UK Information Commissioner Says Police Are Grabbing Too Much Data From Phones Owned By Crime Victims
from the losing-the-tech-race,-eh? dept
The UK’s Information Commissioner’s Office (ICO) has taken a look at what law enforcement officers are hoovering up from citizens’ phones and doesn’t like what it sees. The relentless march of technology has enabled nearly everyone to walk around with a voluminous, powerful computer in their pocket — one filled with the details and detritus of everyday living. And that relentless march has propelled citizens and their pocket computers right into the UK’s regulatory void.
The ICO’s report [PDF] doesn’t just deal with the amount of data and communications UK cops can get from suspects’ phones. It also deals with the insane amount of data cops are harvesting from devices owned by victims and witnesses of criminal acts. Left unaddressed, the lack of a solid legal framework surrounding mobile phone extractions (MPEs) will continue to lead law enforcement officers to believe they can harvest everything and look for the relevant stuff at their leisure.
Very few people would consent to this sort of intrusive search, but some aren’t aware of how extensive these searches are. Those that are aware are less likely to come forward to help further an investigation, even if they’re a victim of a crime.
Large volumes of data are likely to include intimate details of the private lives of not only device owners but also third parties (eg their family and friends). In other words, it is not just the privacy of the device owner that is affected, but all individuals that have communicated digitally with that person or whose contact details have been added by the owner. This presents considerable risks to privacy through excessive processing of data held on or accessed through the phone.
Left unexplained, or in cases where it is not necessary or justified, this intrusion into individuals’ privacy presents a risk of undermining confidence in the criminal justice system. People may feel less inclined to assist the police as witnesses or to come forward as a victim, if they are concerned that their and their friends’ and families’ private lives will be open to police scrutiny without proper safeguards…
Privacy is paramount when dealing with those not suspected of committing criminal acts. Standard MPE practice appears to ignore this crucial element, which only heightens distrust of law enforcement agencies. But privacy concerns are being swept aside in favor of efficiency. Why do things the right way when it’s so much easier to do them this way?
PI [Privacy International] published a report calling for an urgent review of the use of MPE by the police, (“Digital stop and search: how the UK police can secretly download everything from your mobile phone” 15). It raised questions over the lawful bases for carrying out extractions, the lack of national and local guidance, and the authorisation process. […] PI were also concerned that the use of MPE kiosks (‘self-service’ devices used by police forces to download and analyse the contents of individuals’ mobile phones) is becoming more common and forming part of ‘business as usual’ for officers, despite a lack of governance, oversight and accountability in their use.
But if law enforcement officers don’t get what they want, there’s a good chance crime victims won’t get what they want. Here’s where things get extremely unpleasant. It’s not that crime victims feel this way. It’s what’s actually happening. When investigators aren’t given consent to perform MPEs on crime victims’ phones, there’s a chance law enforcement will just decide to stop pursuing the investigation.
Here’s what Big Brother Watch discovered after obtaining records from multiple police forces in England and Wales:
It found officers had asked for the complainant’s mobile phone data in 84 sexual assault cases.
And every one of the 14 of those in which the complainant had declined had then been dropped by police.
The report calls for a long list of improvements and reforms, with an eye on safeguarding the privacy of crime victims and witnesses. ICO says all extractions should be logged and audited routinely. Investigators should be made aware that it’s almost impossible to comply with data privacy laws when performing MPEs due to the amount of data/communications present on the average phone — much of which “belongs” to other people who have communicated with the victim/witness.
It won’t be enough to establish guidelines under the current legal framework. ICO says new laws must be put in place to make it explicit what can and can’t be obtained with phone searches and when they can be lawfully carried out. This law would also need to set time constraints on examinations of extracted data, as well as the length of time it can be stored once obtained.
For now, the UK’s legal framework is more limited than law enforcement’s powers. The ICO’s report aims to change that. Unfortunately, this will move at the speed of bureaucracy while tech continues to move at the speed of innovation. It’s impossible to play catch-up at this speed. I say it’s time to hit law enforcement with some broadly-written legislation — you know, the sort of stuff the normals are forced to deal with all the time. Maybe that will slow the roll of data extraction until the government as a whole has time to address all the nuances.