Technology that allows police officers to break passwords on smartphones and pull user data from them for analysis is set to be rolled out from January 20, Police Scotland has confirmed — despite sustained criticism from NGOs and parliamentarians over the use of the so-called cyber kiosks, or digital forensic devices.

Police Scotland said this week: “Cyber kiosks are desktop computers, which will be located in police stations across local policing divisions.

“The technology allows specially trained officers to triage mobile devices to determine if they contain information which may be of value to a police investigation or incident. This will allow lines of enquiry to be progressed at a much earlier stage and devices that are not relevant to an investigation to be returned quicker.”

The force says it will “only examine a digital device where there is a legal basis and where it is necessary, justified and proportionate to the incident or crime under investigation” and will not store any data: “Once an examination is complete, all device data is securely deleted from the cyber kiosk” it promises.

The force has bought 41 cyber kiosks for its police stations.

All will be operational from May 2020, it said.

Cyber Kiosks Announcement Follows Cellebrite Contract

A 2018 contract notice shows that Police Scotland spent over half-a-million pounds on hardware from Israeli firm Cellebrite.

The company promises the ability to “bypass technical hurdles to access data from the widest range of devices”, saying its tools “easily and quickly challenge encryption… perform logical, filesystem and physical extractions, and use exclusive bootloaders, Advanced ADB, EDL and other methods to get the most data out of the devices.”

“Extract and decode every ounce of data within digital devices. Breakthrough complicated locks and encryption barriers to extract deleted and unknown content” the company boasts in its marketing collateral.

(Tests by Privacy International using a Cellebrite UFED Touch 2 pulled information from two Android and one iPhone devices that included pretty much everything possible on their systems: all chats, OS, fingerprint, etc. Cellebrite can reportedly break protections on most modern systems, including the iPhone X).

The minutes of a January 2019 Digital Triage Device (Cyber Kiosk) Stakeholder Group meeting of Police Scotland claimed: “There have been no submissions… articulating that the use of digital forensic triage is not supported by current Scottish legislation”.

Privacy International disagrees. It wrote to Michael Matheson, then Cabinet Secretary for Justice, on 4 May 2018, citing concerns that: “There is no clear legislation, policy framework, regulation or independent oversight in place for the police’s use of this technology, and to protect the public from abuse of this technology.”

Police Scotland says since that point “significant consultation has been undertaken with external advisory and stakeholder groups”. It has promised a presentation on the roll-out to the Scottish Police Authority for discussion on Friday.

This week Cellebrite announced that it had bought San Jose-based BlackBag Technologies, extending its toolkit to the desktop space as well as mobiles.

More to follow.

See also: 5 Crucial Takeaways from the Biometrics Commissioner’s Report