Police Scotland has failed to meet official standards for gathering evidence from mobile phones four years after a watchdog first asked it to make improvements, says a new report.
The force examines thousands of electronic devices such as mobile phones and iPads each year as part of evidence gathering. The gadgets are analysed at so-called cyber-kiosks in police stations, or sent to specialist digital forensic hubs for detailed examination.
The data extracted from devices include contacts, photos, emails and private messages.
But concerns that Police Scotland may have broken data protection and human rights laws by introducing cyber-kiosks sparked a probe by the Scottish Parliament and the UK Information Commissioner.
Now a report from the Information Commissioner’s Office (ICO) into Police Scotland’s digital forensic labs has concluded the force has failed to meet key standards. It said the force “cannot demonstrate to externally validated standards that it is using extraction methods which produce reliable results.”
In response to the ICO’s report critics warned that public trust is at stake. One said society “must be reassured as to the reliability of such extracted data and the risks of miscarriages of justice.”
The concerns raised by the ICO come after the reliability of evidence produced by Police Scotland cyber-kiosks was also called into question by the head of the organisation that maintains the popular messaging app, Signal.
No independent certification
In England and Wales police forces must meet standards set out by the Forensic Science Regulator when they gather evidence from mobile devices.
These rules do not apply to Police Scotland, but in a 2017 report HM Inspectorate of Constabulary in Scotland (HMICS) recommended that Police Scotland should adopt the same standards.
HMICS said that Police Scotland should also seek independent certification of their digital forensic services “in order to support effective public performance reporting and assurance.”
Now, fours year later, the Information Commissioner has warned that no progress has been made on the HMICS recommendation.
In its latest report the ICO notes: “Police Scotland is yet to address this [HMICS] recommendation,” and that “the force stated that it is seeking approval and funding for the work necessary to achieve accreditation.”
The ICO report also found the privacy information provided by Police Scotland could be “confusing” and it noted that none of the information related specifically to digital forensic work undertaken by the police.
“This documentation would benefit from detailed review and revision to ensure it is sufficiently clear and consistent,” the report concludes.
Commenting on the ICO findings, Scottish Liberal Democrat justice spokesperson Liam McArthur MSP said technologies play an important role in bringing people to justice.
He added: “But they are not fool proof, and if used without due process can lead to huge reservoirs of deeply personal information resting in the hands of people who don’t need them.”
McArthur argued that Police Scotland have been “slow off the mark” in putting checks and balances in place to make sure new technologies are used in a “proportionate and fair manner”.
He continued: “The legality of cyber kiosks wasn’t properly investigated until parliamentarians started asking questions. Lessons haven’t been learned if similar problems are repeating.
“Just because data collecting is now part and parcel of policing doesn’t mean it should happen without the checks to back it up. Privacy and justice cannot fall victim to bickering over budgets between the Scottish Government and Police Scotland.”
His concerns were echoed by Camilla Graham Wood, of Privacy International UK. She warned: “The delivery of justice is dependent on the integrity and accuracy of evidence and trust that society has in it.
“The use of mobile phone extraction is highly intrusive. If we are to entrust vast amounts of highly personal data to the police, we firstly must be reassured as to the reliability of such extracted data and the risks of miscarriages of justice.”
The Information Commissioner Elizabeth Denham said: “People are right to expect that the police will treat their personal information fairly, transparently, and lawfully, and that only data that is necessary will be taken. The ICO will continue to push for critical changes to ensure compliance with the law.”
Police Scotland said it was “carefully considering” the report from the Information Commissioner’s Office.
Assistant Chief Constable Pat Campbell said: “We have received the report from the Information Commissioner’s Office and will carefully consider its contents and recommendations.
“Police Scotland had already undertaken work in advance of the report’s publication and I am pleased that it has acknowledged the spirit in which our senior leadership engages with external scrutiny, and that it is confident that we understand the importance of accountability.
“We have already started the process of moving towards ISO accreditation across the whole of our Digital Forensic Estate.
“We are committed to providing the best possible service to the victims of crime and witnesses. However, we are acutely aware of the valid concerns around the use of personal data. So our use, or proposed use, of technology will continue to be subject of extensive consultation with external reference groups.
“The service is developing a governance framework and have additional layers of scrutiny in place around all our digital extraction data. This will balance requirements to comply with data protection and privacy regulations, ensure fair and reasonable data usage, maximise the use of data for public good and ensure legitimacy of the police service.”
A Scottish Government spokesperson said: “These are operational matters for the Chief Constable and it is for the Scottish Police Authority and Police Scotland to ensure they exercise their powers in accordance with the law.
“It is important that police officers are equipped with the necessary technology to ensure they can keep us safe. The Scottish Government increased investment in policing this year by £60.5 million to more than £1.3 billion, with an additional £15 million specifically to mitigate the impact of COVID-19 on the policing budget.
“It is also important that the public have absolute confidence in how their data will be collected or retained. All forensic techniques, the use of supporting technologies and the consideration of the use of emerging technologies should be undertaken lawfully, effectively, ethically and subject to appropriate governance.”
Mobile Phones | CC | Jon Fingas | https://flic.kr/p/goVRFZ