Dutourdumonde - Fotolia
The UK’s data protection watchdog has called for reforms of police powers to extract highly sensitive personal data from the mobile phones of suspects and crime victims during “digital stop-and-searches”.
Police forces are using sensitive personal data extracted from mobile phones as a routine tool for investigating crimes when there is often no clear legal basis for doing so, a report by the information commissioner, Elizabeth Denham, has found.
“People expect to understand how their personal data is being used, regardless of the legal basis for processing,” said Denham. “My concern is that an approach that does not seek this engagement risks dissuading citizens from reporting crime, and victims may be deterred from assisting police.”
The commissioner makes 13 recommendations, including a call for a statutory code of practice to govern extraction of mobile phone data, for police forces to delete data that is not relevant to investigations, and for police to buy phone extraction technology with privacy protections built in.
The campaign group Privacy International (PI), which first called for urgent reforms to police “digital stop-and-search” powers in 2018, said the practice had to stop.
Ksenia Bakina, PI’s legal officer, said: “Today’s critical report by the ICO [Information Commissioner’s Office] vindicates what PI has been saying for over two years. The police are taking data from people’s phones, including the victims of crime, without applying proper safeguards.”
Police use of mobile phone extraction (MPE) to investigate crimes has accelerated in recent years and has now become the default tool for police investigators, the ICO found.
Investigators use specialist hardware and software, known digital device triage systems or “kiosks” from Israeli company Cellbrite and other manufacturers to extract data from mobile phone software.
More intrusive level 2 searches allow investigators to retrieve deleted data, and level 3 searches may involve a full forensic examination of the phone’s hardware.
The ICO found that police forces were using mobile phone data extraction as the default investigative tool before considering other reasonable lines of enquiry.
It raised concerns that investigators may use mobile phone extraction kiosks for opportunistic “fishing expeditions”.
Consent forms issued by the National Police Chiefs’ Council do not make it clear to the public what the lawful basis is for extracting data from their mobile phones, the ICO said.
And it was not clear that police forces had put policies in place to ensure they were considering indviduals’ right to privacy and family life, as required by the European Convention on Human Rights.
Studies show that during times of high trauma, such as a serious violent or sexual offence, it is unlikely that a victim will be able to make an informed, rational decision to give consent to the police to analyse their mobile phone data, the report said.
Intimate personal data
Mobile phones hold an enormous amount of intimate personal data, including details of the owner’s location, browsing history, Wi-Fi connections, and credentials that allow access to their personal data stored on cloud services.
Phones are also likely to contain sensitive data about people who have exchanged information with the mobile phone owner, including their personal data, videos and photographs, which will often have been placed on the owner’s phone without their knowledge.
The ICO said data extracted from mobile phones can help police to acquire evidence to support a criminal investigation, including providing details of an individual’s actions, movements and state of mind.
But it warned that police must take into account an individual’s human rights and comply with laws governing the use of personal data and investigatory powers. “The level of intrusion into individuals’ privacy must be necessary and proportionate to the matter being investigated,” it said.
“People may feel less inclined to assist the police as witnesses or to come forward as a victim, if they are concerned that their and their friends’ and families’ private lives will be open to police scrutiny without proper safeguards.”
Investigating officers can search data extracted from phones, such as names, dates, phone numbers and phrases, but the ICO said it was not clear that there were procedures in place to document how that data would be relevant to particular lines of enquiry.
Development of police digital stop-and-search powers
March 2018: Privacy International publishes a report calling for an urgent review into police use of mobile phone extraction and argues that phone search should only be carried out on the basis of a warrant, issued on the basis of reasonable suspicion.
July 2018: The Crown Prosecution Service publishes guidelines on the examination of digital devices.
August 2018: Information Commissioner’s Office launches an investigation into the use of mobile phone extraction (MPE) by police forces.
April 2019: A report by the Scottish Parliament’s justice sub-committee on policing found that plans by Police Scotland to use mobile phone kiosks to extract phone data lacked effective scrutiny and put the rights of the public at risk.
July 2019: London Independent Victims Commissioner Claire Waxman said in The London Rape Review report that it is unacceptable that victims of rape are being told they must sign consent forms to remove their right to privacy to allow huge volumes of their personal data to be scrutinised, so that they can access justice.
December 2019: A report by HM Crown Prosecution Service found that it can take 11 months to complete a forensic analysis of a phone during rape cases, leading to significant delays in investigations.
June 2020: Information commissioner calls for safeguards to protect the public when their mobile phone data is used in police investigations.
The use of mobile phone extraction has caused controversy in rape cases, where victims are routinely asked to hand over their mobile phones for analysis.
According to a report by HM Crown Prosecution Service Inspectorate, it can take 11 months to complete a forensic analysis of a phone in a rape investigation, causing significant delay in bringing prosecutions.
It found that Crown Prosecution lawyers failed to be specific about what data they needed from mobile phones, leading to the default position that prosecutors requested as much data as possible.
This led to prosecutors extracting and processing vast amounts of data about individuals of no relevance to investigations, the ICO said.
“It is critically important that individuals who have been a victim of or witness to crime do not suffer further distress due to unnecessary intrusion into areas of their life that they have a reasonable expectation would be kept private,” said the report.
One rape victim told a review by London’s Independent Victims Commissioner that she felt fearful of handing her phone over to the police. “A mobile phone is just too personal and there is just way too much information on it which is irrelevant to the crime committed, but will nonetheless be used to humiliate and discredit me,” she said.
There was no evidence that forces were attempting to delete non-relevant sensitive personal data once it had been obtained, the ICO found.
Lack of encryption
The report found that not all of the kiosks used to extract data are able to encrypt to prevent unauthorised access.
Police store extracted data on CDs, DVDs or USB drives, but some forces have created secure servers to store information.
Other forces are using analytical tools that allow rapid searching, visualising and analysis of data extracted from multiple devices.
“While we saw no evidence of this, there is clearly the potential for this data to be merged and cross-analysed with other datasets held by police,” said the report. “Such further processing would raise significant privacy concerns.”
The ICO found there was a lack of consistency between forces over the oversight needed for digital phone searches. It was not clear that all police forces were considering the need for strict necessity and proportionality before downloading sensitive data, it said.
It said there is a power imbalance between the state and an individuals. Witnesses may be concerned that if they fail to hand over their phones, it will impact the progress of their case, the ICO warned.
Privacy International described the ICO’s report as a step in the right direction. “MPE technology should only be used where it is strictly necessary,” said Bakina. “Otherwise, the police risk diminishing public confidence in the criminal justice system.
“Currently, there is no clear policy guidance or independent, effective oversight for the police’s use of MPE technology. Considering the extensive use of mobile phones in our everyday lives, and the significant amount of sensitive personal data stored on them, the public need to know that there are rules and safeguards in place – otherwise the police are left to make up their own rules.”
Claire Waxman, London’s Independent Victims Commissioner, said that she had written to the Information Commissioners’s Office about the “serious concerns victims have had about excessive requests and processing of data from their mobile phones”
“It’s clear that the criminal justice system has lost sight of reasonable and proportionate requests and the legislation has not kept pace with technology,” said Waxman. “The sheer amount of personal and sensitive information we now have on our phones means that the current laws are no longer fit for purpose, and we need the Government to urgently review legislation.”
The National Police Chiefs' Council, Crown Prosecution Service, and the College of Policing said in a joint statement that “police investigators must balance the need to follow all reasonable lines of enquiry, guaranteeing a fair trial, with the need to respect privacy. "
"We thank the Information Commissioner for this detailed and thoughtful report which acknowledges the complexity of this issue, and the growing volumes of data which exist in criminal cases. We will now carefully consider the recommendations of the report," they said.
Read more on Regulatory compliance and standard requirements
Dutch police used deep learning model to predict threats to life
NI police unable to delete data seized unlawfully from journalists for 10 years
EU aid funds used to train ‘unaccountable intelligence agencies’ in high-tech surveillance
Scottish police roll out controversial data extraction technology