The Long Read: Kent Police can extract mobile phone data without your knowledge, your consent or a warrant.

How important is your mobile phone to you? How important is the data on your phone? If your phone could talk what wouldn’t you want it to say about you? What about the other electronic devices you have?

We who use mobile phones rely on and put our trust in our phones. They reveal so much about our identity, saying more about us than we perhaps realise. They contain our photos, calendar, internet browsing, details of everywhere we go, our emails, social media, medical information, our online banking, our health and fitness data; they reveal our shopping habits, music tastes and political views; and hold a plethora of apps which generate and hold vast quantities of data. The data on our phones does not just relate to you, the owner, but includes personal data, such as messages or photos, related to friends, family, employers and colleagues. And its not just your mobile phone. Your computer, your laptop, tablet, external hardrives, USB sticks and other connected devices tell the world a lot about who you are and what you do electronically.

Yet Kent Police along with many other Police Forces in the Country, have use of sophisticated and highly intrusive ‘mobile phone extraction’ technology, enabling them to download the entire content of someone’s phone – whether a suspect, witness or victim – often without their consent or knowledge and without a warrant, according to Privacy International.

Between 2013 – 2016 Kent Police extracted data from 15,084 devices.

The use of mobile phone extraction involves the extraction, retention and analysis of communications data and content.

In the course of a search of your home, if the police confiscate your possessions, you are entitled to an inventory of those items. Yet if data is extracted from your devices, you may not even know this has taken place, let alone be told what kind of data the police have stored on their database.

According to Kent Police data they have spent £32,619.33 with a company called Cellebrite Mobile Synchronisation Ltd between April 2015 and Sept 2017. The Company was founded in 1999 and is based in Petah Tikva, Israel. It was the company the FBI turned to unlock a terrorists phone in 2016.

Since Kent Police begun using the technology which can take your data from your phones, how many people have been arrested and then released without charge and had the contents of their phones downloaded and not destroyed?

Kent Police stated in  Feb 2017 they had 265 trained officers in mobile phone extraction. The figure – 265 –  includes officers in specialist teams, and excludes the central Digital Forensic Unit.

However, in an FoI in May 2017 by Big Brother Watch figures released by Kent Police for the period 2013 -2016 state:

The figures released in FoI’s responses appear to demonstrate, Kent Police had a huge reduction in trained officers who can extract mobile data. From 265 to 84  that is a staggering 215% decrease in trained officers able to extract data from any phone. However, a trained officer is a trained officer and surely cannot unforget what they have been trained to do. There is a serious anomaly in Kent Police’s data; which needs a serious explanation.

So what can this technology do. Well there are different types of technology available. We do not know what technology  Kent or any other UK force actually have. But here is guide to what is available to the Police from Cellebrite.

UFED Touch is an iPad size device. You plug the phone in and then it extracts everything. This is also known as a download kiosk.

Logical is a type of extraction. There is also file system extraction and physical extraction. This refers to the level of data that will be extracted. Our understanding is that physical extraction is the most in depth and will obtain for example hidden and deleted data on your phone. Therefore the ‘logical’ extraction will enable simple and rapid extraction of data from phones.

Logical analyser and reporting application: We understand this refers to the visualisation of the extraction. i.e. once you taken all the data of the phone, it is the tool that is used (software) to look at what has been extracted. It is the analysis and reporting tool.

UFED Touch Ultimate: This appears to be much more sophisticated than the UFED Touch. It can bypass pattern,password or PIN locks and encryption. It can do not only logical extraction but also file system and physical extraction which includes hidden and deleted data. This is also known as a download kiosk

UFED CHINEX, is a solution for the physical extraction and decoding of evidentiary data and passwords from phones; and UFED. This relates to Chinese chipsets.

Moving on, Kent Police along with Durham Police admitted back in Feb 2017 they  had no local guidance or policy for mobile phone seizure and extraction/examination of data.

Of course, Kent Police need this technology to assist in catching and putting criminals behind bars. However, what happens to the data of those who are innocent and whose data has been downloaded and kept by Kent Police?

Back in 2008 the Police in the UK had to destroy the DNA profiles of almost a million innocent people as part of a major overhaul of the police national DNA database. They included people who had been arrested and never charged, and those taken to court but found not guilty.

In 2016 Kent Police were fined £80,000 for releasing sensitive details found on a domestic violence victim’s phone to her alleged abuser.

In January of this year the Met Police case against Greenwich University Student, from Beckenham,  was abandoned after police were ordered to hand over phone records that should have already been provided to the defence. Should he’s data be destroyed now he has been acquitted? We believe so.

Should anyone who is  innocent, a witness or victim have their extracted mobile data destroyed, just like those on the DNA database were destroyed? We believe so.

According to an FoI sent to Kent Police by Privacy International requesting information on any Kent Police policy for the extraction of data from mobile phones; Kent Police’s response on the 22nd Feb 2017 stated:

• These are not yet developed, and Kent Police currently holds no information relevant to these questions.

It is clear from the figures released by Kent Police in their FoI response, 3,774 mobile phones had data extracted from them by Kent Police. Of these 3,774 how many of these people were a witness a victim or found innocent? Don’t forget the other devices they can extract from too. Also it wise to remember that during this time there was no Kent Police policy or national guidance  in place. As we said at the beginning our phones reveal so much about our identity, saying more about us than we perhaps realise.

In late April of this year, Privacy International sent a letter to the Information Commissioner, Elizabeth Denham setting out their considerable concerns amongst them the fact that in January 2017 Cellebrite was itself hacked and media outlet Motherboard obtained 900 GB of data which ‘includes customer information,databases’ and ‘The dump also contained what appeared to be evidence files from seized mobile phones and logs from Cellebrite devices.’

The Letter makes clear that data extracted from your phone falls under data protection principles which are set out in Schedule 1 and the conditions for lawful processing set out in Schedules 2 and 3 of the Data Protection Act.

Since Jan 2017, new Legislation has come into force. The General Data Protection Regulation (GDPR), Article 5 sets out the Principles relating to processing of personal data, and Article 6 and 7 deal with the lawfulness of processing and conditions for consent respectively. Article 10 is about the Processing of personal data relating to criminal convictions and offences; which states:

• carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects.

Kent Police have readily admitted they had no policy or guidance on mobile phone seizure and examination of the data. How then can Kent Police demonstrate they have taken the steps to safeguard your rights and freedoms with regard to your digital phone data, when their was no policy?

How is it possible for Kent Police or any other force without a policy or local or national guidance able to state the data extracted from a phone has been processed lawfully, whether you are a a suspect, witness or victim?

Of course, not just Adults can be a suspect, witness or victim. Children have mobile phones and they too can be a suspect, witness or victim of crime. And article 8 of the GDPR set out the conditions for Children below 16.

In a recent conversation with Gavin Millar QC of Matrix Chambers, he made it very clear that any data extracted from a phone regardless if it was a child or an adult, found not guilty must have the data extracted by the Police destroyed.

Should Kent Police or any other UK Police force have the powers to retain the digital data extracted from a Child’s phone even when found innocent? Again we believe not.

We hope 16 months on from the initial response to the FoI where Kent Police stated:

• These are not yet developed, and Kent Police currently holds no information relevant to these questions.

that a policy has been formulated and published by Kent Police. There needs to be democratic oversight or debate around this matter. We believe extracted phone data should like DNA data be destroyed for those who are innocent, a witness or a victim.

We call on Kent Police to destroy all mobile phone data of the innocent, the witnesses and victims of crime as soon as practicably possible.

Finally, on Friday the 22nd June, The US Supreme Court ruled 5-4  barring police from accessing cellphone records such as call listings and location data without first obtaining a search warrant, in a landmark decision in favour of privacy protections. The five supreme court justices said it had violated the Fourth Amendment.

We believe that it should be statutory that Police Forces in the UK need a warrant to extract your data from your mobile and if found innocent it ought to be destroyed. What do you think?

The Shepwayvox Team  –  Dissent is NOT a Crime.