What is the problem

Personal, often highly sensitive, data is exposed by the routine use of mobile phone extraction technology. Such intrusive technology allows investigators to see at a glance a persons’ location history, who they speak to and when, and potentially vast amounts of other revealing information.

What is more the use of MPE can take place in secret, without individuals being informed that content and data from their phone is being downloaded and stored indefinitely by the police. We are concerned police and other authorities use this intrusive technology without clear legal basis, effective safeguards, or independent oversight. Without clarity as to how the data extracted is stored, secured, audited, or if it’s ever deleted.

A consequential lack of record keeping or national statistics means that any abuse of this technology or unfair targeting of minority groups is likely to go unnoticed.

Why it matters

Smartphones are akin to a real-time diary – recording where you’ve been, with whom you’re chatting and about what, your worries and concerns (as shown by your search history), and depending on the apps you use perhaps even your sex life or menstruation patterns. For many people, the sum total of their lives can be gleaned from access to their phones.

They are also a repository of information over which the user has no control such as system data, is unlikely to be aware has been retained such as deleted data, and has been automatically stored to the cloud such as images received via WhatsApp.

Mobile phone extraction enables the collection and retention of vast quantities of communications data and content data, including personal and sensitive data of both the device user and many others with whom the user interacts.

Due to the untargeted nature of the data collected by MPE (and technical difficulties with targeted extraction), it can also include items subject to legal privilege, journalistic material, or other protected data.

What is PI doing

We want to ensure there is transparency and clarity as to the legal basis for use of intrusive extraction powers. We want individuals to be given effective legal rights in relation to their mobile phone data. We want law enforcement and other authorities to gather information in a way that complies with relevant data protection legislation and use forensically sound practices to ensure reliability of extracted data.

In summary:

  • Data must only be taken when necessary and proportionate and pursues clear lines of enquiry;
  • Police must delete these data when there is no legal reason to retain it, particularly if they are innocent of any crime;
  • Data must be held securely to prevent exposure of personal data as a result of loss of records, misuse or security breach.

PI has taken legal action to demand transparency and regulation of mobile phone extraction technologies. We are calling for the use of this intrusive technology to be properly regulated, with independent oversight so that abuse and misuse does not go undetected.

In 2018 PI submitted a complaint to the ICO regarding the use of MPE technology by police forces. As a result, in June 2020 the UK’s Information Commissioner’s Office issued a long-awaited and critical report on Police practices regarding extraction of data from people’s phones, including phones belonging to the victims of crime.

In March 2021 the UK government has put forward the Police, Crime, Sentencing and Courts (PCSC) Bill, which contains a legal measure focusing on mobile phone extraction. We believe that this new legal measure fails to safeguard individuals’ data and privacy rights. As a result, we have filed submissions to the Joint Committe on Human Rights. We are calling for numerous amendments to the Bill, and for a public consultation on the Code of Practice in relation to data extraction.

Notes and Links