Police Scotland has yet to satisfy legal doubts over a powerful new technology – used by Bahrain’s tyrannical regime to snoop on political activists – that the force wants to roll out, writes Martyn McLaughlin.
If you are unfamiliar with the products and services provided by Cellebrite, a company with a name so pleasingly punchy it ought to be selling children’s breakfast cereal, I regret to inform you that the reality is not quite so colourful.
Log on to the firm’s website and you are met with a finely honed example of purposely vague corporatespeak. It is, visitors are informed, “pioneering solutions today for a safer tomorrow” thanks to what it bills as “the most advanced and trusted digital forensics solution on the planet”.
There is even a section devoted to the company’s values, the most prominent of which is its “commitment to a safer world”. A blurb elaborates: “We are most passionate about the positive, meaningful outcomes our work enables for the powerless, threatened and underserved.”
Which is all obviously terrific and laudable of course, unless it happens to be nonsense. What would, for example, Mohammed al-Singace make of Cellebrite’s commitment to the disenfranchised?
A political activist in Bahrain, he campaigned to raise awareness of the Gulf state’s record on inflation and called on it to raise the basic standard of living for ordinary people. In return he was imprisoned and tortured, according to the Bahrain Centre for Human Rights.
During his trial, numerous WhatsApp conversations and photographs were presented as evidence, with the data culled from his phone thanks to Cellebrite’s “pioneering solutions”, according to a report by The Intercept.
The reason the Israeli-founded firm is in such high demand is the way it has stolen a march on police forces and intelligence services the world over, who struggle to decrypt electronic devices.
Cellebrite’s so-called cyber kiosk device is a silver bullet capable of overriding user passwords and encryption security to rapidly harvest data from mobile phones, tablets, and laptops.
The data sweep does not just take in call records, emails, and texts. It hoovers up biometric data and any documents stored externally on cloud-based servers. What is more, it allows Cellebrite’s customers to recover data belonging not only to a device’s owners, but any third parties they were in contact with.
Bahrain is in good company, by all accounts. A major 2017 hack of Cellebrite-related data linked the firm to authorities in the likes of Russia, the United Arab Emirates, and Turkey. Earlier this year, meanwhile, Privacy International indicated that Cellebrite is marketing its expertise and technological prowess to a new, untapped customer base – authorities who interrogate people seeking asylum.
Now, we can add Scotland to that illustrious roll call, thanks to the zeal with which the country’s national police force is pursuing Cellebrite’s technology.
Last April, Police Scotland spent more than £444,000 on 41 cyber kiosk units from the company, with the aim of deploying them across the country within six months. In December, it paid the firm an additional £379,000 to license the devices for four years.
To date, the force has examined a total of 375 mobile devices and 262 SIM cards using Cellebrite’s tech via two trials carried out in Edinburgh and Stirling. The force has not been forthcoming with the results, but we know there were no impact assessments carried out beforehand, and the trial results have been summarised as “excellent” and “mixed” respectively.
To make matters worse, those members of the public whose phones were seized and searched were not made aware that their phones were to be scanned using Cellebrite’s technology.
Such spurious conclusions have been seized upon by the force as a justification for the impending rollout of the cyber kiosks.
This week, Susan Deacon, chair of the Scottish Police Authority (SPA) – a police oversight body hardly known for its commitment to transparency – dismissed “sensationalist” concerns over the technology which made it “sound as if it’s something that is much more intrusive and new than it is”.
She argued: “The world has moved on. We have already scrutinised this in some depth including looking at the legal opinion that Police Scotland has received and the independent legal counsel that it has received.”
Which is true, although Ms Deacon may wish to examine that legal advice in greater detail, lest the force itself end up in the dock.
Police Scotland claims there are four broad legal bases for the use of cyber kiosks: common law powers, statutory powers, a warrant granted by a court and consent to search from the owner of the device.
However, its reliance on common law is “insufficiently clear” according to Holyrood’s justice sub-committee, while the Scottish Criminal Bar Association take the view that Police Scotland is trying to draw principles from case law that may be broader than courts intended.
Clare Connelly of the Faculty of Advocates, meanwhile, has raised additional issues in relation to how far the technology has advanced since the introduction of legal regulation.
In that sense, Ms Deacon is absolutely right to note the world has moved on. In other ways, such as the principle of policing by consent, which is 190 years old this year, it has not. She and the SPA may wish to reflect on such matters before taking a page out of Bahrain’s playbook.