Are UK police accessing your cloud apps?
Which police forces in the UK are using cloud extraction and how and why this is lawful, remains opaque
On 12 December 2018 a member of Lancashire Police Department UK told viewers of a Cellebrite webinar that they were using Cellebrite's Cloud Analyser to obtain cloud based 'evidence'. In response to a Freedom of Information request Hampshire Constabulary told Privacy International they were using Cellebrite Cloud Analyser.
They are not alone. In Cellebrite's 2019 Annual Trend Survey, Cellebrite found that law enforcement is increasingly using 'cloud extraction.' But the public in the UK are largely in the dark about when, how often and why cloud extraction is being used. There is a continual failure by the police to be transparent about what new tech they are using to exploit data from our phones.
Cloud extraction is about accessing data that resides beyond the mobile device, hosted in cloud-based applications, services and web pages. It is a massive leap from mobile phone downloads in terms of the volume of data and it allows enables 'continual tracking' i.e. that the police can monitor your social media accounts after you get your phone back. You can read our detailed research on this technology here.
Yet which police forces in the UK are using cloud extraction and how and why this is lawful, remains opaque. We don't know if this is being used when victims and witnesses hand over their mobile phones. We don't know whether suspects are told that their cloud based apps are being accessed. We don't know the legal basis and how individual rights are protected.
Does this target victims phones?
When Cellebrite promotes their cloud extraction product they explicitly refer to victims.
"Track online behaviour
Analyse posts, likes, events and connections to better understand a suspect or victim's interests, relationships, opinions and daily activities."
What do we know about UK police?
Lancashire Constabulary Digital Investigations Unit started testing the use of cloud extraction in 2014. In March 2018 they state they explored cloud forensics in relation to sex offenders, child sexual exploitation, grooming investigations, mob crimes and homicide investigations. In July 2018 they started using Cellebrite UFED Cloud Analyzer.
It is undoubtedly the case that Cloud Analyzer will play a key role in investigating serious offences. However, the capabilities of Cloud Analyzer are phenomenal and it is becoming common practice to use cloud analytics. Lancashire stated that in 2018 they used it weekly in two to three investigations.
When these powerful technologies can be used in a wide variety of investigations and against victims and witnesses as well as suspects, it is vital that we have transparency, public debate and robust legal safeguards.
Lancashire admit that when they started using cloud analytics there was no national standard and no clarity on legal safeguards. They now use different powers depending on the case and context, whether it is Police and Criminal Evidence Act 1984 (PACE), Investigatory Powers Act 2017 or Regulation of Investigatory Powers Act 2000.
Whilst Lancashire told viewers of the Cellebrite webinar that they took the initiative to draft a policy and shared it with the National Crime Agency and other forces, to date they have failed to disclose it in response to Freedom of Information Act Request we made on 18 March 2019. We asked them for the the relevant policy/guidance/standard operating procedure with respect to use of cloud analytics. We are still waiting.
We uncovered that Hampshire Constabulary are using Cellebrite Cloud Analyser in response to our FOIA in December 2018. We asked them:
1. Please provide a copy of the relevant guidance / policy in relation to the use of Cellebrite Cloud Analyser.
2. Do you record the number of times you have used Cellebrite Cloud Analyser and if these statistics are available, please confirm the number of times Cellebrite Cloud Analyser has been used in the last 12 months (since September 2018).
3. Please confirm whether, as per your previous FOIA, you rely on PACE 1984, the CJPA 2001 and CPIA 1996 for seizure and examination using Cellebrite Cloud Analyser.
Hampshire responded to question 1 that the information 'is not held'; for question 2 they did not hold the information in retrievable format. In relation to question 3 they stated that "Devices belonging to victims are downloaded by consent, however, offender devices are seized, examined away from site and downloaded under PACE 1984, CJPA 2001 and CPA 1996 respectively.