(Original post at Decode Magazine)
What does your phone say about you?
From drunken selfies to private emails to banking information, modern smartphones can store vast amounts of personal data about their users. Police across the country are taking advantage of this new reality, investing in new mobile phone extraction technology that can reveal more about the people than your contact list.
A recent report by charity Privacy International revealed that mobile phone data extraction technology is used by 26 constabularies across the UK. The forces in question are supplied with technology from private forensic intelligence companies, such as Cellebrite, MSAB and Radio Tactics.
Devices like MSAB’s XRY software and the Cellebrite Universal Forensic Extraction Device (UFED) can bypass a phone’s password, giving it access to volumes of personal information. Texts and call logs, geolocation data and potentially intimate images can all be downloaded and stored by the police. The most sophisticated devices can even access deleted files or encrypted communications from messaging apps like Signal and Telegram.
Privacy campaign groups such as Privacy International and Big Brother Watch have raised concerns that local police forces lack guidance as to when they can legally use data extraction technology.
In 2017, independent media outlet The Bristol Cable obtained copies of a 2015 review by the Police and Crime Commissioner for North Yorkshire, which found that in half of the 50 cases sampled, a warrant for mobile phone extraction was not obtained.
“It is disturbing that the police have such a highly draconian power, operating in secret, without any accountability to the public,” said Millie Graham Wood, a solicitor at Privacy International, in a press release accompanying their new report.
The right to use mobile phone extraction technology is currently guaranteed under the Police and Criminal Evidence (PACE) Act 1984, which grants the police the power to “require any information stored in any electronic form.”
Professor Peter Sommer, cybersecurity expert and technical advisor for the Joint Investigatory Powers Bill, explains that there are specific circumstances in which search warrants are needed for phones: “You require a warrant to search them under the Investigatory Powers Act, but there’s no real bar to them being used.
“But if you arrest someone, you don’t have to have a separate warrant for their mobile phone. Anything they have on them is fair game,” says Prof Sommer. “My own view is that unless there’s an immediate threat to life, it shouldn’t inhibit police much to get separate authorisation. That then forces the person authorising it to ask whether the use is proportionate.”
Privacy campaigners claim the law could not have predicted how much information we would store electronically in thirty years’ time: “You could search a person, and their entire home, and never find anywhere near as much information as you could from searching their phone,” said Graham Wood.
You don’t need to be arrested for your phone to be subject to police surveillance, as devices like the Cellebrite UFED aren’t the only technology employed to extract mobile phone data.
IMSI catchers, portable surveillance devices that masquerade as mobile phone base stations, indiscriminately log the unique International Mobile Subscriber Identity (IMSI) numbers of phones within their radius.
The devices work by using a phone’s automatic connection to the strongest nearby signal; using this function, IMSI catchers can force nearby phones to connect to them. Once connected, IMSI catchers can track a phone’s location and in some cases intercept messages and calls.
Investigations by the Bristol Cable and VICE News uncovered that at least nine police constabularies, including the Metropolitan Police, have invested in “covert communications data capture” (CCDC) equipment. The term CCDC was later confirmed to refer to IMSI catchers by a South Yorkshire Police report.
No data is published about the police’s use of IMSI catchers, and privacy campaigners have once again questioned the legality of the devices’ indiscriminate data harvesting.
In 2016, VICE News found evidence that IMSI catchers could be in use at several London locations, including an anti-austerity protest, the Ecuadorian embassy, and parliament.
The use of both mobile phone extraction technology has come under scrutiny from legal experts. Anna Rothwell, a solicitor at criminal law firm Corker Binning, wrote in a blog post: “Legitimate concern should attach to indiscriminate police collection of data from hundreds of thousands of individuals.”
“It is highly questionable whether the use of legislation drafted when mobile phones contained a fraction of the information that they do now provides sufficient oversight and control of the use of these various cracking devices.”
Campaigners like Graham Wood are calling for greater oversight of data extraction: “The police are continually failing to be transparent with the thousands of people whose phones they are secretly downloading data from.
“An immediate independent review into this practice should be initiated by the Home Office and College of Policing.
“Let’s be clear – at the moment, the police have all the power and the public have no protections.”
Yet Prof Sommer has a more mixed view of the police’s use of data extraction technology: “The critical thing is whether authorisation goes through. If it doesn’t, it’s wrong. But as far as we know- bearing in mind that we’re working with a relatively new framework with the Investigatory Powers Act- we don’t have particular evidence of abuse of the technology in this country.”
For better or worse, mobile phone data extraction is only growing more sophisticated as technology improves. Thanks to these new technologies, Mark Zuckerberg isn’t the only person who could be reading your messages. Next time you check your phone in a public place, keep in mind that it may not be quite as private as you think.
Bethan Ackerley 