Scottish police get green light to use encryption-busting ‘cyber kiosks’

Written by Liam Kirkaldy on 16 January 2020 in News

Officers can finally begin using technology almost two years after it was first purchased

Credit: Andrew Milligan/PA Archive/PA Images

Police Scotland will next week begin using so-called cyber kiosks, allowing officers to bypass encryption to read personal data from certain digital devices, including some models of mobile phones or laptops, without using a password.

The force bought 41 cyber kiosks almost two years ago, and originally intended to deploy them at police stations across Scotland from autumn 2018, before postponing their introduction amid concerns over the legal basis for their use.

The Scottish Police Authority faced criticism from the Scottish Parliament’s Justice Sub-Committee on Policing for a lack of effective scrutiny, while MSPs warned Police Scotland had not followed best practice before trialling the devices.

During the trials, police in Edinburgh and Stirling searched the mobile phones of suspects, witnesses and victims without undertaking the required governance, scrutiny and impact assessments, the committee said.

But Police Scotland said the Crown Office and independent senior counsel had now confirmed the legal basis for use of the technology, which are also known as digital triage devices, with implementation starting in the Forth Valley and Fife Divisions.

Related content

Guidance from Police Scotland says: "The ability to bypass security measures such as PIN codes varies depending on the make and model of the device, the version of the operating system being used, and any security measures enforced by the manufacturer. A specific answer regarding this can only be given on a case-by-case basis. PIN codes or passwords will only be bypassed where absolutely necessary to progress the investigation."

Deputy chief constable Malcolm Graham said officers are “committed to providing the best possible service to victims and witnesses of crime”.

“This means we must keep pace with society. People of all ages now lead a significant part of their lives online and this is reflected in how we investigate crime and the evidence we present to courts,” he said. “Many online offences disproportionately affect the most vulnerable people in our society, such as children at risk of sexual abuse, and our priority is to protect those people.

Graham added: “Increases in the involvement of digital devices in investigations and the ever-expanding capabilities of these devices mean that demand on digital forensic examinations is higher than ever. Current limitations, however, mean the devices of victims, witnesses and suspects can be taken for months at a time, even if it later transpires that there is no worthwhile evidence on them. By quickly identifying devices which do and do not contain evidence, we can minimise the intrusion on people’s lives and provide a better service to the public.”

Cyber kiosks used by Police Scotland will not be enabled to store data from digital devices and, once an examination is complete, all device data will be securely deleted from the kiosk.

Police Scotland emphasised that, in the majority of cases, the devices will be used to retrieve data from phones and laptops belonging to the victims of crime, so they can be returned faster.

The Scottish Police Authority paper said: “It remains the opinion of some agencies including Scottish Human Rights Commission and Privacy International that the legal basis for device examination is not sufficiently clear, foreseeable or accessible and new legislation is required. It is anticipated that representation will be made by agencies and some members of the External Reference Group to the Scottish Parliament, Justice Sub-Committee on Policing requesting a review of the law.”

But it adds: “Police Scotland is confident that existing law supports the use of digital triage devices. This is articulated in the Legal Basis document and confirmed by COPFS in their written submissions to the Justice Sub Committee on Policing”.


About the author

Liam Kirkaldy is online editor at PublicTechnology sister publication Holyrood, where this story first appeared. He tweets as @HolyroodLiam.

Share this page




Please login to post a comment or register for a free account.

Related Articles

What sensitive data did the Home Office lose in Belgrade?
29 September 2020

Department’s annual report shows, for the first time in many years, documents or data lost from a secure government building had to be reported to the ICO. PublicTechnology finds out more...

Personal data of all Welsh coronavirus cases compromised in breach
15 September 2020

Public Health Wales says leak that affected more than 18,000 people to have tested positive was attributable to ‘human error’

UK pins 'cynical and reckless' Olympic cyberattacks on Russia
20 October 2020

Government attributes 2018 campaign to Moscow and claims more assaults were planned for cancelled 2020 summer games

British Airways data-breach fine cut from £183m to £20m after ICO considers coronavirus impact
16 October 2020

Airline slapped with record penalty by ICO – albeit one that is grossly reduced on the regulator’s original intention

Related Sponsored Articles

Workspace, Not Workplace: How Agile Working Increases Productivity whilst Driving Engagement and Fostering Inclusivity
12 October 2020

2020 has been a year of unprecedented change for the UK public sector. Today’s agile working technology enables you to meet citizen needs in this challenging operating environment by empower your...

Why it is time to change our approach to cybersecurity
29 September 2020

Organisations need to understand that a single cybersecurity solution alone is not infallible and instead should move towards a multi-layered approach to security, according to experts from...

Intelligent Spend Management in the Public Sector
24 September 2020

SAP Concur says it's time for the public sector to embrace more efficient invoice management technology

Digital inclusion is vital during the COVID-19 accelerated channel shift
22 September 2020

Accessibility requirements aren’t restrictions that need to be overcome - they’re guidelines to improve online experiences for everyone, says Jadu VP Richard Friend