We are aware that a blog post was published online by an individual claiming to have uncovered security issues with Police CyberAlarm.
The individual’s conclusions are completely untrue and, if left unchallenged, potentially damaging to the Police CyberAlarm project. The review is not a review of the Police CyberAlarm tool. It is in fact a review of an old development tool which has never formed part of the Police CyberAlarm system in any live version.
The individual is fully aware of that fact, but has chosen to go ahead and publish a misleading review about a completely different piece of software which does not feature in Police CyberAlarm and never has.
The actual Police CyberAlarm tool has undergone penetration testing by an independent CREST STAR and NCSC-approved CHECK consultancy, which found none of the issues raised in the review. It would, in fact, be impossible to find the issues raised, as they are not part of the Police CyberAlarm system.
Despite having tried to have a reasonable dialogue with the individual about his claims over a number of weeks, including arranging direct access to the developer of Police CyberAlarm, he has continued to post false claims about the security of Police CyberAlarm and tweet selective quotes out of context from the detailed correspondence and discussions we have had with him.
We are genuinely saddened that this individual has taken steps which have the potential to undermine a police led project which is intended to support thousands of businesses and organisations in England and Wales in their fight against cybercrime.
Regrettably, this individual’s lack of good faith has left us with no other option but to publish the full response sent to him to reassure the information security and business communities that Police CyberAlarm is safe. The Police CyberAlarm is a force for good and is designed entirely with the goal of helping businesses better protect themselves from cyber criminals.
It is absolutely right that people challenge the security of any product or system backed by law enforcement. We will always take any issues raised seriously, as we did in this case. But it is not right for an individual to ignore the facts and post false and misleading information wrongly discrediting a product, and its developer, which has been designed to help protect businesses.
The response below has been redacted to remove contact information.
I have made the NPCC’s position clear and do not think there is anything for us to discuss, nor do I consider that there is any value in meeting with you, not least because the Programme team took the time to engage with you and provide you with clear information and this has either been ignored or misrepresented in your publications, and also because of concerns regarding other representations you have made regarding your conduct, described in further detail below.
As a matter of law, it is for you to be in a position to prove the accuracy and truthfulness of your publications, not the other way around, although we in fact provided you with information demonstrating the falsity of your allegations prior to publication. If you were not and still are not in a position to verify the accuracy of what you have published, this demonstrates that it should never have been published in the first place.
Nevertheless, we are happy to clarify the below in respect of your blog:
In relation to your tweets, in response to a question as to whether the NPCC were aware of the issues you raised and nevertheless launched Police CyberAlarm,
Please note that the mere fact that we haven’t engaged with each and every single inaccuracy in your publications should not be taken to mean that we don’t take issue with them; we felt it appropriate to highlight the most significant issues, and it is not conducive to the delivery of the programme’s objectives to spend further time and public money engaging with these issues or with you.
We note that you have already made one update to your post to correct inaccurate information contained within it which has been pointed out to you by a third party, and that other inaccuracies have also been raised with you by such individuals.
The fact that you now appear to accept that your sensational publications were not accurate is demonstrated by your own further publications, although these have not been published on the same scale as your original publication and have been compounded by further falsities. For example, in reply to a tweet (and therefore not brought to the attention of those who have seen your original publicity) you state, “I’ve no doubt that it’s an old version”, but have then gone on to state “The majority of the issues remain in the actual live version”. In reply to another tweet querying the veracity of your statements, you responded that, “You’re likely looking at the current version Dave, which is CentOS 7”. The truth is that you know and have known for a number of weeks that this has never formed part of Police CyberAlarm and that the issues you identified have never formed part of and do not form part of Police CyberAlarm. Despite this, you continue to publish your blog post including that: “This pilot should be pulled immediately. I'd actually go one step further and question how a product with so many simple but critical security flaws could ever be promoted by the Police”; and, “Following my criticisms over the "old" version, I was given an access code to allow me to download the "live" one. Suffice to say, little has changed”. If and as far as these may represent your opinions, as you have suggested to one individual who raised concerns regarding your approach and conclusions, they are based on facts that you know or should know are false and are not conclusions that could be reached by any reasonable person.
It is of particular concern that you have continued to maintain your erroneous position, even following receipt of my letter of yesterday, which merely serves to demonstrate that your conduct was and remains malicious in the legal sense, that is to say that you are publishing material with knowledge of or reckless disregard as to its falsity. Given the fact that you failed to reflect fairly any of the information you had been provided with by the NPCC’s Cyber Crime Programme team, your publications are not an honest attempt to highlight legitimate issues “so serious questions should be asked”. We note in this regard that you were engaging with third parties indicating that you had received “No official response yet” yesterday, but have not now published anything to the effect that you have received an official response refuting all of your allegations and pointing out that you were aware of the NPCC’s position prior to publication, and nor have you removed your publications.
In your email to me of 21:09 last night, you stated, “I registered my interest and received an installation guide; the contents of which led me to a site to download "CyberAlarm". There are no date stamps, version numbers or indeed anything to suggest the version I was sent was outdated or not intended for public use… It makes sense that anyone else in possession of the incorrect link may also have downloaded the wrong image and as such, it could be running inside a firm's network. As a result, I'm afraid that brings it into scope”. Contrary to what you have suggested, I do not believe you were provided with an incorrect link, and had you followed the instructions that are actually provided to members, you would never have gone down this misguided path.
On 11 November 2020, at around 12:46, you engaged in discussions with Pervade when it was made clear to you that the purported issues you raised were simply not present in Police CyberAlarm and never had been. Despite this, you maintained your position, and at Pervade’s invitation, you committed to sending through the alleged deficiencies with Police CyberAlarm. You failed to do so and instead simply proceeded to publish your inaccurate blog post and tweets.
We also note that you continue to use the Police CyberAlarm logo in breach of copyright and without permission or other lawful justification.
We must insist that you remove the post and tweets, publish the requested retraction and commit that you will cease and desist from publishing the same or similar falsities in future, and that you do so today. Should you fail to do so then we reserve the right to publicise our position regarding your allegations, including our letters to you.
We should also make clear that Pervade Software and its officers and staff reserve all their rights in respect of your publications.