UK Digital Forensics Report

Public records released since January 2019 reveal the scale of the UK’s digital forensics spending, with several new public bodies acquiring the tools and millions being invested to modernise data storage systems, train officials, and renew software licenses.

Digital forensics encompasses a variety of technologies designed to identify, preserve, and extract data from electronic devices. The majority of this report will focus on mobile data extraction solutions which allow authorities to access data from mobile phones, principally to assist in criminal investigations.

Cellebrite’s UFED Premium mobile data extraction tool,^[1] one of many on the market, allows authorities to “gain access to 3rd party app data, chat conversations, downloaded emails and email attachments, deleted content and more,” according to their website.

There’s little doubt these “digital stop and searches” have proved useful for law enforcement agencies. However, questions regarding their proportionality and privacy implications remain.

In June 2020, the UK’s data protection regulator, the Information Commissioner’s Office, published a damning report on the police’s use of mobile data extraction technologies.^[2]

“Current mobile phone extraction practices and rules risk negatively affecting public confidence in our criminal justice system […] with excessive amounts of personal data often being extracted, stored, and made available to others, without an appropriate basis in existing data protection law.” – Information Commissioner’s Office

The Metropolitan Police also acknowledged that the current process of mobile data extraction “creates a data protection risk.”^[3]

Despite these alarming privacy concerns, the technology is widespread among police forces in the UK. In 2018, Privacy International discovered that at least 26 police forces nationwide were using mobile data extraction technologies. Since then, a number of new agencies appear to have acquired the technology.^[4]

The UK’s Ministry of Defence, for example, previously refused to disclose whether or not they had received any services from Cellebrite in response to this Freedom of Information request. However, this contract shows they renewed their licenses for Cellebrite’s digital forensics software in July 2020 at a cost of nearly £90,000.

Similarly, in 2017 Nottinghamshire Police told Privacy International that they do not use mobile phone extraction technologies.^[5] However, this appears to have changed. A contract published on 3 March, 2020, shows the East Midlands Strategic Commercial Unit spent over £30,000 on “Cellebrite premium iOS and Android extraction software for Nottinghamshire Police.”

Our findings also reveal a growth in the number of unconventional agencies acquiring these tools, including the Competition and Markets Authority – a non-ministerial department that works to “promote competition for the benefit of consumers, both within and outside the UK.”^[6]

Even the Food Standards Agency is looking to acquire “digital forensic technicians and services to extract data from electronic media.”^[7]

The use of mobile data extraction technologies made the headlines earlier this year after the Crown Prosecution Service and police were forced to stop using the technology on victims during investigations of rape.^[8]

The decision followed a report published by Big Brother Watch that showed 100% of rape cases were dropped when the victim refused to hand over their phones between 2018-19.^[9]

Not only is the use of this technology controversial, the companies that dominate the market have also been accused of neglecting their human rights responsibilities internationally.

Cellebrite, a market leader in the production of mobile data extraction technologies, have been accused of selling their technologies to Hong Kong and Belarus and enabling authorities to clamp down on dissent.^[10][11]

Of the 33 public records we analysed, Cellebrite is listed as the supplier in 17, with a combined value of more than £4M.

We also found two documents that show Cellebrite’s technology has been purchased via alternative suppliers.

The highly sophisticated nature of these tools and their potential to be misused raises considerable concern, particularly given the lack of legal constraints and the ever-growing amount of money UK authorities are investing in them.

The MPS were an early adopter of digital forensic technologies and account for 80% of all expenditure covered in this report.

A procurement document published in 2015 indicated that by March 2016, there would be Self Service Kiosks (SSKs) in all 32 MPS boroughs.^[12] SSKs, or Digital Forensics Kiosks, are defined as “officer operated equipment based within operational police premises” for the purpose of data extraction.^[13]

Below are details of the Metropolitan Police’s digital forensics contracts published since January 2019.

Remote Search & Review Solution

• Buyer: Metropolitan Police
• Supplier: CDW Ltd.
• Value: £16,500,000
• Date Signed: 13/12/19

The Search & Review solution is intended to “provide frontline officers with the self-service capability to review forensically recovered data from digital devices for evidence and disclosure purposes.”^[14]

Approved in January 2019, the project is expected to last 5 years, with a total cost of £16.5M.

The approved business plan recommends that the technology is procured from CDW Ltd.,^[15] a company that also appears to have supplied the Ministry of Defence with Cellebrite software licenses.^[16]

The business case for the project sheds light on the Metropolitan Police’s digital extraction procedures and highlights their substantial data security risks.

Screenshot from the MPS Remote Search & Review Full Business Case.^[17]

Although the new solution is intended to solve this reliance on physical devices, the creation of a centralised web-based application that contains all the data extracted by the MPS may still put sensitive data at risk.

While storing sensitive data on a USB device is clearly not ideal, it does minimise the amount of data at risk. If the web-based application was compromised in any way, for example, every person would have their data put at risk.

Given that other law enforcement agencies are likely storing extracted data on physical devices, this admission suggests that victims’ data is being held insecurely elsewhere.

Additionally, while increasing the accessibility of extracted data may be useful during investigations, it could also lead to a higher number of people having access to extracted data. As the below shows, accessibility is at the core of the project.

Screenshot from the MPS Remote Search & Review Full Business Case.

Nowhere in the business case does it outline how long data will be stored for or whether there are any limitations on the amount or type of data extracted. According to the document, however, a Data Protection Impact Assessment (DPIA) has been completed.

Currently, there is no regulation that forces authorities to disclose what, or how much, data they have extracted from a given device. As Privacy International have written: “If the police search your home or confiscate your possessions, you will receive an inventory list of those items. However, if they extract data from your devices, you may not even be told that they have done so, let alone be told what kind of data they have extracted.”^[4]

Licences and Ongoing Support for the Cellebrite ‘Premium’ Tool

• Buyer: Metropolitan Police
• Supplier: Cellebrite UK.
• Value: £2,090,000
• Date Signed: 10/09/20

This recommendation, which was approved by the Deputy Mayor for Policing and Crime, Sophie Linden, shows that the Metropolitan Police has purchased Cellebrite’s “UFED Premium” tool at a cost of over £2M. The tool is widely considered one of the most sophisticated on the market.

According to the product brochure: “With Cellebrite Premium you can bypass locks and perform a physical extraction on many high-running Android devices. By performing full-file system and physical extractions, you can get much more data than what is possible through a logical extraction, and access highly protected areas such as the iOS Keychain or the Secure Folder.”^[18]

Manufacturers of mobile extraction technologies pride themselves on how much data can be extracted from a device, without necessarily considering whether carrying out a full-file extraction is warranted, necessary, or proportionate.

This is not the first time the Metropolitan Police has purchased the technology and it’s not even the only type of data extraction tool at their disposal.

Screenshot from the MPS Cellebrite Business Case.^[19]

As the above shows, Cellebrite’s tool is intended to be used alongside another solution that cannot access Android phones. Unlike many other mobile data extraction technologies, Cellebrite’s is capable of accessing data on iOS and Android devices.

These sophisticated tools have led to criticisms from civil liberties advocates. In 2019, Silkie Carlo told the Financial Times that the use of mobile data extraction technologies is “a free-for-all which involves wholesale digital surveillance of someone’s entire life.”^[20]

In one section of the contract, the Metropolitan Police address the potential impact of this technology on equality and diversity.

Screenshot from the MPS Cellebrite Business Case.

“Policing Purpose”, according to the Police Federation of England and Wales, “essentially means the investigation, detection and prevention of crime.” It appears, therefore, there are very few meaningful limitations on the use of mobile data extraction technologies.

Given the MPS has faced a barrage of accusations of institutional racism and discrimination in recent years, there are obvious concerns these sophisticated technologies may be used in ways that exacerbate existing inequalities.

In the U.S., the ACLU has argued that greater restrictions ought to be applied to the use of these sophisticated mobile data extraction technologies.^[22]

“This is an enormously powerful technology, and it needs to be subject to careful checks and balances. The use of these devices is already regulated by the Constitution, but additional protections ought to be enacted, ranging from tight internal law enforcement controls to prevent abuse, to close legislative monitoring and, if appropriate, regulation of law enforcement use.”

However, the MPS is not the only law enforcement agency with access to Cellebrite’s digital forensic technologies.

As well as unearthing public documents that reveal the digital forensic capabilities of multiple local police forces, we also discovered records that show various governmental departments now have access to these tools.

Government departments that have purchased digital forensics include:

• The Home Office
• The Ministry of Defence
• The Competition and Markets Authority
• HM Revenue & Customs

While the use of this technology by the Ministry of Defence is relatively unsurprising, it’s not immediately clear what purpose the technology would serve for other departments.

It is also particularly striking that both the UK Border Force^[28] and UK Immigration Enforcement^[29] agencies have access to these tools. With a combined value of almost £400,000, the contracts reveal both agencies have digital forensic kiosks.

Both contracts list MSAB UK Ltd as the supplier, a company that claims: “In many cases, accessing and screening data on mobile phones is the most accurate and effective method for confirming someone’s identity and detecting threats in border control operations.”^[30]

The German non-profit GFF has argued that: “Asylum procedures are increasingly being digitized – be it automatic data comparison with growing databases, mobile forensics as heretofore only used in criminal proceedings, or artificial intelligence to search for suspicious refugees. The human being with their personal history of flight fades into the background and turns into a collection of pure data.”^[31]

The use of this technology in the U.S. has also been criticised, with the ACLU writing, “The claim by U.S. border officials that they can, with no grounds for suspicion, look through and copy travelers’ cell phones and other electronic devices is creating justified consternation.”

There are also number of procurement opportunities that have recently closed, although details of the finalised contracts are yet to be published.

These include an opportunity to provide the Food Standards Agency^[32] and The Ministry of Defence^[33] with digital forensics technologies. The latter contract is worth £600,000. However, as full details of the contracts are yet to be published, they have not been included in our findings.

Our findings show that UK authorities continue to invest millions into digital forensics tools, with few regulatory safeguards that prevent their misuse.

As the Metropolitan Police’s ‘Remote Search & Review’ business case outlines, many of the current procedures put highly sensitive data at risk, with almost no limitations on the amount or type of data that can be extracted.

Recent events in Hong Kong and Belarus have also demonstrated that these highly sophisticated technologies can be used in ways that undermine citizens human rights.

As these tools continue to proliferate, a number of unconventional agencies appear to be adopting them, increasing the chance they will be misused.

If meaningful regulations are not enacted, the continued investment in mobile data extraction technologies risks creating a huge unchecked surveillance network that is capable of radically eroding citizens’ right to privacy.

We searched publicly available government contracts and procurement databases published since January 2019 to discern the amount of money spent on digital forensics technologies.

All of the contracts discussed are available to view from the embedded tables, with hyperlinks on the date the documents were published.

About Top10VPN

We’re an established VPN review website and we help our readers find the right VPN, for added online privacy and security. We also conduct expert research on digital rights, privacy and security issues.

^{[1] https://www.cellebrite.com/en/ufed-premium/ ↩}

^{[2] https://ico.org.uk/media/about-the-ico/documents/2617838/ico-report-on-mpe-in-england-and-wales-v1_1.pdf ↩}

^{[3] https://www.london.gov.uk/sites/default/files/pcd_675_remote_search_and_review_fbc.pdf ↩}

^{[4] https://privacyinternational.org/sites/default/files/2018-03/Digital%20Stop%20and%20Search%20Report.pdf ↩}

^{[5] https://www.documentcloud.org/documents/4348963-Nottinghamshire-0001-RESPONSE-LETTER.html ↩}

^{[6] https://www.gov.uk/government/organisations/competition-and-markets-authority ↩}

^{[7] https://www.contractsfinder.service.gov.uk/Notice/5b361555-7aab-463d-9f15-1e080e9b7d1a?origin=SearchResults&p=1 ↩}

^{[8] https://www.theguardian.com/society/2020/jul/16/police-and-cps-scrap-digital-data-extraction-forms-for-cases ↩}

^{[9] https://bigbrotherwatch.org.uk/2020/06/rape-cases-dropped-over-digital-strip-search-refusals/ ↩}

^{[10] https://www.technologyreview.com/2020/08/25/1007617/israeli-phone-hacking-company-faces-court-fight-over-sales-to-hong-kong/ ↩}

^{[11] https://twitter.com/joshuawongcf/status/1295792294218436608?s=20 ↩}

^{[12] https://assets.documentcloud.org/documents/3280381/MPS-Digital-Cyber-and-Communications-Forensics.pdf ↩}

^{[13] https://www.cps.gov.uk/sites/default/files/documents/legal_guidance/Disclosure-reasonable-lines-of-enquiry-and-communications-evidence.pdf ↩}

^{[14] https://www.london.gov.uk/what-we-do/mayors-office-policing-and-crime-mopac/governance-and-decision-making/mopac-decisions-0/remote-search-review-full-business-case ↩}

^{[15] https://www.uk.cdw.com/ ↩}

^{[16] https://www.contractsfinder.service.gov.uk/Notice/7f13d579-ad5f-4e2e-9ee0-3bce1cfb47d1 ↩}

^{[17] https://www.london.gov.uk/sites/default/files/pcd_675_remote_search_and_review_fbc.pdf ↩}

^{[18] https://cf-media.cellebrite.com/wp-content/uploads/2020/07/ProductOverview_CellebritePremium.pdf ↩}

^{[19] https://www.london.gov.uk/sites/default/files/pcd_823_cellebrite_licences.pdf ↩}

^{[20] https://www.ft.com/content/2d0ef1f6-caf8-11e9-af46-b09e8bfe60c0 ↩}

^{[21] https://www.polfed.org/Sussex/media/1255/jbb3010.pdf ↩}

^{[22] https://www.aclu.org/blog/privacy-technology/internet-privacy/mobile-phone-cloning-tools-need-be-subject-oversight-and ↩}

^{[23] https://www.technologyreview.com/2020/08/25/1007617/israeli-phone-hacking-company-faces-court-fight-over-sales-to-hong-kong/ ↩}

^{[24] https://www.change.org/p/cellebrite-calling-upon-cellebrite-to-terminate-phone-hacking-cooperations-with-hong-kong-police ↩}

^{[25] https://www.cellebrite.com/en/cellebrite-to-stop-selling-its-digital-intelligence-offerings-in-hong-kong-china/ ↩}

^{[26] https://www.haaretz.com/israel-news/tech-news/.premium-israeli-phone-hacking-firm-cellebrite-halts-hong-kong-deal-with-china-1.9219244 ↩}

^{[27] https://www.amnesty.org/en/latest/campaigns/2016/07/how-fear-of-surveillance-is-forcing-activists-to-hide-from-public-life-in-belarus/ ↩}

^{[28] https://www.contractsfinder.service.gov.uk/Notice/b6cdf309-ace6-4857-b365-b56d111e5422 ↩}

^{[29] https://www.contractsfinder.service.gov.uk/Notice/ff4f0390-b85a-42a5-8a23-26165e7dc7f8 ↩}

^{[30] https://www.msab.com/border-control/ ↩}

^{[31] https://freiheitsrechte.org/home/wp-content/uploads/2020/02/Study_Invading-Refugees-Phones_Digital-Forms-of-Migration-Control.pdf ↩}

^{[32] https://www.contractsfinder.service.gov.uk/Notice/5b361555-7aab-463d-9f15-1e080e9b7d1a?origin=SearchResults&p=1 ↩}

^{[33] https://www.contractsfinder.service.gov.uk/Notice/9b2e7ad7-a297-4720-adb0-287f406e5c5e?origin=SearchResults&p=1 ↩}