UK Digital Forensics Report

Public records released since January 2019 show UK authorities have spent more than £20 million on digital forensics tools, including over £4 million from Cellebrite, an Israeli firm accused of aiding human rights abuses in Hong Kong and Belarus.
Samuel Woodhams

Key Findings

  • Contracts published since 2019 reveal UK authorities spent £23M on digital forensics tools, training and software renewals
  • The Metropolitan Police Service (MPS) alone have spent £18.5M, including £2M on Cellebrite’s mobile data extraction technology.
  • The most valuable contract, worth £16.5M, is for a web-based application that will store and display data extracted from devices to MPS officers
  • The Ministry of Defence, Home Office, and Competition and Markets Authority all have digital forensic capabilities
  • UK authorities have spent a total of £4.6M on technology made by Cellebrite

Introduction

Public records released since January 2019 reveal the scale of the UK’s digital forensics spending, with several new public bodies acquiring the tools and millions being invested to modernise data storage systems, train officials, and renew software licenses.

Digital forensics encompasses a variety of technologies designed to identify, preserve, and extract data from electronic devices. The majority of this report will focus on mobile data extraction solutions which allow authorities to access data from mobile phones, principally to assist in criminal investigations.

Cellebrite’s UFED Premium mobile data extraction tool, one of many on the market, allows authorities to “gain access to 3rd party app data, chat conversations, downloaded emails and email attachments, deleted content and more,” according to their website.

There’s little doubt these ‘digital stop and searches’ have proved useful for law enforcement agencies. However, questions regarding their proportionality and privacy implications remain.

In June 2020, the UK’s data protection regulator, the Information Comissioner’s Office, published a damning report on the police’s use of mobile data extraction technologies.

“Current mobile phone extraction practices and rules risk negatively affecting public confidence in our criminal justice system […] with excessive amounts of personal data often being extracted, stored, and made available to others, without an appropriate basis in existing data protection law.” Information Commissioner’s Office

The Metropolitan Police also acknowledged that the current process of mobile data extraction “creates a data protection risk.”

Despite these alarming privacy concerns, the technology is widespread among police forces in the UK. In 2018, Privacy International discovered that at least 26 police forces nationwide were using mobile data extraction technologies. Since then, a number of new agencies appear to have acquired the technology.

The UK’s Ministry of Defence, for example, previously refused to disclose whether or not they had received any services from Cellebrite in response to this Freedom of Information request. However, this contract shows they renewed their licenses for Cellebrite’s digital forensics software in July 2020 at a cost of nearly £90,000.

Similarly, in 2017 Nottinghamshire Police told Privacy International that they do not use mobile phone extraction technologies. However, this appears to have changed. A contract published on 3 March, 2020, shows the East Midlands Strategic Commercial Unit spent over £30,000 on “Cellebrite premium iOS and Android extraction software for Nottinghamshire Police.”

Our findings also reveal a growth in the number of unconventional agencies acquiring these tools, including the Competition and Markets Authority – a non-ministerial department that works to “promote competition for the benefit of consumers, both within and outside the UK.”

Even the Food Standards Agency is looking to acquire “digital forensic technicians and services to extract data from electronic media.”

The use of mobile data extraction technologies made the headlines earlier this year after the Crown Prosecution Service and police were forced to stop using the technology on victims during investigations of rape.

The decision followed a report published by Big Brother Watch that showed 100% of rape cases were dropped when the victim refused to hand over their phones between 2018-19.

Not only is the use of this technology controversial, the companies that dominate the market have also been accused of neglecting their human rights responsibilities internationally.

Cellebrite, a market leader in the production of mobile data extraction technologies, have been accused of selling their technologies to Hong Kong and Belarus and enabling authorities to clamp down on dissent.

Of the 33 public records we analysed, Cellebrite are listed as the supplier in 17, with a combined value of more than £4M.

We also found two documents that show Cellebrite’s technology has been purchased via alternative suppliers.

The highly sophisticated nature of these tools and their potential to be misused raises considerable concern, particularly given the lack of legal constraints and the ever-growing amount of money UK authorities are investing in them.

Contracts Overview

The following table shows the 10 most valuable digital forensics contracts published since January 2019.

* This figure is the estimate provided in the Scottish Police Authority’s 2019-2020 Annual Procurement report.

Metropolitan Police Contracts

The MPS were an early adopter of digital forensic technologies and account for 80% of all expenditure covered in this report.

A procurement document published in 2015 indicated that by March 2016, there would be Self Service Kiosks (SSKs) in all 32 MPS boroughs. SSKs, or Digital Forensics Kiosks, are defined as “officer operated equipment based within operational police premises” for the purpose of data extraction.

Below are details of the Metropolitan Police’s digital forensics contracts published since January 2019.

Remote Search & Review Solution

  • Buyer: Metropolitan Police
  • Supplier: CDW Ltd.
  • Value: £16,500,000
  • Date Signed: 13/12/19

The Search & Review solution is intended to “provide frontline officers with the self-service capability to review forensically recovered data from digital devices for evidence and disclosure purposes.”

Approved in January 2019, the project is expected to last 5 years, with a total cost of £16.5M.

The approved business plan recommends that the technology is procured from CDW Ltd., a company that also appears to have supplied the Ministry of Defence with Cellebrite software licenses.

The business case for the project sheds light on the Metropolitan Police’s digital extraction procedures and highlights their substantial data security risks.

Although the new solution is intended to solve this reliance on physical devices, the creation of a centralised web-based application that contains all the data extracted by the MPS may still put sensitive data at risk.

While storing sensitive data on a USB device is clearly not ideal, it does minimise the amount of data at risk. If the web-based application was compromised in any way, for example, every person would have their data put at risk.

Given that other law enforcement agencies are likely storing extracted data on physical devices, this admission suggests that victims’ data is being held insecurely elsewhere.

Additionally, while increasing the accessibility of extracted data may be useful during investigations, it could also lead to a higher number of people having access to extracted data. As the below shows, accessibility is at the core of the project.

Nowhere in the business case does it outline how long data will be stored for or whether there are any limitations on the amount or type of data extracted. According to the document, however, a Data Protection Impact Assessment (DPIA) has been completed.

Currently, there is no regulation that forces authorities to disclose what, or how much, data they have extracted from a given device. As Privacy International have written: “If the police search your home or confiscate your possessions, you will receive an inventory list of those items. However, if they extract data from your devices, you may not even be told that they have done so, let alone be told what kind of data they have extracted.”

Licences and Ongoing Support for the Cellebrite ‘Premium’ Tool

  • Buyer: Metropolitan Police
  • Supplier: Cellebrite UK.
  • Value: £2,090,000
  • Date Signed: 10/09/20

This recommendation, which was approved by the Deputy Mayor for Policing and Crime, Sophie Linden, shows that the Metropolitan Police has purchased Cellebrite’s ‘UFED Premium’ tool at a cost of over £2M. The tool is widely considered one of the most sophisticated on the market.

According to the product brochure: “With Cellebrite Premium you can bypass locks and perform a physical extraction on many high-running Android devices. By performing full-file system and physical extractions, you can get much more data than what is possible through a logical extraction, and access highly protected areas such as the iOS Keychain or the Secure Folder.”

Manufacturers of mobile extraction technologies pride themselves on how much data can be extracted from a device, without necessarily considering whether carrying out a full-file extraction is warranted, necessary, or proportionate.

This is not the first time the Metropolitan Police have purchased the technology and it’s not even the only type of data extraction tool at their disposal.

Screenshot of the MPS Cellebrite Business Case

Screenshot from the MPS Cellebrite Business Case.

As the above shows, Cellebrite’s tool is intended to be used alongside another solution that cannot access Android phones. Unlike many other mobile data extraction technologies, Cellebrite’s is capable of accessing data on iOS and Android devices.

These sophisticated tools have led to criticisms from civil liberties advocates. In 2019, Silkie Carlo told the Financial Times that the use of mobile data extraction technologies is “a free-for-all which involves wholesale digital surveillance of someone’s entire life.”

In one section of the contract, the Metropolitan Police address the potential impact of this technology on equality and diversity.

Screenshot of the MPS Cellebrite Business Case

Screenshot from the MPS Cellebrite Business Case.

According to the Police Federation of England and Wales, ‘Policing Purpose’ “essentially means the investigation, detection and prevention of crime.” It appears, therefore, there are very few meaningful limitations on the use of mobile data extraction technologies.

Given the MPS has faced a barrage of accusations of institutional racism and discrimination in recent years, there are obvious concerns these sophisticated technologies may be used in ways that exacerbate existing inequalities.

In the U.S., the ACLU has argued that greater restrictions ought to be applied to the use of these sophisticated mobile data extraction technologies:

“This is an enormously powerful technology, and it needs to be subject to careful checks and balances. The use of these devices is already regulated by the Constitution, but additional protections ought to be enacted, ranging from tight internal law enforcement controls to prevent abuse, to close legislative monitoring and, if appropriate, regulation of law enforcement use.”

However, the MPS are not the only law enforcement agency with access to Cellebrite’s digital forensic technologies.

Cellebrite Contracts

In August, it was reported that Cellebrite’s technology had been used to break into over 4,000 phones in Hong Kong, including that of pro-democracy politician and activist Joshua Wong. Following a petition launched by Nathan Law, and a subsequent legal challenge by Israeli human rights defenders, the company announced it would no longer sell its technology to Hong Kong and China.

Nathan Law’s petition, which gained over 35,000 signatories, called for Cellebrite to halt the sale of its mobile data extraction to authorities in Hong Kong and China. It claims this was necessary to “safeguard personal safety and confidentiality of citizens, journalists and foreigners travelling, working and living in this city.”

According to a report by Haaretz, security forces in Belarus also have access to the tools, with Israeli human rights activists demanding “the immediate halt of sales by Cellebrite of cellphone hacking technology to Belarus.”

Amnesty International have claimed authorities in Belarus “are able to subject just about anyone to surveillance for a host of overly broad legal reasons, subject to no independent oversight, and entirely shrouded in secrecy.”

The use of mobile data extraction technologies by authoritarian regimes to clamp down on dissent is a stark reminder of the potential of these tools and an urgent reminder of the need to regulate their use.

Cellebrite are listed as the supplier in 17 of the 33 public records we discovered, with a combined value of more than £4M. We also unearthed two contracts that show Cellebrite’s technology has been purchased via alternative suppliers, with a combined value of £177,318.

The following table shows Cellebrite’s contracts with UK authorities published since January 2019.

Government Contracts

As well as unearthing public documents that reveal the digital forensic capabilities of multiple local police forces, we also discovered records that show various governmental departments now have access to these tools.

Government departments that have purchased digital forensics include:

  • The Home Office
  • The Ministry of Defence
  • The Competition and Markets Authority
  • HM Revenue & Customs

While the use of this technology by the Ministry of Defence is relatively unsurprising, it’s not immediately clear what purpose the technology would serve for other departments.

It is also particularly striking that both the UK Border Force and UK Immigration Enforcement agencies have access to these tools. With a combined value of almost £400,000, the contracts reveal both agencies have digital forensic kiosks.

Both contracts list MSAB UK Ltd as the supplier, a company that claims: “In many cases, accessing and screening data on mobile phones is the most accurate and effective method for confirming someone’s identity and detecting threats in border control operations.”

The German non-profit GFF has argued that: “Asylum procedures are increasingly being digitized – be it automatic data comparison with growing databases, mobile forensics as heretofore only used in criminal proceedings, or artificial intelligence to search for suspicious refugees. The human being with their personal history of flight fades into the background and turns into a collection of pure data.”

The use of this technology in the U.S. has also been criticised, with the ACLU writing: “The claim by U.S. border officials that they can, with no grounds for suspicion, look through and copy travelers’ cell phones and other electronic devices is creating justified consternation.”

There are also number of procurement opportunities that have recently closed, although details of the finalised contracts are yet to be published.

These include an opportunity to provide the Food Standards Agency and The Ministry of Defence with digital forensics technologies. The latter contract is worth £600,000. However, as full details of the contracts are yet to be published, they have not been included in our findings.

Conclusion

Our findings show that UK authorities continue to invest millions into digital forensics tools, with few regulatory safeguards that prevent their misuse.

As the Metropolitan Police’s ‘Remote Search & Review’ business case outlines, many of the current procedures put highly sensitive data at risk, with almost no limitations on the amount or type of data that can be extracted.

Recent events in Hong Kong and Belarus have also demonstrated that these highly sophisticated technologies can be used in ways that undermine citizens human rights.

As these tools continue to proliferate, a number of unconventional agencies appear to be adopting them, increasing the chance they will be misused.

If meaningful regulations are not enacted, the continued investment in mobile data extraction technologies risks creating a huge unchecked surveillance network that is capable of radically eroding citizens’ right to privacy.

All Contracts

The following table shows all of the public records analysed in this report. Although some of the contracts were awarded prior to 2019, none of them had been published until January 2019 or later.

Methodology

We searched publicly available government contracts and procurement databases published since January 2019 to discern the amount of money spent on digital forensics technologies.

All of the contracts discussed are available to view from the embedded tables, with hyperlinks on the date the documents were published.

About Us

Top10VPN.com is the world’s largest VPN review website. We recommend the best VPN services to help protect consumers’ privacy online. We also aim to educate the general public about privacy and digital rights through our free online resources and research.

For more of our original cybersecurity research, take a look at our COVID-19 Digital Rights Tracker; Employee Surveillance research or the Dark Web Market Price Index

The authors of all our investigations abide by the journalists’ code of conduct.