The rollout of new technology which can be used by police to secretly hack into mobile phones should be halted, MSPs have said.
The call came after it emerged that police officers can use new hacking technology, called “cyber kiosks”, to harvest data from phones handed over by witnesses and suspects. That position contradicted a previous statement by Police Scotland which insisted the technology can’t be used to “extract” information, only view it.
The Sunday Herald previously revealed police piloted cyber kiosks, accessing hundreds of phones without telling the owners, then spent hundreds of thousands of pounds to procure 41 devices.
Speaking to the Sunday Herald last week, after this newspaper revealed that the force is now under investigation by the UK’s information watchdog over the use of cyber kiosks, Assistant Chief Constable Steve Johnson said the devices “do not extract information”.
However, under intense questioning by members of the Holyrood justice committee, Detective Superintendent Nicola Burnett admitted that officers can extract data from phones with kiosks.
She said: “There is another option that is available. If for instance there is a case whereby whilst viewing the data on the kiosk there is an opportunity to download the data of consequence onto a disc.”
Burnett also admitted that the force has yet to work out how to encrypt discs containing private and highly personal data taken from mobile phones.
Convenor of the Justice Sub-Committee on Policing, John Finnie MSP, who is a former police officer, said: “Superintendent Burnett’s disclosure that data can be downloaded by the kiosks onto disc was completely at odds with Police Scotland’s previous position and causes me genuine concern.”
MSPs hauled Burnett before the committee after the Sunday Herald revealed last month that Police Scotland carried out secretive trials of cyber kiosks in Edinburgh and Stirling which saw 375 phones and 262 sim cards accessed.
This newspaper then revealed that £370,000 was spent on 41 kiosks. When MSPs asked Kenneth Hogg, Interim Chief Officer of the Scottish Police Authority, about the figure, he revealed that the true cost was £445,000 when VAT is included. He also said the use of the devices by Police Scotland costs a further £100,000 a year.
When Burnett was asked by MSPs if people whose phones were accessed during the pilot in Edinburgh and Stirling were told that officers had technology which could override passwords and view everything on the device, including encrypted information, she said “there was no specific advice given”.
The committee of MSPs also heard that police failed to carry out an Equality and Human Rights Impact Assessment (EHRIA) or a Privacy Impact Assessment (PIA) ahead of the pilots which took place in Edinburgh between May and September 2016, and then in Stirling between June 2017 and January 2018.
Convenor of the committee John Finnie MSP, who is a former police officer, accused Police Scotland of “putting the cart before the horse” by spending hundreds of thousands of pounds of public money on kiosks, which are due to be rolled out in the autumn.
Burnett responded: “I anticipate that there will be nothing that will come up in those assessments that we cannot address. Clearly if there is something that means we have to stop, clearly that would be something that would need to occur.”
Speaking to the Sunday Herald, Finnie called on the force to “halt” the rollout and pointed to a “damning” 2015 report by the police and crime commissioner for North Yorkshire into the use of technology which can extract data from mobile phones. The commissioner found that “sensitive” information downloaded onto discs was not encrypted, and in some cases went missing.
Finnie said: “We were told Police Scotland liaised with other UK forces about using this equipment. If that’s the case, then lessons could, and should, have been learnt from the police commissioner’s damning report on North Yorkshire Police citing irregularities, which in some instances ‘undermined prosecution of serious crimes such as murder and sexual offences’ and saw data lost from phones of those never charged.
“There must be a halt on any further deployment of this equipment pending publication and scrutiny of Equality and Human Rights and Privacy Impact Assessments, which Police Scotland say they will compile, and which should have been considered prior to trialling equipment which has impacted on over 600 people.”
Finnie added: “The meeting was an opportunity for both Police Scotland and the Scottish Police Authority to provide some reassurance to members. However, quite the contrary, their evidence gave rise to many more questions, answers to which will initially be sought in writing, following which the committee will consider what further action to take.”
Liam McArthur MSP, the justice spokesman for the Scottish LibDems, who also sits on the committee, said Burnett’s evidence “left many unanswered questions”, adding: “Until the necessary safeguards have been put in place, it would obviously not be appropriate for these kiosks to be in use more widely.”
He said: “The bodies to whom Police Scotland is accountable need to know how devices are being interrogated, what kind of information is uncovered and what information is retained.”
ACC Johnson said last night: “Cyber kiosks provide specially trained officers with the ability to triage lawfully seized devices, reducing the number which are required to be forensically examined, and reducing the inconvenience to a witness or victim of retaining a device which, on later examination, has no evidential value.
“No data is retained by the kiosk. In situations where a large amount of specific data from set parameters is available, the device has the capability to copy this to an encrypted disc for later viewing. As part of our ongoing engagement ahead of deploying cyber kiosks across the country, we are developing our policy and procedures around their use. If we utilise the facility of copying data to a disc this would be strictly managed as potential evidence.”