Scottish police get green light to use encryption-busting ‘cyber kiosks’
Officers can finally begin using technology almost two years after it was first purchased
Credit: Andrew Milligan/PA Archive/PA Images
Police Scotland will next week begin using so-called cyber kiosks, allowing officers to bypass encryption to read personal data from certain digital devices, including some models of mobile phones or laptops, without using a password.
The force bought 41 cyber kiosks almost two years ago, and originally intended to deploy them at police stations across Scotland from autumn 2018, before postponing their introduction amid concerns over the legal basis for their use.
The Scottish Police Authority faced criticism from the Scottish Parliament’s Justice Sub-Committee on Policing for a lack of effective scrutiny, while MSPs warned Police Scotland had not followed best practice before trialling the devices.
During the trials, police in Edinburgh and Stirling searched the mobile phones of suspects, witnesses and victims without undertaking the required governance, scrutiny and impact assessments, the committee said.
But Police Scotland said the Crown Office and independent senior counsel had now confirmed the legal basis for use of the technology, which are also known as digital triage devices, with implementation starting in the Forth Valley and Fife Divisions.
- MSPs probe data privacy concerns over Police Scotland’s cyber kiosks
- Police face political backlash over plans to demand rape victims’ phones
- EE swipes £21m mobile deal with Police Scotland
Guidance from Police Scotland says: "The ability to bypass security measures such as PIN codes varies depending on the make and model of the device, the version of the operating system being used, and any security measures enforced by the manufacturer. A specific answer regarding this can only be given on a case-by-case basis. PIN codes or passwords will only be bypassed where absolutely necessary to progress the investigation."
Deputy chief constable Malcolm Graham said officers are “committed to providing the best possible service to victims and witnesses of crime”.
“This means we must keep pace with society. People of all ages now lead a significant part of their lives online and this is reflected in how we investigate crime and the evidence we present to courts,” he said. “Many online offences disproportionately affect the most vulnerable people in our society, such as children at risk of sexual abuse, and our priority is to protect those people.
Graham added: “Increases in the involvement of digital devices in investigations and the ever-expanding capabilities of these devices mean that demand on digital forensic examinations is higher than ever. Current limitations, however, mean the devices of victims, witnesses and suspects can be taken for months at a time, even if it later transpires that there is no worthwhile evidence on them. By quickly identifying devices which do and do not contain evidence, we can minimise the intrusion on people’s lives and provide a better service to the public.”
Cyber kiosks used by Police Scotland will not be enabled to store data from digital devices and, once an examination is complete, all device data will be securely deleted from the kiosk.
Police Scotland emphasised that, in the majority of cases, the devices will be used to retrieve data from phones and laptops belonging to the victims of crime, so they can be returned faster.
The Scottish Police Authority paper said: “It remains the opinion of some agencies including Scottish Human Rights Commission and Privacy International that the legal basis for device examination is not sufficiently clear, foreseeable or accessible and new legislation is required. It is anticipated that representation will be made by agencies and some members of the External Reference Group to the Scottish Parliament, Justice Sub-Committee on Policing requesting a review of the law.”
But it adds: “Police Scotland is confident that existing law supports the use of digital triage devices. This is articulated in the Legal Basis document and confirmed by COPFS in their written submissions to the Justice Sub Committee on Policing”.
MPs, unions and academics call for rules on the use of tech that can monitor remote workers
Attack on Scottish environment watchdog happened on Christmas Eve
Government considering launching online tool – but not in time for upcoming polls
Venues in Scotland will be able to conduct trials with juries based in cinemas or other offsite locations
The remote-first world has seen email being relied on more than ever as a core communication mechanism - but with 93% of IT leaders acknowledging a risk to sensitive data, what steps should be...
2020 was a cyber security wake up call for many organisations. Attempting to provide secure remote access and device flexibility quickly exposed the flaws in legacy systems and processes. As we...
In 2020 public sector organisations have been tested to a degree never experienced before. According to CrowdStrike, increasing cybersecurity attacks are an additional complication they must...