In a rapidly evolving digital world, the police and other investigating agencies routinely deploy sophisticated methods of obtaining electronic evidence from mobile phones. Such methods have the potential to raise a plethora of legal and ethical challenges when used by the police.
We now rarely leave home or office without our mobile, carrying the equivalent of a PC’s worth of information around with us. Our mobiles contain a wealth of highly personal data about both ourselves and our contacts, including information establishing our political, sexual and religious identity, as well as our every movement. A mobile will likely contain more information than could be found by searching our home. Understandably, the police, in anything but the simplest investigation, will want to seize, image and examine the contents of a suspect’s mobile.
Many of us have become aware of the sensitivity of the data we store on our mobiles and safeguard this by installing on them sophisticated encryption and hardware technology. Criminals often do likewise and, if compelled to surrender their phones to the police, many refuse to divulge passwords. Such refusals, originally hard to overcome, are driving the police to employ sophisticated surveillance and examination software.
Police powers to seize phones and obtain passwords
We all carry far more information about with us now than was imaginable when the main search powers under the Police and Criminal Evidence Act 1984 (PACE) were promulgated. Under PACE, officers can search, seize and retain data from a mobile phone belonging to anyone who has been arrested on suspicion of committing an offence, provided that they have a reasonable belief that it contains evidence of an offence or has been obtained in consequence of the commission of an offence. Similar seizure powers exist in regard to the execution of search warrants and production orders. Data seized can only be kept for the purpose of a criminal investigation and for use as evidence at trial. The police also have additional powers to seize mobile phones under other statutes, such as the Misuse of Drugs Act 1971 and Terrorism Act 2000.
In the case of a suspect’s refusal to supply police with the necessary passwords once a mobile phone has been seized, Parliament has provided a partial remedy in the form of a written notice served under section 49 of the Regulation of Investigatory Powers Act 2000 (RIPA). This formal demand addressed to the suspect requires him/her to hand over passwords or encryption keys, or to provide unencrypted copies of material (e.g. biometric data such as thumb prints or iris scans). If the suspect persists in their refusal this renders them guilty of an offence under section 53 of RIPA, for which they could be sentenced to up to two years’ imprisonment, and up to five years if the case is one of national security.
However, according to a recent report in The Times, a sizeable number of suspects refuse to comply with this notice because the penalty is less severe than the offences they are being investigated for. The most recent available data from the Office of Surveillance Commissioners also suggests that fewer section 49 notices are issued than might have been expected and, despite the high percentage of refusals to comply, not many cases appear to be prosecuted. The figures for 2014/15 show that there were 37 notices issued, 22 refusals and only 3 prosecutions.
The reason for this appears to be that the police are increasingly able to resort to phone cracking technology, enabling them to override a mobile phone’s password protection.
Phone cracking: Universal Forensic Extraction Devices
An investigation conducted by the investigative magazine “Bristol Cable” revealed that about 28 of the 44 UK police forces use phone cracking technology manufactured by an Israeli company called Cellebrite. The Guardian reported that the Metropolitan Police has widely distributed amongst its officers a Cellebrite product, the Universal Forensic Extraction Device (UFED). It is reported that a UFED can, in a matter of minutes, retrieve data from thousands of different mobile phone models. This data includes text messages, emails, contacts, photos, videos, and GPS data. WhatsApp, Signal and Telegram encrypted chat history databases, and Facebook Messenger are all easily obtainable already.
The ease and frequency of involuntary police access to a mass of any individual’s data should raise concerns that this process is inadequately regulated and may be being carried out by insufficiently policed staff. Given that the need for clear, accessible and proportionate rules governing the retention of personal data has been emphasised by the courts in the context of coercive police powers, the lack of oversight of the use of these devices to extract abundant amounts of data raises very serious legal and ethical questions around proportionality, the extent of searches, and the risk that evidential continuity is compromised. Privacy International have recently argued that the use of data extraction equipment to download information from suspects’ mobile phones should require a search warrant.
The need for adequate controls over the storage and usage of someone’s personal data was underlined by reports that Cellebrite itself was hacked and 900GB of data stolen, including evidence files from seized mobile phones, accessed by Cellebrite’s devices.
The tech world in particular never stands still. Any publicised police breakthrough in overcoming encryption stimulates a counter reaction in a never-ending race to get ahead. This was demonstrated in the FBI’s recent litigation with Apple in the United States, over access to the deceased San Bernardino terrorist’s iPhone 5C. The litigation was spawned by the police and security services’ inability to overcome the encryption software installed in the latest versions of Apple’s iPhones. In this case, the FBI director admitted that they resorted to paying a third party $1.3m for a hacking tool which could access the phone’s data. In a less expensive tactic, the Metropolitan Police were recently reported to have distracted and then snatched a suspect’s iPhone while he was speaking on it. They then desperately and continually tapped the phone to ensure it did not lock before they could download all of its data.
The litigation caused by Apple’s intransigence reflects an emerging conflict between the interests of law enforcement and mobile phone manufacturers. Up until 2013, it was commonplace for Apple to assist the authorities in accessing locked phones. Now, it appears that Apple perceives a greater interest in parading its advanced encryption on iPhones. One winner from this clash is Cellebrite: it announced in late February 2017 that its technology can now unlock iPhone 6 and 6+ devices. This is available via its in-house service only, presumably to thwart Apple’s ability to reengineer the software.
Surveillance devices: IMSI catchers
Another form of technology causing alarm amongst privacy campaigners is the increasing police use of IMSI Catchers (also known as stingrays in the United States). It is understood that at least seven UK forces have purchased this technology.
An IMSI Catcher is an indiscriminate surveillance device that harvests data from all mobile phones within a five-mile radius by presenting itself as a base station amongst the mobile network. The IMSI Catcher enters the network as the most powerful base station available and all mobile phones within that area connect to it. The Catcher then does what it says; it is able to read the text messages, the emails and listen to the phone calls of thousands of people. These devices have also been miniaturised to the point of being easily concealable. No large vans with antennae on the roof are needed. There have even been reports in the United States of their use in industrial espionage, with companies finding Catchers strapped onto lampposts outside their offices.
In the UK, activists allege that Catchers were used at anti-austerity protests by police. Statistics published by the Office of Surveillance Commissioners reveal that 2,070 authorisations for property interference were granted in 2015/16. It is not possible to tell from this how many concern usage of these Catchers. Police forces refuse to confirm their purchase of such devices.
The use of IMSI Catchers can be authorised by a chief constable without having to seek permission from a judge or minister, as their use has been deemed to fall under the Police Act 1997 as an “interference with property”. However, when drafted, this legislation was aimed at the security services planting individual bugs in houses or cars concerning specific individuals.
It is highly questionable whether the use of legislation drafted when mobile phones contained a fraction of the information that they do now provides sufficient oversight and control of the use of these various cracking devices. Legitimate concern should attach to indiscriminate police collection of data from hundreds of thousands of individuals. It is also unclear whether the large amounts of collateral data collected by such devices are automatically deleted, again raising very serious questions about the retention and security of individuals’ data and privacy.