MSPs say more work is needed on the privacy and human rights implications of the controversial tools, which bypass phone encryption to access personal data
Scottish ministers have called upon Police Scotland to suspend a rollout of technology that allows authorities to bypass security protections on mobile phones, over concerns the procedure may be illegal.
The row is the latest to focus attention on what powers law enforcement should have over personal data drawn from mobile devices.
The debate notably erupted into the limelight in 2016 when the FBI tried to force Apple to help it gain access to the iPhone owned by a dead man who had carried out a massacre in California.
In that case, the FBI finally used phone unlocking technology to access the device.
The Scottish debate focuses on similar devices, termed cyber-kiosks, which are about the size of a laptop and use undisclosed security vulnerabilities in devices to bypass their security protections.
Police Scotland paid about £500,000 for 41 cyber-kiosks from Israeli firm Cellebrite, which it planned to roll out to police stations across the region from the autumn of last year.
But in a report published on Monday by the Scottish Parliament’s justice sub-committee on policing, MSPs said the project had gone forward without proper oversight.
The committee found that during pilot studies in Edinburgh and Stirling from 2016 to 2018, police searched the mobile phones of suspects, witnesses and victims without the required governance, scrutiny and impact assessments.
Members of the public whose phones were seized and searched were not made aware that the devices were to be searched using the cyber-kiosks as part of a pilot study, and were not offered the option of giving consent.
The sub-committee requested the Scottish government to provide clarity on the legal position of the devices’ use.
Committee convener John Finnie, a former police officer, said an assessment of the possible benefits and risks of the tech should have been carried out, but that in fact only the benefits were presented by Police Scotland to the Scottish Police Authority (SPA), without clarifying known risks.
The SPA, for its part, apparently accepted the information with “very little critical assessment”, Finnie said.
“Even the most fundamental questions, such as the legal basis for using this technology, appear to have been totally overlooked,” he said.
The “sub-standard process” had resulted in half a million pounds’ worth of equipment “sitting gathering dust”, he said, adding that the committee now wants to work with police on a solution that would provide the “necessary safeguards” for the technology’s use.
Assistant chief constable Steve Johnson said Police Scotland and the justice sub-committee on policing had both received written confirmation from the Crown Office and Procurator Fiscal Service about “the clear legal basis, and robust statutory regime” for the cyber-kiosks.
“As the chief constable has already made clear, there is a policing imperative for deploying the equipment to protect vulnerable victims and bring offenders to justice,” Johnson said.
But he acknowledged that privacy and human rights considerations must also be “transparently and satisfactorily addressed”.
Susan Deacon, chairwoman of the SPA, said it would respond in due course and planned to continue strengthening its arrangements for the oversight of policing.
Privacy International warned last year there are as yet “no clear policies or guidance” on the use of phone data extraction tools, meaning individuals are unaware of their rights.
The group estimated that 26 police forces in England and Wales are already using the tools.