With the advances in technology over the past 10 years we now carry so much information in our laptops or smartphone. Much more information than we would have carried previously. Jonathan Wall of Burton Copeland Solicitors explains what type of data we hold, how it might not be as secure as you think and how it can be obtained and used against you by law enforcement agencies.
Can the police get into my phone or electronic device if they don’t have a password?
The answer is, probably. It depends on whether the data behind the password is encrypted and how secure that encryption is. Encryption essentially turns data into an unintelligible mess unless you have a password, but let’s look at some examples and look at ways that investigators can potentially get in through the back door.
1. PC’S OR LAPTOPS
The latest versions of windows have the option to password protect folders or areas of the hard drive. This encrypts the data within and ties the password to the user’s account, so you only have access to the files if you’re logged in as the right user. In most cases there is simply a password to allow access onto the PC. Investigators or computer forensic examiners would use software to bypass the password function and gain access to the software behind it. Even if particular files, folders of partitions are protected with high level encryption it does not guarantee that law enforcement (or anybody else who gains possession of the item) cannot gain access to the data. Most electronic devices such as tablets, computers and phones contain a dictionary or keystroke or keywords register. This means that everything that has ever been typed on the device is recorded in a file on the drive. This file is usually used by the device for things like predictive text or even spell checking, but allows an individual wanting to gain access to encrypted areas without a password to import this list of words into other software in order to perform a “dictionary attack”.
If there was no such list it is still possible to gain access by using a “brute force” attack. This is where software is used to hack into the device. Starting at “a”, then “aa” and using every letter of the alphabet, number and keyboard symbol the software runs until such time as the password is cracked. The time is takes, is clearly dependant on the password, when people talk about the use of “strong passwords” this is exactly the reason why. The more complicated the password the more difficult it is and the longer it takes and may not be worth doing.
2. MOBILE PHONES & TABLETS
Most smartphone have the facility for a password, fingerprint or even facial recognition to lock out unwanted users. Many devices have anti-brute force attack mechanisms which automatically wipe all data if an incorrect password is repeatedly entered. One such case of a phone in this category took place in February last year when a Court in California was requested to order Apple to create new software that would enable the FBI to unlock a work-issued iPhone 5C which was recovered from a terrorist involve in an attack in December 2015 in San Bernardino, California which killed that killed 14 people and injured 22. The phone was protected by a 4 digit pin but had software capable of wiping all data if incorrect code was entered 10 times. The case was scheduled to be heard on 22nd March 2016 but the day before the case was dropped when the FBI announced that they had hacked and gained access to the phone.
Clearly the more up-to-date the software or operating system the harder it is to gain access to. I am reliably told that unless they have the latest software updates, many older devices are accessible even with a very strong password.
Do I have to give the police passwords or pin code to my computer or phone?
The short answer is no, as per the caution given by police when people are suspected of committing an offence; “you do not have to say anything” so no, you do not have to provide the pin codes or passwords. In certain circumstances you may get yourself into further trouble by not doing so, but these situations are very rare. For example, if you are served with a notice contrary to S49 Regulation of Investigatory Powers Act 2000 (S49 RIPA Notice) (part iii), this requires that you do provide such passwords or “keys” to open such devices and failure to do so is a criminal offence for which you could receive up to 2 years imprisonment or 5 years imprisonment for cases involving national security or child indecency. It should be noted however that these notices cannot be issued by ordinary members of a police force and must be issued either by officers from the National Crime Agency (NCA), Her Majesty’s Revenue & Customs or the Security Services (GCHQ, M15 or M16).
The other power that authorities have falls under schedule 7 of the Terrorism Act 2000. The act and Codes of Practice allow Police, Immigration and Customs Officers the power to detain individuals at borders (either entering or leaving the UK) and request that they provide any information they wish, even in circumstances where they have no prior suspicion that a person is a terrorist or carrying unlawful material. All they are required to consider is that the person may be involved in terrorism. The power has been interpreted as allowing the authorities to demand passwords from traveller and also to copy the content of their phones or other electronic devices. The power also allows the detention and questioning (without access to legal advice) for up to 9 hours.
This power was used in 2013 against David Miranda, the partner of the former Guardian journalist Glenn Greenwald who was stopped at Heathrow Airport on 18 August 2013. He was alleged to have been carrying encrypted GCHQ files and was detained and had a number of digital storage devices seized from him. In a challenge to the high court he alleged that the authorities had acted unlawfully , but this challenge was rejected by the Divisional Court who confirmed that the Metropolitan Police had acted within the legislation.
What information can the police get from a phone?
Smart phones nowadays hold absolute masses of information, some of the most common pieces of data of interest to investigators are:
- Keyword / keyboard strokes – they will know what you have ever typed, every word in every text or whatsapp message, email, document, password or internet search.
- GPS data – can show not only where you’ve been, but also how fast you travelled. Used by police routinely following road traffic collisions. As is the “events log”, so if you were reading an email whilst driving down the motorway, it’s likely that the authorities will find out.
- Internet history – what you have searched for, what you have seen and when you saw it.
- WIFI data – similar to GPS this can be used to locate where the phone was at any given time and is often used to track the movements of a phone.
- WhatsApp – you might think these are encrypted, but they are only encrypted whilst they are being transmitted, if the police have gained access to your phone, they can read your messages.
- Call data, who you spoke to and when.
Of course they’ll also have access to photos, videos, text messages even if they are deleted, most people will confess to having either taken or received a dodgy pic at some point on their phone.
What is the most common way to gain access to a locked phone or computer?
1. ASK YOU FOR IT
In the majority of cases that is what we see, the police or other law enforcement agency obtains the password by people simply being asked and voluntarily handing it over. I’d suggest that those people fall into a number of categories;
- i) Those that believe “there is nothing incriminating on my phone” which might incriminate them. But, a person might be arrested for a drugs offence and the police discover other data such as video or GPS data showing that they have driven dangerously and vice versa somebody may have been arrested following a road traffic collision and police discover an involvement in drugs. This prompts other question; do you know exactly what is stored on your phone? What about if you were told that even if you delete a photo or text, you don’t actually delete it, only the route to it and it is likely to be recoverable. What if I told you that if you downloaded the entire memory from a modern smart phone with an average memory and printed it, it would amount to several thousand pages, could you actually say what was on each page? I doubt it.
I have acted for clients in these situations on many occasions, where they have not taken advice and police have gained access to sensitive private images or evidence relating to other crimes that the police had no prior knowledge of.
- ii) Those who know “there is nothing incriminating on my phone” – even though you may not have been involved in criminal activity. Ask yourself this, do you want to share everything on your phone with the world and his dog? Intimate photographs or messages. Even if you are not prosecuted in relation to the offence for which you were arrested, somebody else may be, and the contents of your phone may be disclosable to parties involved in those proceedings.
- iii)Those that are bullied or are psychologically weak due to the circumstances they find themselves in. Officers will often simply ask for details of the pin codes and passwords in the hope that they will be volunteered. I have then heard clients tell me of situations whereby officers’ questions has become more oppressive…
- “Why won’t you tell me, what have you got to hide?”
- “We have the power to force you to tell us, we don’t want to go down that route, because you’ll be guilty of another criminal offence, so just tell us”.
People in those situations feel vulnerable and when faced with authority, it is not surprising that people hand them over. Remember an ordinary police officer cannot issue a S49 RIPA notice; it must be an officer from the NCA.
2. THEY’LL GUESS IT
In many criminal investigations, the police will seize other items which may give a clue to the password. People often write their passwords down in diaries, and even when written down in code form (as below) they are not hard to crack. Law enforcement agencies can use other things like social media to gain access to other information such as names of a wife or child or their birth dates which people also often use. They may also gain access to other devices where the password is the same.
3. GAIN ACCESS TO A BACK UP INSTEAD
You may have facial recognition, a 16 digit password and the latest in IOS operating systems on your new iPhone 8, but it is of absolutely no use if it was synced to your laptop and the police have that.
Similarly people often use external hard drive to create backups of hard drive on PC and laptops ensuring that family pictures are not lost forever should the computer be lost or stolen. Many of the software solutions used will copy a lot more than the family albums.
If you are affected by any of these types of issues then it is important that you obtain legal advice which may be free of charge from a solicitors firm with a legal aid contract.