We don't know whether the most recent response to this request contains information or not – if you are Torr Robinson please sign in and let everyone know.

Use of cloud analytics / extraction

We're waiting for Torr Robinson to read recent responses and update the status.

Dear Merseyside Police,

I am aware that companies are selling technologies to law enforcement that allow them to take vast quantities of personal data from cloud-based apps and accounts. You can read more [https://privacyinternational.org/long-re....

I make the following request for documents/information under the Freedom of Information Act:

1. Do you use mobile phone extraction technology that includes cloud analytics / cloud extraction capabilities e.g. Cellebrite UFED Cloud Analyser, Magnet Axiom Cloud or Oxygen Forensics Cloud Extractor

2. Do you have other technologies that allow you to access cloud-based accounts and extract this data.

3. Please provide a copy of the relevant Data Protection Impact Assessment.

4. Please provide a copy of the relevant local and/or national guidance/standard operating procedure/policy.

5. Please confirm the legal basis you rely on to conduct cloud analytics/extraction.

Yours faithfully,

Torr Robinson

Freedom Of Information, Merseyside Police

Your email to the Merseyside Police Freedom of Information (FOI) in box is
acknowledged.

 

If it contains an initial (new) request under FOI it will be dealt with in
accordance with section 10 of the Act which means that you are entitled to
receive a response no later than 20 working days after the first working
day* on which your request is received.

 

Other arrangements may apply if a fees notice is issued or if the time
period is extended in order that public interest considerations of our
response may take place. Section 10 also allows public authorities to
apply variations to the normal 20 working day timescale in some limited
circumstances.

 

Due to the volume of e-mail correspondence and FOI applications received,
the Force regrets that individual acknowledgement e-mails will not be sent
even if specifically requested.

 

If the correspondence cannot be dealt with as FOI, it will be forwarded
internally and you will be advised of the location. Any related
communication must be direct to the identified location and not the FOI
e-mail address.

 

*The ‘working day’ is defined as any day other than a Saturday, a Sunday,
Christmas Day, Good Friday or a day which is a bank holiday under the
Banking and Financial Dealings Act 1971 in any part of the United Kingdom.
The first reckonable day is the working day after the working day of
receipt.

============================================================
This email and any files transmitted with it are confidential and intended
solely for the use of the individual or entity to whom they are addressed.
If you have received this email in error please notify the sender as soon
as possible. This footnote confirms that all reasonable steps have been
taken to ensure that this email message has been swept for the presence of
computer viruses. The views expressed in this communication may not
necessarily be the views of Merseyside Police. All communications,
including telephone calls and electronic messages to and from Merseyside
Police may be subject to monitoring and recording.
============================================================

Freedom Of Information, Merseyside Police

Dear applicant

Response Letter - FOI Application DM2020/0171 (please quote in all
correspondence)

I write in connection with your request for information, which was
received by Merseyside Police on 04/02/2020, concerning:

(summary of request) information relating to Merseyside Police use of data
extraction from cloud-based apps and accounts

Your request for information has been considered and I am not obliged to
supply the information that you have requested.

Section 17, Freedom of Information Act, 2000, requires Merseyside Police,
when refusing to provide such information (because the information is
exempt) to provide you the applicant with a notice which:
(a) states that fact,
(b) specifies the exemption(s) in question and
(c) states (if that would not otherwise be apparent) why the exemption
applies.

Reason for Decision:

Request refused by Virtue of Section 14(1) of the Freedom of Information
Act.  Section 14 states that a public authority need not comply with a
request for information if that request is vexatious.

The exact same request has been received from more than one source and it
is apparent that it forms part of a campaign orchestrated by Privacy
International, as the details can be found on that organisation’s website:

[1]https://privacyinternational.org/action/...

Whilst acknowledging that the Freedom of Information Act is designed to
open up public authorities to greater scrutiny and accountability, and
that when viewed in isolation this application appears to be a genuine
attempt to seek information, where applicants work ‘in concert’ with one
another the Force has to consider the aggregated impact of dealing with
such requests, particularly when it may be at the expense of responding in
a timely manner to other individuals who are using the FOI Act
responsibly.

The Information Commissioner’s Office has previously supported this view,
with its guidance stating:

“If a public authority has reason to believe that several different
requesters are acting in concert as part of a campaign to disrupt the
organisation by virtue of the sheer weight of FOIA requests being
submitted, then it may take this into account when determining whether any
of those requests are vexatious”

This communication therefore serves as a Refusal Notice under the FOI Act.

Had Section 14 FOI Act not been a consideration in this case, it is likely
that the requested information would have been refused under Section 31
FOI Act, as it would clearly not be in the interests of law enforcement to
reveal which storage systems the Force is able to extract data from and
which it cannot, as to do so would effectively tell the criminal
fraternity where data can be stored without risk of detection.

Complaint Rights

Your attention is drawn to the information following this response, which
details your rights of review and of complaint.

Should you have any further enquiries concerning this matter, please write
to or e-mail me at the below address, quoting the reference number above.

Yours sincerely

Mr D May
Disclosure Analyst
FOI Team
Data Access Unit
Merseyside Police
PO BOX 59
LIVERPOOL L69 1JD
E-mail: [2][Merseyside Police request email]

Making a complaint or appeal about your Freedom of Information response

We accept that sometimes you may not agree with the decision we’ve made
about your Freedom of Information request. If this is the case there is an
internal complaints procedure that should be followed.

You should make your complaint in writing to:

FOI Team

Data Access Unit
Merseyside Police

PO BOX 59

LIVERPOOL

L69 1JD

It should detail:

What the original request was

The nature of the complaint

Why you feel you should have received more information

Your complaint will be fully investigated and will be dealt with by a
staff member who was not involved in the original decision. We will write
to you to advise the outcome of your complaint.

If you are dissatisfied with the results of your complaint you have the
right to appeal to the Information Commissioner. He can be contacted at:

The Office of the Information Commissioner
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF

More information is available from the Information Commissioner's website

[3]http://www.ico.org.uk

 

 

 

============================================================
This email and any files transmitted with it are confidential and intended
solely for the use of the individual or entity to whom they are addressed.
If you have received this email in error please notify the sender as soon
as possible. This footnote confirms that all reasonable steps have been
taken to ensure that this email message has been swept for the presence of
computer viruses. The views expressed in this communication may not
necessarily be the views of Merseyside Police. All communications,
including telephone calls and electronic messages to and from Merseyside
Police may be subject to monitoring and recording.
============================================================

References

Visible links
1. https://privacyinternational.org/action/...
2. mailto:[Merseyside Police request email]
3. http://www.ico.org.uk/

Dear Merseyside Police,

RE: FOI Application DM2020/0171

I write to request an internal review in relation to your response of 14 February 2020.

BACKGROUND

The initial FOIA was sent on 4 February 2020 with receipt acknowledged on 4 February 2020.

On the 14 February you responded:

"Your request for information has been considered and I am not obliged to supply the information that you have requested.

Reason for Decision:
Request refused by Virtue of Section 14(1) of the Freedom of Information Act. Section 14 states that a public authority need not comply with a request for information if that request is vexatious.
The exact same request has been received from more than one source and it is apparent that it forms part of a campaign orchestrated by Privacy International, as the details can be found on that organisation’s website:
[1]https://privacyinternational.org/action/...
Whilst acknowledging that the Freedom of Information Act is designed to open up public authorities to greater scrutiny and accountability, and that when viewed in isolation this application appears to be a genuine attempt to seek information, where applicants work ‘in concert’ with one another the Force has to consider the aggregated impact of dealing with such requests, particularly when it may be at the expense of responding in a timely manner to other individuals who are using the FOI Act responsibly.
The Information Commissioner’s Office has previously supported this view,
with its guidance stating:
“If a public authority has reason to believe that several different requesters are acting in concert as part of a campaign to disrupt the organisation by virtue of the sheer weight of FOIA requests being submitted, then it may take this into account when determining whether any of those requests are vexatious”
This communication therefore serves as a Refusal Notice under the FOI Act."
Had Section 14 FOI Act not been a consideration in this case, it is likely that the requested information would have been refused under Section 31 FOI Act, as it would clearly not be in the interests of law enforcement to reveal which storage systems the Force is able to extract data from and which it cannot, as to do so would effectively tell the criminal fraternity where data can be stored without risk of detection."

Request for Internal Review

I write to request an internal review of your decision. I further respond to your comment that you would have nevertheless refused this request under section 31 FOIA. These submissions are based on the ICO guidance .

The Freedom of Information Act was designed to give individuals a greater right of access to official information with the intention of making public bodies more transparent and accountable. I am genuinely exercising the right to know.

In relation to your position that this request is vexatious, you state that:

• Request refused by Virtue of Section 14(1) of the Freedom of Information Act. Section 14 states that a public authority need not comply with a request for information if that request is vexatious.
• The exact same request has been received from more than one source and it is apparent that it forms part of a campaign orchestrated by Privacy International, as the details can be found on that organisation’s website: [1]https://privacyinternational.org/action/...
• Whilst acknowledging that the Freedom of Information Act is designed to open up public authorities to greater scrutiny and accountability, and that when viewed in isolation this application appears to be a genuine attempt to seek information, where applicants work ‘in concert’ with one another the Force has to consider the aggregated impact of dealing with such requests, particularly when it may be at the expense of responding in a timely manner to other individuals who are using the FOI Act responsibly.
• The Information Commissioner’s Office has previously supported this view,
with its guidance stating:
“If a public authority has reason to believe that several different requesters are acting in concert as part of a campaign to disrupt the organisation by virtue of the sheer weight of FOIA requests being submitted, then it may take this into account when determining whether any of those requests are vexatious”
The purpose of the campaign

You state that the exact same request has been received from more than one source. I have checked WhatDoTheyKnow.com and it appears that one other FOIA request was sent a few days before my request. However, I believe that you have misunderstood the purpose of Privacy International’s campaign.

Privacy International’s campaign page has the clear intention that only one FOIA should go to each force. It specifically states on the relevant page that:

"When we see that a FOIA has gone to a police force, we will strike through their name on the list below and add a link to the submitted request so you can follow its progress."

This indicates that when a request has been sent, this will be indicated so that individuals can track the progress of the FOIA for a particular force. It does not encourage more than one FOIA per force.

I submitted a FOIA to Merseyside on the basis that no FOIA had been submitted to Merseyside at the time I was looking at Privacy International’s campaign page. As noted, the other FOIA to yourselves was submitted only a few days earlier. So, it appears there was an issue with the page not being updated or with WhatDoTheyKnow.com preventing multiple requests to Merseyside using the link that was on Privacy International’s website and auto-filled the name and subject box of the FOIA to Merseyside.

I therefore request that you review your assumptions on the basis of the above evidence. The intention of the campaign is not to encourage individuals to send more than one request to a police force. The intention of the campaign is not to get applicants to work ‘in concert’ with one another leading to the Force having to deal with multiple FOIA.

This is therefore not the kind of case that is envisaged by the ICO guidance which you cite.

Privacy International’s campaign is publicly available. There is no evidence to support the position that they want several different requesters to act in concert to disrupt the organisation by virtue of sheer weight of FOIA requests being submitted.

The purpose of the campaign is therefore very different to that which is in the example in the ICO guidance, Dr Gary Duke vs ICO and the University of Salford (page 23) where it was found the intention was to send in a stream of requests.

The ICO guidance states that:

"93. Authorities must be careful to differentiate between cases where the requesters are abusing their information rights to engage in a campaign of disruption, and those instances where the requesters are using the Act as a channel to obtain information that will assist their campaign on an underlying issue."

"94. If the available evidence suggests that the requests are genuinely directed at gathering information about an underlying issue, then the authority will only be able to apply section 14(1) where it can show that the aggregated impact of dealing with the requests would cause a disproportionate and unjustified level of disruption, irritation or distress."

"95. This will involve weighing the evidence about the impact caused by the requests submitted as part of the campaign against the serious purpose and value of the campaign and the extent to which the requests further that purpose. Guidance on how to carry out this exercise can be found in the section of the guidance entitled 'Considering whether the purpose any value justifies the impact on the public authority.'"

It is clear from the information I have referred to above and the information on Privacy International's website, that this is a case where the Act is being used to obtain information to assist the campaign on an underlying issue, rather than being one that is abusive. I note that Privacy International's website states :

"You should know what new technologies police are deploying on your local community. We want to find out if UK police are using cloud extraction tech, what law exists to protect your rights and what safeguards are in place. We need your help."

It is clear the aim is one of transparency, not to be abusive of the Freedom of Information Act.

The ICO guidance goes on to state that if the requests are genuinely directed at gathering information about an underlying issue, which I believe this is, then you need to show the aggregated impact of dealing with the requests would cause a disproportionate and unjustified level of disruption, irritation or distress.

You have only received two FOIA requests from what I can see. There are numerous options open to you, including informing one of the requesters that you are already dealing with a similar request. In addition, you could have contacted Privacy International about this campaign to obtain clarity. If you simply reply to my request and indicate to the other requester that you are already dealing with the same FOIA, then there is no disproportionate and unjustified level of disruption, irritation or distress.

The ICO guidance states that you can weigh the evidence about the impact caused by the requests submitted as part of the campaign against the serious purpose and value of the campaign and the extent to which the requests further that purpose. Guidance on how to carry out this exercise can be found in the section of the guidance entitled 'Considering whether the purpose any value justifies the impact on the public authority.'"

Purpose and value

When looking at whether a request is likely to cause a disproportionate or unjustified level of disruption, irritation or distress, the ICO guidance considers purpose and value (pages 11-13).

There is serious purpose behind this request given the growing use of cloud extraction technologies by law enforcement and the apparent secrecy around its use in the UK. The request therefore is of wider benefit to the public who may be subjected to the use of cloud extraction technologies.

As set out in Privacy International's research :

"Cellebrite, a prominent vendor of this technology noted in its Annual Trend Survey that in approximately half of all investigations cloud data 'appears' and that 'typically, this data involves social media or application data that does not reside on the physical device.' This indicates use of cloud extraction technology."

Given this is an increasingly popular technology with law enforcement, it is in the public interest for there to be transparency about this and accountability.

Privacy International have also found that at least two UK police forces are already using cloud extraction technology . They have elaborated on use by Lancashire and Hampshire police forces on their website .

My freedom of information request was made using Privacy International's draft FOIA and was not done with the intention of misuse or abuse of the Act.

Privacy International state that their campaign is to allow people to ask local forces about cloud extraction and that communities should know what new technologies are being deployed. They update their website page to show if a FOIA has been submitted. It was my intention to send a FOIA to your force as at the time the website showed that Merseyside was not in receipt of a FOIA request in relation to cloud extraction. It was my intention to gain transparency as to whether Merseyside is using this technology. It is not my intention to be annoying or disruptive or have disproportionate impact on the force.

I therefore do not believe that this FOIA is disproportionate or unjustified. You have not explained why it would cause a disproportionate or unjustified level of disruption, irritation or distress (para 9 ICO guidance). You have rejected is solely on the basis that it is part of a campaign. However, whether or not it is part of a campaign, the intention is to genuinely exercise the right to know. The request is reasonable and justified.

The request is not vexatious

The ICO guidance from page 6 looks at what is meant by vexatious. It notes that this depends on the circumstances surrounding that request. I have elaborated on this above (Privacy International’s research and purpose of the campaign) and believe that it is clear this request is not vexatious, but a request made in the public interest with the aim of transparency and accountability. The materials cited above show that the request has adequate and proper justification.

As the ICO guidance states at paragraph 20:

"20. At the subsequent Court of Appeal Case (Dransfield v Information Commissioner and Devon County Council [2015] EWCA Civ 454 (14 May 2015)), Lady Judge Arden observed that;

"the emphasis should be on an objective standard and that the starting point is that vexatious primarily involves making a request which has no reasonable foundation, that is, no reasonable foundation for thinking that the information sought would be of value to the requester or to the public or any section of the public." (para 68) "

The ICO states that the key question the public authority must ask itself is whether the request is likely to cause a disproportionate or unjustified level of disruption, irritation or distress. If you simply respond to my FOIA and inform the other requester that you are already responding, I do not see that there is disproportionate or unjustified level of disruption, irritation or distress.

I believe that the claim is has reasonable foundation and is of value. This can be seen in the context not only of the above information, that is on Privacy International's website, but also given the wide amount of publicity that accompanied Privacy International’s report on mobile phone extraction technologies. Cloud extraction, as stated in Privacy International's research, is an extension of mobile phone extraction technologies and likely to be of equal interest to the public, if not more, given that it can also be associated with facial and emotion recognition technologies, as set out in Privacy International's research.

Privacy International have also highlighted, as part of their work on cloud extraction, that there is a lack of awareness about cloud computing in the UK. They commissioned a YouGov poll on the basis that:

“We are concerned that not only is this tech being used in secret and without sufficient transparency, but in addition, the public are largely unaware that large volumes of data that they generate via their smart phones and the apps they use, is stored in the cloud and thus accessible using these technologies.”

This supports the serious nature of the work being undertaken by Privacy International.

The ICO guidance goes on to set out indicators of a vexatious request. You have not stated that any of these are relevant and I do not believe any of them can be seen to apply.

Conciliatory approach

It is unfortunate that you have chosen to make a decision that then resulted in a request for internal review. I believe that it would have been better to seek further information from myself and for you to contact Privacy International if you had concerns about the FOIA. Taking steps like this and other considerations are elaborated in the ICO guidance 'Recommended actions before making a final decision.'

Should you require further information from myself before coming to a decision, I am happy to respond to questions you may have. You may also find it useful to contact Privacy International who provided an email contact on the website page for the Cloud extraction campaign: [email address]

Section 31

You have stated that:

"Had Section 14 FOI Act not been a consideration in this case, it is likely that the requested information would have been refused under Section 31 FOI Act, as it would clearly not be in the interests of law enforcement to reveal which storage systems the Force is able to extract data from and which it cannot, as to do so would effectively tell the criminal fraternity where data can be stored without risk of detection."
I do not believe that you would have reason to rely upon section 31 for the following reasons:

Privacy International has publicly available research which provides evidence that Lancashire Police Department UK have publicly stated that they use Cellebrite Cloud Analyser. In addition, Hampshire Constabulary confirmed in response to a FOIA submitted by Privacy International dated 10.12.2018 that they use ‘Cellebrite Cloud Analyser’.

It appears an objection would be unsustainable given that there is already information in the public domain that police forces in the UK are using this technology and about what storage systems can be extracted, as explored in Privacy International’s research, which is based on publicly available information.

In addition, your reasons supporting a section 31 refusal do not equate to the questions asked. You state that it would not be in your interests to reveal which storage systems the force is able to extract data from. However, the FOIA asks:

1. Do you use mobile phone extraction technology that includes cloud analytics / cloud extraction capabilities e.g. Cellebrite UFED Cloud Analyser, Magnet Axiom Cloud or Oxygen Forensics Cloud Extractor
2. Do you have other technologies that allow you to access cloud-based accounts and extract this data.
3. Please provide a copy of the relevant Data Protection Impact Assessment.
4. Please provide a copy of the relevant local and/or national guidance/standard operating procedure/policy.
5. Please confirm the legal basis you rely on to conduct cloud analytics/extraction.
Is does not in fact ask you to reveal which storage systems Merseyside is able to extract data from and which it cannot.

We note in addition that Privacy International revealed, a number of years ago that police forces in the UK were using mobile phone extraction technologies. This has been widely publicised and in particular the use of extraction technologies against victims of rape has been a subject of considerable media reporting. Privacy International Is happy to provide you with their coverage of this issue and sample media reporting.

Kind regards,

Torr Robinson

Freedom Of Information, Merseyside Police

Your email to the Merseyside Police Freedom of Information (FOI) in box is
acknowledged.

 

If it contains an initial (new) request under FOI it will be dealt with in
accordance with section 10 of the Act which means that you are entitled to
receive a response no later than 20 working days after the first working
day* on which your request is received.

 

Other arrangements may apply if a fees notice is issued or if the time
period is extended in order that public interest considerations of our
response may take place. Section 10 also allows public authorities to
apply variations to the normal 20 working day timescale in some limited
circumstances.

 

Due to the volume of e-mail correspondence and FOI applications received,
the Force regrets that individual acknowledgement e-mails will not be sent
even if specifically requested.

 

If the correspondence cannot be dealt with as FOI, it will be forwarded
internally and you will be advised of the location. Any related
communication must be direct to the identified location and not the FOI
e-mail address.

 

*The ‘working day’ is defined as any day other than a Saturday, a Sunday,
Christmas Day, Good Friday or a day which is a bank holiday under the
Banking and Financial Dealings Act 1971 in any part of the United Kingdom.
The first reckonable day is the working day after the working day of
receipt.

============================================================
This email and any files transmitted with it are confidential and intended
solely for the use of the individual or entity to whom they are addressed.
If you have received this email in error please notify the sender as soon
as possible. This footnote confirms that all reasonable steps have been
taken to ensure that this email message has been swept for the presence of
computer viruses. The views expressed in this communication may not
necessarily be the views of Merseyside Police. All communications,
including telephone calls and electronic messages to and from Merseyside
Police may be subject to monitoring and recording.
============================================================

Freedom Of Information, Merseyside Police

Dear applicant

Thank you for your email requesting an Internal Review of FOI case
DM2020/0171.  This will be conducted by a member of staff who was not
involved in the original decision and you will be notified of the outcome
in due course.

Yours sincerely

Mr D May
Data Access Analyst
FOI Team
Data Access Unit
Criminal Justice
Merseyside Police

show quoted sections

We don't know whether the most recent response to this request contains information or not – if you are Torr Robinson please sign in and let everyone know.