From your cell to the cells, Police Scotland’s Plans for Mobile Phone Forensics & you.

Cian Heasley
6 min readJul 13, 2018

--

When your phone is a witness for the prosecution.

Police Scotland have already purchased and tested technology created by a spy tech corporation to more easily peruse the contents of cellphones retrieved from suspects without warrants or a proper policy framework in place.

In this piece I’ll be digging in to:

  • What this technology is and how it works
  • Why this is problematic
  • What we can do about it

What exactly is a “cyber kiosk” then?

First of all what even is this technology we are talking about?

Police Scotland has chosen to term the devices “cyber kiosks” or even “phone kiosks”, which makes them sound charmingly quaint and fairly harmless, like the kind of thing a tourist would insist on taking a selfie in during the Festival, despite the overwhelming smell of urine.

Cellebrite, the company that designs and manufactures this tech, calls them “Universal Forensic Extraction Devices” which at least gives some idea as to their purpose, less folksy and with more clinical yet faintly sinister undertones.

This is a “kiosk” apparently.

Essentially we are talking about either a hand held tablet or desktop computer with the ability to easily and quickly connect to many, many models of cellphones and extract your user data, bypass your phone’s security and reveal hidden or deleted data that might be stored on your phone.

It is worth lingering on this point for a moment, “user data” is kind of vague, so let’s take a moment to think about the very broad scope of what we are talking about.

User data is literally everything contained on your phone, so information such as:

  • Your text messages
  • Embarrassing selfies
  • Your phone’s browser history
  • Your social media account content and social media logins and passwords
  • Cloud backup access details
  • Those secret WhatsApp chats with your weed dealer
  • Who you have called and metadata regarding those calls
  • Location tracking information that has been logged by your phone and wireless networks you have connected to

Basically if you have used your phone for something then this information is retrievable.

Privacy International have written a more in depth blog entry detailing exactly what is possible using UFED technology, you can read it here.

So what’s the problem?

There is no question that the police need to have in place ways of processing and examining suspect’s cellphones, but should being able to do so become as easy as connecting a cable to someone’s phone?

Police Scotland does not have a good track record when it comes to phones, having previously used surveillance powers to snoop on journalists in violation of the law.

Representatives of Police Scotland admitted at a parliamentary hearing earlier this year that they used this UFED tech to process 375 suspect’s phones in Edinburgh and Stirling as part of a scheme to trial the usage in advance of rolling it out across Scotland.

“We do not have the time or capacity to go into people’s lives and start sniffing around. It’s utterly impossible. We can hardly do the job at the moment, let alone anything else” — Reassuring words from Vice Chair of the Scottish Police Federation (SPF) David Hamilton

Suspects were not notified and the police representatives were unable to confirm whether warrants were issued for the processing of suspect’s phones. The police representatives further admitted that they had purchased and tested the devices out on phones belonging to members of the public without putting in place a policy framework or human rights impact assessment before hand.

This is a problem.

If the police are going to spend in excess of £400,000 on equipment from a corporation that has happily sold technology to regimes that torture their citizens the absolute least they could do is consider the human rights of people here in Scotland. If the police are going to test out this technology, without warrants, on the unwitting public it would be nice to think that they might at least mention it to the people being used as guinea pigs.

Detective Chief Superintendent Gerry McLean has gone on record to say that this technology is necessary for Police Scotland because of a lack of officers trained in digital forensics, but what is convenient for the police is not necessarily beneficial to society.

Police Scotland claim that they are operating under legislation that dates back to a time when the only information stored on a phone was text messages, phone call logs and how pitifully bad your high score on Snake was.

I preferred 21 Black Jack as a source of white knuckle, simulated gambling adrenaline on long bus journeys.

Or as MSP Daniel Johnson said at the committee hearing in May:

“You say that these kiosks don’t provide you with any new powers, that you’ve had the technology since the 1990’s, but do you not recognise that the information contained on these devices now has exploded exponentially and is a degree of sensitivity and personal nature that is just not comparable to the data captured on sim cards, which is what you were referring to in the 1990’s?”

If you are arrested for being drunk and disorderly, urinating behind a bin in the Cowgate or drunkenly singing Venga Boys with an empty bottle of Buckfast as a microphone, at four am in a quiet residential neighbourhood the police could not use your arrest as the basis for searching your flat for incriminating documents, seizing your laptop or rifling through your diary.

Your smart phone contains so much information about your life, it should not be casually accessible by the authorities without a warrant. Searching the phones of people arrested for minor crimes should not become routine for the Scottish authorities.

What can we do?

Police Scotland agreed to the creation of an external reference group which will allow digital human rights organisations such as Open Rights Group and Privacy International to ask questions and voice concerns that should have been addressed before Police Scotland spent a single penny on this technology.

You can add your voices to theirs and follow the progress of this and other issues they are tackling on Twitter: ORGScotland & privacyint

Aside from getting involved with either of those NGOs or others like them you can email or tweet your local MSP and tell them that you have concerns about Police Scotland adopting technology before our elected officials have the opportunity to examine the implications for the public.

Let your elected representatives know that privacy and human rights are important to Scottish voters.

As for what you can do if you think you may find yourself in a situation where you are arrested, that is a more complex question.

By their very nature companies that trade in the kinds of technology that earn Cellebrite lucrative government contracts are extremely secretive, the exploits that they use to bypass your phone’s security are jealously guarded. These exploits are bought and traded in shadowy online marketplaces, the security of millions of consumers’ devices sold to the highest bidder and then sold on to governments, security services and police forces around the world.

There are some things you can do to mitigate the potential loss of privacy an arrest can result in though.

  • Seems super obvious, and it is a standard security mantra, but keep your phone up to date. As information about vulnerabilities become public knowledge companies like Apple have a chance to patch and put in place methods of preventing anyone taking advantage of them. If you don’t keep your phone up to date you are increasing the number of potential attacks that can be used against it.
  • If you are talking about anything you wouldn’t want known to anyone but the recipient consider avoiding using your phone to have these conversations.
  • If you are attending a protest or similar event that could result in a run in with the police think about leaving your phone at home. It is inconvenient, but removes the possibility of someone scouring your phone on a whim, should you be arrested. Burner phones are cheap, free sim cards are easily available.
  • Failing that, ensure that your phone is encrypted, IOS and Android now fully support device encryption, make sure it requires a strong (lengthy and complex) passcode or password to unlock at boot and keep it switched off in situations that seem likely to involve a heavy police presence.

When searching through every shred of data on phones becomes trivial and Police Scotland seem loathe to put in place proper safeguards and policy before using these devices it is up to us to educate ourselves to protect our privacy.

--

--

Cian Heasley
Cian Heasley

Written by Cian Heasley

I work in infosec and live in Scotland, I am fascinated by computer security, privacy and the intersection of the internet, technology and human rights.