PRESS RELEASE: Unauthorised use of mobile phone examination tools by Police have undermined investigations into serious crimes.
Unauthorised use of mobile phone examination tools by Police have undermined investigations into serious crimes.
In previously unseen documents obtained by Bristol Cable, details have emerged of how Police forces across the UK are using secret and sophisticated technology to extract data from people’s mobile phones, even for low level crimes.
Documents obtained by Bristol Cable reveal serious flaws in the use of powerful tools by the police to extract data from mobile phones in relation to low level crimes, coinciding with a rapid rise in police spending in this area. Data extracted at so-called ‘Self Service Kiosks’ (SSKs) in local police stations, includes call history, texts and contacts, retained regardless of whether any charges are brought. It is unclear whether there are limits on the data extracted, such as photos or emails. The tools allow officers to connect to an individual’s mobile and obtain the data from the device, as well as saving digital records of the content.
A report from 2015 by the Police and Crime Commissioner for North Yorkshire reveals that in half the cases sampled, there was a failure to receive authorisation for the use of mobile phone extraction tools. Poor training resulted in practices which undermined prosecution of serious crime offences such as murder and sexual offences. The report goes on to highlight inadequate data security practices, the failure to encrypt data even though the capacity existed, and lost files which may contain intimate details of people never charged with a crime. The report concludes with 8 recommendations, notes there was limited assurance procedure was being followed appropriately and considered further review necessary. It is unclear whether remedial steps have been taken following this damning report. These failings appear to contravene the ACPO Best Practice Guide on digital evidence, particularly Principle 2 on competency.
The practice of using SSKs in local police stations was initially trialled in London 2012 with SSKs in 18 Metropolitan Police Boroughs. Its nationwide roll out has been accompanied by a paucity of public information. It is not known whether other reviews have taken place and what short-comings may exist. A MET procurement document states that ‘in March 2016 there will be SSKs in all 32 MPS Boroughs and 12 Hubs. The MET SSKs are Aceso units ‘currently rented and maintained under an existing third party arrangement with Radio Tactics’.
Additional Bristol Cable documents indicate a rise in use of and spending on mobile phone extraction units throughout the country without any obvious transparency or oversight into this growing area. In 2015 Durham examined 90% of mobile phones locally and an internal memo documents Cleveland police receiving an additional £124,000 for Forensic Mobile Phone Extraction Systems’ for 2015. Financial records obtained by Bristol Cable document contracts between Israeli digital forensics firm Cellebrite and 28 police forces running to thousands of pounds, and the current figure is likely to be far higher. However, limited information in financial records frustrates any attempt to understand which other companies are providing data extraction tools and a failure to provide a consistent classification of these items also prohibits discovering other providers.
A contract between the Home Office and Cellebrite, worth £81,017.50, describes the power some of these tools offer to the police. UFED’s (Universal Forensic Extraction Devices) are able to search mobile phones to extract data from installed applications, SMS messages, e-mails, videos, call logs, audio and calendars. The tools are able to bypass lock screens and are even able to access and extract deleted data.
The Metropolitan Police in a 2015 procurement document refer to the ‘ingestion of data from tens of thousands of digital devices annually at dozens of different locations’ and to ‘maintenance [of the data] for an indefinite period extending for many years’. Keen to capitalise on the thirst for mobile phone extraction, offering services to other forces and government agencies they go on to state that ‘The MPS vision is to extend this initiative in future by offering a full range of digital forensics services to other UK police forces and government agencies’. This means your data is accessible to police outside the force who collected the data and raises the question of what happens to your data, who is securing it and how can you find out.
Millie Graham Wood, Legal Officer at Privacy International said:
“The North Yorkshire report suggests local police forces are not yet ready to handle these highly intrusive tools and it raises questions about whether other police forces have adopted these technologies appropriately. The police have lost files, undermined serious investigations and failed to safeguard people’s personal data. We need transparency about current practices, procedures and failings. Across the country the police have expanded their use of mobile phone extraction on the quiet, and it is unclear what effective oversight exists.
The bigger issue is whether traditional search practices, where no warrant is required, should be applied to mobile phones, which can contain a massive amount of highly personal data. Modern mobile phones are not just phones, but mini computers, cameras, video players, calendars, recorders, libraries, diaries, albums, maps all in one. Thus, searching a mobile phone cannot accurately be compared to a search of the home, let alone a physical search. It is far more exhaustive. They have immense storage capacity, can hold thousands of pictures, videos and apps, all of which can reveal so much about your and potentially your contacts political, sexual and religious identity They hold location data, and even deleted data as indicated by the Home Office contract.
As noted in the landmark US ruling of Riley v California, an element of pervasiveness characterises mobile phones with data that can go back years. There are several interrelated privacy consequences, complicated by the fact that data viewed on many modern phones may in fact be stored on a remote server. In the US it was ruled that whilst information on a mobile phone is not immune from search, a warrant is generally required before such a search. The warrant requirement was ruled “an important working part of our machinery of government”, not merely “an inconvenience to be somehow ‘weighed’ against the claims of police efficiency.”
We urge the government to consider the general requirement for a warrant before a search can take place. We also call on technology companies to address the betrayal of users by their devices. No one should be able to access more data than the user of a device. Secret functionality and secret data storage is unacceptable and indicates that we genuinely do not own our devices.”
Notes for Editors
- The original documents will be available from this link when the embargo is lifted: https://www.documentcloud.org/search/projectid:31157-UK-Police-Cellebrite-amp-Mobile-Phone-Examination
- Bristol Cable article: https://thebristolcable.org/2017/01/revealed-the-troubling-trickle-down-of-phone-cracking-technology/
- Privacy International has made Freedom of Information requests to all police forces in the UK in order to obtain details about the use of mobile phone extraction in low-level crimes and what reviews have taken place.
- Durham Police in their 2015 ‘PEEL : Police effectiveness 2015 report’ state that current figures indicate 90% of cases are now examined ‘in-house’. Cleveland police received approval for an additional £109,000 for 2014/15 for ‘Forensic Mobile Phone Examination System’ for use in crime investigations.
- The MPS Digitial, Cyber and Communications Forensics Unit, Information for Prospective Bidders, dated 12 June 2015 indicates that mobile phone extraction is a high priority and states that ‘devices and media are seized for forensic analysis in all areas of crime investigation and policing, from volume crime cases such as burglary and drug offences to serious crime cases such as homicides and terrorism.’ Figures in the ‘trend in volume device examinations’ jump from 0 phone examinations at MET SSKs in 2011/12 to 17,508 in 2014/15. The document states that in addition to volume examinations, ‘the Authority undertakes a range of complex digital examinations, including cell site analysis, facial recognition, satellite navigation systems, trackers, chip off — simple and chip off — complex’.