“Digital strip-searches”: police increasingly downloading everything from smartphones – including from crime victims
Full-body scanners are now a routine sight at airports. Most people are resigned to these virtual strip-searches, despite the obviously intrusive nature of appearing naked to the machines’ operators. But it seems that what amount to digital strip-searches are becoming increasingly common around the world too. For example, it has emerged that victims of crimes in the UK are being asked to hand over their mobile phones and social media accounts so that the police can download all the contents in the search for “relevant” information. As The Independent newspaper reported:
New forms being handed out across England and Wales warn that if a complainant refuses to surrender their digital devices, or tries to prevent any personal information being shared, “it may not be possible for the investigation or prosecution to continue”.
Of particular concern are cases of alleged rape, where victims are understandably cautious about revealing intimate details of their lives that may be used against them by defense lawyers. One woman wrote in the Guardian that her case was dropped not because of an unlikely prospect of conviction, but because she refused to hand over her mobile phone for its data to be downloaded in its entirety:
I consider that request to be a gross violation of my human rights. What is on my phone is private and irrelevant to the crime that was committed. But I know that it has the potential to be used to humiliate and discredit me on the stand. It will be the digital version of the “short skirt”.
A petition has been started calling for the UK police to drop this practice. But a report by Privacy International reveals that the UK police have been routinely downloading material from mobile phones on a “massive scale”. Using Freedom of Information requests, Privacy International found that 26 out of 47 UK police forces admitted they are using mobile phone extraction technology.
The report gives some details about the equipment used. Two companies are particularly active in this emerging sector. One is MSAB, which claims that its XRY software can access over 27,000 devices and apps, including drones. In the UK, the company says over 97% of all police forces there have acquired an XRY system for extracting data – far higher than the 55% which admitted it to Privacy International. MSAB is also active in the US. In 2010, the company received its largest-ever order, from the US government. A further order for double the volume of units meant that the US became the single largest market for MSAB.
The other big player is Cellebrite. According to CNN, “Cellebrite is the FBI’s go-to phone hacker“. A key capability of its products is the claimed ability to bypass pattern, password or PIN locks, and circumvent encryption on phones. Material held on devices is combined with public data on social media to provide a richer dataset:
Easily access, view and incorporate public domain social media and cloud-based data into your investigations, such as location information, profiles, images, files and social communications from popular apps, including Facebook, Twitter, and Instagram.
In the landmark US ruling of Riley v California, the US Supreme Court held that whilst data on a mobile phone is not immune from search, a warrant is generally required first, even in connection with an arrest. However, more recently another court ruled that this doesn’t apply at the US border.
The authorities in Canada take the same approach. When a Canadian businessman landed at Toronto airport recently, a border officer demanded his passwords in order to search his phone and laptop. When the businessman refused, the officer confiscated his devices, and said they would be sent to a government laboratory that would try to gain access – presumably using the kind of tools offered by MSAB and Cellebrite.
As the Canadian Broadcast Corporation reported, the country’s border services claim that they have the right to search electronic devices at the border for evidence of customs-related offenses without a warrant, just as they do with luggage. However, some Canadian lawyers argue that this is unconstitutional.
Irrespective of local laws, there is a larger issue here that is relevant globally. The smartphone is no longer simply a device for making telephone calls. On the hardware level, it is a pocket-sized supercomputer; a camera; a video and sound recorder; a GPS device; and more. Combine this with the millions of apps that are typically available for the main platforms, and you have the most powerful personal device ever created. Smartphones are not just an element of our daily life, but a store of its essence. When the authorities seize our mobile phones, they are seizing our digital selves.
Cardinal Richelieu is alleged to have said: “If you give me six lines written by the hand of the most honest of men, I will find something in them which will hang him.” Imagine, then, what can be done with six Gigabytes of your most private data, extracted from your phone. Given the incredible richness of that material, it is no wonder that there is a clear trend among the authorities to demand mobile devices when they can, and to download and use as much data as possible. But that very richness means that it imperative to improve both the standard security of mobile devices, so that brute-force extraction tools don’t work, and the legal protection for their contents when governments do manage to gain access to them.
Featured image by US Transportation Security Administration.