Alan Stockdale - stock.adobe.com
Scottish Police accessed personal data from hundreds of mobile phones and SIM cards without informing the public what would happen to their phones and their data, Scottish MPs heard yesterday (10 May 2018).
The force, which faces investigation from the office of the UK’s data protection watchdog, the information commissioner, has been accused of using its equipment to access sensitive data held on suspects and witnesses without warrants.
It is one of a large number of forces that have tested advanced technology, known as cyber kiosks, that can allow officers to quickly access highly personal information, including people’s location history, web browsing, social media and text messages – including hidden or deleted data.
During a hearing yesterday, detective superintendent Nicola Burnett told MSPs on the Scottish Parliament’s Justice Sub-Committee on Policing that she was not clear whether police had carried out an impact assessment of the technology on human rights, data protection, or equality, before carrying out the technology trials.
“Human rights and data protection impact assessments are ongoing,” she said.
Committee members also raised concerns that people whose phones were taken for analysis had not been given any advice on their rights and may not have been told police were accessing their data.
“As far as I am aware, there was not specific advice,” Burnett told the committee. “If a phone is seized by police, most of the time the owner would be aware, being present, though not all the time. It has to be seized for a lawful policing purpose.”
Police Scotland conducted trials of cyber kiosks, also known as digital device triage systems, made by the Israeli company Celleberite, in Edinburgh and Stirling, to investigate summary offences.
The force spent over £440,000 on 41 cyber kiosks, licences and training to analyse information on the public’s phones as part of a trial in its Policing 2026 project.
A freedom of information request by the Sunday Herald newspaper revealed that police officers in Stirling and Edinburgh accessed data from 375 phones and 262 SIM cards between 2016 and 2018.
According to Police Scotland’s implementation plan, installation of the kiosks is planned to take place in 2018-2019.
Technology reduces load on forensic examiners
Police Scotland told the MPs that the technology allowed police officers to return devices to the public, that were not of interest to the police, at a much earlier stage, without the need to send them for forensic examination.
That would free up forensic specialists to spend time on serious and complex cases.
“To clarify, this is not new technology, it has been available to UK law enforcement since the 1990s and has been used since the start of Police Scotland. The difference is we have been able to provide that capability at the front end,” said Burnett.
But Daniel Johnson MSP said information held on mobile phones and SIM cards had grown exponentially since police first used kiosk technology in the 1990s, giving officers the ability to look at a completely different category of information.
“Absolutely yes, the amount of information is growing on those devices. The public would expect us to have the right technology so we can utilise any piece of evidence,” said Burnett.
It was not unusual for the police to have access to have access to highly sensitive data she said: “We have to take some really significant intimate details. That is part of our role as police officers.”
Downloading phone data to disk
Burnett told the committee that once a phone has been examined, the cyber kiosk is deleted from the device, leaving only audit data and a unique reference number.
But it also emerged the devices have the capability to download data from mobile phones on to a computer disk.
“That is an option. We are looking at how we will manage that,” she said. “We are looking at how those disks will be encrypted.”
Burnett conceded that Police Scotland had “probably not informed elected members of the Scottish Parliament”, including those in the constituencies affected, before the trials took place.
The non-governmental organisation Privacy International said that the hearing was the first time that parliamentarians in the UK have questioned police on the use of mobile phone extraction technologies.
Millie Wood, lawyer at Privacy International, told Computer Weekly: “There was concern among MSPs, particularly those representing constituents where trials have taken place, such as Edinburgh, that there has been a complete absence of engagement with parliamentarians and the public throughout the trial period, when over 600 mobile phones were subject to cyber kiosks.
“Worse still, the police stated that individuals were not informed of their rights when mobile phone extraction technologies were used on their devices, no impact assessments were carried out, and they failed to answer whether there existed any independent oversight,” she said.
Expert group to advise Police Scotland
Police Scotland said in written evidence that it was developing a robust framework, which would include an equality and human rights impact assessment, and privacy impact assessment, before operational deployment.
Burnett said Police Scotland planned to create an “external reference group” of experts to advise on the use of kiosks, which would include a representative from Privacy International.
The force planned a “show and tell of the device”, and would provide an opportunity to discuss planning.
The technology is due to be rolled out in August, but would only get the go ahead after the reference group had done its work, she said.
Privacy International wrote to Michael Matheson, the cabinet secretary for justice in the Scottish government on 4 May, raising concerns that there was no clear legislatory framework for cyber kiosks.
The letter said that it was a matter of concern that police were taking data from people’s phones secretly, without them being informed and without a warrant.
“Without any kind of record-keeping or national statistics, abuse of this technology and unfair targeting of minority groups is likely to go unnoticed,” it said.
Read more on Privacy and data protection
Data protection watchdog calls for controls on police mobile phone stop-and-searches
Police use of facial recognition ‘unjustifiable’, says Scottish Justice Committee
Scottish police roll out controversial data extraction technology
Scottish Justice Committee wants extra powers for biometrics commissioner