policy, crime, fre, counter-terrorism and police.
It provides funding, policy and support to police
forces.
The Home Ofce’s Police Information and
Digitisation Unit has been leading the drive in
forensics, biometrics and digital transformation.
The aim is to support the police in the challenges
and opportunities of digitisation. A large part of
preparing forces for the IoT will be such effective
coordination and facilitation.
National Crime Agency (NCA)The National Cyber-crime Unit in the NCA leads the
UK’s response to cyber-crime, supporting partners
with specialist capabilities and coordinating
operations regarding the most serious threats.
Working closely with the ROCUs, the Metropolitan
Police Cyber-crime Unit, and partners within
industry, government and international law
enforcement, the NCCU seeks to respond rapidly to
changing threats.
The NCA acts along each of the ‘4 Ps’ initially
laid out in counter-terrorism strategy: Prevent,
Pursue, Protect, Prepare. Their Prevent work is
based on understanding of the pathway into
cyber-crime. This includes both tactical operations
and communications, education and research
programmes.
Work is already on-going on the impact of the
IoT, not least the joint assessment with the
NCSC in March 2017.³⁶ More broadly, as the NCA
focuses investigations on the most prolifc and
sophisticated cyber-crime, the priority must be to
expand this knowledge and experience to ROCUs
and police forces.
National Police Chiefs Council (NPCC)The NPCC represents police chiefs and acts as a
national coordinating body for a range of police
activities. One of the NPCC’s priorities is improving
digital policing. A Digital Policing Board, chaired by
Chief Constable Steve Kavanagh, was established
to lead reform. Members include PCCs and senior
representatives from Forces and national bodies.
The Board spans three separate portfolios: Digital
First; Digital Public Contact, and Digital Intelligence
and Investigations.
ACC Richard Berry is the NPCC lead for DII, and
already leads work on and speaks publicly about
the new risks posed by the IoT.
Metropolitan Police Service (MPS)FALCON (Fraud and Linked Crime Online) is the
MPS cyber-crime unit. Its mission is to reduce
the harm caused by fraud and cyber criminals in
London. The MPS, like a growing number of police
forces, also has a dedicated digital forensics lab,
where complex casework is undertaken alongside
research and development activities, like the
creation of new tools and techniques.
FALCON covers a variety of investigation and
prevention work. The MPS Digital Forensics Lab
comprises a large team investigating high volume
crime, working not only in London but also with
forces across the country.
The Head of the Digital Forensics Lab, Mark Stokes,
has already been a vocal proponent of the impact
of the IoT on policing, telling The Times in January
2017: “The crime scene of tomorrow is going to be
the internet of things.”³⁷ Maximising opportunities
like this to make use of the IoT will require clear
procedures, as well as the spreading of knowledge
across forces.

Policing and the Internet of Things 17

Role IoT
City of London PoliceThe City of London Police Economic Crime
Directorate is recognised as the national policing
lead for fraud, and is dedicated to preventing and
investigating fraud at all levels. It houses the
National Fraud Intelligence Bureau, which uses
the millions of reports of fraud to identify serial
offenders, organised crime gangs and established
and emerging crime types. The Fraud Squads
investigate complex, signifcant and high profle
cases of fraud.⁴⁰
Considering the impact of the IoT in a 2015
research report, the City of London Corporation
concluded: “one of the unintended consequences
of the massive growth in connected technologies
has been to make it more complex for those
individuals who are not ‘cyber-savvy’ to understand
and act upon the different security risks presented
by technical devices such as computers, mobile
phones and tablets.”⁴¹ As the City of London
continues to disrupt major economic crime, it
will be important for their teams to communicate
effectively, spreading knowledge to police forces
across the country.
Regional Organised Crime Units (ROCUs)The 9 ROCUs provide a range of specialist policing
capabilities at a regional level, which help forces
to tackle serious and organised crime effectively.⁴²
They investigate and disrupt organised crime
groups operating across police force boundaries.
Roles can also include specialist support for forces
during cyber-crime investigations, and advice
aimed at industry and the public about how to
increase protection from cyber-criminals.
ROCUs investigative cyber-crime capacity is
comparatively new. Despite this, they already have
a number of capabilities. They provide a bridge
between national and local policing, while they
can also house regional e-forensics units. Many
cyber-crime capabilities are costly, highly specialist
or relatively rarely needed by forces, and so it
has made sense to place them at ROCU level. In
May 2015 it was announced that regional cyber
operations would be expanded, “so that each of
the 9 Regional Organised Crime Units has its own
cyber unit.”⁴³
Police ForcesPolice forces across the UK now have to respond
to the full range of cyber-enabled and cyber
dependent crimes. On the former, many forces now
have effective cyber-crime teams and units. On the
latter, many ofcers have responded to new online
aspects of harassment, fraud and the sharing of
indecent images.
One of the major changes in recent years has been
the rise of the Digital Media Investigator position.
Not only will roles like this continue to grow, but
it is expected that all frontline ofcers will require
the knowledge to make these assessments in
responding to incidents.
In the coming years, ‘cyber-crime’ will be less an
independent and distinct category. Many or even
most crimes will involve some digital element or
footprint. Ofcers will need to be equipped with
the right skills and tools to do their work.
Police and Crime Commissioners (PCCs)PCCs are elected representatives who work
to ensure police forces in England and Wales
are ‘running effectively.’ They replaced police
authorities in 2012 and were intended to bring
a public voice to policing. Many have shown a
growing interest in cyber-crime. For example
PCCs for Warwickshire, West Mercia and the West
Midlands joined together with Warwickshire County
Council and partners in 2016 to launch the second
annual cyber-crime survey to assess the impact
online crime is having around the region.⁴⁴
As elected representatives with fnancial powers,
PCCs have a major role to play in setting the
priorities for adapting to the new technological
environment. One important part of this will be
making sure PCCs have the skills and knowledge to
make effective judgments. A critical step taken was
the creation of the Police ICT Company. The aim
of the Company is to act as a bridge between the
policing, technological and commercial worlds.
Supporting the Company to fulfl its mission should
be a top priority for PCCs in managing the impact
of the IoT. Procuring a range of new technologies
quickly will be one of the most important features
of successful police force in the coming years, and
national coordination is critical.

18 Policing and the Internet of Things
Part four
challenges and oPPortunities
for the Police
Policing and the Internet of Things 19
Challenges for the police
There are fve major challenges for the police in adapting to the changes brought by the IoT:
1. New forms of traditional crimes
As outlined in Part II, the IoT will create new forms of crimes at home, in the workplace and in public.
Already theft, ransom and fraud are being committed via digital means, and in the future it might include
even more serious incidents (like turning off healthcare devices) or public disorder.
New incarnations of traditional crime will raise multiple questions. What are the greatest risks? Is new
policy or legislation necessary? How can response be quickly adapted to new situations? At a time of
limited resources, horizon-scanning is difcult to do. It will be important for the police to work with
partners in government, industry and civil society to consider these challenges.
2. Volume of crime
One of the major challenges with any form of cyber-crime is the perception of low risk, and the ability
to perpetrate at high volume. Digital disguise makes attribution costly and difcult, while the nature of
the Internet makes it possible to commit crime at mass volume. One of the most famous examples in
recent years – considered the frst major IoT cyber attack – was the October 2016 Dyn hack. Hackers used
internet-connected home devices, like CCTV cameras and printers, to attack popular websites, causing
sites like Twitter, Spotify, and Reddit to be taken ofine. Dyn is a DNS service – an internet ‘phone book’
– which directs users to the internet address where the website is stored. It was attacked by a distributed
denial of service (DDoS), which relies on thousands of machines sending coordinated messages to
overwhelm the service.
The actual frequency, scale and impact of IoT-enabled cyber-crime like this will be difcult for police
to accurately predict in the short term. Many experts highlight the enormous risk, but have difculty
pointing to many real-world examples involving smart fridges and similar. However, the volume of cybercrime and fraud should be considered as some indication – the IoT is simply a new vector for the same
growing group of actors to operate on, and (at the moment) often face weaker security barriers.
3. Skills and resources
A growing number of police ofcers are leading the response to changes brought by technology
impressively. There is no question, however, that more could be done to give ofcers more effective
resources in managing digital change. A lack of tools, capabilities and the appropriate training are some
of the most signifcant constraints on the police’s ability to tackle the growing threat of cyber-crime in an
IoT world.
A November 2016 HMIC report warned about the chronic digital skills shortage in policing, which
can lead to signifcant delays in gathering and processing digital evidence.⁴⁵ And Deputy Chief
Constable Peter Goodman told the Police Federation National Detectives’ Forum (PFNDF): “We are still
consistently letting victims of cyber-crime down where, frankly, policing is not great,” he said, urging
forces to educate frontline ofcers to recognise threats from cyber-crime.⁴⁶ The Home Ofce and Law
Enforcement Agencies need to agree a robust and realistic approach to addressing the digital skills gap
in policing.
4. Role of policing
It is telling that the Government’s Internet of Things review (December 2014) mentions security 48
times – and does not mention the police once. This is understandable. The line between cyber-crime
and national security is blurred; most cyber-crime emanates from overseas; and much of the expertise
in public computer security has been based in GCHQ and now the NCSC. This does, however, raise
questions. Is it the police’s primary role only to detect crime after the event, or is crime prevention as
important as detection? When it comes to crime prevention and the IoT, what role should the police play
in encouraging manufacturers to build in better device security? If the volume of cyber-crime and fraud is
so substantial that the police lack resources to respond effectively, how can they work with other entities
to help manage it?
This report does not answer these questions, but it does seek to spark debate. Police leaders and techUK
have already begun considering this issue in discussions. In an era of limited resources, a recognition of
priorities – and the implementation of strategy accordingly – must be a priority.
20 Policing and the Internet of Things
5. Legislation, Protocols and Governance of Data
As new technologies emerge, there is a challenge to develop effective protocols to reflect the new
landscape. The vast amounts of data now generated online creates vast opportunities to anticipate risk,
and predictive policing is already being trialled. Indeed, the Met Police disclosed in December 2016 that
they have actively been exploring the use of predictive policing, with trials of three predictive mapping
companies between May 2014 and April 2015.⁴⁷
Providing assurances that this data is used in a way that is ethical and effective will require robust public
discussion, especially as much of this technology remains unperfected.
Opportunities for the police
There are four major opportunities for the police in adapting to the changes brought by Internet of
Things:
1. Crime detection
Opportunities provided by new technologies range from the everyday to the almost-science fction. In
March 2017, for instance, the New Scientist highlighted research into using robots to question children
in child abuse investigations; the thinking being, a robot is more likely to ‘stay neutral’ and gather highquality and court-admissible evidence.⁴⁸ At a more basic level, IoT devices ranging from home security
systems to sensors across smart cities will help enable police to know, in the most serious crimes, where
a suspect was, who they were with and what they were doing. Some have theorised that this may indeed
act as a deterrent, as criminals know they have a far more likely chance of being caught. Clearly, the
potential gains in public safety have to be balanced with privacy and ethics concerns. Many advanced
technologies being trialled are in early developmental stages. However, it is undeniable that new
technologies offer potential for the police to provide superior public safety to their communities.
2. Risk analysis and prioritisation of resources
Advanced use of data – bringing together and analysing information from a number of sources – could
help the police better prioritise resources and protect ofcers. Visualisation systems now exist that allow
forces to monitor and integrate a wide array of data streams, like transit maps, weather reports and crime
statistics. Authorities can then look for patterns and trends.⁴⁹
Clearly, there are also enormous ethical and legal challenges in understanding if these technologies
should become widely used, and if so, in what scenarios. Indeed, consideration and discussion of
these tools must be a priority for the new Parliament in 2017. Effective risk analysis, however, could be
transformative in helping the police understand where best to deploy critical community resources. It
could also help better inform ofcers when there is a greater risk to their personal safety, and so what
precautions may be required.
Policing and the Internet of Things 21
3. Evidence-gathering
Digital forensics is a growing aspect of everyday policing. The IoT, however, has the potential to make
it easier and quicker to gather evidence. Mark Stokes, the head of the digital forensics lab at the
Metropolitan Police told The Times in January 2017:
“wireless cameras within a device, such as fridge, may record
the movement of owners and susPects. doorbells that connect
directly to aPPs on a user’s Phone can show who has rung
the door and the owner or others may then remotely, if
they choose, to give controlled access to the Premises while
away from the ProPerty. all these leave a log and a trace
of activity. the crime scene of tomorrow is going to be the
internet of things.”⁵⁰
Mr Stokes said detectives of the future would carry a ‘digital forensics toolkit’ that would allow them to
analyse microchips and download data at the scene, rather than removing devices for testing.⁵¹
If this scenario were put into action, such toolkits could vastly accelerate police investigations, as ofcers
would be able to extract the information required far more quickly than at present.
4. Police and public safety
Perhaps the most important IoT opportunity for the police is the ability to improve safety while saving
money. This can take a number of forms. Connected autonomous vehicles will provide the opportunity
to cover areas that might otherwise not have been prioritised. Systems are already being designed that
allow connected ambulances, police cars and fre engines to communicate with other vehicles on the
road. A device in the emergency vehicle would broadcast that it is approaching before the driver could
see or hear flashing lights and sirens, which could dramatically improve response times.⁵²
Similarly, body cameras have already been deployed across forces to improve accountability, while
sensors offer a further opportunity to support ofcers operating in the most dangerous environments. A
pilot programme in Dubai involving police sensors has enabled the control room to see if an ofcer has
been incapacitated and is lying horizontally, or if they are having a medical emergency.⁵³ Indeed, the
improved situational awareness for frst and second responders during crises could be transformative.
Providing as much detailed information as possible will help inform decision-making and judgment in the
most challenging circumstances.
Obviously, these technologies raise a number of questions, not least because many are still experimental.
However, they offer a glimpse into what kinds of services the IoT could provide to improve public safety.
22 Policing and the Internet of Things
P  
art five
conclusion and
recommendations
Policing and the Internet of Things 23
In the coming years, the distinction between cyber- crime and other crime will
deteriorate. Trends indicate that most crimes will involve some use of the Internet, or
create some form of digital footprint. All ofcers will require the resources and skills
to respond to this.
With this in mind, the police should look for closer collaborations with new partners, especially in
industry. While the police service will need to invest heavily in giving ofcers the skills to manage this
new reality, they must also work closely with industry and civil society to reduce the risk and acquire the
right technologies to do their work effectively.
This echoes the NCA’s call in 2016:
“the sPeed of criminal caPability develoPment is currently
outPacing our resPonse as a community and … only by working
together across law enforcement and the Private sector can we
successfully reduce the threat to the uk from cyber-crime.”
Above all else, a national vision for policing and technology is required. New technologies offer enormous
potential for improving public safety – but must be balanced with real ethical and legal concerns.
Accountability and transparency are critical values of modern policing; to maintain policing by consent
in a digital age, it will be essential for communities to understand and have confdence in the tools being
used by the police. One of the frst priorities of the new Government must be to examine this issue, and
work with the police to craft a national strategy.
Within the scope of this report, however, six recommendations are listed as tangible frst steps towards
achieving the broader aim of a police force prepared for the Internet of Things.
Addressing the challenges
1. A new model for partnership with industry and academia
It is critical that police forces are able to acquire the tools they need to tackle growing threat. In order
to access the specialist external skills and capabilities they need, there needs to be a framework that
would allow police to contract for the expertise and innovative tools they need in an agile and fast way.
The police need to be able to easily access a flexible range of specifed capabilities and skills from local,
regional and national companies. One such model is a Managed Service Provider (MSP). This could work
as a partnership between police forces and specialist suppliers, in which a middle component – the MSP –
exists to manage interactions and maintain the agility that is needed to tackle crime as dynamic as cyber.
The MSP will provide the coordination between the buyer and supplier, vetting and accrediting suppliers
according to strict rules laid down by the Home Ofce.
Potential Structure of Managed Service Provider Model
24 Policing and the Internet of Things
Regular war-gaming exercises with industry and academia would allow all three parties to build links,
develop understanding and improve response to real world investigations. Running a crisis scenario
with various devices and tasking police to work with designated participants would help ensure law
enforcement can stay on top of emerging technologies, and deepen wider understanding of the specifc
requirements of law enforcement. Ideas for scenarios could come from industry and academia, as well as
the police. Debrief and lessons learned should inform further strategy and priorities.
The creation of a police accelerator programme would also offer enormous potential for policing
to develop the tools they need to tackle this threat. The NHS and other public services have already
established their own accelerator programmes. A police accelerator will enable forces to harness
opportunities at low cost, while providing a direct route to the most cutting-edge technologies. It
is a quick way to generate cultural change, and create capabilities to maintain and improve police
effectiveness. A business plan should be created to develop a pilot project.
2. Redeployment of the security index
A security index of different specifc services or devices will reward best practice and drive
improvements. This is based on the success of the Car Theft Index in the 2000s. The number of car
thefts decreased by 16% between 2004 and 2005, with the fall being attributed to improved security
features on the latest vehicles.⁵⁵ Then Home Secretary John Reid said: “The car theft index is a consumer
tool, maintaining pressure on manufacturers to make sure security is a key factor when they design and
make their cars.” In this context, a security index for those devices most featured in crime reports might
be developed. One could be redeveloped for cars, now highly connected. Given that data on the make
and model is already recorded, this would be practicable in the short term, and reassert the police’s role
in helping inform consumers. In the future, one can imagine an index being applied to home security
systems, home assistants or even service providers.
3. Public outreach and a prominent police voice
The NCSC and GCHQ are working hard to create tools and advice for businesses and the public to reduce
cyber-crime. The police must work closely with them, providing input where needed, and staying fully
versed in these technologies, playing a prominent role in deploying them and helping communicate their
purpose and operation to communities.
Public outreach efforts could also be enhanced by the production an educational resource pack for
teachers focused on cyber-crime prevention. Existing cyber-crime prevention research, undertaken by
the NCA and others, has identifed perpetrators of cyber-crime having begun such activities at a young
age. Teachers provided with basic resources and information to discuss the risks of illegal behaviour
online could enable vital interventions at a vulnerable age. Based on the #CyberChoices campaign, they
should be enabled to give clear information of what illegal cyber activity is, what the risks are – and what
the consequences are.
Policing and the Internet of Things 25
Maximising the opportunities
4. Digital skills across the policing curriculum
The capability of frst responders is crucial in building the public’s trust and confdence in the police’s
ability to tackle cyber-crime. This is important if victims are to be encouraged to report these crimes,
especially as cases of online crime grow with the IoT. Embedding of digital skills throughout key policing
education and development – both as a standalone module and throughout wider teaching – will give
more ofcers greater confdence in exploiting technology. This would include Foundation Training,
Professionalising Investigation Programme (PIP) and Strategic Command Course, and focus on digital
forensics, cyber-crime and data analytics. These elements should be embedded across the curriculum,
with each part requiring an associated level of digital awareness.
5. Greater resources for public safety app creation
The use of apps offers enormous opportunity to create efciencies in policing, saving time and money.
Experimentation is already ongoing. In May 2016 it was reported that police were considering an app
to anonymously report online security breaches.⁵⁶ In October 2015, a smartphone app was launched to
make it easier for Londoners to report hate crime and access support services.⁵⁷ Perhaps most groundbreaking, smartphone deployment for ofcers where it has occurred has enabled a number of functions
outside the station, providing apps for activities like accessing local CCTV and fling crime reports. With
the IoT, the potential of apps is even greater. Within a smart city crime-reporting apps could be built into
connected infrastructure, and such public-facing apps could vastly increase the reporting of crime and
intelligence-gathering. Moreover, mobile apps for police devices could allow for much greater efciency
at the scene of a crime, with apps ranging from forensic examination to recording witness accounts.
Perhaps most fundamentally, apps making it easier for at-risk communities to report crime could create a
more effective link between the police and some of the most vulnerable populations.
6. Cyber security as corporate social responsibility
It is difcult for the police to attract and retain individuals with the skills required for effective digital
policing. Employer Supported Policing (ESP), a scheme in which an organisation can support staff
in volunteering as a Special Constable, is already in place. Indeed, special ofcers with unique skills
responding to digital challenges are already volunteering. However, to boost and maximise these existing
opportunities, volunteering as a special constable should be highlighted by the Home Ofce and Treasury
as a way of fulflling a company’s CSR requirements. For companies, the benefts can be substantial:
staff development at little or no cost, greater staff retention and morale, and having a new institutional
expertise on crime. The Home Ofce and the Treasury should work together to facilitate the ESP with a
focus on digital skills.

26 Policing and the Internet of Things
references
1. BBC Click podcast, 2016 https://itunes.apple.com/gb/podcast/click/
id73331490?mt=2&i=380091351.
2. ‘Fraud and cyber-crime are now the country’s most common offences,’ Martin Evans, The
Telegraph, 19th January 2017.
3. ‘Britain hit by surge in violent crime’ 12the April 2017 http://www.telegraph.co.uk/
news/2017/04/12/britain-hit-surge-violent-crime-senior-ofcers-criticised-ignoring/.
4. ‘The cyber threat to UK business,’ NCA-NCSC, 14th March 2017.
5. These defnitions were agreed upon at the ‘Digital Intelligence and Investigations Workshop’,
College of Policing, Ryton, June 2014.
6. ‘Cyber-crime and fraud scale revealed in annual fgures,’ BBC News website, 19th January 2017.
7. ‘Cyber-crime fgures prompt police call for awareness campaign,’ Alan Travis, The Guardian, 21st
July 2016.
8. According to the National Fraud Intelligence Bureau, GetSafeOnline website, 18th October 2016.
9. ‘Fraud & cyber-crime cost UK nearly £11bn in past year,’ GetSafeOnline, 18th October 2016
10. Fast Facts, Ofcom, Q1 2016.
11. ‘Internet of Things (IoT): number of connected devices worldwide from 2012 to 2020,’ Statista,
https://www.statista.com/statistics/471264/iot-number-of-connected-devices-worldwide/.
12. 2015 Full Year Digital Adspend Results, Internet Advertising Bureau UK, 14th April 2016.
13. ‘Power Management in Internet of Things (IoT) and Connected Devices,’ Frost and Sullivan, 13th
April 2015.
14. Ericsson Mobility Report; June 2016.
15. ‘Predicts 2016: Unexpected Implications Arising From the Internet of Things,’ Gartner, 3rd
December 2015.
16. Europol’s Serious and Organised Crime Threat Assessment, 9th March 2017.
17. ‘The cyber threat to UK business,’ NCA-NCSC, 14th March 2017.
18. ‘Changing the security mindset for the IoT,’ Jeffrey Esposito, Kaspersky labs, 17th March 2016.
19. Accenture, 2014 State of the Internet of Things study .
20. Though much of this will be covered by the expanded defnition of personal data in the General
Data Protection Regulation.
21. ‘Unlocking the potential of the Internet of Things,’ McKinsey, June 2015.
22. ‘MPs warned of sabotage threat from smart meter hackers,’ Pilita Clark, Financial Times, 24th
September 2016.
23. ‘The smart security behind the GB Smart Metering System,’ Dr Ian Levy National Cyber Security
Centre, 25th April 2016.
24. ‘The Jeep Hackers Are Back to Prove Car Hacking Can Get Much Worse,’ Andy Greenberg, Wired
Magazine, 1st August 2016.
25. ‘The FBI Warns That Car Hacking Is a Real Risk,’ Andy Greenberg, Wired, 17th March 2016.
26. ‘Connected car report 2016: Opportunities, risk, and turmoil on the road to autonomous vehicles,’
PWC, 28th September 2016.
27. Harvard University Report http://datasmart.ash.harvard.edu/news/article/how-smart-citybarcelona-brought-the-internet-of-things-to-life-789.
28. Sir Robert Peel’s Principles of Law Enforcement, 1829.
Policing and the Internet of Things 27
29. ‘Britain’s cyber security bolstered by world-class strategy,’ Philip Hammond, gov.uk, 1st November
2016.
30. Chief Constable Michael Barton of the National Police Chiefs’ Council, ‘Police ‘rationing’ puts
public at risk, warns watchdog,’ Dominic Casciani , BBC News Website, 2nd March 2017.
31. Detective Superintendent Neil Ballard, ‘Crimewatch,’ BBC One, 20th March 2017.
32. Foreword, Mary Calam, Home Ofce, ‘Digital investigation and intelligence: policing capabilities
for a digital age,’ CoP, NPCC and NCA, April 2015.
33. ‘Cyber Resilience: How to protect small frms in the digital economy,’ techUK, 13th June 2016.
34. Action Fraud ‘Contact Us’ http://www.actionfraud.police.uk/contact-us.
35. ‘The Internet of Things,’ City of London Police/GetSafeOnline website.
36. ‘The cyber threat to UK business,’ NCA-NCSC, 14th March 2017.
37. ‘Washing machine will turn detective,’ The Times, 2nd January 2017.
38. City of London Police website.
39. Ibid
40. Ibid
41. ‘The Implications of Economic Cyber-crime for Policing,’ City of London Corporation, October
2015.
42. The 9 ROCUs are: SEROCU (South East); Zephyr (South West); Tarian (Southern Wales); ERSOU
(Eastern Region); WMROCU (West Midlands); EMSOU (East Midlands); TITAN (North West); Y&H
(Yorkshire and Humber); NERSOU (North East).
43. ‘2010 to 2015 government policy: cyber security,’ gov.uk website, last updated 8th May 2015.
44. West Midlands PCC website http://www.westmidlands-pcc.gov.uk/news/news-2016/secondannual-cyber-crime-survey-launches-in-warwickshire,-west-mercia-and-the-west-midlands/
45. BBC News 3 Nov 2016: http://www.bbc.co.uk/news/uk-37846705.
46. Police magazine, December 2016/January 2017, p.19.
47. Freedom of Information Request, Metropolitan Police Information Rights Unit, 18th December
2016 https://beta.met.police.uk/globalassets/foi-media/disclosure_2016/december_2016/
information-rights-unit—information-about-predpol-predictive-policing-technology
48. ‘Robots could help police interview children,’ Timothy Revell, New Scientist, March 2017
49. ‘New Technology Could Help Predict When And Where Crimes Will Happen,’ CBS News, 12th
February 2016
50. ‘Fridges and washing machines could be vital witnesses in murder plots,’ Sarah Knapton, The
Telegraph, 2nd January 2017.
51. Ibid
52. ‘Jaguar Land Rover to start real-world tests of innovative connected and autonomous vehicle
technology.’ Jaguar website, 14th July 2016.
53. ‘Dubai’s smart policing pilot shows promise for crime fght,’ Paula Gilbert, ITWeb, 11th December
2015.
54. NCA Strategic Cyber Industry Group, Cyber-crime Assessment 2016 http://www.
nationalcrimeagency.gov.uk/publications/709-cyber-crime-assessment-2016/fle.
55. ‘Security steps see car theft fall,’ BBC News, 22nd December 2006.
56. ‘Cyber-crime police consider app for people to report security breaches,’ Zlata Rodionova, The
Independent, 24th May 2016.
57. ‘Mayor launches new app to make it easier to report hate crime,’ Mayor of London website, 16th
October 2015.
techUK is the UK trade association for the technology industry.
More than 950 companies are members of techUK, collectively employing
approximately 700,000 people. These companies range from leading FTSE
100 companies to new innovative start-ups.
The Justice & Emergency Services Group represents almost 300 companies
operating in the criminal justice and emergency services market. The
group aims to lead debate on new technologies, optimise use of existing
capabilities and provide a forum for law enforcement to engage with
industry.
techuk.org | @techuk
The Centre for Public Safety is a UK-based non-proft advocating for
world-class policing and public safety.
It seeks to promote police and public safety efciency through a mix of
research, action, leadership projects and events.
centreforpublicsafety.com | @CenPublicSafety

Leave a Reply

Your email address will not be published. Required fields are marked *