CONSIDER, just for a moment, what I could learn about you if I got my hands on your mobile phone. Say I dopple-gangered your fingerprints or retinas, or cracked your pin – what would I find?
For starters, there’s your contacts, your recent call sheet and your text messages. If you still wield an elderly Nokia, the data trail might end there. But if, like 78% of Scots, you also use your phone to access the internet, chances are your smartphone would tell me a great deal more about you than that.
I would have free reign through your photos, your internet search history, where you’ve been, what videos you’ve watched, what you’ve recently bought on Amazon, how many steps you’ve taken that day, all your emails and your social media accounts, even recordings of your voice or biometric data.
Your phone can also be a gateway to the cloud, so I may be able to go spelunking through any information you’ve stored externally.
If you are being unfaithful to your partner, I may learn of the affair. If you are still in the closet, I could well find out. If you are a journalist, I might acquire sensitive data on your sources. If you’re a lawyer, I might learn privileged information about your clients.
I would have subverted not only your privacy – but the privacy of anyone who has contacted you. The potential for collateral intrusion is immense.
You can understand, therefore, why MSPs were concerned to learn that Police Scotland had invested in and deployed “digital device triage systems” – known as cyber kiosks – which are capable of doing precisely this.
READ MORE: Police Scotland's cyber kiosk roll-out criticised by MSPs
In a report published last week, Holyrood’s Justice Sub-committee on Policing is stinging in its conclusions.
There is, they concluded, no clear legal basis for the police to use this technology, and worse, “this technology was used on a trial basis without any human rights, equality or community impact assessments, data protection or security assessments.”
When it comes to basic issues of privacy, Police Scotland have been remarkably cavalier.
So how does the kit work? When your phone or tablet is plugged into one of these unassuming terminals, the kiosk is capable of extracting all of the data stored on the device, side-stepping any passwords and security measures you’ve put in place. Officers are then able to browse through all your contacts, correspondence, and photographs. In April 2018, Police Scotland invested in 41 of these devices from Israeli firm Cellebrite. The price tag was £444,821. Their intention was to deploy them throughout Scotland in autumn 2018.
Cyber kiosks were first trialled at two sites back in 2016. During this period, 180 devices were examined in Stirling, and 195 mobile phones and 262 SIM cards were examined using the terminals in Edinburgh.
These phones belonged to suspects, victims and witnesses. It is unclear whether those who voluntarily surrendered their phones to the police were made aware of the extent of the personal data which officers would be capable of accessing. I rather doubt it.
Under Article 8 of the European Convention on Human Rights (ECHR), “everyone has the right to respect for his private and family life, his home and his correspondence.”
Yes, that right is qualified. But the European Convention makes it crystal clear that if any public authority wants to interfere with your privacy, that interference must be necessary and proportionate.
The convention also demands a clear basis in law for any interferences, setting out, “with reasonable clarity the scope and manner of exercise of the relevant discretion conferred on the public authorities.”
Police Scotland is governed by these rules. So what’s the relevant law? Detective Chief Superintendent Gerry McLean did his best to defend the force’s investments, soft soaping the committee with the cold comfort that “we are confident of the legal basis on which Police Scotland applies the law in relation to digital forensics at this time.”
He reeled off common law, some statutes and consent as sound legal bases for what his officers had been doing. But when pressed on these “assurances”, the DCS dissolved into a jurisprudential puddle, breezily implying he was across the detail, while making a very thin legal case.
Much sharper and clearer were the submissions from both the Information Commissioner’s Office and the Scottish Human Rights Commission. Diego Quiroz, for the SHRC, set out the facts in no uncertain terms: “The current law is not clear; the lawful use of cyber kiosks has no clear basis in domestic law.
‘‘The law does not have a sufficient quality to be accessible and foreseeable, and that relates to legal certainty. There are no adequate safeguards in place in the law because the legislature did not consider those situations of seizure and search in that context.”
Accessing phones against this backdrop is almost certainly incompatible with Article 8 of the ECHR.
If the police want to raid your house, they’ve got to secure a warrant from the court. This warrant will carefully establish what they are, and are not, entitled to seize.
On arrest, the police have long held the power to search you and seize relevant items of property. But when digital stop and search can unpack the whole world in your pocket – it’s a new ball game. In privacy terms, what’s the better analogy for gaining access to all the data someone has stored on their phone: frisking a suspect, or raiding their house?
Unlike my university students – who were all born in the late 1990s – I’m not a digital native. As a child of the 1980s, for most of my childhood, computers meant heavily-pixelated games of Frogger, static encyclopaedias and endless games of solitaire. Personal mobiles didn’t materialise till my teenage years. Technology has sprinted ahead of traditional legal paradigms. The law needs to catch up.
The committee were dogged. DCS McLean fought a valiant rear-guard action to try to salvage Police Scotland’s position. In response to the committee’s concerns, the “ambitious” national deployment of the kit was first delayed till September, then October, then November, then December. In the new year, the Chief Constable of Police Scotland finally realised the writing was on the wall, confirming that the devices will not now be deployed “until the issues of legality and policing by consent had been addressed.”
Iain Livingstone expressed his regrets that “we did not reach out as broadly as we could have done and did not absolutely establish and articulate the clear legal and rights-based authority for the use of the equipment.” It’s an all too familiar story.
As John Finnie MSP, pictured above, observed this week, the bottom line is this: “this sub-standard process has resulted in over half a million pounds worth of equipment sitting gathering dust.” It is the job of newspaper columnists to thunder about political malfeasance, brigandry and incompetence in public life.
With Brexit still in the headlines and Boris Johnson poised to be the next Prime Minister, there will be plenty of time for donner and blitzen. This is another cock-up Police Scotland does not need.
But credit where due. How John Finnie’s committee has handled Police Scotland’s cyber kiosk flop has been a credit to the Parliament. It is the Scottish Police Authority’s job to hold the national police service to account. It has – once again – fallen to MSPs to do so.
Their questions haven’t been self-serving or grand-standing. They haven’t been generating hysteria for hysteria’s sake. Substantive, grown-up, cross-party, level-headed, agenda-setting, forensic: this is what effective Parliamentary committees should be about.
Why are you making commenting on The National only available to subscribers?
We know there are thousands of National readers who want to debate, argue and go back and forth in the comments section of our stories. We’ve got the most informed readers in Scotland, asking each other the big questions about the future of our country.
Unfortunately, though, these important debates are being spoiled by a vocal minority of trolls who aren’t really interested in the issues, try to derail the conversations, register under fake names, and post vile abuse.
So that’s why we’ve decided to make the ability to comment only available to our paying subscribers. That way, all the trolls who post abuse on our website will have to pay if they want to join the debate – and risk a permanent ban from the account that they subscribe with.
The conversation will go back to what it should be about – people who care passionately about the issues, but disagree constructively on what we should do about them. Let’s get that debate started!
Callum Baird, Editor of The National
Comments: Our rules
We want our comments to be a lively and valuable part of our community - a place where readers can debate and engage with the most important local issues. The ability to comment on our stories is a privilege, not a right, however, and that privilege may be withdrawn if it is abused or misused.
Please report any comments that break our rules.
Read the rules hereLast Updated:
Report this comment Cancel