Swedish Police Use WhatsApp For Surveillance Ops, Share Intel With Civilians

New submitter TheP4st writes "A group of Swedish police officers thought it would be a good idea to use WhatsApp as a work tool for surveillance operations. The officer that set up their chat group mistyped one of the phone numbers to mistakenly include a civilian IT teacher. Once the teacher informed authorities about the mistake, it took more than 24 hours before he stopped receiving sensitive case information, which included criminal records, passport photos, and communications between surveillance teams tailing suspects. When confronted by Computer Sweden (Google translation of Swedish original), the officer responsible for setting up the group said, 'I know this server is not located in Sweden and that one cannot share every kind of information.' The only mobile chat medium approved for sensitive information is BlackBerry, and this initiative by a small group of officers happened because they do not have access to BlackBerry handsets."

LOL

[Anonymous Coward]

The only mobile chat medium approved for sensitive information is BlackBerry, and this initiative by a small group of officers happened because they do not have access to BlackBerry handsets.

This problem could have been solved in two ways: 1. Get Blackberries, 2. Upload sensitive data to a private company in a foreign country. It's shouldn't be this easy to pick the wrong one.

Re:

[Anonymous Coward]

Aren't those two options pretty much the same thing? Option three: increase police budget to include a system for such communications, and the necessary insurance, supervision and monitoring to not to fuck the project and the operations up. Surely Swedish engineers are capable enough to implement and run such a system.

Re:

[gl4ss]

police don't need insurance in nordic countries... they'll just say oops.

(and any damage payments would come from state anyways)

Re:

[Kichigai Mentat]

Aren't those two options pretty much the same thing? Option three: increase police budget to include a system for such communications [...]

Nope. BlackBerry Enterprise Server (BES) was developed to do just this job. You spin up a BES instance in your existing IT infrastructure (much like you would set up a Exchange server), and then link your BlackBerry to it. Then basically all communications go through that, rather like a VPN setup. And it's encrypted, too.

SubjectsInCommentsAreStupid

[lesincompetent]

And this is why i use Telegram.
And why you should, too.
Truly cross-platform (even PC!)

Re:SubjectsInCommentsAreStupid

[lesincompetent]

No, i did not read the article before commenting. I hereby certify myself a veritable idiot.

Re:

[wonkey_monkey]

Spoilsport!

Oh FFS!

[Anonymous Coward]

A shoddy chat app that is hardly good enough for personal communication is used for sensitive police work? And if they hadn't used that, they would have used fucking Blackberrys, which also store everything on foreign servers? Does the Swedish police not have an IT department which can provide them with secure communication tools?

Re:

[Anonymous Coward]

"Blackberrys, which also store everything on foreign servers"

Why do you say Blackberry runs only on "foreign" servers? You can have your own Blackberry server in any country you like. Even your own

Re:Oh FFS!

[rasmusbr]

Yes. They use Oracle. It has gone about as well as you would expect. Seriously (in Swedish, sorry). [nyteknik.se]

The last comment on that article claims that the Swedish police basically got a new CIO who felt he had to prove his worth by making some sort grand decision. He decided to switch tracks and use Siebel as the basis of their new system.

Sounds plausible enough.

Re:

[stymy]

BlackBerrys only store stuff in foreign servers by default. You can set up your own servers, with end-to-end encryption from them to the phones, and that's presumably what the Swedish police has done.

Re:

[Kichigai Mentat]

This seems to be the part that everyone is forgetting about why BlackBerries were so popular among IT professionals. You just drop BES into your setup, and now connected BlackBerries can be managed like any other part of the infrastructure. It's encrypted, you control the server and all the data, and you can do all sorts of remote provisioning and security tasks. It's the same reason that many companies still like using Microsoft Exchange: they control the servers, and hence the data.

It's not like Android o

blackberry

[Anonymous Coward]

Just got a Z10, I love it! It's OK if you guys hate me though :)

Re:blackberry

[fuzzyfuzzyfungus]

Just got a Z10, I love it! It's OK if you guys hate me though :)

No, no, I find endangered species from vanishing ecosystems to be quite interesting. Some of them are also cute, tasty, or a source of fascinating new biologically active compounds. Like those wacky Amazonian frogs.

Re:

[cold fjord]

Narrator: The bug-eyed Blackberry has entered the clearing.... by the way its moving it appears to be looking for market share. But wait, what's this? It looks like an iSnakepad has grabbed it in a lightning fast strike! The iSnakepad is wrapping itself around the bug-eyed Blackberry and is starting to squeeze. Sadly now, there can be but one outcome.

Re:

[SpzToid]

Hey folks, you won't believe this but I just shot that entire well-lit video sequence using my Nokia N9, and it looks great! I'd share it with you, except I'm in one of those countries, and you are probably in one of the other ones.

Re:

[Kichigai Mentat]

Why would we hate you? It's the disjointed user interface of BBX that most of us have trouble stomaching. That and the lackluster native app selection. There was a lot I really liked about my old BlackBerry Curve, but RIM did a poor job of attracting third party developers, and made a total hash of the touch interface in the latest OS iteration.

It's very much how I felt about Nokia and Symbian. Great hardware, and the OS wasn't too shabby, but there were a lot of things you just couldn't do on the platform

Common problem.

[SuricouRaven]

1. Workplace has confidential information.
2. Workplace puts up elaborate high-security protocols and technology intended to protect that data.
3. Workers find that all this security is getting in the way of actually doing their jobs.
4. Workers ignore protocol and devise their own means of going behind the backs of those dictating security.
5. Embarassing breach occurs.

A common example occurs when IT dictates all passwords must be at least seven characters an include mixed case and punctuation. Faced with difficulty remembering passwords, the staff respond by putting them on post-it notes under their keyboards. Or when getting a new staff member approved for access to the confidential data takes a few days, leading to staff letting temps borrow their credentials so they can get started right away.

Re:Common problem.

[ottothecow]

Pretty much this.

When an organization sees people doing things like this, they should recognize that they are not providing the right kind of IT services to their employees.

Re:Common problem.

[ottothecow]

And if the free software (Whatsapp) isn't deemed secure enough...then they need to look into something like Good where they can still keep the communication walled in but let people use things that aren't outdated blackberries.

Re:

[allypally]

> all passwords must be at least seven characters an include mixed case and punctuation

People can and will work around any barrier that stops them working, even if they are now working in an unsafe environment.

I worked somewhere once with those rules, plus the password had to be changed monthly, and no reuse of ones you'd used previously.

Pretty much everyone would have a compliant password today that was a slight variant on the unforgettable:

Feb.2014

Re:

[ProzacPatient]

A common example occurs when IT dictates all passwords must be at least seven characters an include mixed case and punctuation.

Ha! My IT department where I work (I shall not disclose whom I work for) requires that all passwords have a minimum of 14 characters and the password is required to be changed on a regular interval in a mandatory basis. There is a policy in place against passwords; on post-it notes, in notebooks and so forth so it's really frustrating and really easy to forget if you're not careful.

So...

[fuzzyfuzzyfungus]

On a scale from 'paid vacation' to 'hahaha, paid vacation' do we have any estimates on the penalty for this sort of fantastic adherence to good evidence handling practices and adherence to both the security of an investigation in progress and the rights on anyone who turns out to be investigated but uninvolved?

(Incidentally, who wants to bet that the officers involved may not have adhered to every tedious little 'best practice' in their handling of past cases? Sure is a good thing that they aren't in a p