Old Law, New Tech and Continued Opacity: Police Scotland's use of mobile phone extraction
“...a mobile device is now a huge repository of sensitive data, which could provide a wealth of information about its owner. This has in turn led to the evolution of mobile device forensics, a branch of digital forensics, which deals with retrieving data from a mobile device.”
The situation in Scotland regarding the use of mobile phone extraction has come a long way since the secret trials were exposed. The inquiry by the Justice Sub-Committee, commenced on 10 May 2018, has brought much-needed transparency and has interrogated the use of cyber kiosks prior to their deployment. Without this inquiry, impact assessments would not necessarily have been carried out, the deficiencies in the legal basis would not have been exposed and the public would have less knowledge about the use of highly intrusive technology.
Yet in many respects the inquiry has led to more questions than have been answered. As we set out in our submissions, the use of cyber crime hubs remains opaque and the cyber kiosks have capabilities that could be used but have not been sufficiently clarified.
Mobile phone extraction technologies present great risks to privacy. Inappropriate use will be in breach of data protection and human rights safeguards, and insufficient consideration has been given to the implications, from the point of view of forensic science, of police officers using new technologies to carry out digital forensics. There are risks relating to the quality and reliability of evidence, as highlighted by the House of Lords Science and Tech Committee report into forensics, published May 2019.
It has been said repeatedly by Police Scotland that investigations increasingly have a digital element.
“Within the UK alone there are over 51 million Smartphone users, which number is growing every year. In 2017, Police Scotland reported that over 40,000 mobile devices were seized. 90% of those submitted for examination were Smartphones….”
These figures are only going to rise. This fact alone is a stark reminder that the law must be sufficient to deal with new realities.
The key question is whether there is a lawful basis for Police Scotland to use cyber kiosks. The resounding outcome of the Justice Sub-Committee’s inquiry and the submissions from the External Reference Group is that the legal basis upon which Police Scotland seek to rely is deficient. In this context it is deeply regrettable that the Cabinet Secretary for Justice is not willing to take a more proactive role or instigate any actions by the Scottish Government to tackle this issue.
On the one hand we have Police Scotland, who believe they have a legal basis but have no law-making powers; on the other, the Government, which could push for a sound legal basis, appears prepared to leave resolution of the issue to the courts – a time-consuming and costly exercise which is not to the benefit of any of the parties which have been willing to engage in an open and constructive dialogue through the Committee inquiry and the External Reference Group.
Privacy International believe that not only do we need transparency and accountability, but in order to protect the public we need robust safeguards. In particular, Privacy International believe that consideration of the need for a warrant is of the utmost importance. Unfortunately, we are yet to see adequate safeguards put in place.
In our submissions we look at the background to the inquiry including the failure of Police Scotland to originally carry out impact assessments; review our understanding of the functioning of mobile phone extraction technologies and the cyber kiosks and cyber crime hubs in Scotland; highlight issues relating to security and digital forensics; and examine the problems with the existing legal framework.
We are grateful to the Justice Sub-Committee on Policing for pursuing their inquiry and encourage ongoing critical examination of the use of new technologies by the police. We note that Police Scotland have now committed to a Post Implementation Review of Digital Triage Devices approximately six months following roll out.
We acknowledge the engagement by Police Scotland in the process and believe that police forces in the rest of the UK would do well to note the value of this experience, even if we have reached a conclusion to the process which we deem unsatisfactory, given the points regarding lawfulness.