Imagine that you see a petty crime happen on a city street. You are the only witness. As an innocent citizen who saw a crime, you want to chime in about what you saw. Hopefully, if you do, they can catch the guy and the victim can get their stuff back along with some justice for the crime done. The police don’t want to ask you much – they want your phone. Not only that, but they can connect it to a new device that downloads everything from your phone – including passwords, photos, deleted messages, browsing history… everything.
“…police are doing it at a massive scale without warrants, without informing or asking people, without any regulation, without any clear legal basis…” – Millie Graham Wood, Privacy International
This is what is happening right now in the United Kingdom. Police have been using technology to do just that in the name of solving a crime but without any checks and balances, without a protocol for deletion of data after a crime is solved, and no independent oversight to ensure citizens are protected as their personal information is given over indefinitely.
Privacy lost (no warrants necessary)
The information that U.K. police are extracting from cell phones includes anything and everything – photos, chat history, emails, call logs including locations and contact information for everyone you’ve spoken with, phone passwords, deleted web browsing history, deleted conversations on encrypted apps – all without a warrant. The privacy lost with extraction doesn’t only affect the owner of the cell phone, it also incriminates anyone that cell phone user ever interacted with.
Their privacy is lost simply by association with someone involved in, or witness to, a crime.
Privacy International, a UK-based privacy rights organization, filed a formal complaint based on the legality of the data extraction practiced by the current police regime with the Information Commissioner’s Office, Home Office, and the Independent Office for Police Conduct. Within the complaint, Privacy International takes a stand for urgent reform of what they call a “totally unregulated, potentially discriminatory and unlawful” practice.
The campaign group also issued Freedom of Information Act (FOIA) requests to 47 police offices across the UK. The FOIA requests are available for the public to request information on federal agencies that is not publicly available. Through these requests, Privacy International learned what police are extracting from phones without a warrant. The deleted messages can be recovered because the messages are not really taken off the phone’s internal memory.
On April 26, 2018, Privacy International formally complained to the UK Information Commissioner that the practice is illegal and called for reforms on this unregulated and potentially discriminatory cell phone data extraction practice.
How the data extraction works
Remember a few months ago when news broke that an Israeli company could crack any phone?
Here was a headline from February 2018:
Now fast forward to today…
The technology that enables this data extraction comes from the Israeli company Cellebrite. With this breakthrough technology – and the apparent legal green light – police are now extracting information from the phones of suspects, witnesses and even victims of a crime.
Here’s how that works:
As you can see, this simple device can suck up everything on your phone.
Unfortunately, the UK Police have no clear protocol for deleting the data they extract. Even worse, they can begin extracting the data from an individual at the moment of arrest, whether they are guilty of the crime or not. Errors are inevitable in the fact-finding process, but this time the stakes are higher with reams of incriminating data easily at the fingertips of authorities (and their partners).
With such a powerful tool for data extraction, we can likely assume this is being used by authorities around the world. And despite reassurance from Apple or Android, it appears that anything on our phones is now accessible, even if you are using encrypted messaging apps like Signal.
With this in mind, perhaps it is time to give up the “smart phone” in exchange for an older model that does better with privacy. Of course, the convenience factor would be an issue for most people.
Legal in the US?
This practice would likely require a warrant in the United States. However, evidence suggests that while the U.S. may require warrants for such a search, the government can get around this by hiding how police got their information to investigate suspects – whether illegal or legal.
The use of the Stingray device comes to mind, which authorities have used for warrantless cell phone surveillance.
Back in the UK, the potential for abuses runs high with a system of intrusive surveillance without the proper checks and balances.
Meanwhile, British police are defending their practice by referencing legislation which they believe justifies warrantless data extraction.
PACE Act
The Police and Criminal Evidence Act (PACE) is the legislation that the UK Metropolitan Police argue supports their mobile data extraction practices. Here is their justification for these practices:
A victim is always at the heart of an investigation, and in the majority of cases permission will be sought to obtain data from devices such as mobile phones. The officer using the kiosk will then extract only very specific data.
There will, however, be occasions where consent cannot be obtained. For example, where a witness has filmed a murder on their mobile phone but refuses to co-operate with police; or where a victim of domestic abuse does not wish to assist police. Under these circumstances, it may be possible for police to use their powers under PACE to seize and examine this information.
According to the former Greater Manchester Police Chief Constable, Sir Peter Fahy, seeking a warrant every time that police want to search a phone was “just not practical”.
In other words, practicality trumps your right to privacy.
Flashback: UK Snooper’s Charter
And as just a brief reminder, let us not forget about the infamous Investigatory Powers Act – aka the Snooper’s Charter. In late 2016, the bill became law, forcing UK web and phone companies to collect users’ browsing history. Although it was dubbed “world-leading legislation” that provided “unprecedented transparency and substantial privacy protection”, privacy advocates feared it would lead the world closer to authoritarian regimes justifying their own mass surveillance practices. Under the law, your browsing history is stored for 12 months and accessible by many different agencies (without a warrant).
Those living in the UK would be wise to use a UK VPN to encrypt and anonymize their online activity, as well as other privacy tools.
So the current practices of warrantless data extraction using the Cellebrite device perfectly align with the bigger trend. Privacy in the UK is lost – protect yourself accordingly.
Is there a phone you’d recommend for privacy and security? I don’t care about bells and whistles and I’m willing to purchase a really old model if it means more privacy. I checked the archives and found nothing. Thanks for your work! This site is a godsend.
Maybe a PinePhone.
https://www.pine64.org/pinephone/
Most people in the UK, like anywhere, are too stupid to realize the extent to which the state spies on people or their use of everyday items, exposes them to all kinds of data mining, used by big government, big tech, big finance & big business…one aspect that might be worth a mention is ancestral DNA gathering, which I’m sure with the recent case in California, where it was used to catch a long time rapist, but I’m sure barely even scratches the surface.
Hell, even your postbox…being registered to vote & having your name/address public.
Everything from credit check agencies, mobile contracts, ISP, contactless payments, debit card use for everything…if you do this, your life is an open book.
Most people don’t care however & think it’s just normal & have no future-time orientation to comprehend that crime isn’t just the fact, but what those in charge will consider your intent that runs counter to a cultural/political agenda that could be made into a crime, whether you’re a s**t-posting YouTuber, making a dog do a Nazi salute in Scotland or a professor criticizing mass-migration using statistical evidence, like in Sweden & those goal posts will move however it suits the establishment.
That for me, is the biggest reason to do your utmost to protect your privacy, George Orwell’s 1984 isn’t just a fictional dystopia, it is slowly rolling towards it.
For those of you from the UK or even if you’re not, consider everything you pay for & how you pay & how you interact with everything, it’s not always practical, but nothing is ever simple when it comes to taking control of your own life & don’t ever give up on your loved ones who don’t think it is important.
The ancestral DNA issue is a great point, Richard. I’ve seen arguments that these tests are not reliable and then there is also the privacy aspect as well. And who knows about the people running these DNA testing companies and what they’re doing with the information…
https://thefreethoughtproject.com/ancestry-com-caught-sharing-dna-information-police-warrant/
This comment is worth noting:
“The genetic information provided by our DNA customers is personal and we have strict standards in place to protect their identities and the integrity of their data. These standards are our first priority. On occasion when required by law to do so, and in this instance we were, we have cooperated with law enforcement and the courts to provide only the specific information requested but we don’t comment on the specifics of cases.”
Translation: “We’ll hand over anything they ask without a name on it because it’s too expensive to contest it. Don’t expect us to ever mention we ‘cooperate’ with law enforcement, because that would be bad for our business model & we don’t want to spend money on lawyers, because our priority is profit, not your privacy.”
That is one of a few we know about. Personally, if I was running a company like this, I’d make my USP the fact that all data is held on a server which only the client can access & the physical data & once tested, is destroyed, unless the client wants it returned.
That way, if ever government/law enforcement forces you to keep records of clients’ DNA, you can change your TOS & state it publicly that you’ve been forced by government against your own business model & conscience & that lets the public know the direction the country is heading in.
Another point to make is the motives of bad actors: If one person inside a company is paid or coerced by the state to hand over data without the consent of even the management…it’s happened many times with phone companies giving out politicians’ & celebrities’ phone numbers to tabloid newspapers…point is, if your name is on it, well…you get the point.