Data protection watchdog calls for controls on police mobile phone stop-and-searches

Digital stop-and-search

Police use of mobile phone extraction (MPE) to investigate crimes has accelerated in recent years and has now become the default tool for police investigators, the ICO found.

Investigators use specialist hardware and software, known digital device triage systems or “kiosks” from Israeli company Cellbrite and other manufacturers to extract data from mobile phone software.

More intrusive level 2 searches allow investigators to retrieve deleted data, and level 3 searches may involve a full forensic examination of the phone’s hardware.

The ICO found that police forces were using mobile phone data extraction as the default investigative tool before considering other reasonable lines of enquiry.

It raised concerns that investigators may use mobile phone extraction kiosks for opportunistic “fishing expeditions”.

Consent forms issued by the National Police Chiefs’ Council do not make it clear to the public what the lawful basis is for extracting data from their mobile phones, the ICO said.

And it was not clear that police forces had put policies in place to ensure they were considering indviduals’ right to privacy and family life, as required by the European Convention on Human Rights.

Studies show that during times of high trauma, such as a serious violent or sexual offence, it is unlikely that a victim will be able to make an informed, rational decision to give consent to the police to analyse their mobile phone data, the report said.

Intimate personal data

Mobile phones hold an enormous amount of intimate personal data, including details of the owner’s location, browsing history, Wi-Fi connections, and credentials that allow access to their personal data stored on cloud services.

Phones are also likely to contain sensitive data about people who have exchanged information with the mobile phone owner, including their personal data, videos and photographs, which will often have been placed on the owner’s phone without their knowledge.

The ICO said data extracted from mobile phones can help police to acquire evidence to support a criminal investigation, including providing details of an individual’s actions, movements and state of mind.

But it warned that police must take into account an individual’s human rights and comply with laws governing the use of personal data and investigatory powers. “The level of intrusion into individuals’ privacy must be necessary and proportionate to the matter being investigated,” it said.

“People may feel less inclined to assist the police as witnesses or to come forward as a victim, if they are concerned that their and their friends’ and families’ private lives will be open to police scrutiny without proper safeguards.”

Investigating officers can search data extracted from phones, such as names, dates, phone numbers and phrases, but the ICO said it was not clear that there were procedures in place to document how that data would be relevant to particular lines of enquiry.

The use of mobile phone extraction has caused controversy in rape cases, where victims are routinely asked to hand over their mobile phones for analysis.

According to a report by HM Crown Prosecution Service Inspectorate, it can take 11 months to complete a forensic analysis of a phone in a rape investigation, causing significant delay in bringing prosecutions.

It found that Crown Prosecution lawyers failed to be specific about what data they needed from mobile phones, leading to the default position that prosecutors requested as much data as possible.

This led to prosecutors extracting and processing vast amounts of data about individuals of no relevance to investigations, the ICO said.

“It is critically important that individuals who have been a victim of or witness to crime do not suffer further distress due to unnecessary intrusion into areas of their life that they have a reasonable expectation would be kept private,” said the report.

One rape victim told a review by London’s Independent Victims Commissioner that she felt fearful of handing her phone over to the police. “A mobile phone is just too personal and there is just way too much information on it which is irrelevant to the crime committed, but will nonetheless be used to humiliate and discredit me,” she said.

There was no evidence that forces were attempting to delete non-relevant sensitive personal data once it had been obtained, the ICO found.

Lack of encryption

The report found that not all of the kiosks used to extract data are able to encrypt to prevent unauthorised access.

Police store extracted data on CDs, DVDs or USB drives, but some forces have created secure servers to store information.

Other forces are using analytical tools that allow rapid searching, visualising and analysis of data extracted from multiple devices.

“While we saw no evidence of this, there is clearly the potential for this data to be merged and cross-analysed with other datasets held by police,” said the report. “Such further processing would raise significant privacy concerns.”

The ICO found there was a lack of consistency between forces over the oversight needed for digital phone searches. It was not clear that all police forces were considering the need for strict necessity and proportionality before downloading sensitive data, it said.

It said there is a power imbalance between the state and an individuals. Witnesses may be concerned that if they fail to hand over their phones, it will impact the progress of their case, the ICO warned.

Privacy International described the ICO’s report as a step in the right direction. “MPE technology should only be used where it is strictly necessary,” said Bakina. “Otherwise, the police risk diminishing public confidence in the criminal justice system.

“Currently, there is no clear policy guidance or independent, effective oversight for the police’s use of MPE technology. Considering the extensive use of mobile phones in our everyday lives, and the significant amount of sensitive personal data stored on them, the public need to know that there are rules and safeguards in place – otherwise the police are left to make up their own rules.”

Claire Waxman, London’s Independent Victims Commissioner, said that she had written to the Information Commissioners’s Office about the “serious concerns victims have had about excessive requests and processing of data from their mobile phones”

“It’s clear that the criminal justice system has lost sight of reasonable and proportionate requests and the legislation has not kept pace with technology,” said Waxman. “The sheer amount of personal and sensitive information we now have on our phones means that the current laws are no longer fit for purpose, and we need the Government to urgently review legislation.”

The National Police Chiefs' Council, Crown Prosecution Service, and the College of Policing said in a joint statement that “police investigators must balance the need to follow all reasonable lines of enquiry, guaranteeing a fair trial, with the need to respect privacy. "

"We thank the Information Commissioner for this detailed and thoughtful report which acknowledges the complexity of this issue, and the growing volumes of data which exist in criminal cases. We will now carefully consider the recommendations of the report," they said.