Smartphones 'remotely wiped' in police custody, as encryption vs. law enforcement heats up

British police are warning that smartphones in custody for forensics and ongoing investigations are being remotely wiped, potentially killing vital evidence.
Written by Zack Whittaker, Contributor
Image: stock photo

British police forces have complained that as many as six smartphones seized have been remotely wiped in the past year, potentially killing vital evidence as part of ongoing investigations.

The somewhat comical angle from the BBC News on Thursday was that Cambridgeshire, Derbyshire, Nottingham, and Durham police "don't know how people wiped them."

Here's a hint, police: "Find my iPhone."

The issue stems around the technology that allows users to remotely wipe their device, and potentially corporate secrets and personal information, in cases where their devices have been lost or stolen.

Most modern phones come with this technology: Apple iPhones, Android and Windows Phone devices all do. In many cases, like with BlackBerry handsets, company IT administrators can also remotely wipe data.

But this poses a problem for the British bobbies. The report said, citing one forensics expert, "If a device has a signal, in theory it is possible to wipe it remotely."

Police often use radio-frequency shielded bags, or even microwave ovens (so long as they're never turned on) to prevent cell service from getting through. However, in some cases, even that short period of time after a device has been seized can be enough to send through a remotely-activated data kill switch.

Law enforcement in the U.S. over the past few weeks have complained at Apple and Google's move to encrypt data on their devices by default, forcing police and federal agents to go to the device owner, rather than to the company themselves.

Apple's "Find my iPhone" can remotely find, and wipe, an iPhone or iPad.
Image: CNET

Many U.S. federal agencies, including the FBI and the NSA, complained that Apple and Google's encryption efforts will hamper investigations. Drug dealers, pedophiles, identity thieves, and other violent criminals will be able to evade capture, they say, with the FBI Director James Comey criticizing Apple for allowing its customers to "place themselves beyond the law." 

That was, on the most part, just scaremongering. The Guardian's Trevor Timm described the cacophony of complaints as a "misleading PR offensive."

Now that same Apple, Google vs. U.S. law enforcement effort may be slowly making its way across the pond.

There are some issues to take into account regarding the U.K.'s case.

Firstly, failing to hand over your encryption keys — in many cases for smartphone owners, that's your passcode — can land you in prison for up to two years. Under the U.K.'s surveillance laws, dubbed RIPA (Regulation of Investigatory Powers Act), a court can force the handover of these keys, or face contempt charges. This is a massive breakaway from the U.S., which has the Fifth Amendment right to protect a U.S. person against self-incrimination.

Also, remotely wiping a device that's in (or about to be in) police custody can also land U.K. persons in trouble. Prosecutors could easily argue that data stored on a smartphone could help an investigation, and interfering with that could lead to additional charges landing at a person's feet.

The problem lies with this delicate balance between privacy and the need to appease law enforcement. Crimes are committed all the time. There's little doubt in anyone's minds that smartphones and the vast amount of data they hold can be crucial to police efforts. But it doesn't mean they should automatically have access to them.

The U.K. is a little more flexible with its laws, thanks to a uncodified constitution, which precludes the British public from such U.S.-style laws, such as the protection against self incrimination and the protection against unwarranted searches and seizures.

What's next?

While the U.S. plays a game of cat-and-mouse between law enforcement efforts and the smartphone makers, the U.K. could — and probably will — act legislatively. 

Which, don't be surprised at. This, after all, is the country that passed new data retention powers into law just weeks after the European Court of Justice ruled that such laws were unlawful

Editorial standards