Imagine that you see a petty crime happen on a city street. You are the only witness. As an innocent citizen who saw a crime, you want to chime in about what you saw. Hopefully, if you do they can catch the guy and the victim can get their stuff back along with some justice for the crime done. The police don’t want to ask you much – they want your phone. Not only that, but they can connect it to a new device that downloads everything from your phone – including passwords, photos, deleted messages, browsing history… everything.
“…police are doing it at a massive scale without warrants, without informing or asking people, without any regulation, without any clear legal basis…” – Millie Graham Wood, Privacy International
This is what is happening right now in the United Kingdom. Police have been using technology to do just that in the name of solving a crime but without any checks and balances, without a protocol for deletion of data after a crime is solved, and no independent oversight to ensure citizens are protected as their personal information is given over indefinitely.
Privacy lost (no warrants necessary)
The information that U.K. police are extracting from cell phones includes anything and everything – photos, chat history, emails, call logs including locations and contact information for everyone you’ve spoken with, phone passwords, deleted web browsing history, deleted conversations on encrypted apps – all without a warrant. The privacy lost with extraction doesn’t only affect the owner of the cell phone, it also incriminates anyone that cell phone user ever interacted with.
Their privacy is lost simply by association with someone involved or witness to a crime.
Privacy International, a UK-based privacy rights organization, filed a formal complaint based on the legality of the data extraction practiced by the current police regime with the Information Commissioner’s Office, Home Office, and the Independent Office for Police Conduct. Within the complaint, Privacy International takes a stand for urgent reform of what they call a “totally unregulated, potentially discriminatory and unlawful” practice.
The campaign group also issued Freedom of Information Act (FOIA) requests to 47 police offices across the UK. The FOIA requests are available for the public to request information on federal agencies that is not publicly available. Through these requests, Privacy International learned what police are extracting from phones without a warrant. The deleted messages can be recovered because the messages are not really taken off the phone’s internal memory.
On April 26, 2018, Privacy International formally complained to UK Information Commissioner that the practice is illegal and called for reforms on this unregulated and potentially discriminatory cell phone data extraction practice.
How the data extraction works
Remember a few months ago when news broke that an Israeli company could crack any phone?
Here was a headline from February 2018:
Now fast forward to today…
The technology that enables this data extraction comes from the Israeli company Cellebrite. With this breakthrough technology – and the apparent legal green light – police are now extracting information from the phones of suspects, witnesses and even victims of a crime.
Here’s how that works:
As you can see, this simple device can suck up everything on your phone.
Unfortunately, the UK Police have no clear protocol for deleting the data they extract. Even worse, they can begin extracting the data from an individual at the moment of arrest, whether they are guilty of the crime or not. Errors are inevitable in the fact-finding process, but this time the stakes are higher with reams of incriminating data easily at the fingertips of authorities (and their partners).
With such a powerful tool for data extraction, we can likely assume this is being used by authorities around the world. And despite reassurance from Apple or Android, it appears that anything on our phones is now accessible, even you are using encrypted messaging apps like Signal.
With this in mind, perhaps it is time to give up the “smart phone” in exchange for an older model that does better with privacy. Of course, the convenience factor would be an issue for most people.
Legal in the US?
This practice would likely require a warrant in the United States. However, evidence suggests that while the U.S. may require warrants for such a search, the government can get around this by hiding how police got their information to investigate suspects – whether illegal or legal.
The use of the Stingray device comes to mind, which authorities have used for warrantless cell phone surveillance.
Back in the UK, the potential for abuses runs high with a system of intrusive surveillance without the proper checks and balances.
Meanwhile, British police are defending their practice by referencing legislation which they believe justifies warrantless data extraction.
A victim is always at the heart of an investigation, and in the majority of cases permission will be sought to obtain data from devices such as mobile phones. The officer using the kiosk will then extract only very specific data.
There will, however, be occasions where consent cannot be obtained. For example, where a witness has filmed a murder on their mobile phone but refuses to co-operate with police; or where a victim of domestic abuse does not wish to assist police. Under these circumstances, it may be possible for police to use their powers under PACE to seize and examine this information.
According to the former Greater Manchester Police Chief Constable, Sir Peter Fahy, seeking a warrant every time that police want to search a phone was “just not practical”.
In other words, practicality trumps your right to privacy.
Flashback: UK Snooper’s Charter
And as just a brief reminder, let us not forget about the infamous Investigatory Powers Act – aka the Snooper’s Charter. In late 2016, the bill became law forcing UK web and phone companies to collect users’ browsing history. What was dubbed “world-leading legislation” that provided “unprecedented transparency and substantial privacy protection”, privacy advocates feared it would lead the world closer to authoritarian regimes justifying their own mass surveillance practices. Under the law, browsing histories are stored for 12 months granting agencies access like never before without warrants.
So the current practices of warrantless data extraction using the Cellebrite device perfectly align with the bigger trend. Privacy in the UK is lost – protect yourself accordingly.