Public records released since January 2019 reveal the scale of the UK’s digital forensics spending, with several new public bodies acquiring the tools and millions being invested to modernise data storage systems, train officials, and renew software licenses.
Digital forensics encompasses a variety of technologies designed to identify, preserve, and extract data from electronic devices. The majority of this report will focus on mobile data extraction solutions which allow authorities to access data from mobile phones, principally to assist in criminal investigations.
Cellebrite’s UFED Premium mobile data extraction tool, one of many on the market, allows authorities to “gain access to 3rd party app data, chat conversations, downloaded emails and email attachments, deleted content and more,” according to their website.
There’s little doubt these “digital stop and searches” have proved useful for law enforcement agencies. However, questions regarding their proportionality and privacy implications remain.
In June 2020, the UK’s data protection regulator, the Information Commissioner’s Office, published a damning report on the police’s use of mobile data extraction technologies.
“Current mobile phone extraction practices and rules risk negatively affecting public confidence in our criminal justice system […] with excessive amounts of personal data often being extracted, stored, and made available to others, without an appropriate basis in existing data protection law.” – Information Commissioner’s Office
The Metropolitan Police also acknowledged that the current process of mobile data extraction “creates a data protection risk.”
Despite these alarming privacy concerns, the technology is widespread among police forces in the UK. In 2018, Privacy International discovered that at least 26 police forces nationwide were using mobile data extraction technologies. Since then, a number of new agencies appear to have acquired the technology.
The UK’s Ministry of Defence, for example, previously refused to disclose whether or not they had received any services from Cellebrite in response to this Freedom of Information request. However, this contract shows they renewed their licenses for Cellebrite’s digital forensics software in July 2020 at a cost of nearly £90,000.
Similarly, in 2017 Nottinghamshire Police told Privacy International that they do not use mobile phone extraction technologies. However, this appears to have changed. A contract published on 3 March, 2020, shows the East Midlands Strategic Commercial Unit spent over £30,000 on “Cellebrite premium iOS and Android extraction software for Nottinghamshire Police.”
Our findings also reveal a growth in the number of unconventional agencies acquiring these tools, including the Competition and Markets Authority – a non-ministerial department that works to “promote competition for the benefit of consumers, both within and outside the UK.”
Even the Food Standards Agency is looking to acquire “digital forensic technicians and services to extract data from electronic media.”
The use of mobile data extraction technologies made the headlines earlier this year after the Crown Prosecution Service and police were forced to stop using the technology on victims during investigations of rape.
The decision followed a report published by Big Brother Watch that showed 100% of rape cases were dropped when the victim refused to hand over their phones between 2018-19.
Not only is the use of this technology controversial, the companies that dominate the market have also been accused of neglecting their human rights responsibilities internationally.
Cellebrite, a market leader in the production of mobile data extraction technologies, have been accused of selling their technologies to Hong Kong and Belarus and enabling authorities to clamp down on dissent.
Of the 33 public records we analysed, Cellebrite is listed as the supplier in 17, with a combined value of more than £4M.
We also found two documents that show Cellebrite’s technology has been purchased via alternative suppliers.
The highly sophisticated nature of these tools and their potential to be misused raises considerable concern, particularly given the lack of legal constraints and the ever-growing amount of money UK authorities are investing in them.