Police Scotland are using an Israeli-based technology firm to crack the security protections on a growing number of mobile phones each year, The Ferret can reveal.
Freedom of information requests show that in the last three years Police Scotland have successfully obtained data from at least 35,973 phones, with each one taking around eight days to analyse. In the same period the police tackled 16,587 computers.
But as mobile devices hold the key to an increasing amount of data about people’s lives, civil liberties groups and academics have called into question whether the laws that regulate police access to mobile phone data are fit for purpose.
Currently, the law allows the police to seize and analyse electronic devices belonging to people if they are detained or arrested for any reason. Even when the device is protected with a password – or PIN code – if the police can bypass this protection without the user’s permission then any evidence obtained is regarded as admissible in court.
Police currently have 56 members of staff dedicated to analysing mobile devices, with growing numbers of staff receiving training in this area each year.
Campaigners say that the police should be required to obtain a warrant each time they search someone’s mobile phone.
Jim Killock, Executive Director of the Open Rights Group, said: “Police Scotland should not be able to analyse mobile phones without a warrant. Full stop.”
“Warrants are essential to ensure that mobile phone analysis is necessary and proportionate, and to ensure that there is public accountability for this practice,” he explained.
For the first time, The Ferret has been able to confirm that Police Scotland use mobile forensics tools provided by a firm called Cellebrite.
Documents outlining the capabilities of Cellebrite tools show the extent of the data that Police Scotland can obtain by physically analysing a mobile device.
This can include location data, messaging data from encrypted apps, emails, photographs and even the passwords to cloud services, such as social networking and business apps that may be stored on the device.
Critics have suggested that even when people voluntarily give consent to police when they wish to analyse a mobile phone, they may not fully appreciate the extent of the personal data that the authorities may then have access to.
Standard operating procedure documents obtained from Police Scotland provide guidance to investigating officers that seek to access cloud services.
Other police procedure documents say: “Only information held on the mobile telephone or SIM card when it was seized can be retrieved during the course of an examination.” But this restriction can be overcome if the owner of the device gives the police authorisation to examine the phone, or the police obtain a warrant.
The Ferret also asked Police Scotland to clarify the types of crimes that were associated with mobile phone analysis, the types of devices analysed, the number of devices they currently held stored data on, and whether the data obtained was encrypted.
In each case Police Scotland declined to provide a detailed answer.
Kath Murray, policing and criminal justice researcher, said that better oversight arrangements may be required as the number of phones being analysed by police increases.
She said: “Although the use of data extraction tools to download information from mobile phones is increasing, there appears to be a lack of clarity as to how the practice is regulated. For instance, if data is retained, is this encrypted and how is it stored?
“The potential to access data stored in cloud services without a warrant also raises questions.
“Mobile data analysis can be instrumental in police investigations; however, the copying and retention of information needs to be balanced with clear, accessible and proportionate rules, as well as robust oversight arrangements.”
Earlier this year, The Ferret reported that the Office of the Surveillance Commissioner had identified a “significant issue” over the way Police Scotland handled material generated by surveillance operations.
In some parts of the country material from concluded investigations was stored for three years. In other places, such as the North Area of the force, it could be kept by Police Scotland for as long as 12 years, even when the material was not required as evidence. They also found a “lack of understanding and consistency of approach by a significant number of staff.”
In one case highlighted by the Surveillance Commissioners it could not be determined whether two disks containing electronic data “should have, or had since been, destroyed.”
Although Police Scotland now say they have improved their procedures, similar concerns have also been raised about how police forces south of the border handle data from mobile phones.
In January, The Bristol Cable revealed that the growing use of mobile phone analysis tools, such as those provided by Cellebrite, had prompted civil liberties campaign group Liberty to call for tighter controls.
Silkie Carlo, a policy officer at Liberty, told the Cable: “It is wholly unacceptable that data extracted is left unencrypted.”
What data can the police get from your phone?
Cellebrite documents give some indication of the range of information that Police Scotland can obtain from the phones and tablets that they analyse.
Release notes for a February 2017 version of the software that powers their analysis devices claim that it can analyse 21,374 different devices and 3,335 apps.
Spreadsheets outlining the precise capabilities of the software suggest that the firm has found ways to access almost all the data stored on the latest Android phones.
It also claims to be able to access Apple’s iPhone 7 from autumn 2016.
Reportedly, the firm can also access messages sent using apps which incorporate some form of encryption and trade on their privacy protections, including WhatsApp, Telegram, Threema and Signal, even if they are installed on the most recent Android phones.
However, the firm stops short of suggesting it can access messages sent with the Signal app on a modern iPhone 7.
Some software from the firm also automates access to data stored in the user’s social media and cloud accounts and helps investigators search across these profiles.
Not all mobile devices can be ‘cracked’
We have also uncovered evidence that Police Scotland struggle to access data on some mobile devices if the owner refuses to hand over their pass code to unlock the device.
As long ago as October 2014, the Office of the Surveillance Commissioner noted in a report into Police Scotland surveillance that the use of a so-called Section 49 Order was ultimately the only way that crime suspects could be forced to unlock their electronic devices, if police experts were otherwise unable to bypass the device’s security protections.
The police can only serve Section 49 Orders on people they suspect of committing a serious crime.
And as a heavily redacted document obtained under freedom of information law shows, the police must also gain the approval of the National Technical Assistance Centre (NTAC), part of the UK Government spy agency, GCHQ, before they can serve a S49 order on a suspect.
If a suspect is found to be in breach of a S49 order in court then they could be jailed for up to five years.
To date, however, no-one has been successfully prosecuted as a result of a S49 order in Scotland, even though Police Scotland have sought a conviction on six occasions.
In most cases, the defendant has been found “not guilty,” suggesting that they unlocked their device for the police at the last minute.
But the Office of the Surveillance Commissioner report suggests that in one case an attempt to convict may have been unsuccessful because the Crown chose not to reveal other “operational information” during the prosecution process.
In 2014, the Commissioner also noted that a successful conviction would be desirable so that the “severe penal consequences of refusal should be made known to the criminal fraternity.”
In response, Detective Chief Inspector Brian Stuart from the Specialist Crime Division said: “Police Scotland can only access someone’s mobile phone if it’s proportionate and there’s accountability, legal authority, necessity and is ethical.
“Information is retained adhering to the UK wide guidelines of managing police information, which is reviewed and audited by appropriate individuals.”
Key source documents referenced in this story are below.
Cellebrite v6 release notes.
Section 49 Process.
Seizure and examination of mobile phones.
Communications Data, Standard Operating Procedure
Devices analysed and staff training
Police Scotland Cellebrite purchase documents