SCOTTISH police have been secretly hacking phones and harvesting massive amounts of data from members of the public, the Sunday Herald can reveal.
The hacking operation uses new technology to override passwords and encryption, and can download every piece of data held on a mobile phone without the owner’s knowledge. Calls have now gone out for any future harvesting of data to be obtained only under warrant.
In a secretive pilot project, 18 officers were trained to use a device known as a ‘kiosk’ - which is similar in size to an iPad and can access text messages, encrypted conversations on apps, passwords, geo-locations, contacts, photos, web browsing history and call records in seconds. Deleted data can also be obtained using the technology. Crucially, data cannot be taken within a specific time frame – if police want to access messages or photographs from a particular date, they must access all photographs and messages.
The trials, which took place in Edinburgh and Stirling, saw 375 phones and 262 SIM cards accessed during investigations of what Police Scotland called “low-level crime”. It is not known whether the phones belonged to suspects, victims or witnesses, or whether owners were told that officers would override passwords to access phones.
Privacy campaigners said there should be independent oversight of Police Scotland’s use of 'kiosks' and accused the force of undermining the fundamental principle of policing by consent. The Scottish Liberal Democrats echoed the call for oversight, and the Scottish Greens said police should obtain a warrant before accessing phones.
Police confirmed kiosk trials took place at Edinburgh’s Gayfield Square Police Station between May 10 and September 2, 2016 and at Stirling Police Station between June 19, 2017 and January 5, 2018. At Gayfield police accessed 195 mobile phones and 262 SIM cards. At Stirling 180 phones were accessed. The initial admission about the existence of trials of the technology came in a response to a Freedom of Information request. In the official response, Police Scotland said: “We have previously trialled the use of kiosks in the East of Scotland for low-level crime, defined as that which appears from the outset to be a case likely to be prosecuted at summary level.” The majority of cases in Scotland are dealt with using summary procedures and offences range from breach of the peace and minor road traffic offences to theft, assault and drug possession.
A force spokesman later said the data extraction trial at Gayfield was “predominantly” for “drugs related” investigations. The spokesman was unable to say how many cases resulted in a conviction. In the official response, Police Scotland said 18 officers were trained to use kiosks and data extracted was “retained at a local level”.
The response to the Freedom of Information request added: “No formal review has been conducted to date and further future trials are being considered.” When the Sunday Herald questioned Police Scotland about the pilot the spokesman appeared to contradict the response to the FoI request by insisting that data has not been retained and “there will be no future trials”.
He confirmed that they used a Cellebrite Kiosk in the trials. The Israeli manufacturer boasts that the units can “access a wide range of evidence sources, including encrypted or locked mobile devices, public and private social media and other cloud data”. Solicitor Millie Wood of campaign group Privacy International said some extraction devices access data based on its type, rather than by its time frame. She said: “You can’t take one message or photo, you have to take all messages or photos. You can’t limit data extraction by time period. Given what we know about how kiosks are used, that’s a huge amount of data to obtain. It’s excessive and it has stirred our concerns.”
Wood believes many people may have been unaware of the trial when police took their phones. She said: “The use of the kiosk in the East of Scotland trial means they must have been using it in live investigations. It’s probable that there are a lot of people out there that were part of a trial they didn’t know about. We don’t know how many people, we don’t know how much data was extracted.” She said police should be compelled to obtain a warrant before using kiosks in Scotland.
“Policing is by consent, which means there must be transparency and integrity,” Wood added. “If this data extraction is happening in secret and under the radar, there can be no consent.
“There must now be independent oversight of Police Scotland’s data extraction activities so that someone can see what’s been going on.”
Former police officer John Finnie, who is now an MSP and the justice spokesman for the Scottish Greens, also said a warrant should be required before Police Scotland can access phones. He said: “It’s important that we see what checks and balances are in place to comply with data protection and human rights as, sadly, Police Scotland has not always had a strong track record in this area. A warrant would be one way of establishing whether data access was proportionate.”
Scottish Liberal Democrat justice spokesperson Liam McArthur MSP added: “With such an extraordinary amount of data at stake, people are right to ask what oversight there is, and should be, of this process. We need to know what guidance, guarantees and protections against misuse exist.”
It is understood Police Scotland believes it complied with data protection guidelines during the trial and only examined phones that were lawfully obtained.
When asked whether owners gave consent a Police Scotland spokesman said: “All phones had to be lawfully seized for a policing purpose. This can include a device being obtained by use of a warrant or handed to police voluntarily during an investigation.”
Detective Chief Inspector Brian Stuart added: “Given the explosion of mobile devices in recent years, law enforcement has to be innovative with technology and keep ahead of the curve to ensure the safety of its citizens.”