chalabala - Fotolia

Scottish police roll out controversial data extraction technology

The introduction of new mobile phone data extraction terminals to Police Scotland will go ahead despite concerns that the use of the technology could be unlawful

Police Scotland will begin rolling out more than £500,000 worth of mobile phone data extraction devices, despite the expectation of a legal challenge from privacy and human rights advocacy groups.

Known as digital triage devices, or “cyber kiosks”, the 41 desktop-sized machines will enable the force to access encrypted or locked mobile devices or tablets, which it insists will help speed up investigations.

However, according to a Scottish Police Authority (SPA) meeting document dated 17 January 2020, it is anticipated that some agencies, including the Scottish Human Rights Council and Privacy International, will be “requesting a review of the law”.

It added that it is the opinion of these groups that “the legal basis for [mobile] device examination is not sufficiently clear, foreseeable or accessible and new legislation is required”.

The phased roll-out of the kiosks, which will be operated by specially trained officers, will begin on 20 January 2020, and is due to be completed by the end of May.

“We’re committed to providing the best possible service to victims and witnesses of crime. This means we must keep pace with society. People of all ages now lead a significant part of their lives online and this is reflected in how we investigate crime and the evidence we present to courts,” said deputy chief constable Malcolm Graham.

He added that digital devices are increasingly involved in investigations, placing ever higher demand on digital forensic examination teams.

“Current limitations, however, mean the devices of victims, witnesses and suspects can be taken for months at a time, even if it later transpires that there is no worthwhile evidence on them,” said Graham. “By quickly identifying devices which do and do not contain evidence, we can minimise the intrusion on people’s lives and provide a better service to the public.”

In a trial of the technology conducted in Edinburgh and Stirling, officers accessed 375 phones and 262 SIM cards, according to local Scottish press reports.

The Scottish Parliament’s Justice Sub-committee on Policing later heard that members of the public were not aware that data was being extracted from their phones, and that the force had not carried out either a data protection impact assessment, or an equality and human rights impact assessment.

“Police technology is racing ahead of the law. While digital evidence can be important in modern investigations, there is a dangerous regulatory vacuum meaning people, especially victims, have no meaningful protection against the police trawling through the entire contents of their phones,” said Griff Ferris, legal and policy officer at civil liberties group Big Brother Watch (BBW).

“Our phones contain as much, if not more, sensitive and personal information as the entire contents of our homes. Police resources should be urgently invested in getting clear policies and proportionate practices in place, particularly in relation to victims, before buying tech that enables lawless digital strip searches.”

Ongoing legal concerns

Originally slated for December 2019, the roll-out has already been delayed over concerns that use of the technology could be unlawful.

The concerns revolved around the right to privacy, what kind of data and how much would be extracted, the legal basis for accessing the data, and data security.

In its December 2019 submission to Police Scotland’s cyber kiosk External Reference Group, Privacy International argued that the force had not adequately clarified how much data its officers will be extracting.

“They have not stated whether or not selective extraction is possible. If a full extraction is attempted, Police Scotland have not said in any detail how search parameters protect victims’ rights,” said the submission.

“They have failed to clarify whether they will collect and retain all data that can be extracted, even if this is not relevant to the investigation. They have not said whether once the data that is strictly necessary and proportionate to the investigation has been identified, whether the rest can be deleted,” it added.

According to the SPA meeting document, the Crown Office, Procurator Fiscal and independent senior counsel have now affirmed a two-part legal basis.

The first, for the actual seizure of a device by police, relies on the consent of a victim or witness, which the force claims will be achieved by providing the individual with a Digital Device Consent Public Information Leaflet.

“This leaflet, which was designed with the public, contains relevant information ensuring any decision made by the victim/witness to provide the device is adequately informed. This process is relevant to the seizure of devices whether they will be triaged or not,” said the document.

If consent is not given, or the device belongs to a suspect, then a warrant to seize the phone is required.

Following seizure of the device, a separate legal basis is required to extract and process the data, which Police Scotland claim is provided by the Data Protection Act 2018 and the Police and Fire Reform Act 2012.

According to the Privacy International website, consent for any seizure which is for the purpose of examination is still being undermined by the lack of information provided about the data extraction process.

“We believe Police Scotland’s focus on ‘consent’ gives an illusion of involvement and empowerment of the victim or witness, when in reality, withdrawal of consent may have little or no impact on whether or not the Police will continue with the extraction,” it said. “This is because they can rely on separate legal powers and are not forced to return the phone.”

In a separate press release from 15 January 2020, Privacy International added: “This could be deeply confusing and harmful for those individuals to learn that handing over their device voluntarily does not mean they are empowered to have their device returned and the information held on that device not examined.”

On the digital device consent leaflet, Police Scotland said that “the technology used will copy all available information from your device and may recover deleted information”.

It added that police may not look at all of the information, “only what is necessary, reasonable, justifiable and relevant to the investigation”.

In July 2019, it was revealed in a BBW report that police stopped investigating the cases of rape and sexual assault after they refused to disclose up to seven years of their mobile data.

The report claimed that 93% of UK police forces were extracting data from digital devices, and that they were being pressured by the Crown Prosecution Service to collect masses of digital information on victims of crime.

Following the revelations, nine other campaign groups, including Liberty, Privacy International and Amnesty International, joined BBW in calling on the National Police Chiefs Council to urgently revise the policy that required victims of crime to hand in their phones for mass data downloads.

After this action, the Information Commissioner’s Office (ICO) launched a high-priority investigation into the issue, which is still ongoing.

The cyber kiosk terminals being used by Police Scotland are designed and manufactured by Israeli firm Cellebrite, a fully owned subsidiary of Japan’s Sun Corporation.

The company already provides other police forces – including West Mercia Police, Avon and Somerset Constabulary, and City of London Police – with a range of tools to help them extract data from mobile phones and other personal devices.

It has also sold this technology to authoritarian regimes including Turkey, the United Arab Emirates (UAE) and Russia, according to 900GB of data acquired by a hacker from Cellebrite servers in 2017.

Read more about technology and the police force

  • EE will oversee a three-year deal to transform police mobile capabilities in Scotland, alongside Motorola Solutions, Samsung and BlackBerry.
  • Officers will be able to fill in reports directly on their mobile devices for incidents such as crimes, road collisions and traffic tickets.
  • The Metropolitan Police has launched a new tender for the provision of IT infrastructure services with the aim of promoting more agility, flexibility and savings.

Read more on Data protection regulations and compliance