The campaign group Privacy International has filed a formal complaint against the UK’s police forces over their use of highly intrusive “mobile phone extraction technology”.
The complaint, made to the Information Commissioner's Office, alleges that UK authorities have been illegally accessing the contents of people’s phones. According to the filing, this includes downloading photos and recovering the remnants of previously deleted messages - without first gaining a warrant.
Privacy International sent Freedom of Information requests to 47 police forces across the UK and found that police are using technology to extract location data, encrypted apps, call logs, emails, text messages and passwords.
The complaint has also been forwarded to the Home Office and the Independent Office for Police Conduct.
Within the document, PI has called for changes to what it is claiming are “totally unregulated, potentially discriminatory and unlawful” practices.
Data free for all
In the US, it is necessary for police to seek a warrant in order to access the content of people’s phones during the course of an investigation. In the UK, on the other hand, it is alleged that the police have been using various pieces of legislation to bypass the need for a warrant.
Privacy International claims that this has been allowing the police not only to download data from the phones of criminal suspects, but also from devices belonging to witnesses - and even victims themselves.
Millie Graham Wood, an attorney working for Privacy International, has gone on the record with claims that the UK’s police force is using tools provided by the Israeli firm Cellebrite. The software permits the police to download data directly from phones without the owner’s knowledge. Wood commented that:
“The earliest record we have of this is from 2012, when [London’s Metropolitan Police] said it wanted to roll out [the tools] across London, during the Olympics. Since then it’s spread out over the U.K.”
According to Wood, the UK authorities have been using those tools “without any clear legal basis, without any proper record keeping, and without any national statistics that might reveal biases.”
Easy to recover
Wood also claims to have personally tested the Cellebrite UFED Touch 2 device. The device connects directly to the phone from which it extracts information. According to the attorney, it “takes about two hours to extract everything”.
According to Wood, the Cellebrite device was even able to piece back together previously deleted messages from the encrypted messaging app WhatsApp. Unfortunately, deleted data on phones is susceptible to being recovered because messages that are deleted are not actually wiped from the phone’s internal memory.
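Why a deleted message can survive in storage, and one setting that changes it, as an added example (not from the original article or any vendor). It assumes, which the article does not state, that the app keeps messages in an SQLite file; the file and table names are hypothetical and the message text is constructed.

```python
import os
import sqlite3
import tempfile

# Constructed sample message, used as a search marker in the raw file.
MARKER = "CONSTRUCTED-SAMPLE meet me at the usual place 19:30"


def residue_after_delete(secure_delete: bool) -> bool:
    """Delete one message row, then report whether its text is still
    present in the raw bytes of the database file."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "messages.db")  # hypothetical store name
        con = sqlite3.connect(path)
        # Set explicitly: SQLite builds differ in their compiled-in default.
        mode = "ON" if secure_delete else "OFF"
        con.execute(f"PRAGMA secure_delete = {mode}")
        con.execute(
            "CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT)"
        )
        con.executemany(
            "INSERT INTO messages (body) VALUES (?)",
            [("hello",), (MARKER,), ("see you tomorrow",)],
        )
        con.commit()

        con.execute("DELETE FROM messages WHERE body = ?", (MARKER,))
        con.commit()

        # The application can no longer see the row ...
        visible = con.execute(
            "SELECT COUNT(*) FROM messages WHERE body = ?", (MARKER,)
        ).fetchone()[0]
        con.close()
        if visible != 0:
            raise RuntimeError("row should be gone from the logical view")

        # ... but a physical read of the file is a separate question.
        with open(path, "rb") as fh:
            return MARKER.encode() in fh.read()


if __name__ == "__main__":
    print("secure_delete=OFF, text in file:", residue_after_delete(False))
    print("secure_delete=ON,  text in file:", residue_after_delete(True))
```

`secure_delete` only zeroes freed content inside the database file itself; it does not reach copies held in journals, backups or blocks the flash controller has remapped.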
Encryption no help?
By the time WhatsApp messages are stored on a phone, they have been decrypted by the Signal protocol leveraged by the app. This is not WhatsApp’s or the cryptographic protocol's fault, but it means that using the Cellebrite device, police can access a huge repository of data that shouldn’t be available at all.
It is worth noting that, unlike Signal, WhatsApp does not have app-wide password protection. In Open Whisper's messenger, a password is used to encrypt all the messages inside the app. This would, in theory, stop the police from being able to extract any messages.
The Metropolitan Police insisted in a canned statement that its actions are protected under the Police and Criminal Evidence Act (PACE).
“A victim is always at the heart of an investigation, and in the majority of cases, permission will be sought to obtain data from devices such as mobile phones. The officer using the kiosk will then extract only very specific data. There will, however, be occasions where consent cannot be obtained. For example, where a witness has filmed a murder on their mobile phone but refuses to co-operate with police; or where a victim of domestic abuse does not wish to assist the police. Under these circumstances, it may be possible for police to use their powers under PACE to seize and examine this information.”
According to the former Greater Manchester Police Chief Constable, Sir Peter Fahy, seeking a warrant every time that police want to search a phone was "just not practical". Fahy added that:
"In lots of cases, officers need to be able to access what is on a mobile phone very very quickly and to be able to know whether they can arrest the offender to protect the public and to stop other crimes in action."
Privacy International maintains that the procedure is currently illegal under the UK’s Data Protection Act. What’s more, from next month - when GDPR begins being enforced throughout the UK and Europe - the data collection will become even more unconstitutional. According to PI, the UK’s police force is woefully unprepared to meet the privacy standards set out by GDPR. Wood added that the police couldn’t “even comply with the Data Protection Act now”.
Labour MP Naz Shah - who is a member of the Home Affairs Select Committee - has come forward to concur with Privacy International. Shah stated that existing legislation had become outdated because it was not designed to deal with such large volumes of data management:
“The legislation is not fit for purpose, not just for the people that it would impact, but also for our police forces, who have to keep communities safe.”