The danger of digital strip searches Why we all need protection from unregulated data extraction

Now the police are responding to protests from victim support organisations by offering to meet stakeholders to discuss the new consent forms. In a letter designed to reassure them, the National Police Chiefs Council (NPCC) explains:

“When a crime is investigated, police will regularly seize devices of those accused. This is done using police powers and suspects are not required to consent. Coercive police powers are clearly not appropriate for use against complainants and access to their devices should be on the basis of specific, free and informed consent.” 

This does not reassure me, or quiet my alarm bells.

It only serves to confirm my fears that it’s not only victims who should be concerned about police taking powers to download information from our mobile phones in bulk. The truth is that any of us could find ourselves in a situation where the intimate details of our life are uploaded to a police computer. Any of us could be accused of a crime, or simply witness one. All of us should be asking – what are my rights in such a situation?

Just over a year ago, Privacy International – a charity that advocates for strong privacy protections in law and technology – released a report called “Digital Stop and Search; how the police can secretly download everything from your mobile phone”. After months of dogged investigations using the Freedom of Information Act they concluded that “in the UK, police are using highly intrusive technology to extract and store data from individual’s phones, on a questionable legal basis”.

It transpires that the police have been acquiring highly personal information this way for the past ten years. Some forces have downloaded data from tens of thousands of mobile phones – and with no real legal basis for doing so.

The systems used – often “highly intrusive technology”– varies between forces, and not all have used it. But those that did were able to download far more information than even the phone’s owner could access. Deleted and hidden data – location, health, passwords – could be extracted. The contents of WhatsApp messages, which you might assume are private because they are encrypted, have been extracted and used in court. Then there’s all the easily accessible stuff – calendar, contacts, text messages, photographs – right there in the palm of the police officer’s hand. They could find out far more about you from the phone than they ever could from searching your house.

Unlike a physical search of your house, though, these data extraction procedures were carried out without a warrant and without a clearly defined legal framework. Any legal justifications that were offered by those forces that responded to Privacy International’s enquiries were often vague. Their defence relied heavily on PACE, the Police and Criminal Evidence Act of 1984, which Privacy International (PI) describes as “a piece of legislation written long before a phone became a device that could be used as a pocket surveillance tool”.

Following the publication of their report, Privacy International made a number of recommendations: guidance should be issued to the public about their rights; a warrant should be obtained before forensically examining anybody’s smartphone; and there should be independent oversight. They also invoked the principles of necessity and proportionality – and called on the Home Office to launch an independent review.

In Scotland, the report – combined with further investigations by The Sunday Herald – prompted parliamentary scrutiny. It’s the first time parliamentarians anywhere in the UK have called police to account in relation to key issues around data extraction technology. And as a result, Police Scotland, had to put their “cyber kiosk” roll out on hold.

The technology, which allows officers to circumvent passwords or other security measures to access data stored on mobile devices, was being used, according to the sub-committee on policing, by frontline officers “without any human rights, equality or community impact assessments, data protection or security assessments, and in the absence of any public information campaign”. No oversight. No recourse. No boundaries.

Following the publication of the PI report, the Information Commissioner’s Office is now conducting an investigation into “use of data extraction technology on the mobile phones of suspects, victims and witnesses”.

But rather than wait for the results of this enquiry, police went ahead with their consent form, asking victims to consent to a violation of their privacy and human rights or have their case dropped.

Perhaps they are hoping to address both the failures of the disclosure system and the absence of a formal basis for extracting mobile phone data with one form. If so, they’re misguided on both counts.

Lack of data has not the been the problem behind those recent collapsed cases when the disclosure system failed.

One such high-profile rape case was dismissed, for example, after messages between the alleged victim and her friends were found to include positive references to the accused, Liam Allan, and to their ongoing relationship. Mr Allan had been under investigation for nearly two years and the police had gone through the accuser’s mobile phone data – including 57,000 text messages.

The data was in police files, but the human being responsible for going through it failed to find the key material. Since nothing of note was found, they refused requests to hand over the material to the defence, deeming it “not relevant”. The court case collapsed after three days after the data was finally handed over to the defence lawyers and messages from the victim asking for “casual sex” were found.

There’s no use having the information if you don’t know what you’re looking for – the data might as well be a ton of cuneiform tablets. The police don’t necessarily have the capacity or wherewithal to deal with it, and that’s why the disclosure system is flawed – not because they didn’t get their hands on it earlier.

Furthermore, a consent form, signed under pressure, gives us no protection fromunre unregulated data extraction. And this applies to anyone – not only victims. We should all be be insisting on robust regulation and oversight of the “digital strip search”, because this potentially affects anybody who owns a mobile phone.

Naturally, we’re concerned about those companies who want to profile and target us, in order to sell us stuff. But news that being accused of a crime, witnessing a crime, or even being the victim of a crime – or even having been in touch with any of those people – could remove our fundamental right to privacy in the eyes of the law should worry us much more.

Police forces are currently under no obligation to tell people their rights, to inform them of what kind of information will be obtained, or to give them an inventory of what has been downloaded. There are also no limits on how long they can retain the data.

Data from your mobile telephone has power. It could convict a criminal or exonerate an innocent person, whether you are the accuser, the accused, or a witness. Just as the home of a suspect can yield useful evidence, so too can an electronic device.

So while it may be proportionate and necessary to search such devices to solve or prevent crime, before investigators are allowed to enter our digital spaces, we should expect the same protections we are afforded when they search our homes.

Those legal protections not only guard us against incidental misuse of our data, such as security breaches or miscarriages of justice. They also draw a line around our basic right to privacy from the state.

Only a totalitarian regime should require every citizen to be transparent in the eyes of the law, simply to ease police investigations. The presumption of privacy should be the one to which police have to seek exceptions. Like the presumption of innocence in a defendant, it is a universal right because none of us knows when we might be the one to need it.

---