Police to gain powers to grab online data when they seize phones and laptops
Last-minute amendments to a parliamentary bill will give police sweeping powers to access people’s online services and data, including bank accounts, encrypted messaging services, email accounts, and mobile phone apps, without the need for a court order or independent judicial authorisation.
Under the proposed changes to the Crime and Policing Bill, a senior officer will be able to authorise police investigators to extract information from any online account, email services, mobile phone apps or cloud storage, accessed from mobile phones, laptops or tablets seized by police.
Civil liberties groups and academics have warned that the powers will allow police to access huge amounts of highly personal data from individuals’ mobile phones, laptops or iPads, without the need for a court-authorised warrant.
The amendments will provide the police with a “legal frontdoor” to access encrypted communications, such as Signal or WhatsApp messages, or online encrypted email services such as Proton Mail.
Police will also have powers to intercept authentication codes to gain access to online accounts that are protected by two-factor authentication.
Jim Killock, executive director of the Open Rights Group, said the amendments would give police access to all information stored by every app on a phone, including information from dating apps, banking apps and messaging services.
“The police cannot be allowed to mark their own homework when it comes to using such intrusive powers,” he said. “The whole regime regarding seizures of devices needs an overhaul to ensure that, at the very least, there must be sign-off by an independent judge or judicial commissioner.”
Last-minute amendments will avoid parliamentary scrutiny
Legal experts have also questioned why the government has waited until the report stage of the bill in the House of Commons to introduce the amendments (clauses 63 to 70), a move that means they will not receive proper parliamentary scrutiny.
Micheál O’Flynn, a senior lecturer in law at the University of Glasgow, said law enforcement has been discussing the need for greater legal clarity around online searches for seized devices for years.
The question was addressed – in the context of search warrant powers – in a report by the Law Commission in 2020, raising questions as to why the government has left it so late to bring its amendments.
“It really does seem like they’re trying to limit scrutiny,” he said. “And I think there are major questions to be asked about process here as a result.”
Extraterritorial powers
It is not clear if the government has considered the potential international law implications of police officers accessing foreign, remotely stored data from seized devices – a move that could potentially breach international agreements or international law more generally.
Attempts by the Home Office in January to order Apple to facilitate UK access to encrypted communications and data stored by its customers on the iCloud anywhere in the world have provoked diplomatic rows between the UK and the US.
According to O’Flynn, international law governing the rights of law enforcement to access data stored in another jurisdiction is “unsettled”, and it is not hard to imagine police investigations provoking a diplomatic incident.
Police could use stop and search powers to examine the phones and social media accounts, and other private data, of people arriving in the UK, for example, to investigate whether they might have committed communications offences by posting messages that demonstrate racial hatred.
If a traveller is arriving in the UK on business, police could download confidential material from their employers’ cloud services as part of their investigation.
“The fact that the UK appears to be going ahead with this without any real analysis of the potential international law implications here is quite remarkable,” said O’Flynn.
Are the safeguards enough?
The amendments will give police powers to carry out online searches to prevent, detect, investigate or prosecute crime, to protect members of the public from terrorism risks under the Terrorism Act or for restricting an individual’s involvement in threats from a foreign power under the National Security Act.
The amendments may also permit police to take over people’s accounts by changing a password, allowing them to conduct covert conversations with, for example, suspected criminal collaborators.
The police can only use these powers if it is not reasonably practicable to obtain the information by other means, and if doing so is “necessary and proportionate” according to the proposed amendments.
O’Flynn told Computer Weekly that in practice, in a fast-moving investigation, these safeguards may not offer real protection.
“We should not be too quick to accept that the safeguards are going to be sufficient to prevent wide trawls of material accessible to phones and computers,” he said, adding that it was easy in practice for police to make an argument that “it is not reasonably practicable to obtain the information by other means”.
In contrast to most western liberal democracies, the UK has a history of allowing law enforcement to effectively self-authorise for access to communications data – which includes records of calls or emails made and received, the identity of the sender and recipient, and the times they were sent, but not the content of the communication.
Following decisions by the Court of Justice of the European Union, the UK has acknowledged that access to some categories of communications data – such as authorisations for identifying or confirming a source of journalistic information – requires independent authorisation from a judicial commissioner.
The government introduced an approvals process in 2019 for targeted communications data requests administered by the Office for Communications Data Authorisations (OCDA), which became part of the Office of the Investigatory Powers Commissioner (IPCO) in 2024.
“The point here is that these new powers will definitely facilitate access to very sensitive data, and so the question is why a judicial commissioner, court or other independent body doesn’t also have a role to play here,” said O’Flynn. “It’s incongruous.”
Confidential journalistic material and LPP
Although the proposed amendments offer safeguards to protect confidential journalistic material, and material classed as Legal Professional Privilege (LPP), the safeguards do not apply if the protected information is mixed with other non-confidential material.
In practice, protected information will often be mixed with other non-protected material, which means that for practical purposes, police investigators will be able to ignore the safeguards.
“The duty doesn’t apply if it’s mixed data, and it’s not reasonably practicable for the confidential information to be separated from that other information without prejudicing its use in relation to a reasonable line of inquiry,” said O’Flynn. “It is not entirely clear what is permitted with the mixed data in this scenario.”
The amendments do not address other legal protections, including any foreign immunities to data being seized under the new powers. This again potentially raises the prospects of diplomatic incidents, he added.
Stop and search
Killock said the proposal was particularly concerning in the light of police stop and search powers, which have been shown to discriminate against black and Asian communities.
Privacy International warned in 2018 that police use of powers to extract data from mobile phones would create serious risks of abuse and discriminatory practices.
“The basic problem here is that if the police arrest you on stop and search, a random stop, they don’t really need to have evidence of suspicion,” he said. “The reason for seizing your device can simply be that they don’t like your behaviour, and they get a gut feeling that you’re up to something, at which point your phone becomes fair game.”
Source link
