Press release: Privacy International issues complaint to UK Information Commissioner about police downloading data from phones of suspects, witnesses and even victims of crime without consent

Press release
UK Home Secretary Amber Rudd and Met Police Commissioner Sir Bernard Hogan-Howe

We found this picture here.

Privacy International has today a issued a formal complaint to the UK Information Commissioner about the police’s use of intrusive ‘mobile phone extraction’ technology, enabling them to download all of the content from a person’s phone — without a warrant, and whether they are suspect, witness or even victim of a crime. Further complaints have also been sent to the Home Office and the Independent Office for Police Conduct, calling for urgent reforms to a totally unregulated, potentially discriminatory and unlawful practice. (All complaint letters can be downloaded at the bottom of this page).

The complaints highlight findings in Privacy International’s recent report ‘Digital stop and search; how the UK police can secretly download everything from your mobile phone’, which examined UK police forces’ use of sophisticated and highly intrusive mobile phone extraction’ technology enabling them to download the entire content of someone’s phone, whether a suspect, witness or victim — often without their consent or knowledge.

Privacy International has written to Information Commissioner, Elizabeth Denham, to argue that the secretive, opaque and potentially unlawful practice is in breach of the Data Protection Act 1998, and the upcoming Data Protection Act 2018. The complaint highlights: the lack of protection for personal and sensitive data, which may include journalistic material or legally privileged information; raises concerns about the potential for misuse and abuse of this technology, particularly in the absence of independent oversight; and emphasise that without any kind of record keeping, abuse of this technology or unfair targeting of minority groups is likely to go unnoticed.

Privacy International has tested out a Cellebrite UFED Touch 2 and included extracts in their letter to the Commissioner, detailing a long list of device information, personal data and sensitive personal data that can be extracted from mobile phones. Extracted data includes phone unlock patterns, web history, deleted data, and messages from the encrypted WhatsApp and Signal messenger services.

Companies, public sector bodies, and charities across the UK and Europe are finalising their preparations for the General Data Protection Regulation. coming into force on 25 May 2018. But it is clear the UK police, despite handing vast quantities of highly sensitive personal data, are a long way behind in complying with the relevant requirements in this legislation and the accompanying Law Enforcement Directive.

If the Information Commissioner finds the police have breached the data protection act, she can pursue a criminal prosecution, or a non-criminal enforcement and audit. The Information Commissioner also has the power to serve a monetary penalty notice on a data controller, which could lead to fines of hundreds of thousands of pounds. The ICO recently fined Humberside police £130,000 for a data breach.

Millie Graham Wood, solicitor, Privacy International said:

“A search of your phone will reveal so much more about you than a search of your home, so it is incredible that the police are doing it at a massive scale without warrants, without informing or asking people, without any regulation, without any clear legal basis, without any proper record keeping, and without any national statistics that might reveal biases and discrimination against minority groups. It is nothing short of a scandal. We wrote to the Home Office about this issue four weeks ago and have received no response. While they may be busy trying to address other aspects of their hostile practices, this is something they must also deal with urgently.

“If you own a modern smartphone, you are carrying a massive amount of personal information — not only about yourself, but also about your friends, families and colleagues. Which means that personal information about you resides on potentially hundreds of other people’s phones too. So this means that even if you never interact with the police, it doesn’t mean personal information about you won’t come into the possession of the police. That the police are potentially taking all this data unlawfully and in breach of basic data protection safeguards is a worrying reflection on the attitude of the police towards our most sensitive and personal information. We are looking to the Information Commissioner, The Independent Office for Police Conduct and The Home Office to address this scandal urgently.”

ENDS

For media enquiries email press@privacyinternational.org or call 020 3422 4321.

NOTES TO EDITORS

You can download the letters referenced in this press release below.