The vast quantities of data we generate every minute of the day and how it can be exploited is challenging democratic and societal norms. The use by UK police forces of technologies that provide access to data on our phones, which document everything we do, everywhere we go, everyone we interact with, has proceeded in secret for over six years. The lack of public awareness and absence of Parliamentary debate makes a mockery of the Peelian principles of policing by consent.
Using Freedom of Information Act requests, Privacy International have exposed a deeply concerning lack of transparency and accountability in relation to so-called ‘mobile phone extraction’ – technology that enables the police to download all the content and data, even if it has been deleted, from a mobile phone. Despite the police being unsure of the legal basis upon which they can utilise this technology, they are taking data from thousands of devices belonging to witnesses, victims and suspects without their knowledge, without consent and without a warrant.
It is unsurprising the police are resistant to Privacy International’s call for a warrant. They have been able to use this draconian power without stringent safeguards for years. Yet if the police come knocking on your door, in all but the most exceptional cases you would be able to demand a warrant.
Yet when the data we hold in our phones is far more intrusive than the search of a home or person combined, when the police can access more data than we even know exists our devices, why shouldn’t we demand these basic protections?
Despite pushing back on our call for a warrant, our report has largely been welcomed by some senior police officers who accept that the use of this technology has raced ahead of outdated legislation that is not fit for purpose. This support raises questions as to why nothing has been done to date by either the College of Policing, National Police Chief’s Council or the Home Office. It should not take this kind of exposure for an opaque surveillance regime to secure fundamental safeguards.
As part of our research Privacy International experimented with a Cellebrite UFED Touch 2 to gain an understanding of the amount of information that can be taken. Despite having a degree of expectation, we were shocked to see the volume of data taken from several different phones (HTC Desire and Nexus running Android and an iPhone SE). Not only did it obtain contacts, chats (Facebook, Signal, Twitter, WhatsApp, instant message, MMS, SMS), call logs, calendar, cell towers, passwords, unlock pattern, device locations, wireless networks, but thousands of deleted items including browsing history, photos and even messages shared in the Signal app, which offers users end-to-end encryption.
We also used Cellebrite’s Cloud Analyser on the iPhone SE. This enables access to social media and cloud-based sources. Login credentials can be extracted or obtained via ‘discovery means’. As explained by Cellebrite you can “Gain insights into the subject’s intentions and interests by pulling out the history of text searches, visited pages, voice search recordings and translations from Google web history ad viewing text searches conducted with Chrome and Safari on iOS devices backed-up by iCloud.” Even when you return the phone you can continue to track online behaviour as long as passwords aren’t changed.
Our Freedom of Information research in the UK found that:
- 26 out of 47 police forces (55%) that we submitted Freedom of Information requests to admitted they are using mobile phone extraction technology.
- Out of the remaining 21 police forces (45%):
- Eight police forces (17%) have trialed or intend to trial this technology
- Thirteen police forces (28%) either failed to respond to our questions or stated they hold no information on the use of this technology
As technologies used by the police race ahead of outdated legislation, we are left vulnerable to potential for misuse and abuse of our data.
Technology is redefining the boundaries of what we consider acceptable in relation to the data we generate and how it is used. From Cambridge Analytica amassing information on millions and profiling for political purposes, to mass data breaches by Equifax and Uber, the security of our data and what we previously considered unacceptable in relation to our own personal privacy is being challenged in unimaginable ways.
It is understandable that for certain investigations mobile phone evidence will be vital. But it cannot be acceptable that access to such sensitive data can take place without individuals knowing their rights, when the police themselves are confused about the legal basis for these powers and without independent oversight to protect against abuse and misuse.
Whilst data protection legislation including GDPR and the Law Enforcement Directive go some way to protecting our data, there are exemptions for the police. We believe that specific national guidance is needed and specific legislation that addresses the unique concerns raised by these technologies.
Abuse and misuse of our data does not just relate to concerns around data security. The UK has a long history of discriminatory policing from the SUS laws to concerns around modern day stop and search. The damning 1999 Macpherson report found the Metropolitan Police investigation into the Stephen Lawrence killing was marred by institutional racism and the Met Chief admitted institutional racism claims have ‘some justification’ in 2015.
David Lammy MP’s review of the experiences of Black and Minority Ethnic (BAME) people in the criminal justice system found that they still face bias, including overt discrimination in parts of the justice system. The Lammy Review highlighted the risks associated with developments in technology and the need for transparency. We believe that mobile phone extraction presents a danger of replicating or exacerbating existing discrimination.
As surveillance powers and the tools used to exploit our personal data become less visible, we must be more vigilant about protecting our privacy. Recent scandals have shown we have little idea just how much data we generate. When those who can use tools to obtain content and communications data also have the power to remove our liberty we must ensure that transparency around new policing tools is paramount. For too long politicians have failed to understand and address these issues. For too long the police have failed to inform the public and police by consent. It’s time we were told what was going on and it’s time the police obtained a warrant to download and retain our most personal and private information.