Wednesday, 1 May 2019

UK cops are secretly harvesting all data from the phones and cloud accounts of suspects, victims and witnesses and insecurely storing it forever

Privacy International's blockbuster Digital Stop and Search report details how British police forces have quietly procured phone-searching tools (including mobile "kiosks" that let them probe devices in the field), often from companies with a track-record of abetting some of the world's worst human rights abusers, and they use these in secret to capture all the data they can from phones taken from suspects, victims and witnesses.

The guidance on the use of these tools is patchwork and incomplete (and many forces wouldn't disclose whether they had any procedures in place for their use). Many services retain the data they harvest indefinitely, and some have been caught storing (and losing) the data without encryption: for example, in 2017 the Greater Manchester Police were found to have lost data from victims of violent and sexual crimes, which had been stored unencrypted on DVDs and sent through the post.

Some of the tools they use have the capacity to crawl cloud accounts connected to mobile devices as well, bringing in data stored off the phone as well as the data stored on the phone. Some tools, like those provided by the notorious Israeli-founded, Japanese owned Cellebrite, can sometimes access encrypted data on devices.

Police forces rarely if ever inform people that they've had their data taken, and they provide no information on which data they've taken nor on how it's being used nor on how it's being stored.

Police do not obtain warrants before searching phones.

Police in the UK have now told survivors of sex crimes that their cases will not be pursued unless they surrender their phones.

Searching a mobile phone is not like searching a home or even a physical body search. A phone search is far more exhaustive, because of the vast amount of personal data that we now store on our devices. Modern mobile phones are not just phones, but mini computers that hold thousands of pictures, videos and apps and track our location, all of which can reveal so much about us, and potentially even our friends’ and family’s political, sexual and religious identities.

Given the sensitive nature and breadth of data stored on mobile phones and other electronic devices, Privacy International believes that PACE is insufficient and outdated to justify its wholesale extraction. There must be a clear legal basis for such action, national and local guidance, and the police should be required to obtain a judicially-authorised warrant prior to using extractive tools.

As noted in the landmark US ruling of Riley v California64, an element of pervasiveness characterises mobile phones with data that can go back years and shed light on nearly every aspect of a person’s life. The US Supreme Court ruled that whilst data on a mobile phone is not immune from search, a warrant is generally required before such a search, even in connection with an arrest. The warrant requirement was held to be “an important working part of our machinery of government”, not merely “an inconvenience to be somehow ‘weighed’ against the claims of police efficiency”.

Digital stop and search: how the UK police can secretly download everything from your mobile phone [Privacy International]

(via Dan Hon)

(Image: Cellebrite)