SCOTTISH police have been secretly hacking phones and harvesting massive amounts of data from members of the public, the Sunday Herald can reveal.

The hacking operation uses new technology to override passwords and encryption, and can download every piece of data held on a mobile phone without the owner’s knowledge. Calls have now gone out for any future harvesting of data to be obtained only under warrant.

In a secretive pilot project, 18 officers were trained to use a device known as a ‘kiosk’ - which is similar in size to an iPad and can access text messages, encrypted conversations on apps, passwords, geo-locations, contacts, photos, web browsing history and call records in seconds. Deleted data can also be obtained using the technology. Crucially, data cannot be taken within a specific time frame – if police want to access messages or photographs from a particular date, they must access all photographs and messages.

The trials, which took place in Edinburgh and Stirling, saw 375 phones and 262 SIM cards accessed during investigations of what Police Scotland called “low-level crime”. It is not known whether the phones belonged to suspects, victims or witnesses, or whether owners were told that officers would override passwords to access phones.

Privacy campaigners said there should be independent oversight of Police Scotland’s use of ‘kiosks’ and accused the force of undermining the fundamental principle of policing by consent. The Scottish Liberal Democrats echoed the call for oversight, and the Scottish Greens said police should obtain a warrant before accessing phones.

Police confirmed kiosk trials took place at Edinburgh’s Gayfield Square Police Station between May 10 and September 2, 2016 and at Stirling Police Station between June 19, 2017 and January 5, 2018. At Gayfield police accessed 195 mobile phones and 262 SIM cards. At Stirling 180 phones were accessed. The initial admission about the existence of trials of the technology came in a response to a Freedom of Information request. In the official response, Police Scotland said: “We have previously trialled the use of kiosks in the East of Scotland for low-level crime, defined as that which appears from the outset to be a case likely to be prosecuted at summary level.” The majority of cases in Scotland are dealt with using summary procedures and offences range from breach of the peace and minor road traffic offences to theft, assault and drug possession.

A force spokesman later said the data extraction trial at Gayfield was “predominantly” for “drugs related” investigations. The spokesman was unable to say how many cases resulted in a conviction. In the official response, Police Scotland said 18 officers were trained to use kiosks and data extracted was “retained at a local level”.

The response to the Freedom of Information request added: “No formal review has been conducted to date and further future trials are being considered.” When the Sunday Herald questioned Police Scotland about the pilot, the spokesman appeared to contradict the response to the FoI request by insisting that data has not been retained and “there will be no future trials”.

He confirmed that they used a Cellebrite Kiosk in the trials. The Israeli manufacturer boasts that the units can “access a wide range of evidence sources, including encrypted or locked mobile devices, public and private social media and other cloud data”. Solicitor Millie Wood of campaign group Privacy International said some extraction devices access data based on its type, rather than by its time frame. She said: “You can’t take one message or photo, you have to take all messages or photos. You can’t limit data extraction by time period. Given what we know about how kiosks are used, that’s a huge amount of data to obtain. It’s excessive and it has stirred our concerns.”

Wood believes many people may have been unaware of the trial when police took their phones. She said: “The use of the kiosk in the East of Scotland trial means they must have been using it in live investigations. It’s probable that there are a lot of people out there that were part of a trial they didn’t know about. We don’t know how many people, we don’t know how much data was extracted.” She said police should be compelled to obtain a warrant before using kiosks in Scotland.

“Policing is by consent, which means there must be transparency and integrity,” Wood added. “If this data extraction is happening in secret and under the radar, there can be no consent.

“There must now be independent oversight of Police Scotland’s data extraction activities so that someone can see what’s been going on.”

Former police officer John Finnie, who is now an MSP and the justice spokesman for the Scottish Greens, also said a warrant should be required before Police Scotland can access phones. He said: “It’s important that we see what checks and balances are in place to comply with data protection and human rights as, sadly, Police Scotland has not always had a strong track record in this area. A warrant would be one way of establishing whether data access was proportionate.”

Scottish Liberal Democrat justice spokesperson Liam McArthur MSP added: “With such an extraordinary amount of data at stake, people are right to ask what oversight there is, and should be, of this process. We need to know what guidance, guarantees and protections against misuse exist.”

It is understood Police Scotland believes it complied with data protection guidelines during the trial and only examined phones that were lawfully obtained.

When asked whether owners gave consent, a Police Scotland spokesman said: “All phones had to be lawfully seized for a policing purpose. This can include a device being obtained by use of a warrant or handed to police voluntarily during an investigation.”

Detective Chief Inspector Brian Stuart added: “Given the explosion of mobile devices in recent years, law enforcement has to be innovative with technology and keep ahead of the curve to ensure the safety of its citizens.”