Paul Fleet - Fotolia

ICO investigates police use of app to covertly record calls from mobile phones

Surrey and Sussex police forces call in regulators after 1,000 police officers downloaded an app to covertly record phone calls on police-issued mobile phones

The data protection watchdog has begun an investigation into the widespread use of a mobile phone app by officers at Sussex and Surrey police forces to covertly record phone calls on their mobile phones.

More than 1,000 police officers in Sussex and Surrey downloaded a free app from the Google Play Store that was used to make “indiscriminate” covert recordings of calls with members of the public on police-issued phones.

The practice, which went on for over three years, raises questions about the ability of police officers to identify and disclose recordings that are legally required to be shared with defendants under the Criminal Procedure and Investigations Act 1996 (CPIA).

Katie Wheatley, head of the crime, fraud and regulatory team at law firm Bindmans, said the events raised serious concerns about police training and the grasp that the police have on the CPIA.

“Disclosure is really at the heart of it. Potentially, you could have a situation where police had not revealed, and perhaps now even deleted, recordings of conversations that were material,” she said.

The police forces authorised the app for use by hostage negotiators, but it was widely downloaded by police officers across both forces for other purposes.

The Information Commissioner’s Office (ICO) is likely to examine whether there were adequate policy or governance documents in place over the use of police mobile phones and whether the forces should have applied “role-based” access to the Google Play Store.

Surrey and Sussex forces told Computer Weekly that they were alerted to the practice in March 2020 and referred themselves to the ICO and the Investigatory Powers Commissioner’s Office (ICPO) in July 2020.

Temporary assistant chief constable for Surrey Police, Fiona Macpherson, acknowledged in an email statement to Computer Weekly that there was a failure to govern use of the app.

“This situation exposed a lack of governance around the apps which were previously available to our officers and staff, as well as the way they could be used, and this is regrettable,” she said.

Approved for hostage negotiations

Sussex and Surrey police forces sanctioned the use of the recording app, called Another Call Recorder (ACR), for hostage negotiators when dealing with kidnaps and crisis negotiations in 2017.

The app recorded and stored all incoming and outgoing calls made on police-issued mobile phones and mobile data terminals.

But police officers throughout both forces had access to the Google Play Store, where they were able to download the app for other purposes.

“Unfortunately, there were no means by which the use of the app could be restricted to only those undertaking the negotiator role, which meant the app was available to all staff,” the forces said in a statement to Computer Weekly.

According to the supplier’s website, the app worked well on older versions of the Android mobile phone operating systems, but users began experiencing problems making recordings on phones that used Android version 9, released in September 2018, and later versions of Android.

Widespread, indiscriminate and arbitrary use

More than 700 copies of the recording app appeared to have been downloaded on police-issued mobile phones, the IPCO found.

“The use of the app was not a one-off targeted activity. Its use was widespread, indiscriminate and arbitrary,” according to a report by the investigatory powers commissioner, Brian Leveson.

Police officers are understood to have used the app to record conversations with members of the public, in case there was a later dispute over what had been said.

But according to the IPCO, the use of the covert recording app “resulted in the systematic covert recording and indefinite retention of the voice of the other party”.

The use of the app engaged Article 8 of the European Convention of Human Rights, which protects an individual’s right to privacy, including the privacy of communications, the IPCO found.

Details of the use of mobile phone apps to make covert records by the two forces were highlighted in the 2020 annual report of the investigatory powers commissioner, the independent regulator for covert powers used by law enforcement, intelligence agencies and other government bodies.

The report said that “given the widespread nature” of the error by the two police forces, “we consider it important that special attention be drawn” to the incident.

Surrey and Sussex police used a free version of the app, which automatically recorded all incoming and outbound phone calls by accessing the audio data feeds from the microphone and the speaker and saving it to phone storage.

It was unclear how many calls were recorded in the period the app was available and how many of the recorded calls were with members of the public, rather than police.

“It is also not clear why the app was downloaded by so many officers,” the report said. “However, there is anecdotal evidence that the purpose was to enable officers to rely on a recording of a conversation with a member of the public” in the event of a dispute over what was discussed.

Both forces reported the use of the app as an “error of conduct” that may constitute communications interception or surveillance “without the requisite warrant or lawful authority being in place”.

Covert surveillance, not interception

The inability of the free version of the app to automatically export recordings to cloud services saved police officers from a potential breach of the Investigatory Powers Act.

The use of the app did not amount to “interception”, the IPCO found, as the content of communication was only available to the person using the app and not to third parties.

“It is important to note that the version of the app used by Surrey and Sussex did not permit the data automatically to be exported from the device,” it said.

Reaching an alternative conclusion would mean that any recording activity, including by a member of the public, would be a criminal offence.

But the IPCO concluded that police use of the app amounted to “directed covert surveillance” as it did not warn the other party on the call that they were being recorded.

This is in contrast with other apps, such as Skype for Business, Microsoft Teams and Zoom, which automatically warn other parties that they are being recorded.

The privacy of telephone calls and other correspondence is specifically protected by Article 8 of the European Convention on Human Rights.

Remedial action taken

Surrey Police and Sussex Police said they took immediate steps to remove the app from their fleet of mobile devices once the issue was discovered and have taken action to review any recorded data with a view to deleting it, unless required for evidence.

An audit by the police forces found that 1,024 officers had downloaded the app. It established that the app had been used on 432 phones and that those phones held audio files.

The forces instructed officers and staff that had downloaded the app to delete any calls they had recorded without listening to them.

“The app was then removed by Surrey and Sussex police’s IT department. The files were removed and the phones were reset to ensure that all the files were deleted,” a spokesperson said.

The IPCO wrote to all other law enforcement agencies to confirm that other forces were not covertly recording mobile phone conversations and received assurances that they were not.

Evidence relating to offences

Surrey and Sussex police said four officers had identified recordings that contained evidence of an offence currently or previously under investigation.

Three related to criminal cases and each of the investigating officers was advised to ensure the Crown Prosecution Service was informed of the existence of the calls, as required by the CPIA 1996.

“Further enquiries established that only one of these could have had a potential impact if the case had progressed to trial,” the forces said.

Macpherson said Surrey and Sussex had reviewed all of the apps on the Google Play Store to ensure that no other similar recording apps were available.

“Steps were also taken to mitigate the situation by establishing how many officers had downloaded the app, the extent of their use of the app and any impact on upcoming legal proceedings,” she said.

“A robust process is now in place to ensure any new requests for mobile apps are subject to appropriate due diligence and scrutiny,” she said.

Data protection concerns

Police forces have provisions to process personal data for law enforcement purposes under UK data protection laws, but they are still required to process data lawfully and transparently and are bound by Article 8 of the European Convention on Human Rights, which gives individuals the right to private communications.

Monika Sobiecki, a partner specialising in media and information law at Bindmans, said that if police officers had used the app to record calls relating to minor crimes, there could be potential data protection issues.

“You have an app that is designed for kidnapping. What might be proportionate in that case would not necessarily be proportionate in a minor case such as policing a protest or domestic violence,” she said.

The decision by both forces to ask officers to delete recordings before the ICO had completed its investigation may have led to potential “incidental destruction” of evidence of the misuse of the mobile phone app, Sobiecki added.

Lawyer Dai Davies said it was “extraordinary” that out of 1,000 users, only four situations were found where recordings were related to criminal offences.

“Conversations with criminals who are later prosecuted, if not disclosed, irrespective of whether they are probative, could form grounds for appeal,” he said.

Surrey Police and Sussex Police said they had contacted all staff who had downloaded the app.

“We did not identify any recordings with ongoing retention requirements under CPIA 1996 that had already been deleted as a result of contacting all officers and staff who had downloaded the app,” said a spokesperson.

The spokesperson said it would be impossible to establish if any mobile phones which were disposed of before the force conducted its audit had either downloaded the app or contained disclosable recordings.

An ICO spokesperson said: “Surrey Police and Sussex Police have made us aware of this matter and we are making enquiries.”

The app: Another Call Recorder

The mobile phone recording app, Another Call Recorder (ACR) from NLL Apps, which claimed to be one of the most advanced call recording applications available for Android phones, allowed users to automatically record incoming and outgoing calls.

The free version of the app had the ability to list call recordings by matching phone numbers to the user’s contacts and allowed recordings to be searched by contact name.

The app allowed users to password protect recordings or to mark recordings as important to prevent them from being automatically deleted.

The app offered “local Wi-Fi access for easy backup” and the ability to transfer recordings between devices.

The professional version of the app offered the ability to upload recordings to email and cloud storage services.

The IPCO found that the free version of the app used by police officers did not breach laws against interception, as it did not allow recordings to be automatically uploaded to cloud services where they could be accessed by other people.

Although the app appears to have worked well for older versions of the Android phone operating system, users began reporting problems with the app in 2019 and 2020.

A note on the supplier’s website warned users that the app had call recording issues on Android 9, released in August 2018, and later versions of Android. “No call recording app can record calls properly. This is due to limitations introduced with new versions of Android,” it said.

Read more on Mobile apps and software