Use of cloud analytics / extraction
Dear North Wales Police,
I am aware that companies are selling technologies to law enforcement that allow them to take vast quantities of personal data from cloud-based apps and accounts. You can read more [https://privacyinternational.org/long-re....
I make the following request for documents/information under the Freedom of Information Act:
1. Do you use mobile phone extraction technology that includes cloud analytics / cloud extraction capabilities e.g. Cellebrite UFED Cloud Analyser, Magnet Axiom Cloud or Oxygen Forensics Cloud Extractor
2. Do you have other technologies that allow you to access cloud-based accounts and extract this data.
3. Please provide a copy of the relevant Data Protection Impact Assessment.
4. Please provide a copy of the relevant local and/or national guidance/standard operating procedure/policy.
5. Please confirm the legal basis you rely on to conduct cloud analytics/extraction.
Yours faithfully,
Torr Robinson
Dear Torr Robinson,
Enquiry Ref: 2020/138
I acknowledge receipt of your Freedom of Information request.
As set out by the Freedom of Information Act, it will be our aim to
respond to your request by 03/03/2020.
If you have any questions regarding your request, please contact me.
Yours sincerely,
P.P. Sarah Botterill
Swyddog Hawliau Gwybodaeth/Information Rights Officer
Safonau Gwybodaeth a Chydymffurfio/ Information Standards & Compliance
Chyllid a Adnoddau/Finance & Resources
Ffôn /Phone 01492 804477
Est/ Ext 04477
E.bost/ E.mail [1][email address]
[2]cid:image002.jpg@01D4D9AE.42746C10[3]cid:image003.jpg@01D4D9AE.42746C10
Rydym yn croesawu gohebiaeth yn y Gymraeg a’r Saesneg – byddwn yn ymateb
yn gyfartal i’r ddau ac yn ateb yn eich dewis iaith heb oedi.
We welcome correspondence in Welsh and English – we will respond equally
to both and will reply in your language of choice without delay.
Please note: we will process your personal data (i.e. your name, address,
email address, your request etc.) to record and respond to your freedom of
information request/s and provide cross-government advice, support and
co-ordination in responding to freedom of information requests. This data
will be held for two years, plus the current year.
[4]https://www.north-wales.police.uk/access...
References
Visible links
1. mailto:[email address]
4. https://www.north-wales.police.uk/access...
Dear Torr Robinson,
Enquiry Ref: 2020/138
I acknowledge receipt of your email received on 04/02/2020 requesting the
following information;
Section 8 of the Freedom of Information Act states that a request must be
in writing; provide the name of the applicant and an address for
correspondence; and, describe the information requested. In order for a
request to be valid under Section 8 the applicant must use his or her real
name, rather than a pseudonym.
Therefore, please can you provide us with proof of ID?
To enable us to respond to your request please provide the details
requested above or alternatively indicate how we may otherwise assist you.
Unfortunately we are unable to research your request until we have
received this information and the clock will be stopped pending receipt of
your response.
If you would like to discuss this matter please do not hesitate to contact
me.
Yours sincerely,
Sarah Botterill
Swyddog Cymorth Diogelwch Gwybodaeth/Information Security Support Officer
Safonau Gwybodaeth a Chydymffurfiaeth/Information Standards & Compliance
Cyllid ac Adnoddau/Finance and Resources
Heddlu Gogledd Cymru/North Wales Police
Ffon/Tel 01492 804477
[1][email address]
[2]NWP%20Logo%20(Colour) [3]Description:
http://fhqweb001/intranet/Corp_Branding_...
Peidiwch ag argraffu'r a-bost hwn oni bai fod hynny'n wirioneddol
anghenrheidiol!
Please don't print this e-mail unless you really need to!
Rydym yn croesawu gohebiaeth yn y Gymraeg a’r Saesneg - byddwn yn ymateb
yn gyfartal i’r ddau ac yn ateb yn eich dewis iaith heb oedi.
We welcome correspondence in Welsh and English - we will respond equally
to both and will reply in your language of choice without delay.
References
Visible links
1. mailto:[email address]
Dear Torr Robinson,
In response to your Freedom of Information request dated 04/02/2020 sent
to North Wales Police, I would like to point out the following:
The Freedom of Information Act is a piece of legislation which quite
rightly opens up public authorities to greater scrutiny and
accountability.
Under the provision of the Act an authority must process a request in
writing from a named applicant under the terms and conditions of the
legislation. Whilst giving maximum support to individuals genuinely
seeking to exercise the right to know, the Commissioner’s general approach
will be sympathetic towards authorities where request can be characterised
as being part of a campaign. Therefore, with regard to this request we
are issuing a Section 14(1) Vexatious Refusal Notice. Please be aware
that any future requests asking for the same information and from the same
named individuals will attract this exemption.
I have also attached a copy of our review procedure should you not be
happy with our response.
Regards,
Sarah Botterill
Swyddog Cymorth Diogelwch Gwybodaeth/Information Security Support Officer
Safonau Gwybodaeth a Chydymffurfiaeth/Information Standards & Compliance
Cyllid ac Adnoddau/Finance and Resources
Heddlu Gogledd Cymru/North Wales Police
Ffon/Tel 01492 804477
[1][email address]
[2]NWP%20Logo%20(Colour) [3]Description:
http://fhqweb001/intranet/Corp_Branding_...
Peidiwch ag argraffu'r a-bost hwn oni bai fod hynny'n wirioneddol
anghenrheidiol!
Please don't print this e-mail unless you really need to!
Rydym yn croesawu gohebiaeth yn y Gymraeg a’r Saesneg - byddwn yn ymateb
yn gyfartal i’r ddau ac yn ateb yn eich dewis iaith heb oedi.
We welcome correspondence in Welsh and English - we will respond equally
to both and will reply in your language of choice without delay.
Oeddech chi’n gwybod bod modd i chi gael mynediad i wybodaeth am Heddlu
Gogledd Cymru drwy Gynllun Cyhoeddi a Log Datgeliadau Heddlu Gogledd
Cymru? Mae’r ddau ar gael drwy’r dolenni cyswllt isod:
Did you know you can access information about North Wales Police via the
North Wales Police Publication Scheme and the North Wales Police
Disclosure Log? Both are available via the below links:
[5]http://www.north-wales.police.uk/accessi...
[6]https://www.north-wales.police.uk/access...
References
Visible links
1. mailto:[email address]
5. http://www.north-wales.police.uk/accessi...
6. https://www.north-wales.police.uk/access...
Dear Freedom of Information Team,
I do not accept that you have justification to refuse this request as vexatious. Paragraph 91 of the ICO guidance, which can be found here: https://ico.org.uk/media/for-organisatio... states that a request can only be deemed vexatious on these terms if it is part of a campaign designed to disrupt an organisation, a claim for which you have provided no evidence. My request has been made in good faith, with the serious purpose of seeking information in relation to the use of cloud analytics and data extraction.
With that said, I am requesting that you conduct an internal review of your decision. I hope to receive a response within 20 working days.
Yours sincerely,
Torr Robinson
Dear North Wales police,
I write further to my request for an internal review in relation to your response of 4 & 7 February.
The initial FOIA was sent on 4 February 2020 with receipt acknowledged on 4 February 2020. On the 5 February you stated that:
"Section 8 of the Freedom of Information Act states that a request must be in writing; provide the name of the applicant and an address for correspondence; and, describe the information requested. In order for a request to be valid under Section 8 the applicant must use his or her real name, rather than a pseudonym.
Therefore, please can you provide us with proof of ID?
To enable us to respond to your request please provide the details
requested above or alternatively indicate how we may otherwise assist you."
On the 7 February you sent a further email stating:
"The Freedom of Information Act is a piece of legislation which quite rightly opens up public authorities to greater scrutiny and
accountability.
Under the provision of the Act an authority must process a request in writing from a named applicant under the terms and conditions of the legislation. Whilst giving maximum support to individuals genuinely seeking to exercise the right to know, the Commissioner’s general approach will be sympathetic towards authorities where request can be characterised as being part of a campaign. Therefore, with regard to this request we are issuing a Section 14(1) Vexatious Refusal Notice. Please be aware that any future requests asking for the same information and from the same named individuals will attract this exemption."
On 13 February 2020 I responded stating:
"Dear Freedom of Information Team,
I do not accept that you have justification to refuse this request as vexatious. Paragraph 91 of the ICO guidance, which can be found here: https://ico.org.uk/media/for-organisatio... states that a request can only be deemed vexatious on these terms if it is part of a campaign designed to disrupt an organisation, a claim for which you have provided no evidence. My request has been made in good faith, with the serious purpose of seeking information in relation to the use of cloud analytics and data extraction.
With that said, I am requesting that you conduct an internal review of your decision. I hope to receive a response within 20 working days."
I write to further elaborate on my request for internal review. Please add these submissions to the request and consider them at the time of making your decision.
There are two issues that appear to be relevant. Firstly, in relation to my identity, and secondly your position that this request is vexatious.
In relation to identity, I do not accept that you have any reasonable basis to conclude that I am not using my real name and request I prove my identity. A quick google search of my name ("Torr Robinson") reveals that is my real name. The ICO guidelines on this state that if the name given is not an obvious pseudonym then the request should be taken at face value, as can be seen on Page 8 here: https://ico.org.uk/media/for-organisatio...
I will not be providing you with any proof of ID, and have instead requested you conduct an internal review of your decision.
In relation to your position that this request is vexatious, you state that:
* "The Freedom of Information Act is a piece of legislation which quite rightly opens up public authorities to greater scrutiny and accountability."
* "Under the provision of the Act an authority must process a request in writing from a named applicant under the terms and conditions of the legislation. "
* "Whilst giving maximum support to individuals genuinely seeking to exercise the right to know, the Commissioner’s general approach will be sympathetic towards authorities where request can be characterised as being part of a campaign. "
* "Therefore, with regard to this request we are issuing a Section 14(1) Vexatious Refusal Notice. Please be aware that any future requests asking for the same information and from the same named individuals will attract this exemption."
You have not provided any detailed reasons why you believe that this falls to be refused based on the Commissioner’s guidance. You have simply stated that 'the Commissioner's general approach will be sympathetic towards authorities where request can be characterised as being part of a campaign.' Upon reading this section of the ICO guidance I believe that you have mis-characterised the FOIA request and not fully applied the guidance. I address this below.
I will further go into additional detail in this letter which should be read in as part of my request for internal review, to assist your decision making. These submissions are based on the ICO guidance .
In accordance with the ICO guidance, 'introduction' (page 3/4) it states that:
• Section 14(1) may be used in a variety of circumstances where a request, or its impact on a public authority, cannot be justified.
• Section 14(1) can only be applied to the request itself and not the individual who submitted it.
• In cases where the issues it not clear-cut, the key question to ask is whether the request is likely to cause disproportionate or unjustified level of disruption, irritation or distress. This will usually be a matter of objectively judging the evidence of the impact on the authority and weighing this against any evidence about the purpose and value of the request.
• The public authority may also take into account the context and history of the request, where this is relevant.
• Although not appropriate in every case, it may be worth considering whether a more conciliatory approach could help before refusing a request as vexatious.
In relation to the first point above from the ICO guidance, I believe that the FOIA request I have made is justified. I am genuinely exercising the right to know. The Freedom of Information Act, as you acknowledge, was designed to give individuals a greater right of access to official information with the intention of making public bodies more transparent and accountable.
I am not aware that North Wales has any publicly available information on the use of cloud extraction/analytics. As set out in Privacy International's research :
"Cellebrite, a prominent vendor of this technology noted in its Annual Trend Survey that in approximately half of all investigations cloud data 'appears' and that 'typically, this data involves social media or application data that does not reside on the physical device.' This indicates use of cloud extraction technology. "
Given this is an increasingly popular technology with law enforcement, it is in the public interest for there to be transparency about this and accountability.
Privacy International have also found that at least two UK police forces are already using cloud extraction technology . They have elaborated on use by Lancashire and Hampshire police forces.
My freedom of information request was made using Privacy International's draft FOIA and was not done with the intention of misuse or abuse of the Act.
Privacy International state that their campaign is to allow people to ask local forces about cloud extraction and that communities should know what new technologies are being deployed. They update their website page to show if a FOIA has been submitted. It was my intention to send a FOIA to your force as at the time the website showed that North Wales was not in receipt of a FOIA request in relation to cloud extraction. It was my intention to gain transparency as to whether North Wales is using this technology. It is not my intention to be annoying or disruptive or have disproportionate impact on the force.
I therefore do not believe that this FOIA is disproportionate or unjustified. You have not explained why it would cause a disproportionate or unjustified level of disruption, irritation or distress (para 9 ICO guidance). You have rejected is solely on the basis that it is part of a campaign. However, whether or not it is part of a campaign, the intention is to genuinely exercise the right to know. The request is reasonable and justified.
The ICO guidance from page 6 looks at what is meant by vexatious. It notes that this depends on the circumstances surrounding that request. I have elaborated on this above (Privacy International’s research) and believe that it is clear this request is not vexatious, but a request made in the public interest with the aim of transparency and accountability. The materials cited above show that the request has adequate and proper justification.
As the ICO guidance states at paragraph 20:
"20. At the subsequent Court of Appeal Case (Dransfield v Information Commissioner and Devon County Council [2015] EWCA Civ 454 (14 May 2015)), Lady Judge Arden observed that;
"the emphasis should be on an objective standard and that the starting point is that vexatious primarily involves making a request which has no reasonable foundation, that is, no reasonable foundation for thinking that the information sought would be of value to the requester or to the public or any section of the public." (para 68) "
The ICO states that the key question the public authority must ask itself is whether the request is likely to cause a disproportionate or unjustified level of disruption, irritation or distress. You have not made any of these claims.
I believe that the claim is has reasonable foundation and is of value. This can be seen in the context not only of the above information, that is on Privacy International's website, but also given the wide amount of publicity that accompanied Privacy International’s report on mobile phone extraction technologies. Cloud extraction, as stated in Privacy International's research, is an extension of mobile phone extraction technologies and likely to be of equal interest to the public, if not more, given that it can also be associated with facial and emotion recognition technologies, as set out in Privacy International's research.
The ICO guidance goes on to set out indicators of a vexatious request. You have not stated that any of these are relevant and I do not believe any of them can be seen to apply.
When looking at whether a request is likely to cause a disproportionate or unjustified level of disruption, irritation or distress, the ICO guidance considers purpose and value (pages 11-13). As stated above, there is serious purpose behind this request given the growing use of cloud extraction technologies by law enforcement and the apparent secrecy around its use in the UK. The request therefore is of wider benefit to the public who may be subjected to the use of cloud extraction technologies.
You have not stated that there is distress, disruption or irritation that would be incurred by complying with the request. Nevertheless, noting the ICO guidance, the purpose and value of the request provides sufficient grounds to justify this should it be considered part of the refusal.
As I referred to in my request for internal review dated 13 February 2020, the ICO guidance considers 'campaigns' at paragraph 91. It states that:
"If a public authority has reason to believe that several different requesters are acting in concert as part of a campaign to disrupt the organisation by virtue of the sheer weight of FOIA requests being submitted, then it may take this into account when determining whether any of those requests are vexatious."
As stated above, it was my intention to submit a FOIA to North Wales on the basis that no FOIA had been submitted to North Wales police according to Privacy International's website. It is clear from Privacy International's campaign that only one FOIA should go to each force. It specifically states on the relevant page that:
"When we see that a FOIA has gone to a police force, we will strike through their name on the list below and add a link to the submitted request so you can follow its progress."
This indicates that when a request has been sent, this will be indicated so that individuals can track the progress of the FOIA for a particular force. It does not encourage more than one FOIA per force.
This is therefore a very different campaign to that which is in the example in the ICO guidance, Dr Gary Duke vs ICO and the University of Salford (page 23) where it was found the intention was to send in a stream of requests.
The ICO guidance states that:
"93. Authorities must be careful to differentiate between cases where the requesters are abusing their information rights to engage in a campaign of disruption, and those instances where the requesters are using the Act as a channel to obtain information that will assist their campaign on an underlying issue."
"94. If the available evidence suggests that the requests are genuinely directed at gathering information about an underlying issue, then the authority will only be able to apply section 14(1) where it can show that the aggregated impact of dealing with the requests would cause a disproportionate and unjustified level of disruption, irritation or distress."
"95. This will involve weighing the evidence about the impact caused by the requests submitted as part of the campaign against the serious purpose and value of the campaign and the extent to which the requests further that purpose. Guidance on how to carry out this exercise can be found int eh section of the guidance entitled 'Considering whether the purpose any value justifies the impact on the public authority.'"
It is clear from the information I have referred to above and the information on Privacy International's website, that this is a case where the Act is being used to obtain information to assist the campaign on an underlying issue, rather than being one that is abusive. I note that Privacy International's website states:
"You should know what new technologies police are deploying on your local community. We want to find out if UK police are using cloud extraction tech, what law exists to protect your rights and what safeguards are in place. We need your help."
It is clear the aim is one of transparency, not to be abusive of the Freedom of Information Act.
The campaign has serious purpose and the request furthers that purpose. I have set out above further information in relation to the section 'considering whether the purpose and value justifies the impact on the public authority.' I believe that should you decide there is an impact on North Wales police force, it is justified.
It is unfortunate that you have chosen to make a decision that then resulted in a request for internal review. I believe that it would have been better to seek further information from myself and for you to contact Privacy International if you had concerns about the FOIA. Taking steps like this and other considerations are elaborated in the ICO guidance 'Recommended actions before making a final decision.'
Should you require further information from myself before coming to a decision, I am happy to respond to questions you may have. You may also find it useful to contact Privacy International who provided an email contact on the website page for the Cloud extraction campaign: [email address]
I look forward to hearing from you with a response to my Freedom of Information request.
Kind regards,
Torr Robinson
Dear Torr Robinson,
Enquiry Ref: 2020/138
I acknowledge receipt of your review request, received in the Freedom of
Information Unit on 13/02/2020. It will be our aim to respond to your
request by 12/02/2020.
If you have any further questions or queries, please contact me.
Yours sincerely,
pp. Sarah Botterill
Sarah Botterill
Swyddog Cymorth Diogelwch Gwybodaeth/Information Security Support Officer
Safonau Gwybodaeth a Chydymffurfio/Information Standards & Compliance
Cyllid ac Adnoddau/Finance and Resources
Heddlu Gogledd Cymru/North Wales Police
Ffon/Tel 01492 804477
Est/Ext 04477
[1][email address]
[2]NWP%20Logo%20(Colour) [3]Description:
http://fhqweb001/intranet/Corp_Branding_...
Peidiwch ag argraffu'r a-bost hwn oni bai fod hynny'n wirioneddol
anghenrheidiol!
Please don't print this e-mail unless you really need to!
Rydym yn croesawu gohebiaeth yn y Gymraeg a’r Saesneg - byddwn yn ymateb
yn gyfartal i’r ddau ac yn ateb yn eich dewis iaith heb oedi.
We welcome correspondence in Welsh and English - we will respond equally
to both and will reply in your language of choice without delay.
Rydym yn croesawu gohebiaeth yn y Gymraeg a’r Saesneg – byddwn yn ymateb
yn gyfartal i’r ddau ac yn ateb yn eich dewis iaith heb oedi.
We welcome correspondence in Welsh and English – we will respond equally
to both and will reply in your language of choice without delay.
References
Visible links
1. mailto:[email address]
Dear Torr Robinson,
In response to your recent request for a review, please find attached our
reply.
Although your original response has undergone the review procedure within
North Wales Police, you do have the right to contact the Information
Commissioner.
I have attached a copy of our review procedure should you not be happy
with our response.
Regards,
Helen Crowther
Swyddog Hawliau Gwybodaeth/Information Rights Officer
Safonau Gwybodaeth a Chydymffurfio/ Information Standards & Compliance
Chyllid a Adnoddau/Finance & Resources
Ffôn /Phone 01492 804437
Est/ Ext 04437
E.bost/ E.mail [1][email address]
[2]cid:image002.jpg@01D4D9AE.42746C10[3]cid:image003.jpg@01D4D9AE.42746C10
Rydym yn croesawu gohebiaeth yn y Gymraeg a’r Saesneg – byddwn yn ymateb
yn gyfartal i’r ddau ac yn ateb yn eich dewis iaith heb oedi.
We welcome correspondence in Welsh and English – we will respond equally
to both and will reply in your language of choice without delay.
References
Visible links
1. mailto:[email address]
We work to defend the right to FOI for everyone
Help us protect your right to hold public authorities to account. Donate and support our work.
Donate Now