Police Scotland has admitted it did not fully consider the privacy or human rights implications of new mobile phone analysis tools set to be used throughout Scotland, despite spending over a million pounds on them.
MSPs grilled officials from Police Scotland and the Scottish Police Authority this week about the purchase and use of cutting edge technology at Holyrood this week.
During the May 10 session of the Justice Sub-committee on Policing at the Scottish Parliament, officials admitted that a trial of ‘kiosks’ used for analysing mobile phones in 2016 was conducted without proper training, guidance or policy in place to support it.
The kiosks, produced by Cellebrite, allow officers to access data held on mobile phones even if the device is password protected and encrypted.
Following the trial, Police Scotland spent more than £1m on a suite of hardware and software tools to allow more officers to access data on mobile phones.
MSPs on the committee were critical of the purchase given that no formal assessment has yet been made by Police Scotland on the privacy or human rights impact of expanding the use of the technology.
John Finnie MSP, Convenor of the committee, argued that committing to such a large spend on hi-tech tools was “putting the cart before the horse.”
He said: “What if the human rights assessment said that there were implications and we’ve already had that expenditure of a million pounds?”
The 2016 trial saw more than 600 phones or sim cards analysed by police officers in both Edinburgh and Stirling.
It emerged at the committee meeting that no owners of devices involved in the trial were told their phones would be analysed and Police Scotland could not confirm how many phones were analysed with a warrant.
Detective Superintendent Nicola Burnett admitted that the kiosks allow data from a phone to be downloaded directly by officers to a disk, without the devices needing to be sent to specialist digital forensics labs. She also conceded that Police Scotland were “still looking at how those disks can be encrypted.”
Johnson was particularly critical of claims form officials at the committee that the new tools that Police Scotland sought to use were not significantly different to those the Police have used for decades.
He said: “You say that these kiosks don’t provide you with any new powers, that you’ve had the technology since the 1990’s, but do you not recognise that the information contained on these devices now has exploded exponentially and is a degree of sensitivity and personal nature that is just not comparable to the data captured on sim cards, which is what you were referring to in the 1990’s?”
“Giving officers the ability to look at that data as a matter of routine requires additional sensitivity.”
Liam MacArthur MSP said he shared concerns over a lack of preparation ahead of the introduction of the new technology, adding: “The concern would be when you move this technology closer to the front line, then the use of it will increase.”
Last year The Ferret revealed the number of mobile devices analysed by Police Scotland had been steadily increasing. In 2016, officers analysed at least 12,000 devices.
In reply to questions by The Ferret following the meeting, Mathew Rice, Scotland Director of the Open Rights Group, said the public deserved better from Police Scotland.
He said: “Our phones contain so much about us. From our contacts, our chats from applications like WhatsApp and iMessage, call logs, calendars, passwords, unlock patterns, even deleted items like photos, these “cyber kiosks” appear to be able to access much of our private lives.
“Police Scotland’s inability to answer even basic questions about their use of “cyber kiosks” is deeply troubling.
“Proper policies, impact assessments and consultation should have taken place before the police spent hundreds of thousands of pounds purchasing the equipment. The Scottish public deserved better than a rubber stamped trial scheme.”
Open Rights Group are not the only civil society group to raise concerns over the Police use of mobile phone analysis technology. In written evidence to the committee Privacy International highlighted the lack of clear regulation in this area.
They said: “There is no clear legislation, policy framework, regulation or independent, oversight in place for the police’s use of this technology, and to protect the public from abuse of this technology.”
The Privacy International submission also highlights an investigation into North Yorkshire police forces use of similar technology. There the probe found evidence that poor training undermined prosecution of serious crime offences and that sensitive data obtained from the kiosks was lost.
In response Steve Johnson, Assistant Chief Constable Specialist Crime and Intelligence, said: “Cyber kiosks provide specially trained officers with the ability to triage lawfully seized devices, reducing the number which are required to be forensically examined, and reducing the inconvenience to a witness or victim of retaining a device which, on later examination, has no evidential value.
“No data is retained by the kiosk. In situations where a large amount of specific data from set parameters is available, the device has the capabiility to copy this to an encrypted disc for later viewing.
“As part of our ongoing engagement ahead of deploying cyber kiosks across the country, we are developing our policy and procedures around their use. If we utilise the facility of copying data to a disc this would be strictly managed as potential evidence.”