Police Scotland has admitted seizing more than a hundred mobile phones a day, amid mounting calls for ministers to clarify the rules that protect citizens from police snooping.
Police management has been under scrutiny by the Scottish Parliament over the seizure and subsequent forensic analysis of mobile phones, tablets and computers.
MSPs and human rights groups have raised concerns that the police may be overstepping their legal powers when taking devices and searching them, breaching people’s privacy.
A Holyrood inquiry by the justice sub-committee on policing was sparked by concerns over a 2016 trial of so-called “cyber kiosks”, which police officers hope to use to boost their capacity to analyse more phones. MSPs have also probed wider police processes used to investigate phones and computers.
At an evidence session on May 10, Police Scotland officials said they were now seizing more than 40,000 mobile devices per year from people in Scotland – equivalent to more than 100 per day.
Under questioning from MSPs, senior officers admitted that they had a backlog of more than 2,000 devices currently awaiting analysis from specialist officers in five “cyberhubs” around the country.
They said the cyberhubs undertook a more detailed forensic analysis of around 15,000 devices per year. But figures obtained by The Ferret suggest that this number could in fact be even lower.
In response to a freedom of information request, Police Scotland said it couldn’t provide a figure for the number of devices analysed in 2018 or 2017, even though it had released numbers in prior years. The force added that the number of “cases” processed by the cyberhubs in 2018 was around 6,740.
Although officials said each case could include multiple devices, last year just 5,520 cases were categorised on case submission forms as “phone” and 1,240 as “computer.”
Asked to clarify the statistics, a police spokesperson said: “Police Scotland seize around 40,000 mobile phone devices a year but only a small proportion are currently submitted for digital forensic examination.
“As part of that process, we introduced a revised case management system in 2016, and this means that a submission form can relate to more than one device.”
Judith Robertson, chair of the Scottish Human Rights Commission, said that the lack of clear data on the number of devices analysed was a concern.
“While we are not able to comment on the specific numbers provided, it is important that information about police use of cyber technology is collected, monitored and reported in a transparent manner, as part of an oversight and accountability framework.”
Matthew Rice, Scotland director of the Open Rights Group, was concerned about the standard of Police Scotland record keeping. “The trial of cyber kiosks showed that Police Scotland’s record keeping is selective at best,” he said.
“They reportedly seized and analysed over 600 mobile devices and SIM cards in Edinburgh and Stirling during the 2016 trials. However they failed to show whether any of the seizures proved useful, what information was provided to individuals, or the legal basis they used for seizing those devices.”
Rice added: “This does not bode well for the important effort required from Police Scotland to show these powers are used in a limited manner and clearly things have to be improved.”
Robertson and Rice have been joined by MSPs, independent legal experts, police officers and Scottish Police Authority (SPA) officials in supporting the introduction of new rules to govern the police seizure and analysis of mobile phones.
Many highlighted that the laws governing the way Police Scotland seize and analyse mobile devices date back to a time before the ubiquitous use of mobile phones, which have access to large volumes of private and potentially sensitive data.
Following the latest justice sub-committee meeting, Scottish Liberal Democrat justice spokesperson, Liam McArthur MSP, said: “The attempted roll out of cyber kiosks has illustrated perfectly how out of date our legislation is in this area. The truth is we have analogue laws for a digital age.
“At the justice sub-committee, Police Scotland and the SPA both accepted the need for a legal and regulatory framework that is fit for purpose. This will need to balance the needs of the police in fighting crime that is ever more sophisticated with the human rights of citizens.
“Scottish Liberal Democrats strongly support the updating of our laws in this increasingly important area.”
Police Scotland has been under pressure from MSPs to demonstrate that officers are acting lawfully when they seize mobile devices from people for analysis. The Crown Office and Procurator Fiscal Service was asked by the force to set out its interpretation of the law.
Police Scotland also commissioned Murdo MacLeod QC to provide an opinion on the matter. In his evidence to the committee he concluded that the police were acting within the law when they used cyber kiosks to analyse mobile phones.
This led senior officers to claim to MSPs that they now had “legal clarity”. But MacLeod also favoured the introduction of a new code of practice to ensure that the rules around device seizure and analysis were clearer.
“In an environment where the law perhaps struggles to keep up with the rapid advancement of digital technology, it is essential that the right balance continues to be struck between the need for the police to investigate crime effectively and the maintenance of procedural safeguards and rights,” he said.
Police Scotland officers also told MSPs that they plan to roll out the cyber kiosks across the country later in the year following MacLeod’s advice, supported by more than 400 specially trained officers. But critics say that the legal opinion has only highlighted further issues that need to be resolved.
The Open Rights Group argued that Police Scotland cannot rely on the MacLeod opinion to settle the debate over police searches of mobile devices. It “does not give Police Scotland the green light they claim it does,” Rice insisted.
“It is more emphatic in supporting a code of practice or legislation to be passed than it is supportive of seizing and searching electronic devices without judicial warrant, and rightly so. It is only right that proper safeguards are put in place to protect against the arbitrary interference that powerful and invasive technology can so easily cause.”
Rice said that the debate was about more than a legal opinion and that Police Scotland would need to address further issues, such as internal policies, training and data protection issues before the cyber-kiosk roll out begins.
MSPs have also called for further information from Police Scotland.
Green MSP John Finnie, chair of the justice sub-committee on policing, has written to the police officer leading the cyber kiosk roll out, DCC Kerr, asking questions on the extent of the powers that Police Scotland have to seize digital devices. The issues must be resolved before the roll out commences, Finnie argued.
“The legal opinion suggests that there is only a legal basis for searches without warrants prior to apprehension in ‘urgent cases’. Could you please confirm whether Police Scotland agree with this limitation on its power of search and provide details of what would constitute an ‘urgent’ case?” Finnie wrote in the letter on 14 May.
“The legal opinion also suggests that in the case of witnesses or complainers a warrant or consent would be needed to search a device. Could you please confirm whether Police Scotland agree with this limitation on its power of search?”
The Scottish Government has not yet decided what to do. “The Scottish Government is currently considering the Scottish Parliament’s justice sub-committee report on digital device triage systems, and we have noted follow-up evidence from both Police Scotland and the Scottish Police Authority,” said a spokesperson.
“We will submit our own response in the coming weeks.”
How do Police Scotland analyse digital devices?
Police Scotland currently analyses most of the computers and phones it seizes at five “cyberhubs” around the country, but has been criticised for failing to provide information on how these devices are analysed. The Ferret has identified the tools used by specialist officers by submitting requests under freedom of information law.
We have previously reported on Police Scotland’s use of Cellebrite hardware and software to support the investigation of mobile phones and tablets. In 2017, we published evidence that the software could analyse more than 21,000 different devices and 3,000 apps, regardless of whether they were encrypted or not.
The trial and proposed deployment of Cellebrite “cyber kiosks” to police stations around the country has been the focus of MSPs’ concerns over potential breaches of privacy and human rights rules by police.
Court documents filed in the US since 2017 suggest that Cellebrite technology has continued to keep pace with modern device technology and is able to access data on phones such as the iPhone X.
Police Scotland have purchased NetAnalysis forensic analysis software.
This software is designed to help investigators analyse someone’s internet activity. It can recover stored passwords and credit card details, and it can reconstruct websites visited by the users of a device by looking at hidden information such as cookies and other technical data stored by their web browser software.
EnCase Forensic software has also been purchased by Police Scotland. The manufacturers claim it to be the “gold standard in forensic investigations.”
It is said to enable investigators to “crack passwords” and decrypt encrypted data on computer disk drives. The manufacturers say it can access files encrypted with encryption software such as Dell Data Protection, Symantec, and McAfee.
The firm also demonstrates how the software can be used to circumvent locked mobile phones.
Our freedom of information request also shows that Police Scotland have purchased a product called EnCase Portable from the same supplier, which can carry out many of the functions of the Cellebrite cyber kiosks.
According to an independent test of the software by the National Institute of Justice in the US, the product is housed on a USB stick and allows “non-expert” police officers to capture digital data from computers in the field.