Revealed: UK police forces plan to spend up to £20m on smartphone hacking tech

British police forces are preparing to spend up to £20m on hacking technology that can bypass smartphone encryption software, NS Tech can reveal.

The plans are detailed in a prior information notice unearthed by Tussell and seen by NS Tech, and could represent a significant expansion of the technology’s deployment in the UK.

Under the proposals, Northamptonshire Police will team up with the National Police Chiefs' Council (NPCC) to establish a framework enabling forces to buy the equipment from a central unit.

The notice also reveals that forces will be able to procure software development and extraction training services through the framework when it launches later this year.

“It is hoped that through this dynamic purchasing system police forces can work in partnership with digital suppliers to ensure the market can develop alongside the ever growing policing requirements,” the notice states.

Police forces have become increasingly reliant on extraction software in recent years as smartphones have harvested more data about people’s behaviour. But it’s feared the law has struggled to keep pace with the technology and that there is a lack of oversight of the way in which it is deployed.

The Information Commissioner’s Office confirmed to NS Tech that it had launched an investigation into the use of the technology by law enforcement agencies.

“[This] is a priority area for the Information Commissioner, and the ICO has an ongoing investigation into use of data extraction technology on the mobile phones of suspects, victims and witnesses,” a spokesperson said. “Law enforcement agencies using technologies such as data extraction need to comply with the requirements of the Data Protection Act 2018.”

Scarlet Kim, a lawyer at Privacy International, warned that police forces had struggled to identify which law they were relying on to carry out data extractions.

“They have not made it clear whether they’re relying on case, the investigatory powers act or something else,” she told NS Tech. “You need that fundamental understanding.”

Concerns have also been raised about the fact that officers do not need a warrant to access data on the phones of suspects, victims and witnesses, and that a disproportionate amount of data is being downloaded. In some cases, campaigners have reported that officers have downloaded the entire contents of a user's phone.

Some critics have claimed that such use of the technology may discourage witnesses from coming forward, fearing their entire phone’s data could be accessed.

Nick Baker, deputy chief constable of Staffordshire Police and NPCC lead for digital forensics, played down such allegations, saying that “full downloads” were very rare.

“Most investigations are about proportionate lines of inquiry,” he told NS Tech. “What we’re endeavouring to do is put the same level of proportionality into these investigations.”

“If you’re talking about a sexual offence between a suspect and a victim, if it’s a long standing relationship, the parameters of the investigation might be more extensive,” he said. “If it’s brief and recent, the scope of your investigation would be a lot smaller.” But he acknowledged that forces must consider “victim concern in terms of how intrusive the investigation is”.

He added that under some laws officers do not need court warrants to search suspects’ properties and that if they needed a warrant every time they wanted to search a phone, it could lead to “inertia” with courts overwhelmed by the volume of requests.

The ICO said it would be reporting on the outcome of its investigation in due course.