Police Scotland have opened their Pandora’s box
In an attempt to establish new procedures for the seizure and examination of digital devices Police Scotland may have opened a Pandora’s box. Their inability to give a clear legal basis for the use of digital forensic kiosks has raised questions of the legal framework covering the whole digital forensics framework in Scotland. Open Rights Group submitted evidence calling for a halt to the rollout of the kiosks that was proposed to begin in December. In addition we are calling for the creation of a holistic legal framework covering the whole forensics framework in Scotland.
The problems for Police Scotland began at a Committee hearing in May which saw Police Scotland walk back their purchase first, policies later approach. Then followed a Committee hearing in September where Police Scotland were taken to task for failing to provide adequate clarity in Data Protection Impact Assessments and Equality and Human Rights Impact Assessments. This most recent hearing on 15 November showed the scope of the problem was much larger than just the rollout of kiosks.
The initiative from Police Scotland was to install 41 Cellebrite kiosks across Scotland that would be used in a triage process to lift a backlog of 10s of thousands of phones waiting to be examined for potential evidential value by Cybercrime Hubs. As part of this intitiative Police Scotland invited organisations like Open Rights Group, Privacy International and the Information Commissioner’s Office to assess the policies to roll these kiosks out.
While this effort to reduce the backlog is welcome, and Police Scotland’s openness to scrutiny here a marked contrast to the UK, the discussion of the legal basis for the kiosk is to narrow. It needs to include the Cybercrime Hubs.
Digital devices carry so much of our personal lives it is our diary, our calendar, our correspondence, our photos, our location. Never before has so much of a person been available in a single piece of property. Due to this, the existing process for seizing property in Scotland is unsuitable and we need something new, reflecting the unique and particularly invasive interference the seizure of a digital device can bring.
Police Scotland’s framework needs to reflect the nature of the interference, giving due regard to the insight digital devices provide, and giving the public and others clarity as to their rights, the limits of police powers and the safeguards.
The right to privacy is not absolute. This means a State can interfere with it if it is “necessary in a democratic society”. However, the State needs to show how their interference is “necessary in a democratic society”. This includes showing that the interference is in accordance with law. This includes testing whether the law is clear, foreseeable and adequately accessible. These principles are so important that a finding that the measure was not in accordance with the law can lead to a violation of the European Convention on Human Rights.
The law is not clear, lacks foreseeability and is not accessible. We have been given a statement from Police Scotland in the impact assessments that the legal basis a mix of common law powers, statutory power that makes provision for seizure, and statutory offences that make no provision for seizure. This provides no foreseeability for individual’s rights, and it is right that the rollout of kiosks is postponed until we get clarity on what laws Police Scotland will be using.
Focusing on just the kiosks though would miss the bigger problem, and the bigger opportunity. The kiosks are just a small part of a larger framework involving the operation of Cybercrime Hubs, where phones are imaged and searched and evidence generated used in criminal process. The whole system suffers from a lack of clarity, with no clear articulation of the legal basis and no demonstration of proper oversight. That is a big problem. That places the legality of digital forensics in Scotland, a key and growing part of criminal investigations, in jeopardy.
The opportunity is for Police Scotland to expand the work that is currently being done in stakeholder groups on the kiosks, with Open Rights Group and other organisations such as Privacy International and the Scottish Human Rights Commission, and expand them to the whole digital forensics framework in Scotland.
The witnesses at the hearing on 15 November all agreed that the legal basis has not been clearly articulated. The Faculty of Advocates went as far to say that it isn’t about giving more specific information about the current law, there needs to be an assessment and a redrafting of laws to reflect the new technological age. Open Rights Group agrees.
Pandora’s box was a cautionary tale about how a process once begun generates a host of problems. What started as an effort to introduce technology to frontline policing in Scotland has lead to the likely postponement of the introduction of these kiosks, and opened a host of new problems regarding the operation of digital forensics in Scotland.
Now is not the time to close the box and hope the problems go away. They won’t. Police Scotland need to take the positive steps they have already made in bringing organisations in to discuss their policies, and expand it to whole legislative framework for digital forensics in Scotland.