Campaigners from U.K.-based Privacy International have formally complained about British police being able to download the contents of people’s phones—phones, photos, even fragments of deleted conversations—without a warrant.
While warrants are required to do this in countries such as the U.S., in the U.K. dozens of police forces point to various pieces of legislation to support the idea that they don’t need them. Privacy International says the practice is illegal, however, and has complained to the Information Commissioner’s Office, the British privacy regulator.
The organization has also complained to the Home Office and the Independent Office for Police Conduct, calling for reforms to what it describes as a “totally unregulated, potentially discriminatory and unlawful practice.”
Millie Graham Wood, a solicitor for the group, said the police are using tools from companies such as Israel’s Cellebrite to download data from the phones of not only criminal suspects, but also witnesses to and even victims of crimes, “without any clear legal basis, without any proper record keeping, and without any national statistics that might reveal biases.”
“The earliest record we have of this is from 2012, when [London’s Metropolitan Police] said it wanted to roll out [the tools] across London, during the Olympics,” Graham Wood told Fortune. “Since then it’s spread out over the U.K.”
Graham Wood said she had personally tried out a Cellebrite UFED Touch 2 device, which is connected via a data cable to the telephone whose data is to be extracted, and found it was very easy to operate without training. “It takes about two hours to extract everything,” she said. She added that the device was even able to reconstruct deleted chats from encrypted messaging apps such as WhatsApp, as the data from the deleted conversations was not overwritten on the phone. “It will extract them and somehow rebuild the conversations,” the solicitor explained.
The Metropolitan Police said in a statement that it relies on the Police and Criminal Evidence Act (PACE), a 1984 piece of legislation, to back up its use of such devices.
“A victim is always at the heart of an investigation, and in the majority of cases permission will be sought to obtain data from devices such as mobile phones. The officer using the kiosk will then extract only very specific data,” the London force said.
“There will, however, be occasions where consent cannot be obtained. For example, where a witness has filmed a murder on their mobile phone but refuses to co-operate with police; or where a victim of domestic abuse does not wish to assist police. Under these circumstances, it may be possible for police to use their powers under PACE to seize and examine this information.”
Privacy International says the practice is illegal under the U.K.’s current Data Protection Act, and will be even more so when the act is replaced next month, to be more in line with the EU’s incoming General Data Protection Regulation (GDPR). The revised act will also include a new law enforcement directive that is supposed to provide more safeguards for this kind of search.
So will the police behave better once that new law comes into force?
“If, by the 6th of May, they can bring in clear legislation, write out policies, and have a clear framework about what’s going on, that would be great,” Graham Wood said. “But I’m not sure the police are as up to speed on data protection as a lot of companies that have been focused on GDPR for years. They can’t even comply with the Data Protection Act now.”