Use of cloud analytics / extraction

Waiting for an internal review by British Transport Police of their handling of this request.

Dear British Transport Police,

I am aware that a similar request to the below has been made but you have not responded to this request as you seek a full name. I do not take a position on whether your request for the individual's name is correct or not. Nevertheless I provide my name and the name of the organisation which I believe is in accordance with ICO Guidance. I look forward to your response to the FOIA.

I am aware that companies are selling technologies to law enforcement that allow them to take vast quantities of personal data from cloud-based apps and accounts. You can read more [https://privacyinternational.org/long-re....

I make the following request for documents/information under the Freedom of Information Act:

1. Do you use mobile phone extraction technology that includes cloud analytics / cloud extraction capabilities e.g. Cellebrite UFED Cloud Analyser, Magnet Axiom Cloud or Oxygen Forensics Cloud Extractor?

2. Do you have other technologies that allow you to access cloud-based accounts and extract this data?

3. Please provide a copy of the relevant Data Protection Impact Assessment.

4. Please provide a copy of the relevant local and/or national guidance/standard operating procedure/policy.

5. Please confirm the legal basis you rely on to conduct cloud analytics/extraction.

Yours faithfully,

Millie Wood
Privacy International

Freedom of information, British Transport Police

Dear Millie Wood,

Freedom of Information request ref: 273-20

Thank you for your request under the Freedom of Information Act 2000 (‘the Act’).

Your request was received on 7th February 2020 and will be processed in accordance with the Act.

Please quote the above reference number on any correspondence.

Yours sincerely,

Katie Hulland

Information Governance Officer /Swyddog Llywodraethu Gwybodaeth

Information Management Unit / Uned Rheoli Gwybodaeth

Capability and Resources / Gallu ac Adnoddau

British Transport Police, 3 Callaghan Square, Cardiff, CF10 5BT

Heddlu Trafnidiaeth Prydeinig, 3 Sgŵar Callaghan, Caerdydd, CF10 5BT

DX 153042 Cardiff 36

Office / ffôn swyddfa 02920 525 338

Internal / ffôn mewnol 5525338

Email / e-bost [email address]

www.btp.police.uk

Unless otherwise stated above, this e-mail is considered ‘OFFICIAL’

Oni nodir fel arall uchod, mae’r e-bost yma i’w gael ei ystyried ‘SWYDDOGOL’

Freedom of information, British Transport Police

2 Attachments

Dear Millie Wood,

Thank you for your Freedom of Information Request, our reference 273-20.

Please find attached our response.

Yours sincerely,

Katie Hulland

Data Protection & FOI Officer


Dear British Transport Police,

Please pass this on to the person who conducts Freedom of Information reviews.

I am writing to request an internal review of British Transport Police's handling of my FOI request 'Use of cloud analytics / extraction' reference 273-20.

A full history of my FOI request and all correspondence is available on the Internet at this address: https://www.whatdotheyknow.com/request/u...

In light of Covid-19 and the pressures that this may be placing on policing, we understand that a response in relation to this Request for Internal Review may be delayed.

PI’s Freedom of Information Act Request

I am aware that companies are selling technologies to law enforcement that allow them to take vast quantities of personal data from cloud-based apps and accounts.
I make the following request for documents/information under the Freedom of Information Act:
1. Do you use mobile phone extraction technology that includes cloud analytics / cloud extraction capabilities e.g. Cellebrite UFED Cloud Analyser, Magnet Axiom Cloud or Oxygen Forensics Cloud Extractor?
2. Do you have other technologies that allow you to access cloud-based accounts and extract this data?
3. Please provide a copy of the relevant Data Protection Impact Assessment.
4. Please provide a copy of the relevant local and/or national guidance/standard operating procedure/policy.
5. Please confirm the legal basis you rely on to conduct cloud analytics/extraction.
Your initial response to PI’s Freedom of Information Act Request is included with this email as an Annex.

PI’s Submissions

In response to PI’s Freedom of Information Act request, the British Transport Police neither confirm nor deny that you hold information relevant to this request by virtue of Section 24(2) - National Security and Section 31(3) - Law Enforcement.

We believe that your arguments cannot be sustained given that:
1. The information regarding use of Cloud Extraction technologies is already in the public domain and two police forces have already confirmed use of this technology.
2. Companies openly publicise the use of this tactic by law enforcement.
3. The public are aware of the use of mobile phone extraction technologies and cloud extraction is an extension of this, rather than something completely new.
4. We further believe there is a strong public interest in disclosure.

Section 24(2) provides an exemption from the duty to confirm information is held, where the exemption is required for the purposes of safeguarding national security. Section 24 is subject to the public interest tests. It is the interests of the UK and its citizens that are of concern.

“(2) The duty to confirm or deny does not arise if, or to the extent that, exemption from 1(1)(a) is required for the purpose of safeguarding national security.”

Section 31(3) states:

“(3) The duty to confirm or deny does not arise if, or to the extent that, compliance with section 1(1)(a) would, or would be likely to, prejudice any of the matters mentioned in subsection (1).”

In ICO decision notice FS50178276 the Commissioner found that the term requires: “…means reasonably necessary. It is not sufficient for the information sought simply to relate to national security; there must be a clear basis for arguing that disclosure would have an adverse effect on national security before the exemption is engaged.”

In invoking sections 24(2) and 31(3), you argue that:
• Revealing whether information is held in relation to the specific technology will in itself be revealing tactical information which would undermine the process of preventing or detecting crime and the apprehension or prosecution of offenders.
• Revealing the requested information would allow inferences to be made about the nature and extent of national security related activities which may or may not take place.
• Revealing the requested information would render national security measures less effective and compromise operations.
• Revealing the requested information would compromise law enforcement capabilities and effectiveness.
• Revealing the requested information would undermine evidence gathering processes.

We disagree with these broad assertions for the following reasons.

The information is already in the public domain

We have publicly available research which provides evidence that Lancashire Police Department UK have publicly stated that they use Cellebrite Cloud Analyser. In addition, Hampshire Constabulary confirmed in response to a FOIA submitted by Privacy International dated 10.12.2018 that they use ‘Cellebrite Cloud Analyser’.

On 12 December 2018 a member of Lancashire Police Department UK told viewers of a publicly available Cellebrite webinar that they were using Cellebrite’s Cloud Analyser to obtain cloud based ‘evidence’. In the webinar, Lancashire stated that Lancashire Constabulary Digital Investigations Unit started testing the use of cloud extraction in 2014. In March 2018 they state they explored cloud forensics in relation to sex offenders, child sexual exploitation, grooming investigation, mob crimes and homicide investigations. In July 2018 they started using Cellebrite UFED Cloud Analyzer. Lancashire stated that when they started using cloud analytics there was no national standard and no clarity on legal safeguards. They now use different powers depending on the case and context, whether it is the Police and Criminal Evidence Act 1984 (PACE), Investigatory Powers Act 2017 or Regulation of Investigatory Powers Act 2000.

Given that there is publicly available information that forces are using this technology and two forces have publicly admitted this, there is no basis to reject questions 1 – 5.

We note in particular that Lancashire Constabulary have disclosed to us their ‘DIU/DMIU Procedure for the extraction of cloud data’. We therefore do not accept that you can refuse to respond to question 4 which requests a copy of the relevant local and/or national guidance/SOP/policy (copy enclosed).

Lancashire have also disclosed, as noted above, the legal basis for use of cloud extraction. We therefore do not accept you can refuse to respond to question 5.

Hampshire Constabulary have also responded to our Freedom of Information request.

We further note that additional information is in the public domain including:
• Houses of Parliament ‘Digital Forensics and Crime’ Post note number 520 March 2016
• ACPO Good Practice for Digital Evidence Version 5 (October 2011) which refers on page 36 to the seizure of cloud services and virtual storage.

Your stance of neither confirm nor deny is unsustainable given that there is already information in the public domain that police forces in the UK are using this technology.

Companies openly publicise the use of this tactic by law enforcement

There is a substantial amount of information in the public domain about cloud extraction technologies including how they work and the types of information that can be extracted.

In January 2020 we published our research findings and they were covered in international media publications. Based on publicly available information the research includes how this technology works, the different commercial tools available and the types of data that can be obtained. We have also highlighted the use of facial recognition in relation to cloud extraction technologies and the ability to undertake continual tracking.

Mobile phone extraction

Privacy International revealed a number of years ago that police forces in the UK were using mobile phone extraction technologies. This has been widely publicised and in particular the use of extraction technologies against victims of rape has been a subject of considerable media reporting.

It is therefore in the public knowledge that police forces use mobile phone extraction technologies which obtain information that is on the physical phone, for example relating to social media and messaging apps, which is similar to the types of data that can be obtained using cloud extraction techniques.

Public interest

There is a serious purpose behind this request given the growing use of cloud extraction technologies by law enforcement and the apparent secrecy around its use in the UK.

Cellebrite, a prominent vendor of this technology, noted in its Annual Trend Survey that in approximately half of all investigations cloud data 'appears' and that 'typically, this data involves social media or application data that does not reside on the physical device.' This indicates use of cloud extraction technology.

Given this is an increasingly popular technology with law enforcement, it is in the public interest for there to be transparency around the use of this technology. Such transparency will allow for a public discussion of the necessity and proportionality of the use of cloud extraction technologies, as well as allowing for better accountability with regard to its use, including more effective regulatory oversight.

Yours sincerely,

Ksenia.