Purchase first, policies later: Police Scotland under scrutiny

With thanks to Cian for notes on the Committee hearing

On Thursday 10 May, the Justice Sub-Committee on Policing in the Scottish Parliament took evidence from Police Scotland on its use of “Cyber Kiosks”, mobile phone forensic technology that acts as a “window” into an individual’s phone. The hearing acted as a ‘window’ into Police Scotland’s worrying approach to technology adoption.

The Committee probed Police Scotland and found that:

  • No human rights impact assessment had been carried out.

  • No public consultation had taken place before carrying it out.

  • No statistics relating to the issuance of warrants during the scheme or the percentage of cases where phones were scanned using these “kiosks”.

This “purchase first, policies later” approach is deeply concerning. Neither is it an isolated incident. Police Scotland’s Digital and ICT strategy includes proposals to introduce iris recognition into police stations, despite the need for introducing proper regulation of the collection, use and retention of biometrics in Scotland is widely acknowledged, including by the Scottish Government

Proper policies, impact assessments and consultation should have taken place before the police spent hundreds of thousands of pounds purchasing equipment, and trialling it in hundreds of cases in Edinburgh and Stirling. This lesson should be taken for future trials introducing technology into the policing environment.

During the hearing, the Police maintained that the power to examine was nothing new. However, as MSP Daniel Johnson pointed out, the legal power may remain the same but the scope of information accessible via this power has grown hugely. It is this step up in capacity that rightly concerned MSPs during the hearing.

The use of “cyber kiosks” in the United Kingdom was brought to public attention by Privacy International’s report “Digital stop and search”. The cyber kiosks, provided by Israeli company Cellebrite, have the ability to access “contacts, chats (Facebook, Signal, Twitter, WhatsApp) instant message, MMS, SMS, call logs, unlock patterns, device location, and thousands of deleted items including browsing history, photos”.

This lack of public information, and assessment is clearly not good enough. Police Scotland’s actions suggest they now recognise that. This Summer there will be work with an external reference group examining the potential issues with the use of this technology. The Police will be approaching Privacy International to contribute, which is a welcome development.

It is important to not view the ‘cyber kiosk’ discussion in isolation. The move towards introducing more technology into policing environment requires proper public scrutiny. Whether the technology is intrusive, like with these “kiosks”, or just plain inaccurate, as the new report from Big Brother Watch shows facial recognition technology can be, we lose too much allowing these technologies to pass into wide policing use without proper scrutiny.