THOUSANDS of Scots have had their phone hacked by Police Scotland officers looking for evidence, according to new figures uncovered by our sister title The Herald.
But nearly three-quarters of the searches have been “negative”.
The data, obtained under Freedom of Information, shows that since the so-called cyber kiosks were first properly rolled out at the start of 2020, there have been 4,779 searches.
Of those, only 1,311 have been classed as positive, just 27 per cent.
The low return has sparked questions from opposition MSPs and human rights groups.
The Lib Dems said it was clear the technology was being used “routinely and extensively” and that the force needed to “review how the technology is used”.
Cyber kiosks or digital triage devices are sold as Universal Forensics Extraction Devices (UFED) by the Israeli technology company, Cellebrite.
They were first trialled by Police Scotland in 2016 in Edinburgh and Stirling. They allow law-enforcement agencies to unlock both iPhones and Android smartphones, and extract most of the data on them.
The devices can work even if the phones are locked and even if the data is encrypted. This allows police access to stored passwords and tokens, chats, location data, email attachments, as well as deleted content.
However, the device is less effective on newer phone models. A passcode can also cause the device difficulties.
It is not clear how many of the failed searches carried out by Police Scotland were because there was nothing to be found and how many were because officers were unable to get into the phone.
In April 2018, Police Scotland spent more than £444,000 on 41 cyber kiosk units from the company.
The aim was to deploy them across the country within six months. However, that was paused after concerns were raised by MSPs and lawyers.
It was only in 2020, that the Crown Office and an independent senior counsel commissioned by the force were confident that there was a legal basis for use of the technology.
A recent paper produced for the Scottish Police Authority explained that the kiosks helped with cases by allowing “lines of enquiry to be progressed at a much earlier stage”.
The Herald’s figures show that they were used 849 times in that first year, with 249 positive results. In 2021, there were 2,311 searches with 611 coming back positive.
The figures for this year, up until August, show that there have been 1,619 searches, with 451 proving positive.
The busiest month of the last three years was in September 2021, when 294 searches were carried out.
Any officer seeking to use a device must fill in an Examination Request Form (ERF) which are then assessed by specialist staff in the force’s Cybercrime Gateway.
This assessment “concerns the necessity, legality, proportionality and justification of any examination as well as the category and extent of information requested”.
One ERF can cover multiple devices, which could mean that the real figures are far greater than those provided.
In response to our Freedom of Information request, Police Scotland also confirmed that there had been no evaluation of the devices.
Scottish Liberal Democrat spokesperson for justice Liam McArthur said: “Scottish Liberal Democrats were not alone in raising serious concerns about the legality and way in which this technology was put into use by Police Scotland with few, if any, safeguards.
“While steps were subsequently taken to apply greater safeguards, this FOI suggests that cyber kiosks are being used routinely and extensively. Yet it is also clear that such searches do not turn up evidence relevant to investigations all that often.
“In order to maintain public confidence, it will be important for Police Scotland to continue to keep under review how the technology is used and where further improvements might be made.”
Last year, the CEO of the messaging app Signal said he hacked a cyber kiosk and discovered a series of vulnerabilities which would allow someone to plant code on a phone that would take over Cellebrite’s hardware.
They claimed this would allow them to silently affect all future investigations, and also rewrite the data the tools had saved from previous analyses.
In September, a court ruling in Maryland forced Baltimore Police Department to stop using the cyber-kiosks over concerns that it breached the Fourth Amendment which protects US citizens from unreasonable searches and seizures by the government.
Nevertheless, Cellebrite’s UFEDs remain popular with governments and law enforcement agencies across the world.
When Kayleigh Haywood, a 15-year-girl from Measham, Leicestershire, disappeared in 2015, police were able to use a device to access her tablet and her phone.
They discovered a number of messages between her groomer, Luke Harlow which led them to her murderer, Stephen Beardman.
Comments & Moderation
Readers’ comments: You are personally liable for the content of any comments you upload to this website, so please act responsibly. We do not pre-moderate or monitor readers’ comments appearing on our websites, but we do post-moderate in response to complaints we receive or otherwise when a potential problem comes to our attention. You can make a complaint by using the ‘report this post’ link . We may then apply our discretion under the user terms to amend or delete comments.
Post moderation is undertaken full-time 9am-6pm on weekdays, and on a part-time basis outwith those hours.
Read the rules hereLast Updated:
Report this comment Cancel