Case Study: The Myth of Device Control and the Reality of Data Exploitation

Our connected devices carry and communicate vast amounts of personal information, both visible and invisible.

What three things would you grab if your house was on fire? It’s a sure bet your mobile is going to rank pretty high. It’s our identity, saying more about us than we perhaps realise. It contains our photos, calendar, internet browsing, locations of where we go, where we’ve been, our emails, social media. It holds our online banking, notes with half written poems, shopping lists, shows our music taste, podcasts, our health and fitness data. It not only reveals who we speak to, but holds communications data and content, such as messages or photos, related to friends, family, business contacts.

You could search a person or search a house and never find as much information as you can in one device. If it was lost or broken, we feel the frustration and irritation of setting up anew. But what if someone else just took all that data, without your knowledge, without your permission. What if they could get more from your phone, than you knew existed. What if that someone else was the police?

What happened?

In January 2017 Privacy International reported on an investigation by Bristol Cable into the unauthorised use of mobile phone examination tools by police, a practice which had undermined investigations into serious crimes. We followed up with Freedom of Information requests asking every police force in the UK whether they carry out mobile phone data extraction in low level crime cases and what company provided the tools.

Here’s what we found out: police in the UK use sophisticated technology to extract data from people’s phones contracting with Cellebrite, Aceso, Radio Tactics, XRY (an MSAB product), MSAB and Microsystemation (XRY product).

The companies aren’t shy about the benefits of their products. At a time when ‘the sheer amount of state stored [in mobile phones] is significantly greater today than ever before’ they claim ‘If you’ve got access to a sim card, you’ve got access to the whole of a person’s life’.

This includes access to information about you and your contacts, as highlighted above. But it doesn’t stop there. Products enable access to data beyond our knowledge and beyond our control, such as:

• ‘entered locations, GPS fixes, favourite locations, GPS info’;
• ‘system and deleted data’;
• ‘…inaccessible partitions of the device’
• ‘the acquisition of intact data, but also data that is hidden or has been deleted’
• data from ‘beyond the mobile’ i.e. from Cloud storage
• ‘…copy of the entire flash memory’

What’s the problem?

We think that we own our phones, but what does this mean when there is data on our devices that we cannot access, that we cannot delete, that we cannot check for accuracy, and that is available only to those with sophisticated tools which are not accessible to everyone?

We are in a situation where our devices can betray us but we have little understanding of how, and what we can do about it. Only recently we learned that Uber tagged iPhones with persistent IDs that allowed it to identify devices uniquely after a phone had been wiped and configured from scratch.

At Privacy International we refer to the hidden data, the data beyond your view, as ‘Data in the wings’. Our concern around data in the wings does not just apply to mobile phones. As we discussed in our 2017 presentation at Re:Publica a criminal investigation involving an Amazon Echo in the US, saw Amazon protesting that no voice recording is stored on the device, yet the police were nonetheless keen to examine it and extracted data.

When law enforcement, with the power to arrest us, to charge us with offences, to remove our liberty, are able to purchase and use powerful extraction software to read data from our mobiles, from connected devices in our homes, and from the growing internet of things in public places, where consent of the owner or generator of the data is not deemed to be required,a lack of formal public debate, consultation, or legislative scrutiny is unacceptable.

This is not only because the police are obtaining vast quantities of data without consent for indefinite periods without clear oversight, guidance, or legislation, but because time and again they have proven unable to be trusted with our data.

In the UK, this was shown not only in the lax attitude towards encryption in relation to mobile phone data and in the use of databases for ‘not-work related reasons’, but also by the serious failings to protect highly sensitive information and a disdainful attitude towards data, which have been regularly reported over the years.

For example, in May 2017 when Greater Manchester Police was fined £150,000 after interviews with victims of violent and sexual crimes, stored unencrypted on DVD’s, got lost in the post. The Information Commissioner’s Office said that GMP ‘was cavalier in its attitude to this data and showed scant regard for the consequences that could arise by failing to keep the information secure.’

What’s the solution?

Throughout the world the police are acquiring new technologies which increase their surveillance powers on a scale little understood by those they serve. The law is slow to keep pace. As we surround ourselves with connected devices, sensors, and cameras, traditional search practices, such as those which do not require warrants, are not fit for purpose when our devices, with immense storage capacity, hold the most intimate details of our lives.

While the seemingly unrestrained use of extraction technologies by the police is deeply troubling, the fact that there exists data on our devices that is hidden from us - that can betray us - raises serious questions of the tech giants who produce our software and smartphones, the companies that want us to embrace the internet of things, and those who push for ever ‘smarter’ connected public places.

At its most basic level we demand honesty from these companies, we demand transparency and accountability from the police, and we demand scrutiny from legislators.

People used to come to technology, in the sense that data was generated via express and obvious interactions. Nowadays, technology is coming to people whether they like it or not, and whether they are aware of it or not. Privacy International believes this shift necessitates a change in the law and the terms of the debate. We want full recognition that privacy interferences begin at the moment of data generation. Once data is collected by a technology or an organisation, we have already lost an element of control and therefore privacy. Our devices, networks, and services should not betray us by generating, collecting, processing, and sharing data excessively. Our law must ensure that after creation, data remains within the control of those who the data is about and despite the impossibility, we must strive for a world where it is possible to exist without generating data, if so desired.