THE rollout of new technology which can be used by police to secretly hack into mobile phones should be halted, MSPs have said.
The call came after it emerged that police officers can use new hacking technology, called "cyber kiosks", to harvest data from phones handed over by witnesses and suspects. That position contradicted a previous statement by Police Scotland which insisted the technology can’t be used to “extract” information, only view it.
The Sunday Herald previously revealed police piloted cyber kiosks, accessing hundreds of phones without telling the owners, then spent hundreds of thousands of pounds to procure 41 devices.
Speaking to the Sunday Herald last week, after this newspaper revealed that the force is now under investigation by the UK’s information watchdog over the use of cyber kiosks, Assistant Chief Constable Steve Johnson said the devices “do not extract information”.
However, under intense questioning by members of the Holyrood justice committee, Detective Superintendent Nicola Burnett admitted that officers can extract data from phones with kiosks.
She said: “There is another option that is available. If for instance there is a case whereby whilst viewing the data on the kiosk there is an opportunity to download the data of consequence onto a disc.”
Burnett also admitted that the force has yet to work out how to encrypt discs containing private and highly personal data taken from mobile phones.
Convenor of the Justice Sub-Committee on Policing, John Finnie MSP, who is a former police officer, said: “Superintendent Burnett’s disclosure that data can be downloaded by the kiosks onto disc was completely at odds with Police Scotland’s previous position and causes me genuine concern.”
MSPs hauled Burnett before the committee after the Sunday Herald revealed last month that Police Scotland carried out secretive trials of cyber kiosks in Edinburgh and Stirling which saw 375 phones and 262 sim cards accessed.
This newspaper then revealed that £370,000 was spent on 41 kiosks. When MSPs asked Kenneth Hogg, Interim Chief Officer of Scottish Police Authority, about the figure, he revealed that the true cost was £445,000 when VAT is included. He also said the use of the devices by Police Scotland costs a further £100,000 a year.
When Burnett was asked by MSPs if people whose phones were accessed during the pilot in Edinburgh in Stirling were told that officers had technology which could override passwords and view everything on the device, including encrypted information, she said “there was no specific advice given”.
The committee of MSPs also heard that police failed to carry out an Equality and Human Rights Impact Assessment (EHRIA) or a Privacy Impact Assessment (PIA) ahead of the pilots which took place in Edinburgh between May and September 2016, and then in Stirling between June 2017 and January 2018.
Convenor of the committee John Finnie MSP, who is a former police officer, accused Police Scotland of “putting the cart before the horse” by spending hundreds of thousands of pounds of public money on kiosks, which are due to be rolled out in the autumn.
Burnett responded: “I anticipate that there will be nothing that will come up in those assessments that we cannot address. Clearly if there is something that means we have to stop, clearly that would be something that would need to occur.”
Speaking to the Sunday Herald, Finnie called on the force to “halt” the rollout and pointed to a “damning” 2015 report by the police and crime commissioner for North Yorkshire into the use of technology which can extract data from mobile phones. The commissioner found that “sensitive” information downloaded onto discs was not encrypted, and in some cases went missing.
Finnie said: “We were told Police Scotland liaised with other UK forces about using this equipment. If that’s the case, then lessons could, and should, have been learnt from the police commissioner’s damning report on North Yorkshire Police citing irregularities, which in some instances "undermined prosecution of serious crimes such as murder and sexual offences" and saw data lost from phones of those never charged.
“There must be a halt on any further deployment of this equipment pending publication and scrutiny of Equality and Human Rights and Privacy Impact Assessments, which Police Scotland say they will compile, and which should have been considered prior to trialling equipment which has impacted on over 600 people.”
Finnie added: “The meeting was an opportunity for both Police Scotland and the Scottish Police Authority to provide some reassurance to members. However, quite the contrary, their evidence gave rise to many more questions, answers to which will initially be sought in writing, following which the committee will consider what further action to take.”
Liam McArthur MSP, the justice spokesman for the Scottish LibDems, who also sits on the committee, said Burnett’s evidence “left many unanswered questions”, adding: “Until the necessary safeguards have been put in place, it would obviously not be appropriate for these kiosks to be in use more widely."
He said: "The bodies to whom Police Scotland is accountable need to know how devices are being interrogated, what kind of information is uncovered and what information is retained.”
ACC Johnson said last night: “Cyber kiosks provide specially trained officers with the ability to triage lawfully seized devices, reducing the number which are required to be forensically examined, and reducing the inconvenience to a witness or victim of retaining a device which, on later examination, has no evidential value.
“No data is retained by the kiosk. In situations where a large amount of specific data from set parameters is available, the device has the capability to copy this to an encrypted disc for later viewing. As part of our ongoing engagement ahead of deploying cyber kiosks across the country, we are developing our policy and procedures around their use. If we utilise the facility of copying data to a disc this would be strictly managed as potential evidence.”
Why are you making commenting on The Herald only available to subscribers?
It should have been a safe space for informed debate, somewhere for readers to discuss issues around the biggest stories of the day, but all too often the below the line comments on most websites have become bogged down by off-topic discussions and abuse.
heraldscotland.com is tackling this problem by allowing only subscribers to comment.
We are doing this to improve the experience for our loyal readers and we believe it will reduce the ability of trolls and troublemakers, who occasionally find their way onto our site, to abuse our journalists and readers. We also hope it will help the comments section fulfil its promise as a part of Scotland's conversation with itself.
We are lucky at The Herald. We are read by an informed, educated readership who can add their knowledge and insights to our stories.
That is invaluable.
We are making the subscriber-only change to support our valued readers, who tell us they don't want the site cluttered up with irrelevant comments, untruths and abuse.
In the past, the journalist’s job was to collect and distribute information to the audience. Technology means that readers can shape a discussion. We look forward to hearing from you on heraldscotland.com
Comments & Moderation
Readers’ comments: You are personally liable for the content of any comments you upload to this website, so please act responsibly. We do not pre-moderate or monitor readers’ comments appearing on our websites, but we do post-moderate in response to complaints we receive or otherwise when a potential problem comes to our attention. You can make a complaint by using the ‘report this post’ link . We may then apply our discretion under the user terms to amend or delete comments.
Post moderation is undertaken full-time 9am-6pm on weekdays, and on a part-time basis outwith those hours.
Read the rules hereLast Updated:
Report this comment Cancel