MSPs probe data privacy concerns over Police Scotland’s cyber kiosks
Law enforcement earlier this year bought 41 of the devices for use across the country
Credit: Andrew Milligan/PA Archive/PA Images
Concerns have been raised by members of the Scottish Parliament (MSPs) about the data privacy implications of the police ‘cyber kiosks’ deployed across the country.
MSPs on the Justice Sub-Committee on Policing expressed their worries about the personal data that can be accessed via the kiosks, as well as the legal basis for accessing it, the right to privacy, and arrangements for data security.
Earlier this year, Police Scotland bought 41 cyber kiosks for use across Scotland, following trials in Edinburgh and Stirling. The digital forensic devices can rapidly search electronic devices such as mobile phones or laptops to look for evidence, helping police at the early stage of investigations.
The Holyrood committee has held sessions on the devices, where significant concerns about the legal basis for the use of kiosks were outlined by both the Information Commissioner’s Office and the Scottish Human Rights Commission.
At a meeting of the sub-committee on 13 September, detective chief superintendent Gerry McLean told MSPs the legal basis for accessing data on electronic devices could vary, either being through a warrant, under a statutory framework such as the Misuse of Drugs Act 1971 or “more frequently” under a ‘common-law power’ such as a witness offering police a device saying there was something relevant on it.
- Police Scotland lays out £300m plan for IT transformation
- Met Police tenders for range of managed services to enable focus on ICT transformation
- Plans unveiled for £20m national police cybersecurity centre
Diego Quiroz of the Scottish Human Rights Commission asserted that searching a search of electronic devices should be on a par with a physical search of a property.
He said: “We know that cyber kiosks can access private data – everything from texts to photos and web browsing – and even more sensitive data, such as biometric data. My phone has my fingerprints and my voice, for example. In a criminal law context, there can even be information about journalistic material or legally privileged information. That is incredibly sensitive data, so the framework and its legality are important.”
He added: “It is possible to find more private information in a mobile phone than in a bedroom or a house. Let us keep with that metaphor. The police need a warrant to search a house. That being the case, a more or equally intrusive digital measure will certainly require a similar safeguard. However, this is the first time that I have heard the police mentioning the idea of using warrants. I think that the commission would not be satisfied if there was no similar legal safeguard to that which there is when a house is searched in Scotland.”
McLean told the sub-committee that if there was no legal basis for Police Scotland to continue with the technology, the rollout would not proceed.
However, Police Scotland has confirmed that it is continuing with the introduction of cyber kiosks across Scotland, scheduled for December 2018 and early 2019.
Justice Sub-Committee on Policing convener John Finnie MSP said: “MSPs and the public will be rightly concerned to hear that the police service is very close to rolling out cyber-kiosks while major questions remain unanswered over the legality of using these machines. The sub-committee has been at the forefront of raising questions about cyber-kiosks, and we will continue to hold police leadership to account for their decisions in the coming weeks.”
The sub-committee has invited these witnesses to give evidence on the topic again on Thursday 15 November.
After two breaches inside a week, department commissions independent assessment of compliance
Process of assessing use of technology has been 'sub-standard' committee finds
National Crime Agency leading inquiry after malware assault
Leaders at the National Cyber Security Centre lift the lid on the impact of and lessons learned from the Triton malware assault