The Met Police and Mobile Phones (Total Access = Total Violation of Civil Liberties)
Another day, another intrusion into our civil liberties by the Met Police. The Metropolitan Police has implemented a system to extract mobile phone data from suspects held in custody. The data includes call history, texts and contacts, and the BBC has learned that it will be retained regardless of whether any charges are brought.
It is terrifying and frightening that a police force can remove all the data from a suspect in custody without a warrant, and without any charges. There is the obligatory disclaimer that “data extraction can happen only if there is sufficient suspicion the mobile phone was used for criminal activity”. But who decides this?
I would suggest that if you are in a suspect in a police station, then you are already under sufficient suspicion. If the crime one is suspected is directly related to one’s mobile phone – say like organizing a riot against Topshop or a sit-in at a Vodafone shop, then your phone would can be seized and analysed.
The point here is this: the “sufficient suspicion” test will without a doubt be abused. Is there any basis for the legal profession to argue that they Police should destroy the data if charges are not pressed or the person arrested is later on found innocent? Of course there should be. For people that routinely protest and call themselves activists, a mobile phone carries significant more weight than any Facebook relation or “follower” through Twitter.
What will happen next is that the machines will be implemented in the mobile police stations and the phones will be seized on the spot. A case brought to court would easily be winnable.
How does the Law work here?
What is the law now? Proper forensic investigation of a phone would normally require a PACE warrant. One doesn’t get to seize one’s phone just because there has been an arrest. Forensic investigation of a phone would normally require a warrant. Normally police forces carry a “designated person” that has to sign off on not just obtaining communications data NOT CONTENT. Even if just obtaining communications data (not content) there has to be the signing off by the Designated Person in each police force – I’m struggling to see how this scheme can possibly be both legal and yet deliver any significant cost-savings on sending a phone to forensics.
I don’t know about you, but there is a limited argument here that this is going to bring around any significant savings, yet be within the confines of the law at the same time.
I know what you are thinking! Someone will just create a market for encrypted phones! All the suspect has to do is park an encryption key or secret parked outside of the UK and away from everyone else from the prying hands of the Met Police. This doesn’t really APPLY, because s49 RIPA makes it an offence to refuse to give up a password used to encrypt a device holding evidence. Jullian Assange has argued in the past alongside others that there was a need for mobile telephone deniability encryption. Ben Goldacre was suggesting the need for mobile telephone deniability encryption, like Rubberhose (written by Julian Assange and others). I don’t really see how you can plausibly deny sending a mail with encrypted stuff in it might have some meaningful content. On the other hand, Assange suggested TrueCrypt, which is a disk encryption thing along the lines of Rubberhose – now, either of those should work just fine on a phone. The problem that then remains is entropy – there’s far too little in whatever most people use to unlock their phones, so none of this will help.
What does the law say?
RIPA only applies, however to Communications Service Providers. There is no way that a mobile phone in a standard operating mode could reasonably be treated as a communications provider so I struggle to see why RIPA would be in the least bit applicable. The only exception to this would be PART III which covers asking for an unlock code. Yet the thrust of the article is that the technology available to the Met bypasses the access code and removes the data regardless. The only way I can see RIPA applying is on the basis of voicemails stored on a CSP server. With regard to communications data & RIPA – would it not matter if the search was just taking what was on the phone, or whether it involved connecting that phone to the network (Ie retrieving data from the Communications Service Provider)?
The opinion that voice-mail hacking might be a Computer Misuse Act offence was premised on the idea that the voicemail was not retrieved from the handset but from the CSP servers. Is that not likely to be true for these sorts of searches as well? This is why I wonder if RIPA might apply here, whereas it wouldn’t in the seizure of computers from premises (per ss18 and 20 of PACE). With regard to communications data & RIPA – would it not matter if the search was just taking what was on the phone, or whether it involved connecting that phone to the network (ie retrieving data from the Communications Service Provider)? . Is that not likely to be true for these sorts of searches as well?
It’s been a big issue in the US (as to whether a warrant is needed or whether officers can “go fishing” on arrest on electronic devices). The latest word is that data retention from phones will be indefinite, irrespective of the charging decision. However, the data retrieval will be confined to what is stored on the handset, with no retrieval of data from CSP servers (so that would exclude voicemails).