UK Information Commissioner Says Police Are Grabbing Too Much Data From Phones Owned By Crime Victims

from the losing-the-tech-race,-eh? dept

The UK's Information Commissioner's Office (ICO) has taken a look at what law enforcement officers are hoovering up from citizens' phones and doesn't like what it sees. The relentless march of technology has enabled nearly everyone to walk around with a voluminous, powerful computer in their pocket -- one filled with the details and detritus of everyday living. And that relentless march has propelled citizens and their pocket computers right into the UK's regulatory void.

The ICO's report [PDF] doesn't just deal with the amount of data and communications UK cops can get from suspects' phones. It also deals with the insane amount of data cops are harvesting from devices owned by victims and witnesses of criminal acts. Left unaddressed, the lack of a solid legal framework surrounding mobile phone extractions (MPEs) will continue to lead law enforcement officers to believe they can harvest everything and look for the relevant stuff at their leisure.

Very few people would consent to this sort of intrusive search, but some aren't aware of how extensive these searches are. Those that are aware are less likely to come forward to help further an investigation, even if they're a victim of a crime.

Large volumes of data are likely to include intimate details of the private lives of not only device owners but also third parties (eg their family and friends). In other words, it is not just the privacy of the device owner that is affected, but all individuals that have communicated digitally with that person or whose contact details have been added by the owner. This presents considerable risks to privacy through excessive processing of data held on or accessed through the phone.

Left unexplained, or in cases where it is not necessary or justified, this intrusion into individuals’ privacy presents a risk of undermining confidence in the criminal justice system. People may feel less inclined to assist the police as witnesses or to come forward as a victim, if they are concerned that their and their friends’ and families’ private lives will be open to police scrutiny without proper safeguards…

Privacy is paramount when dealing with those not suspected of committing criminal acts. Standard MPE practice appears to ignore this crucial element, which only heightens distrust of law enforcement agencies. But privacy concerns are being swept aside in favor of efficiency. Why do things the right way when it's so much easier to do them this way?

PI [Privacy International] published a report calling for an urgent review of the use of MPE by the police, (“Digital stop and search: how the UK police can secretly download everything from your mobile phone” 15). It raised questions over the lawful bases for carrying out extractions, the lack of national and local guidance, and the authorisation process. [...] PI were also concerned that the use of MPE kiosks (‘self-service’ devices used by police forces to download and analyse the contents of individuals’ mobile phones) is becoming more common and forming part of ‘business as usual’ for officers, despite a lack of governance, oversight and accountability in their use.

But if law enforcement officers don't get what they want, there's a good chance crime victims won't get what they want. Here's where things get extremely unpleasant. It's not that crime victims feel this way. It's what's actually happening. When investigators aren't given consent to perform MPEs on crime victims' phones, there's a chance law enforcement will just decide to stop pursuing the investigation.

Here's what Big Brother Watch discovered after obtaining records from multiple police forces in England and Wales:

It found officers had asked for the complainant's mobile phone data in 84 sexual assault cases.

And every one of the 14 of those in which the complainant had declined had then been dropped by police.

The report calls for a long list of improvements and reforms, with an eye on safeguarding the privacy of crime victims and witnesses. ICO says all extractions should be logged and audited routinely. Investigators should be made aware that it's almost impossible to comply with data privacy laws when performing MPEs due to the amount of data/communications present on the average phone -- much of which "belongs" to other people who have communicated with the victim/witness.

It won't be enough to establish guidelines under the current legal framework. ICO says new laws must be put in place to make it explicit what can and can't be obtained with phone searches and when they can be lawfully carried out. This law would also need to set time constraints on examinations of extracted data, as well as the length of time it can be stored once obtained.

For now, the UK's legal framework is more limited than law enforcement's powers. The ICO's report aims to change that. Unfortunately, this will move at the speed of bureaucracy while tech continues to move at the speed of innovation. It's impossible to play catch-up at this speed. I say it's time to hit law enforcement with some broadly-written legislation -- you know, the sort of stuff the normals are forced to deal with all the time. Maybe that will slow the roll of data extraction until the government as a whole has time to address all the nuances.

Filed Under: data, ico, phones, police, privacy, uk

Reader Comments

Subscribe: RSS

View by: Time | Thread

  1. icon
    Zane (profile), 25 Jun 2020 @ 6:31am

    It’s a difficult situation. When it comes to a sexual assault claim, often it is a he said/she said situation. If they are examining the accused’s phone, then they probably should be examining the complainants too. I’m not sure how someone can have a fair trial if the police only look for evidence that is helpful for the complainants account, and do not even look at the complainants phone. The Liam Allan case is one such case where the complainants phone was examined, but the evidence was withheld from the defence. There were messages on that phone which proved that the complainants account was false. He would likely have served a lengthy prison sentence if this evidence never came to light. Disclosure is a very real problem in British justice, it’s the prosecution who decide what to disclose and when. But if they don’t thoroughly investigate by respecting the complainants privacy but violating the defendants privacy – I’m not sure how safe any conviction can really be in such circumstances.

    I get a bit tetchy when I hear the word “victim” used when it’s case when there are two different accounts, and the case has not been proven. If one person says they were sexually assaulted and another says it didn’t happen – both parties need to be treated equally and look at the evidence with an open mind. By using the word “victim” instead of complainant, it introduces bias – and implies that the sexual assault did take place. Which likely affects what evidence is sought. Of course if someone is falsely accused the defendant will be the actual victim. That’s why it is safer to keep with the word “complainant” in these types of cases, unless the case has been proven.

    Basically I don’t think they should really be differentiating between complainant and defendant. Maybe there needs to be some sort of immunity of prosecution for both the complainant and the defendant for unrelated matters, and agree there should be limits on what the police can search for and retain on the phones.

Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here

Subscribe to the Techdirt Daily newsletter

Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Special Affiliate Offer

Essential Reading
Techdirt Insider Chat
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it

Email This

This feature is only available to registered users. Register or sign in to use it.