MSAB response to ICO Report on MPE
In 2018 the Information Commissioner’s Office in the UK instigated an investigation into Mobile Phone Extractions (MPE) by police forces in England and Wales when conducting criminal investigations.
The investigation report was published on 18 June 2020. It challenges the appropriateness of some of the current police practices in MPE and provides further clarity about data protection legislation for those responsible for processing personal data.
Mobile phone data extraction by police forces – Investigation report June 2020 Version 1.1
The report adds further clarity for stakeholders in the field. Mobile forensics and data processing is a complex area, where multiple interests and laws have to be balanced. The ICO’s recommendations include calls for improved practice and additional steps such a national consortium of relevant organizations. As a leading OEM of digital forensic and analysis solutions, MSAB continues to support law enforcement agencies on best practice for MPE and the implementation of practical solutions to meet these recommendations.
The report contains a number of proposals which combined will have a significant impact on those responsible for and working with MPE solutions in their organizations. A key conclusion from the report is the need to ensure the police take account of data privacy obligations to keep the data secure. In this document we offer further guidance on how to minimize intrusion and maximize data privacy, where possible, by using technical features in our existing product suite to meet the recommendations in the report.
Recommendation 10 highlights the need for customers to constantly review their process and technologies to ensure “privacy and thus security by design” is a default consideration – something MSAB is focused on ensuring our solutions always deliver.
MSAB offers you the only truly secure end to end mobile forensics solution on the market. We have constructed a complete eco-system solution for MPE designed to keep extracted data as secure as possible. We provide a range of options to ensure that users can perform proportional searches for data that takes into account data privacy responsibilities.
MSAB Professional Services can advise customers on all of these topics in a consultancy position. We can offer guidance on the various features and functionality available in our tools that support a full ‘privacy & security by design’ approach, as well as enabling many of the other ICO report recommendations.
Here are ten different ways that MSAB technology and services can assist you:
1. Technology Refresh
Recommendation 10: The technology used by police forces in extracting data should be updated and future procurements should take account of privacy by design principles to ensure it supports the forces in complying with their legal obligations.
Privacy by design is built into XRY. The unique extraction functions in XRY such as the “Specify file categories and time span” option in the XRY step by step extraction process, helps meet the principles of data privacy for MPE.XRY Triage Settings can be pre-configured by administrators or dynamically used by examiners in this step, to extract only specific data categories (e.g. Pictures only) or for a limited time period (e.g. last 30 days). This limits collateral intrusion and reduces the need for excessive data retention. The feature helps protect sensitive personal data, where possible and also has the benefit of potentially reducing extraction times.
2. Privacy information
Recommendation 8: To meet the standards required for fair processing, police forces should make improvements to their engagement with individuals whose phones are to be examined, to ensure they fully inform those individuals about what is being proposed and what their rights are. This will involve providing detailed privacy information and working to improve the current notices given to those whose phones are to be examined.
XRY allows for targeted precise individual file extractions as part of the built-in privacy by design principles. There is a ‘File Selection’ only extraction option to allow users to extract individual files which allows LEAs to demonstrate that they have taken all reasonable steps through policy and technology to mitigate the risks associated with holding sensitive personal data taken from mobile phones, that was not relevant to the investigation.
Witnesses and victims can see the contents of their mobile devices in the technology and advise examiners which individual files, such as a specific picture or video is relevant for extraction from the device. This process will then only recover the selected files as part of extraction process. This also allows for quicker evidential extractions at crime scenes and allows victims and witness to have their mobile devices returned immediately.
3. Processing Limitation (Section 4.6, page 56)
Recommendation 6: Early engagement between the police & prosecutors in order to allow the extraction, further processing and disclosure of mobile phone data to be more targeted such that privacy intrusion is minimised.
XRY data files can be saved as sub-set of the original extraction in our XAMN analysis and review platforms.
For example, certain items identified from an original MPE of a device can be selected and saved into a new XRY subset file to minimise privacy intrusion. For example, if the case relies on just a few key data artifacts for example: 2 pictures, 3 contacts, 1 location.
An XRY file containing only that information can be generated for safe onward transmission with other key stakeholders in the case, such as the prosecution and defence to ensure data privacy principles are maintained.
An XRY sub-set file is clearly marked as such and this feature allows examiners to review and remove ‘sensitive data’ as defined under data protection regulations to minimize data intrusion as recommended on page 33, section 2.4.2 of the report.
4. Non-Relevant Materials (Section 4.5, page 56)
Recommendation 5: Police forces should put in place more robust policies and procedures to ensure the appropriate handling and deletion of data that has been extracted but that is not relevant to a particular investigation.
The XRY forensic file format has built in protection and encryption with a secure forensic file container by design, to ensure a secure chain of custody of digital data. Coupled with built in encryption and password protection options it provides evidential security and privacy controls.
This helps to avoid the risks associated with MPE data stored in open file formats e.g. HTML/XML/PDF style reports, which are inherently insecure and can be read by anyone with access. XRY requires a dedicated application to read the contents, which helps ensure important safeguards remain in place by default, to protect the data at every stage. LEAs need to demonstrate sensitive processing takes place only when strictly necessary, and effective safeguards are in place to prevent unauthorised access or disclosure. XRY allows forces to demonstrate that they are taking all reasonable steps via technology to mitigate the risks associated with holding personal data taken via MPE.
5. Logging (Section 3.6, page 51)
Controllers (or processors if they are processing personal data on behalf of the controller) must keep accurate logs for collection processing operations (Section 2.2.8). This is particularly the case where forces are yet to implement any form of digital asset management system and a number of disparate systems are used. In this case, there is a reliance on contemporaneous notes and statements made by officers. In the absence of an end to end system, forces are reliant on an investigation officer’s notes or records as the log. Depending on the accuracy and thoroughness of this record, it will make it more difficult for forces to demonstrate compliance with the legislation and may make it harder for data subjects to exercise their rights.
A fully accessible and open forensic audit log file is created for every MPE extraction performed in XRY. This documents all the processes and actions taken on the device in atomic detail, to generate the MPE and it is automatically built into every XRY report by default.
Whilst embedded in the report, it can also be produced separately as an independent report document as required to show compliance.
6. Standards and accreditation (Section 4.4, page 55)
Recommendation 4: Certification to ISO/IEC17025 international laboratory standard. It is important that there is confidence in the integrity (and hence accuracy) of the data extracted from devices. Police should complete their work to ensure that they are conforming to the standards underpinning the integrity of MPE, as required by the Forensic Science Regulator.
To support ISO 17025 standards and Streamlined Forensic Reporting (SFR) guidance, we now offer XRY frontline solutions (Kiosk/Tablet/Express) with built in functionality in the workflow to aid with automated Forensic Statement generation.
Data entry is captured in the workflow and integrated into the SFR template to ensure automatic generation, aligned to UK national standards. This aids early engagement and focus on reasonable lines of enquiry and is consistent with the report recommendations.
7. Consistency (Executive Summary, page 8)
Recommendation 3: LEAs should collaborate to improve the consistency of authorising data extracts. This should be implemented countrywide, to increase public confidence in the accountability of the police and the criminal justice process when undertaking these intrusive actions.
The investigation found that the ways the different laws governing data protection, police investigation and evidence gathering intersect in MPE operations provide challenges to police forces in achieving consistent and compliant practice.
MSAB offers powerful solutions to ensure consistency and compliance across the board. Turnkey configuration for Kiosk/Tablet/Express solutions include a pre-defined workflow process. This is customised to specific organisation business processes, to ensure consistency of use and alignment to force policies and ISO forensic standards requirements.
This allows adherence to Level 1 and 2 extractions as defined on page 38 of the report in the Overview section and ensures all users perform MPE in exactly the same way.
8. Security Principles (Section 3.3.6, page 48)
There must be adequate measures in place to ensure the appropriate security of data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, according to the sixth principle. In order to undertake a data extraction, staff are required to identify and authenticate themselves with the extraction devices, and this provides a basic level of assurance.
Credentialed access and controlled permissions are built into our frontline solutions: Kiosk/Tablet/Express. These include full login controller access and configurable role-based permissions to ensure users are only accessing the capability, and functions that they are approved and trained for in their organizations. This meets the requirement for data security, that in order to undertake data extraction, staff are required to identify and authenticate themselves.
In addition, when combined with our XEC Director Management Tool there is capacity to log all user access and activity across an entire digital forensic network. Data Protection Officers can centrally approve and monitor all user access to ensure security of data.
9. Security Principles (Section 3.3.6, page 49)
There is the potential for kiosks to be networked and for extracted data to be transferred to a server, in which case the transfer would take place through a secure and encrypted channel. This would be positive from an information management perspective to ensure the integrity of the data, and minimise the exposure of data, notwithstanding any cyber risks that could arise.
The MSAB Ecosystem combination of Kiosk with XEC Director offers the most secure networked MPE solution available in the marketplace.
Our technology has been tried and tested in largescale operational environments for well over 5 years with a number of global law enforcement agencies. MSAB offers the only truly secure end to end mobile forensics solution on the market.
We have constructed a solution for MPE designed to keep extracted data as secure as possible. We offer hardened network security protection mechanisms and our technology has been subjected to penetration testing. It is fully equipped for secure network connectivity on modern LEA IT networks.
XEC Director allows for encrypted channels, secure file transfer and hash checking of file delivery. Features that enable safe encrypted data transfer are recommended in the ICO report as a positive step forward from an information management perspective, to ensure the integrity of the data and minimise the exposure of data.
10. National Training (Section 4.9, page 58)
Recommendation 9: A national training standard should be introduced to ensure all those involved in mobile phone extraction are aware of their legal obligations.
MSAB offers fully certified user training, either online, on-demand or onsite. We offer a full suite of Train-the-Trainer programs available to forces ensuring that users are properly trained, certificated, and refreshed on the latest technology and procedures.
In addition, MSAB is involved in the FORMOBILE project which aims to define a new dedicated MPE standard together with a new universal training curriculum. This new training curriculum will help forces meet their obligations of Recommendation 9 to ensure there is a national training standard to ensure all those involved in MPE are aware of their legal obligations.
MSAB solutions are in a continual state of ongoing development, just like mobile device technology which itself, is constantly developing. As a result, it is vital that LEAs keep up to date on the current MPE technology solutions.
We are proud to have supported our customers for the last two decades and we will continue that work to constantly evolve our digital forensic capabilities in the future. MSAB will ensure that we offer users the most secure and technically capable solutions in the industry.