As we spend more time using social media and messaging apps and storing files with the likes of Dropbox and Google Drive, and as our phones become more secure, locked devices harder to crack, and file-based encryption more widespread, cloud extraction is, as a prominent industry player says, “arguably the future of mobile forensics.”

“Private cloud-based data represents a virtual goldmine of potential evidence for forensic investigators.”

At Privacy International we have repeatedly raised concerns over risks of mobile phone extraction from a forensics perspective and highlighted the absence of effective privacy and security safeguards. Cloud extraction goes a step further, promising access to not just what is contained within the phone, but also to what is accessible from it.

Your phone, with all the data there for exploitation, becomes the key to unlock your online personal and professional life.

In this context, cloud extraction technologies make for disturbing reading as we grasp how much is held on remote servers and is accessible even to those with limited forensic skills, who are nonetheless now able to acquire push-button technologies that can ‘grab it all’.

Greater urgency is needed to address the risks that arise from such extraction, especially as we consider the addition of facial and emotion recognition to software which analyses the extracted data.

There is a failure to inform the public about new surveillance technologies deployed by the state; an absence of clear, accessible legal frameworks; a lack of discernible action by governments and little to protect the public from data exploitation. The seeming wild west approach to highly sensitive data carries the risk of abuse, misuse and miscarriage of justice. It is a further disincentive to victims of serious offences to hand over their phones, particularly if we lack even basic information from law enforcement about what they are doing.

Cloud extraction technologies are deployed with little transparency and in the context of very limited public understanding: this report brings together the results of Privacy International’s open source research, technical analyses and freedom of information requests to expose and address this emerging and urgent threat to people’s rights.

Mobile phone extraction tools are devices and software that allow the police to download data from mobile phones, including:

Contacts

Call data – who we call, when, and for how long

Text messages

Stored files – photos, videos, audio files, documents, etc

App data – what apps we use and the data stored on them

Location information

Wi-fi network connections – which can reveal the locations of any place where we’ve connected to wi-fi, such as our workplace and properties we’ve visited.

Mobile phone extraction entails a physical connection between the mobile device that is to be analysed and a device that extracts, analyses and presents the data contained on the phone.

However, not only does it provide what is contained on the device itself, it can also be a gateway to the Cloud and to external sources of information. Logins, passwords and tokens extracted from the examined device can be used as valid credentials to extract cloud-stored data.

Cloud extraction (or cloud analytics) is the ability to access, extract, analyse and retain data stored in the Cloud, a term widely used by technology companies to refer to the remote storage of data from applications or devices, typically on a third party’s servers. Examples include Dropbox, Slack, Instagram, Twitter, Facebook, Google products such as My Activity, Uber and Hotmail. We explore the types of data that can be extracted in more detail below.

As cloud storage is increasingly used for social media, internet-connected devices and apps, cloud extraction opens the door to a huge amount of personal information. Reports on the explosion of cloud-based data say that by 2025, 49 percent of data will be stored in public cloud environments. The Cisco Global Cloud Index forecasts the growth of global data centre and cloud-based IP traffic and predicts an increase in the use of public cloud data centres by 2021.