In the heyday of European imperialism, conquistadors and merchants bought entire islands and countries in exchange for coloured beads. In the twenty-first century our personal data is probably the most valuable resource most humans still have to offer, and we are giving it to the tech giants in exchange for email services and funny cat videos.
Yuval Noah Harari
During my first week back in uniform, and covering a new force area whose satellite images look far greener than anything I’m used to, a colleague and I took a report of a burglary. The complainant, who had a history of drug use and had been house-sitting for his brother and sister-in-law, clearly wasn’t telling us the full story. He had alleged that a couple of acquaintances, whom he had ostensibly invited over for an evening of gaming on his brother’s Xbox, had returned to the property after dropping him off at the chemist in the town centre, and had stolen the console along with some jewellery and other electrical items. He said that he had overheard the men in the car before the burglary took place, talking about how much they thought an Xbox would be worth.
The point of access had been a bathroom window on the ground floor, which the complainant asserted was always kept locked, but when he added that just before they left for town in the morning one of the men had asked to use the bathroom, I was satisfied that I had reasonable grounds to suspect the two men of having committed the offence. The following morning, none of the stolen property was present during searches at either of the men’s addresses following their arrests. Despite the inconsistent accounts given in interview, I suggested to my colleague that as forensics wouldn’t take the case any further, given that each suspect had lawfully been at the address within the week, it didn’t look like there would be sufficient evidence to charge them. “Unless these two have been stupid enough to text each other about the Xbox in the days since,” I said, “this job isn’t going anywhere.”
As luck would have it, and flying in the face of the experience-hardened criminals I’d become used to in my years within investigative roles, stupid is exactly what these individuals were. Despite living within half a mile of one another, they chose to host their conversations about how they would offload the console, laptop and jewellery on the very retrievable format of a WhatsApp message thread, which neither of them had thought to delete. Being a weekday, the in-house data-retrieval office was open, and the text messages were made available in an evidential format while the suspects were still in custody, and with plenty of time to approach the CPS for a decision. The pair were duly charged with the burglary, and I received word from their solicitors in the coming weeks that there would be no trial after all, as each had changed their plea to guilty.
The increasing use and expectation of mobile phone evidence in police investigations is unsurprisingly correlated with the proliferation of the public’s reliance on the technology. Gone are the days where personal mobile phones were used primarily to arrange real-life interactions, by making calls and sending the occasional text-speak messages. Now, we seem evermore satisfied to allow our surrogates to do the living for us online, succumbing to the pressure within our avatars’ world of incentives calibrated by binary testing and algorithmic research, evermore quick to capitalise on the proximate goals of our evolutionary history and need for social interaction and reputational maintenance. As Yuval Noah Harari wrote elsewhere in Homo Deus:
Twenty years ago Japanese tourists were a universal laughingstock because they always carried cameras and took pictures of everything in sight. Now everyone is doing it. If you go to India and see an elephant, you don’t look at the elephant and ask yourself, ‘What do I feel?’ – you are too busy looking for your smartphone, taking a picture of the elephant, posting it on Facebook and then checking your account every two minutes to see how many Likes you got. Writing a private diary – a common humanist practice in previous generations – sounds to many present-day youngsters utterly pointless. Why write anything if nobody else can read it? The new motto says: ‘If you experience something – record it. If you record something – upload it. If you upload something – share it.
This is no sermon, and I am no less guilty of this acquiescence than anybody else. It would serve us all well, however, to acknowledge that the modern world is inextricably-entwined with a competition for our attention. You may have noticed, for instance, that Netflix has recently adopted a five-second countdown before it plays the next episode in a series, barely giving us time to ask the question: “Shall we watch another one?” before the choice is made for us. As we try to make what choices we can among these competing distractions, we leave behind us a trail of data, and perhaps nowhere is there a richer source of this information, ripe for development and potentially exploitation, than on our smartphones, on which we allow (and are thankful for) the mass-storage of our lives’ detail and intricacy.
In my last role, predominantly investigating allegations of domestic abuse, I spent a vast amount of time submitting applications under the Regulation of Investigatory Powers Act (RIPA) 2000, seeking authority from the “designated person” (a police superintendent, necessarily independent of the investigation) to obtain communications data from a mobile phone network. A garden-variety investigation would involve an allegation of harassment, where a complainant suspected that their ex-partner was responsible for the stream of abusive text messages and silent calls placed during all hours of the night. Following the initial application for the telephone number’s user information (authorised by an inspector) almost invariably being returned saying: “pre-pay SIM, no user details held”, the next job would be to submit an application for call data covering the period of the harassment and perhaps some weeks either side. Having received this data—a spreadsheet showing the dates, times and telephone numbers with which the target number had had contact—I would then go to work on identifying organisations within the call list that might hold personal information against the target number. Dominos and other food-delivery companies are usually a good bet, as are taxi firms. Next would come an application to these organisations for what information they hold, usually being a name and address.
Given the frequency with which such applications are now required, most forces have now streamlined this process using IT. There is no need to speak with the superintendent directly; instead the application (a quite lengthy and time-consuming document) is submitted via a programme and the superintendent is notified via e-mail that a submission awaits their review. The feature of this process relevant to our discussion is the rightly high level of authority required to obtain these data. The information received only consists of a series of numbers on a spreadsheet, along with a name and address if the SIM is registered, and text message applications only retrieve the dates and times messages were sent and received (not their content), but given that the end-user will be able to read all of these interactions, and potentially learn whom these interactions were made with, the invasion of privacy and relevance of Article 8 (enshrining a “right to respect for [an individual’s] private and family life, his home and his correspondence”) of the European Convention on Human Rights, enacted in the Human Rights Act 1998, is reflected and sufficient safeguarding is mandated.
RIPA also covers police surveillance authorities, such as directed surveillance (requiring a superintendent’s authorisation), where specially-trained officers will follow an individual while out in public, usually in the expectation of obtaining evidence of the commission of a crime, and intrusive surveillance, where covert audio and video equipment will be placed within an individual’s home (requiring a chief officer’s authority). Incidentally, the principle in law currently being distilled in the “upskirting” debate seems to have a corollary here. The legislation stipulates that where a device being used for the surveillance isn’t actually inside the target’s residence or private vehicle, the surveillance “is not intrusive unless the device is such that it consistently provides information of the same quality and detail as might be expected to be obtained from a device actually present on the premises or in the vehicle.” Analogously, the position of a camera relative to a skirt, where it captures what would otherwise only be captured in the privacy of an individual’s own home etc., is considerably more intrusive and this ought to be reflected in law.
It may seem surprising, but the physical download of a smartphone, despite the order of magnitude by which it surpasses a spreadsheet in investigative utility and privacy-intrusion, requires no comparable authority from any rank independent of the investigation. So long as the device has been lawfully seized, as the two belonging to the men were in the opening paragraphs under s18 of the Police and Criminal Evidence Act (PACE) 1984, they can be downloaded and all their information retrieved so long as no communications are actually intercepted (wherein incoming messages, not yet received by the phone’s user, are read by the police). I for one think it rather odd that this intrusion into one’s private life, especially in the context of the wealth of information available on a smartphone, is not regulated specifically in legislation.
When a mobile device is downloaded, the software used usually generates a PDF document (often tens of thousands of pages long), which includes the phone’s contents in their entirety. This document is helpfully split into chapters (including “SMS messages”, “WhatsApp”, “image files” etc.), but the whole document is also, rather usefully, searchable by keyword (as most documents are using the CTRL+F function). I have heard recently about forces experimenting with software, where these PDF documents, as well as being sent to the officer requesting the download, are added to a searchable database. This, to me, seems inherently unethical. If I am arrested under suspicion of some domestic harassment allegation, and WhatsApp messages on my phone are used in evidence against me, it is bad enough that the officer investigating the offence may also catch sight of a conversation with my friend about his alcoholic father, his battles with mental ill-health, or even his peculiar political beliefs. It is surely worse still, however, for this information to be held on a database, so that the purpose for my phone’s initial seizure is no longer relevant and these conversations are made available for the perusal of any other officer who happens to type a search term which brings them to these conversations.
The subject of this piece is a particularly expansive one, but before getting dragged down a tangent any further, it is worth emphasising the point that any subsequent or ultimate use of these data is no necessary criterion for the invasion that Article 8 was enshrined to offer protection against. The state’s collection and mere sight of these data is alone sufficient to constitute the intrusion into one’s private life.
These competing goals, privacy and justice, are nowhere more difficult to reconcile than when considering the investigation of allegations of rape and other sexual assaults. The data in question here pertains not to a suspect, however, but a complainant. Is it right that a complainant should have little or no hope of the justice in seeing their alleged rapist or assailant successfully prosecuted unless they are willing to surrender their mobile phone, and all the irrelevant but deeply personal information that it contains, to the investigating officer for tooth-comb scrutiny? This is the key question, and it has no straightforward answer. I do not hold the technicality that the state does not force the complainant to surrender their phone, as it has no lawful power to do so, as a sufficient distinction which addresses the invasion. Such a freedom—to not surrender one’s phone and privacy—seems meaningless if it comes at the expense of justice for so ghastly a transgression.
I have written previously that it is worth considering and accounting for the themes of sexual assault when crafting an investigative policy. Given the gross breach of trust alleged, no policy should commit a further breach by dictating that complainants’ trust should be breached further by myopically lying to them, promising them they will be “believed”, when no such thing can (or should) be guaranteed. Another pertinent theme, naturally, is invasion. Given the horrendous invasion alleged during any sexual assault, particularly involved in one having taken place in a complainant’s own home, it would surely be right to protect complainants where possible from further breaches of privacy.
Such a protection, however and perhaps regrettably, may not be possible. A notable example was the case of Liam Allan, whose exoneration at trial arrived thanks to the complainant’s own text message conversations with her friends, completely undermining her allegations against him. But for the existence, seizure and eventual recognition for what these messages constituted (by Allan’s barrister overnight, no less) who can know what the outcome of that trial might have been? This case alone demonstrates the need for evidence of a complainant’s correspondence. What’s more, it can accurately be said that this trawl through her messages was a fishing expedition. As I understand it, Allan had no specific inkling that his accuser’s mobile phone would be his saving grace, and his barrister Julia Smart conducted the enquiry herself after learning that the police had failed to.
Comparisons to other types of crime are not helpful. While it is true that complainants in cases of burglary or grievous bodily harm are seldom asked to surrender their phones for such intrusive enquiries into their honesty, two crucial features set rapes and other sexual assaults well apart. First, with almost any other type of offence, the question as to whether a crime has actually taken place is not in issue; instead, the pertinent question concerns who is responsible, and specifically, whether the accused is responsible. Burglaries bring with them evidence of broken windows, footprints, ransacked rooms and absent valuables; serious (non-sexual) assaults often yield witnesses, physical injuries and medical reports confirming their gravity. Rapes and sexual assaults seldom yield anything like these kinds of corroborative evidence. Second, rapes and sexual assaults often turn not on the act, but the mindset. The prosecution must prove not only that the complainant did not consent, but that the defendant knew they didn’t consent, or did not reasonably believe that they did. The mindsets of both parties are thus crucial and acutely consequential. Evidence pertaining to these mindsets, naturally inferable from the wealth of information on their mobile phones, is therefore much more probative than in almost any other area of criminality.
Each case must be handled on its own merits, so in answering a question as to whether a complainant’s refusal to surrender their phone alone constitutes sufficient justification to discontinue an investigation or prosecution, I submit that it shouldn’t in all cases, but in the vast majority should. Where there is ample corresponding evidence, demonstrative not only of the fact of the offence but of the offender’s identity, such an intrusion may not be necessary, but as mentioned, this is seldom the case. Absent any suitable compromise, and with the firm knowledge of how consequential such data on a complainant’s phone can be, I find it incredibly difficult to conceive of a variable which would mean complainants’ mobile phones should not be routinely downloaded and scrutinised in allegations of rape and sexual assault. This is not good news for complainants, who, as mentioned, allege already to have suffered a gross invasion of their privacy. It must be somewhat humiliating to have to undergo further invasive processes (especially when following the medical procedures offered in cases reported within the forensic window).
Having long-recognised the difficulties faced by complainants of sexual offences in the criminal justice system, policy-makers have been too quick to implement well-meaning but unprincipled strategies. There are better options available. First, an acknowledgment of the increasing demand of evidential downloads simply must be met with a corresponding supply. (In my force, the current waiting period in low-risk cases for an evidential hard-drive download is in excess of eight months.) We must lift our vision and understand that this demand is only going to get steeper, and have the foresight to equip our forces appropriately to deal with it. The short-term cost of this implementation in technology and staff will repay the investment in a higher proportion of detected crimes, prosecuted offenders, and consequently, fewer future complainants. The clear and unsightly discrepancy between levels of authority for communications data and phone downloads (given that the latter is arguably far more intrusive than the former) should also be addressed with comparable regulation.
Next, continuity of contact between complainants of sexual offences and the police is a necessity. The Met’s Sexual Offences Investigative Trained (SOIT) officers provide a single point of contact for such complainants, and this office ought to be implemented in other forces. The detectives and officers in charge (OIC) of investigations often don’t have the time to maintain this crucial contact, and the neutrality of their role is also best-preserved by managing dealings with the suspect without necessarily having such frequent contact with the complainant. Most importantly, however, complainants should be placed under no illusions of the implications of their choice to proceed with their allegation to prosecution.
We have spent too long and compromised too many principles in trying to find quick and easy answers to what is a very difficult problem. We should acknowledge that there are no easy answers, and not pretend that the path to justice will always be a simple one. Nothing worth seeking isn’t worth the effort involved in seeking it, and justice is no exception. If there must be a trumping value between privacy and justice, it can only be the latter. For if justice is undermined, the institutions which protect privacy (and an assembly of other freedoms) will be undermined too and by that very fact.