Law enforcement agencies are increasingly using extraction technology to access data saved to the cloud, according to Privacy International citing a YouGov investigation it commissioned. PI further warns that emotion and facial recognition technology can be applied to extracted data such as photos.

When law enforcement confiscates a smart device, officers can easily extract tokens or passwords to access sensitive personal data stored in iCloud or apps such as Uber, Instagram, Slack, Gmail, Alexa and WhatsApp. This technique affects not only the phone owner’s data, but also that of their friends. This practice creates a security risk for vulnerable data saved on third-party servers.

Although services such as WhatsApp promise end-to-end encrypted messaging to secure conversation, extraction technology deployed by law enforcement successfully bypasses this encryption.

YouGov found that 45.6 percent of Brits haven’t given much consideration to what happens to app-generated data stored on their phone, while 44.3 percent are unaware that phone apps use cloud storage. Most concerning is that 47 percent of respondents said they don’t really understand what cloud computing is.

Cloud extraction technologies allow law enforcement to run emotion and facial recognition on media stored in the phone, explains Camilla Graham Wood, solicitor at Privacy International, further adding that these methods can also be used “to conduct continual monitoring of an individual’s social media without them ever knowing.” While there is some transparency around the use of mobile data extraction, almost no information is offered about cloud extraction technology available for law enforcement, she says.

Once police officers gain access to user credentials, they have access to all the data including posts, likes, events and connections.

Surveillance tech company Cellebrite announced in its Annual Trend Survey that almost 50 percent of police investigations involve cloud data and that “[t]ypically, this data involves social media or application data that does not reside on the physical device.”

In 2018, Cellebrite revealed it had developed technology to unlock most, if not all, devices running iOS, as well as many Android devices.

Privacy International fears big tech companies are not genuinely interested in protecting customer data. It is now publicly urging the 17 tech companies targeted by extraction surveillance to come forward by January 17 with their position on the matter. These companies are Amazon, Apple, Dropbox, Facebook, Fitbit, Google, Huawei, Instagram, Lyft, Microsoft, Samsung, Slack, Snapchat, Telegram, Twitter, Uber, WhatsApp and Yahoo.

“Much of this data is uploaded to the cloud, often without our knowledge, by the big tech companies. These risks making our personal data more vulnerable, not more secure. There is an urgent need for the companies who we entrust with our data to ensure they protect it from the tech which can be operated by unskilled operatives at the push of a button,” added Graham Wood.

“It is a matter of urgency that law enforcement act with a greater degree of transparency in relation to the new forms of surveillance they are using, and that laws which are designed to protect against abuses are updated.”

Article Topics

access management | biometrics | cloud services | data protection | data storage | emotion recognition | facial recognition | law enforcement | Privacy International