 Ffiscima huluduniais falchia. Gda'r affoddiw nhw, wrth gwrs, ac rydyn ni'n gweithio y twelf-meeting o'r Justus Sub-Committee on Policing of 2018. We have apologies from Daniel Johnson. Agenda item number one is cyber-kiosks. Our business today has taken an evidence session on Police Scotland's proposed use of digital device triage systems more commonly referred to as cyber-kiosks. I refer members to paper one, which is a note by the clerk on paper two, which is a private paper. I welcome to the meeting Diego Kiros, Policy Officer of the Scottish Human Rights Commission, Detective Chief Superintendent Jerry McLean, Head of Organised Crime and Counter-Terrorism Police Scotland, David Freeland, Senior Policy Officer of the United Kingdom Information Commissioners Office and Claire Connolly, advocate who is representing the faculty of agin advocates. I thank members for their written submissions. As always, that is very helpful. If I kick off questions to Mr McLean, the sub-committee first considered this matter on 10 May. This is now our fourth occasion of considering it. The initial questions were all around the legal basis in which this would take place. It is somewhat surprising and disappointing that we do not have something definitive in front of us regarding the legal position that Police Scotland believes supports the deployment of those devices. Can you update us on that, please? Yes, I can, convener. First of all, thank you very much for inviting me along to give evidence today. When I last gave evidence in front of the committee, there were a number of substantive points. As you have said, convener, one of them was around establishing the legal basis as well as some other matters that we will discuss later. We are confident of the legal basis in which Police Scotland applies the law in relation to digital forensics at that time. In part, I tried to give that assurance at the committee at the last time. Since that date, we have written to Crown Office and that was addressed from one of our chief officers, who is the senior responsible officer for the cyber programme, which this is part of the delivery of. We have also taken legal advice in telling within Police Scotland from the legal services department. We still await a response from Crown Office. I have spoken with representatives as recently as yesterday. My understanding is that that has been considered at a senior official level within Crown Office, both across their policy division, their cyber crime division and their serious crime unit. On the basis that I articulated to the committee before, we put that to our own legal services team and they support that position. In summary, that is the powers that I have described to the committee before, but I accept, across some of the document sets to this committee and wider, that we have to be clearer in terms of how we articulate that. Those powers are such that, when we take devices, when we search, seize and retain devices under a warrant, power is conferred by the court and also under some statutory provisions and I think I have provided some examples to the committee around the types of legislation that is available to us, for example, the Firearms Act, the Missus of Drugs Act. More particularly, the advice that was given to us is that it is really important for us to make that distinction to all concerned of the different categories. Distinctions between what is a victim and a witness, where there is no compulsion in the part of those individuals to hand over their devices, and that needs to be on a voluntary basis. Where we do have some powers, which, as recently as 2016, I think were enacted by this building, in terms of the criminal justice act 2016, which allows for arrested persons, so suspects were accused, but arrested now under that piece of legislation for us to search and seize any items in their possession at that time. That is the statutory provision that underpins some of the other statutory provisions open to us. In relation to all the arrested persons, the Criminal Justice Act allows us to search and seize items from those individuals if it is not powers conferred by the court in terms of a warrant. The investigation of crime in Scotland is undertaken—the Lord Advocate is in charge of that—and the Police Scotland undertakes it on behalf of the Lord Advocate. Is it not somewhat surprising that, given that, and everyone wants to facilitate the thorough investigation of crime, there is not something as simple as a letter here confirming your understanding of the position? People will make the clear distinction between statutory authority to investigate under some of the legislation that you have mentioned, the common law, and most of the concerns are about complainers' witnesses. Are you not surprised, given that we commenced this on 10 May, that a committee of the Parliament has nothing to confirm that the Crown Office Procurator of Fiscal Service supports your position? I recognise the frustration of the committee about that. I think that the position may well be described as not being a binary position of whether there is legislation or not, but that Scottish law is based on a number of principles and often competing principles. What I tried to describe in front of the committee here before is some of the statutory provisions that are allowed to police, some of those that were conferred through warrants, as well as some of the competing demands around that and how we are trying to apply the law available to us at this time. It is a complex issue. Some of it is examined in the courts through case law. I think that we have referred to that previously at this committee room. Again, that is what supports the legal basis that we think we are empowered to undertake digital forensics and thereby the potential roll-out of kiosks in the future. Have you had individual discussions? Have you discussed matters with the Crown Office, Mr McLean? Not discussions, but really just follow-up discussions about when we may well get some direction or response from Crown Office. The answer to that was, please. It is under consideration. Okay. Mr Kiros. Thank you. I hope that the committee is not tired to hear from me. Thank you very much for inviting us. I think that I totally agree. I think that it is a very complex issue. That is why we are asking for the clarity. There is a need for clarity. I think it is important to state from the beginning that the lawfulness of this technique is highly fact dependent. However, we can say that there is no legal basis where it is outside of the context of a warrant. This is because it entails a significant interference with article 8 rights, which is not accompanied by the required legal certainty and the adequate safeguards against abuse and arbitrariness. I think that is important to acknowledge. These techniques and the legal basis argued by the police appears to be founded on a wide number of context and statutory provisions arising on many different circumstances. This makes the legality highly fact dependent. It is quite reasonable and foreseeable to say that therefore we do not have legal basis for such examinations on mobile phones. I also have some sympathy for Police Scotland and Crown Office for being able to present to you a robust legal framework that legitimises what is proposed here. We are not the first jurisdiction to face this problem. In 2013, Mr Dust's Cromwell, a Canadian Supreme Court judge, highlighted that the traditional legal framework that would surround search of individuals and their property, requires updating in order to protect the unique privacy interests that are at stake in computer searches. The reason for that is that the search of a computer and, of course, smartphones are computers is not the same as searching a cupboard or a filing cabinet. A warrant that is granted to allow, for example, an office to be searched has the ability to set very strict parameters on that. When you access a person's mobile phone, you do not only access what is contained within the device in your hand, but that is a gateway to the cloud and to external sources of information. I think that the challenge here—perhaps the fact that Police Scotland has returned a number of times and they do not have that clear legal framework that you are looking for—is in fact reflective of the complexity. What we have seen in case law so far is that the Scottish courts, when it comes to, for example, examining mobile devices, rely on the traditional legal approach. In my respectful submission, that traditional legal approach is not fit for purpose. That is a matter that requires to be looked at again. I wonder whether the complexities might be susceptible to trying to granularise the issue. I want to do it in a particular way. Is there a different set of law that applies to the seizing of a phone and then the subsequent searching? Clearly, I can logically—this is not a legal statement—see that it makes sense to seize a phone to protect it because it would be interfered with under some circumstances, even if there might have to be a legal process to allow it to search of that phone, just as the police might secure premises but not have a right to enter and search them to create the model? Is that a reasonable way to look at this problem that it is not a single problem? It is a sort of sequence of different legal competencies or questions that need to be asked. I think that seizing and searching sounds like two useful headaches. Am I right or am I wrong in looking at it that way? I think that that would be a reasonable approach. What underpins both of them is that we are dealing with current technology. The legal regulation of that is the application of laws that, when they were developed, could not have envisaged that we would have this level of technology. Another difficulty is that, when it comes to those who are perhaps making determinations about admissibility of evidence, they are old people like me who use their phone to telephone people and perhaps a push managed to send a text as opposed to my teenage children who use those devices in a very different way. If you were to ask someone who's mobile phone usage reflected my own, I would say that it's probably not that much of an invasion of my privacy compared to doing other things that have always been done, but there is a huge gap, a generational gap in how those devices are used also. Therefore, there is a difficulty in assuming that there is a safety around investigation of those devices because they don't really hold very much information. I'm picking up on Ms Connelly and I suppose Mr Keros's responses there. We've entered into this debate in relation to kiosk, but it strikes me that what we're discussing could be equally applicable in the sense to what's been happening traditionally in relation to hubs. Is that a fair assumption to make? I think that it's slightly different. When, for example, a computer tower goes to a hub, the tower itself isn't switched on, so what happens is that the hard drive of the tower is imaged and there's interrogation and search around that image. It only allows you to search what is contained within the memory of the tower. At no point would you switch on the computer because there's an interference process going on. The difficulty with the kiosks—one of the difficulties in my respectful submission—is that the kiosks turn the phones on. Therefore, you have a gateway to not only what is stored on the SIM or equivalent memory device within that electronic mobile phone or whatever it is, but you can access externally stored data in a way that you can't from the imaging of a computer tower. Having had this process and the difficulties arising from it in a fraud trial, I know very well that when the imaging was done and we were given the imaging, we had to say, what do we do with this? You have to then use programmes to be able to read the image. John McLean was shaking his head about some aspects, so it might be helpful. That would be helpful. If it's helpful for the committee and others, it's just some points of accuracy about that. If I may, and I'm trying not to say too much time, but to come back to Mr Stevenson's point about is there a bespoke piece of legislation that covers this eventuality, I think collectively what we're saying is, no, there's an absence of that. That's why I describe that landscape as being quite complex, but a set of principles and my refer to the 2016 piece of legislation, the Criminal Justice Act, I suppose that's to cover most eventualities for an arrested person, but it does give the power to search and to seize. Now, when you start to question that, you question, seize any material about a power to examine it. In terms to Mr Stevenson's colleagues' piece about a filing cabinet or storage, as a point of accuracy, the kiosk when examining devices, that device will be switched off, and if it has a SIM card, that SIM card will be removed. So it will only be stored data, which then brings it very much in line with the case law, which has looked at stored data on devices and found it to be that the police acted to correct at those times in terms of using the powers to search those devices. But I accept the point about what devices and modern society bring, and one final thing, if I may convener. So we've talked about the article 8 implications. That's something that police work with every day, along with the other various articles, probably more particularly the right to life. In terms of article 8, without going into a legal debate, it's important to note that that's not an absolute right. So there's the importance about the rule of law and the administration of law, and that can be an exception to the article 8 rights. So when I talk about powers conferred by a warrant or by statutory for persons who have been arrested, then I think that we can take consideration of the article 8, but as I say, it's not an absolute right. Okay. I think that we've a number of people wanting in here. Liam, do you wish to come back in? Just to remember, most of Mr Freeland and Mr Goodhouse were both kind of nodding along in agreement. Is the view that the issue around the legal basis extends beyond simply the functioning of the Kiosk process? Yeah, absolutely. I think it's even more serious and significant in terms of interference when it comes to the haps. And the reason for that is because there is extraction of the data, there is retention, and there is management issues. So it involves certainly the right to privacy, but of course data protection laws. So I would certainly agree with you. I think that the issue of the conversations that have been had with Crown Office suggests that what comes back by way of a formal response will capture what Mr Goodhouse has just indicated in relation to the legal basis for the hub process, as well as the Kiosk process. So, with respect, Mr MacArthur, I wasn't supposed to speak on behalf of Crown Office, but I think that it's a valid point. Actually, I would support what Mr Goodhouse is saying there. The intention about introducing the cyber kiosk is about introducing a triage process to stop so many devices going to the cyber hubs. But again, the legal basis for either of those systems is, as in the laws that I've described previously. Mr Feiland and then Mark. Absolutely, I agree. If the more devices are filtered out, less of a privacy intrusion, but that doesn't then get away from some of the data protection risks that are inherent in the hub itself. With the volume of data and questions over the relevance of all the data that is then processed in the cyber hubs themselves, that's a question that we're looking into, as I said in our previous committee meeting, as part of our investigation across the UK into these types of technology. Colleagues have also given evidence on this in Westminster that, concerned about the volume and the relevance of the information that the police are processing from modern smartphones and mobile devices. If I could ask Mr McLean, are you saying that the existing case law is sufficient to be able to back police Scotland's power to both seize and the process of looking at the data once the phone is seized? I think I was asked the question before at this committee where not I felt that there was a legal basis and would I keep that under consideration? From the legal advice that we have taken internally, and we won't suppose what Crown Office would tell us, but from others, we are satisfied ourselves that there is a legal basis from the powers that are described for us to search and seize those items. I think that there's a general agreement across colleagues who have supported some of the reference groups, but a modern society should always keep its laws under review, and perhaps we would be accepting of that. There's a number of complex issues that police have to manage within that legal basis, but we are satisfied at this time that the legal basis that is there has been tested through the criminal justice system. Then you would see no difficulty at present of passing the legal test of foreseeability and accessibility. Yes, but what I would say about that is that we have to be more explicit and I accept that with colleagues through the various groups and consultations that we've done, we may have been to the point that I've been ambiguous about what those powers are, so that's absolutely something. In terms of the quality of law, we need to be more explicit in what those powers are and who they're applicable to so that people have that foreseeable view of what the expectations of what the law can or cannot do to them and what rights they have around about that. That's that distinction, I suppose, and sometimes that distinction between a victim and a witness or a suspect that are unaccused and what powers are available to the police. Whichever the situation is, if there is some ambiguity there, I suggest that there isn't the necessary clarity on the law that is absolutely essential surrounding this whole issue. I think that there's a question about the clarity of the law, but I still think that the legal basis is there to search and seize for the devices. To search all the data and I think that there are some... Well, I'll bring Mr Kuros in here because I think you have, or the Human Rights Commission, certainly has doubts about that and considers that there should, for example, be an oversight, an independent oversight of the use of NPP. Thank you very much. I think that because exactly what we are, all of us are saying incredibly complex framework and which applies in different circumstances. So from that, it's quite difficult, if it's not impossible, to discern the legal powers that the police have to use this technique by self, as the member said, by just applying logic. So there is a lack of specificity of the current law. One of the things that we are asking is that there is a need for that framework. The second point that I wanted to come back was your point about the seizure of evidence. I think the point here from a Human Rights perspective is that the items, the traditional items that are seized by the police cannot be considered and that application of those powers cannot be considered and applied in the case of mobile forms. So there are no separate powers for the examination of seized items and most of those provisions that you're referring are parasitic on other powers. So they have different, that means that they have different meanings and different purposes. And this seems to be all merged into one single legal basis for the use of cybercurses here. So this is particularly different when we are talking about electronic devices and that goes back to the point of the Canadian Supreme Court cases and the U.S. Supreme Court cases, which actually they clearly state and say, and they are thinking that when there are searches and examinations of mobile phones, they should be done within a framework, a legal framework, and that legal framework is a warrant. And there are only very, very narrow circumstances when that, in the case of Canada, when that search is going to be done without a warrant, but it is the pending of the criminal offence. And certainly, in the immediacy of the circumstances, and certainly minor offences will not allow, and the Canadian Supreme Court is quite clear, minor offences will not allow the rational use of mobile extraction or browsing without a warrant. If I could ask the other witnesses that same question, do you think that the legal basis is sufficient? And in particular, Mr Freeland has been suggested that the roll-out should be postponed in DCHR, have suggested that because of their concerns, and I know that ICOs say that there should be no roll-out before other documents, and the data protection impact assessment, I suppose, information is fairly in place? Well, we've now seen a copy of the data protection impact assessment and provided substantive comment back to Police Scotland on a number of the issues, which Mr McLean is taking that on board, and hopefully we'll have a revised version of that. One of the questions was around the legal basis. It was not sufficiently clear to us what that basis was, not an expert in criminal law, so we do need Police Scotland in this case to spell it out for us what that is. Until that's there, we can't be clear that it's lawful, and therefore, if it's not lawful, data protection law says that processing of personal data needs to be lawful, and if we can't quite clearly evidence that, then there is still that question. I would question whether it can go ahead. I'm not to be an expert in human rights law either, but I will note that the law enforcement directive, the EU law enforcement directive that sets out the rules for processing personal data for law enforcement purposes, contains in its recitals or reiterates that member state law must be precise, clear, foreseeable and accessible as well to echo and in compliance with the rulings of the EU courts and the European Court of Human Rights. I think that the 2016 act certainly empowers police officers to stop and search, but that doesn't necessarily give the protections, the articulate protections, that are clearly of concern across this panel and clearly of your own concern. For that reason, I would say that we do not have a fit for purpose legal framework in place at this moment to allow the rollout of this policy and the use of cyber kiosks without the articulate rights of individuals being interfered with. Is it the position that the December rollout date is looking like a very suspect, certainly from the human rights commission, the human rights position and also from the commissioners position in terms of the impact assessment data and other documents still to be received? I think that we need clarity on a number of the key issues that we have all identified to Police Scotland, so I don't think that necessarily we should put in dates on it more as these issues are resolved, then that's the gateway to rollout is resolving these issues. Mr McLean, is there a possibility that you think that they can be resolved by December? I would have thought that that was a very tall order. I think that before I was very ambitious but perhaps that stretches the level of my ambition I think that, convener and committee, Police Scotland is trying to be as transparent and try to consult as best it can with a range of partners. We are extremely grateful for the contributions that they have made towards the considerations that we have to do ahead of any planned rollout of cyber kiosks. I think that there are still some substantive issues, I think that clarity is one of the key things in terms of either how we've positioned or articulated that. In short, there's a real opportunity to try and get this right, but we have to do it in a very measured approach and try and get it right to the best of our ability in a very complex legal landscape. I would probably concur with your view that December is very ambitious and there's still more work to be done. It's not the position of Police Scotland that it's rollout the kiosks at any cost, it's about trying to get all the document sets and allay the concerns of the people of Scotland and the people who have engaged with the stakeholder and reference groups. I would very briefly put it another way rather than to get it right. I think that there are dire consequences if you get it wrong, which would jeopardise the whole project. It might be a little bit of not so much in haste and get it right so that it's absolutely tight the authority to look to see and both to look at the data. My question is really for Ms Connelly, but it probably applies to everyone. You were saying about old legal framework being applied to new technology. In your opinion, do you think that it needs new legislation or amended legislation at this point? I think that it probably does, to be honest, because I don't think that it is possible or, indeed, reasonable to expect the common law, case law that exists to be developed in court process for something as important as this that's been flagged up in advance. The point here is to provide police Scotland and the police and other authorities with enforcement authorities with the adequate framework so that they can do their work, the really important work that they do, which, as I said before last week, is very much about protecting our human rights in a way that doesn't interfere with that job. What we think is that there are significant issues in terms of lawfulness, the legal certainty, the foreseeability of the law, and safeguards that the convener touched upon, the safeguards in the law, which are not adequately provided in the current framework. So there is a need for providing that framework to the police and, of course, the parliament and government are the source of that. I think that it is similar that we could apply here as well with a similar context, is the Investigatory Powers Act 2016, when the UK parliament looking at interference of communications and data-related issues, personal data, they look at all the legislation and say, actually, this is not enough, they certainly in terms of common law, it is unlikely that that was or it can be considered as a legal basis and they said we need to develop a framework and they develop a quite comprehensive framework through the IPA 2016, which is not perfect and has been challenged a couple of times even in the Supreme Court, but it's a framework that gives that legal certainty and provide enough safeguards. So probably as you know, there is an investigatory powers commission between these, the intelligence and security committee of the UK parliament has an oversight of the legislation and there is an investigatory powers tribunal, there are cultural practice, there are like four or five different conduct practice and the legislation has also incorporated the wills on the train and the protection of journalists, doctors and lawyers, so personal data is not flowing everywhere and as you know, a judge serving within the IPC reviews the warrants, so that's something that it could illustrate what is happening right now and how the parliament has reacted to these challenges on modern technology to provide the police with the adequate tools to do their job. Can I just ask Mr McLean, I know we've covered the issue of assessments in previous sessions quite a bit. In hindsight, I don't know how honest you can be here, but in hindsight, do you not think that Police Scotland perhaps, you know, we're a bit premature, jumped the gun with all this, having the roll-out without all these issues having been considered and I know that that comes down to assessments? Yeah, I think the issue of cyber chaos as was alluded to earlier has opened up a much wider discussion about that complex landscape that the police is trying to operate within. I think the ambition and the sentiment behind kiosk was about a better service delivery and actually trying to minimise some intrusion. What's caused is a much wider discussion around that. My personal view is even our view of impact assessments at the very start of this journey still wouldn't have been sufficient for where we are at the moment because I think we're learning every day on the job, if you will. The contributions that are made by people around the table here and the other contributors to the reference groups really enrich that discussion and certainly are considerations about the wider privacy, safeguards and considerations, so I think that it's a journey that we're on. Given that the kiosks are essentially doing the same investigatory task, as the hub is, in a broad sense, does this discussion apply equally to what's going on in the hubs? As I said before, yes, we have... I think that cyber kiosk has brought this to public light and it's then led us to look at it as one part at the chain of how evidence is obtained in criminal cases and looking along that chain there are questions in other parts, including at the cyber hubs. Just following on, I think, from Ronas's line of questioning, obviously, I appreciate your candor at a number of sessions now and I think it's probably only fair to put on record the statement from Open Rights Group, which welcomes the openness and engagement in the consultation process that Police Scotland have undertaken. I think that notwithstanding the seriousness of the concerns, I think the approach that's been taken by Police Scotland since those concerns came to light has been, I think, encouraging. In terms of the legislative change that you were referring to there, Mr Keros, is this something that the Scottish Law Commission should be looking at? I think that there's always a risk in leaping to pull the legislative levers that you end up putting in place something that's fairly rigid, and when you're dealing with technology advancing in the way that it is, you may find by the time the legislative process is completed, you're already behind the eight ball again. Is this something that we should be inviting the Scottish Law Commission to look at, or is it something that's more straightforward that may require a more streamlined legislative fix? I don't think it's straightforward at all. This is a Pandora's box, and it's particularly complex both because of the legal side and the legal aspects of making such interrogations lawfully compliant with the convention and with laws, but we are also trying to keep up with our rapidly expanding technological process body that is almost, it's ahead and we're running behind. Therefore, I think, considered and fully researched considerations around all possible manifestations in terms of future technological developments by something like the Law Commission would certainly at least give an opportunity for any legislation to have some longevity attached to it and not, as you say, to essentially be out of date by the time it's on the statute. That takes us into a whole different buck moment. It was, I think, entirely fair in saying that a roll-out from December is fairly ambitious if we're going down the route that you're suggesting it will be December and pick a year. Absolutely, and this issue, the cyber chaos, I think, as many people have said, has highlighted a much broader issue. This isn't just cyber chaos, this is the use of dash cams in criminal prosecutions, it's the use of the hub. Time is of the essence. So, I think that there's a quandary here. This is something that should be carefully considered and carefully looked at, but we're up against time, both to make sure that the existing practices are compliant with our convention responsibilities and also to ensure that we don't have further infringement of people's rights taking place through the use of, for example, reliance on dash cam evidence, et cetera, which raise similar, very similar points. So, from what you're saying, that would seem to suggest that caring attention in terms of what is being done at the moment will need to be obviously applied and perhaps a review of that, but the rolling out of cyber kiosks would not be sensible until that legal framework is in place. I'm saying that that's absolutely correct and there's currently reliance on evidence before the courts that, certainly, it's compatibility and its interference with the article eight rights of the individuals involved in the article six rights is of quite grave concern. So, an intense expert group to look at this in depth, but quickly, is perhaps what is needed prior to a legislative process being commenced? Do others have views on that, Mr Kiros? I think that's a different question, different from the legality of the cyber kiosk and the technique and the particular technique. We are discussing, but I think it's an important one and I would say it's up to the Parliament and government to decide on that. There are different paths that can be taken, so there are a number of issues that are not only related to cyber kiosk, but use of camera, computers and other devices. So, there could be a piece of legislation that covers all forensic digital media, so a piece of broad comprehensive piece of legislation, or there could be a different path that develops a code of practice for this specific issue and is laid before the Parliament for your oversight. So, there are different ways to go ahead with this, but I think it's important that the Parliament keeps the oversight of the process and the scrutiny, as it has been done so far. Just a very quick point. I don't disagree with anything that's said. As a police officer and as a police force, we only apply the law that's provided to us. It's probably important to say that, but I did say earlier on that Scottish law is principally a set of principles, and if you make one change in one area, that will adjust those sets of principles. I think that we have to consider the unintended consequences and, by that, what I mean is, if we take a decision or if a decision is made on cyber kiosk, what are the unintended consequences of that in wider digital forensics, but in other parts of the criminal justice system, because those principles that are applied to cyber kiosks, if adopted and supported by way of review, will be interpreted in other parts of criminal investigation and criminal prosecution. I think that we have to be cautious and consider every option, as Diego said. Exemplify that. Where would you see an obvious read across in the criminal justice system? So, if we say that because of the potential infringements and lack of safeguards for cyber kiosks, that would stop all digital forensics, most cases that we go in front of a court of criminal justice system these days will, in some ways, describe our lives and our lives are surrounded by those digital devices. That is a consideration. We have the article 2 right to life, so in those high-risk situations, such as missing persons or crimes in action, we would denude ourselves of that capability and thereby be unable to respond or at least limit ourselves on some of our article 2 obligations. It may well be much wider than the digital forensics, because where do you draw the line in terms of sensitive or personal information? That may not just be in the digital format. There will be other aspects of the criminal justice system where, if you have adopted one set of principles, there may be unintended consequences and applicable elsewhere. Mr Clemm, of course we come to be looking at this not because of the hubs, but because of the issue that this was a different approach that was being taken and we were trying to understand the wider implications of that. I wonder if I can ask you two or three specific questions, please. Heard you correctly, you said that the cyber kiosk does not turn on the phone. At our last meeting, Mr Keror said that cyber kiosk can access texts, photos, web browsing and biometric data, like the finger that it used to turn on the phone. Is that correct? It may be correct, so what happens with a cyber kiosk is that the mobile device—let's call it a phone in this instance—is switched off and the SIM card is removed. It is not connecting to any external source of information through a network, wi-fi, internet. It is isolated and what the cyber kiosk then allows some search parameters for you to ask a series of questions about the data that is stored on the device, the phone, if that is what it is. That sounded like a yes, but that information can be accessed. Web browsing history, for instance. It may be possible, but it is dependent on the device. I do not mean to not take a position. It very much depends on the technology that is plugged into the kiosk, but yes, it is possible. That would include a fingerprint used to activate the phone. We have asked that question specifically, and I think that Mr Keros was present, and we said that it is extremely unlikely that it has the capability to do that. I think that we can, with some consistency, know that it wouldn't do that. Mr Keros. That's a technical question. The explanation I got with this is quite interesting, is that your fingerprint when it is locked into your phone is not a picture of your fingerprint, but it is a mathematical formula of that fingerprint. So I asked exactly that question when I was with the police. So it would be very difficult to match that mathematical formula to do actual fingerprint. So it's a very complex transition that it has to go from that decoding of a picture to your picture. Is that correct? I think that Mr Stevenson is going to give us some of his knowledge. Well, just as banks don't need to know your pin number and they don't to be able to validate whether you've put the right one in, in phones, and that sort of thing, it is a one-way algorithm, takes the image and produces an answer from which you cannot derive the original data, and that is repeated every time you offer it, so you cannot take the data and work out what it's come from, because it's what's termed the one-way algorithm, using a matrix transformation corner to corner, if you want the technical explanation. I will do that, sure. Thank you very much for that. Thank you for that enlightenment, but it doesn't make it less intrusive obviously because they saw the type of biometric, obviously, that it can be downloaded and voiced and also pictures, so other material that is incredibly personal about the individual, his or her personal relations and identity, and even third parties. Mr McLean, I wonder if I could try an example and forgive me if we've run this example before, but it's an easier concept for me and that's the notion of consent, so to some extent an accused and a suspect will have a measure of protection. A witness, if someone, for instance, who is a complainer is to say, I've been sent an offensive image in order to present themselves as a police station, we're one of these cyber chaos. Would the cyber peak chaos be used to establish if indeed there wasn't an indecent image? In the process of so doing, would it be able to look beyond if they said that I've just received it, within the last hour someone sent me an offensive image? Could the parameters of the search be limited to that timeframe? The straightforward answer is yes, and that is the whole intention of the kiosks, is a triage process. Officers, the thin blue line is very stressed, as you know, convener. They want to ask the question and get the answer on it, so the whole intention of the kiosks is to try and eliminate the devices at an early stage if they can and return them to the owners and thereby provide a much better service to the investigation at the front end and the public and the owners of the devices where they be witnesses or victims or where they even be accused or suspects as to try and get them off our shelves and back in the hands of the right owner. To answer your question more specifically, what the kiosk allows you to do is ask at that specific question. In that time parameter, between those dates, was an offensive image or a text message or whatever the matter is under investigation, was that delivered and it will then throw up the results. It is limiting in terms of its capability, as are the officers, to look through the whole catalogue of images and data on the device. The intention is to interrogate the phone by asking it a series of questions via the kiosk. The wide concern that would be about the appointment of these might be that police could go on a fishing expedition, if you like. I have heard that position put. One of the checks and balances and safeguards that we are putting in is through the training programme with the operator, so it will not be the actual investigator who may be unduly influenced or has a desire to try and prove the case, if you will. Those safeguards are in part by the supervisory checks that will be in place, the operators, and they will consider many of the articles that need to be thought about proportionality, necessity, collateral intrusion, understanding the matter that has been investigated, what is it that the investigating officer wants to try and get from the device, and then it is those separate officers that will interrogate the device and come back with the results for the investigating officer. We think that we have put in some checks and balances around that. Ms Gornley, do you care to comment on that? I think that my concern remains that there are parameters of search that are going to be put in. It cannot be targeted at the single thing that is being looked for. In many cases, one would anticipate. Although there might not be a fishing exercise being carried out, the way in which the law operates is that when a search is taking place, it should incriminating material come across by-police officers in the course of a search, even if that is out with the limits of a search warrant, for example, that becomes admissible. The question of fishing exercise, although strictly speaking, is not allowed in law where incriminating material has come across by accident or in the process of carrying out a search. That is deemed to be admissible evidence. On that particular example than Ms McLean, I do not know if someone were to receive two images that might be deemed indecent. They are unhappy because the sender of one, but they are not bothered about the other. Could that turn a complainer into an accused? I suppose that I cannot judge in every eventuality. I think that the point is about self-incrimination. That goes back to an accused person that I sense and perhaps more about a victim or a witness. The fact that we have no compulsion over victims or witnesses to give over digital devices for examination would have to be a voluntary element. The quality of law and some of the things that we talked about earlier is that we need to be more explicit in what that means and what their expectations are in that. Clearly, if there is content in that searching process—this is true of many others where you are actually searching a failing cabinet, let alone a digital device—if you were to come across something that indicated other criminality, perhaps of a grave nature, then as a police officer, you have some responsibilities towards that. It is at that point that it becomes extremely complex in terms of what powers were you utilising at that time and did the Empowery to take a course of action in terms of that new material or at that point you should just stop and give it much wider consideration, which is ordinarily what the guidance is to police officers. On one level, it can be very simple, but then there are all these qualifying conditions. I get that. Were you able to share the internal legal advice that you got from Police Scotland with the committee? Can you advise what format that took, please? That was a memo that I can take under consideration. We are not—it can be sure that the committee because, obviously, there is a question about legal advice to ourselves, but, in effect, re-itering some of the things that I have said before is that the legal advice is that there is a lawful power, that there is a statutory power under the criminal justice act that I have talked about before and, again, that is supported by case law within the last 10, 11 years. There are two points of case law that I think we have already alluded to before from about 1997 and 2014, which seem to support the powers that police have used at that time to examine digital devices. That was the advice that was given to us that the assurances that I have given here before are as the legal view internally within Police Scotland. I am not sure that I understand how you would share legal advice provided by Crown Office, but you would not share your internal legal advice. Why would that be? I would probably have to take some direction at that, if you wouldn't mind, on that convener. If you could, Mr McLean, and come back to us, because I think that it would be very helpful. I recognise the importance of a convener case. Can I ask about any assessment that has been done of the potential for any retrospective claims when the trial period was on-going without all the supporting framework that is now in place, or discussions at least? Has anyone come forward and complained? Not to my knowledge that I am aware of, but I am sure that there are many people who are watching with interest. A lot of the discussion is about what police officers are or not doing and are they infringing the various articles, which probably takes me back as to why I might take some advice of where not we can share some of that legal piece. To my knowledge and answer to your question, not that I am aware of. Mr Kieras, thank you. Thank you, convener. I just wanted to go back to your point on official expedition. After the previous meeting with the committee, Mr McLean invited me to go and see how the cybercars worked. I would say that the issue of operational proportionality is something that the police has considered quite carefully. So these parameters that he mentioned. So I have a bit less concern for the evidence that I received about that, the legal certainty and the requirement of lawfulness. But certainly that point that you raised relates back to the point of oversight. That's why we recommend that prior judicial authorization or independent body should be seen as the best preferable practice for the use of cybercurses. Because then there is that independent oversight that is required to ensure that there is no this type of practices or what is called fishing expeditions. And this, by the way, seems to be the prefer approach of the interception of communications by both the European Court of Human Rights and that was the case quite recently a month ago in the Big Brother Watch case against the UK. But also by the Court of Justice of the European Union in the Watson and Telethraud case where it seems that they favor clearly independent oversight and authorization process. Could I do down a little bit in the independent oversight? Clearly it's not a blanket one for every every mobile phone browsing example or exercise. How would it work in practice? Would it only be when something was flagged up as being unsuitable that the mobile phone browsing exercise has covered or how would the independent oversight work in practice? Mr Keros. I think that there are different ways how it can work. It could be prior or post, as you are saying, and so prior is a de-authorisation that is given and all post is a review of the authorization that they are giving, similar to what happens with the protection orders in relation to the Investigatory Powers Act, which is that the order are given by a chief superintendent of the police but is the commission who reviews that validity and adequacy of the orders post they are an issue. There is a big issue here given that we are looking at the police act just now. We are looking at, if you like, the shifting, the initial looking at whether there is a complaint here, whether it's right to have the mobile phone browsing exercise. Would that be not a strong indication that it should take place prior as opposed to after? The exercise is taken out and therefore it was dependent on some issue being raised. That is the preferable option. It seems that both the European Court of Human Rights and the Court of Justice of the European Union are signalling that that is what should happen in the European context. Yes, Mr McLean, you have mentioned a couple of times that the device has to be provided voluntarily. I am just curious to know if an individual says to you, if you approach individually and say, no, you're not going to get my phone. Is that as far as it goes, or is that person then marked out as being suspicious because they've refused? I'm just curious to know what procedure would be in that case. I think that we'll ask the question, would we be carrying these devices down the street and stopping people and browsing their phones? That's absolutely not what they're intended for. The principle is being intended for where a matter has been reported to the police, a crime or some sort of investigation. I want to talk about compulsion, what I mean is that the victims are the witnesses in those sets of circumstances. We have no powers to require those devices other than perhaps going through a court and getting a warrant if we thought it was such a grave matter. I just found out that you have the power, so it's not voluntary. Is that the difference? Exactly. I just wanted to see if there was a parallel, and I'm not so fully familiar with the act to be certain about the question that I'm asking. Under the Regulatory Investigations Powers Act, one of the things that people can be required to provide is their encryption keys so that data could… Even an innocent person who refuses to provide the key that would de-encrypt then will become someone who's committed an offence under that. I'm getting on so… I'm really just trying to explore whether there are… In that, there is a principal capture that we can look at that we might think about for other domains such as we're now discussing. I would love to be able to give you a very specificity if I can even say that answer to that question, Mr Stevenson, which is… The Regulatory Investigations Powers Act is a lot of covert activity. You're right, we can require an order for the PIN number. I think that it's difficult to cover every eventuality. When we talk about Caos, as Mr McArthur mentioned, it's a much wider set of principles. It's very difficult to give one set of circumstances that meets every scenario. I go back to some of the article 2 obligations that policing have about right-to-life and those very high-risk situations. Those options that we have discussed have a degree of time wrapped around them, and often that's the complex situation that police are trying to operate with them. The more we take evidence on these Caos, the more concerning it becomes. I think that there probably is. There probably would be good procedures in place through the Work and On Justice Committee in other areas. I believe that that would be the case, but I think that there's also a public perception there that we've talked about. Some of the other evidence we're taking, there's some real progress being made in people coming forward around certain types of offences, where maybe they wouldn't have previously, and we don't want to go back the way in these issues. I think that if a committee of MSPs are concerned with these, I think that the public would be concerned as well, and you might get situations where people go and say, I want to report this, but I don't want my whole phone checked, that sort of thing. With that in mind, I wanted to follow on that theme and ask about the training. I believe that the police are carrying on the training of officers under use of cyber chaos, but do you think that that's a good use of police time just now, given the concerns that have been raised and that this may be stalled until further safeguarded or put in place? I take your point. I think that in terms of the public concerns, that comes back to the quality of law peace, and we recognise that it's really important to set out those principles and articulate them clearly so that people understand what their expectations would be, whether they have been arrested for a crime or whether they are a victim or a witness to an incident. In terms of the training piece, that was a careful balance in terms of logistical challenges in training over 400 people. I think that I said before that this committee would set out a timeline, so while we are very considered, we are in about an operational deployment, or a go live, if you'd wish to call it that, at the same time, we are trying to minimise the disruption to our local policing resources. That is not without its challenge. One of the decisions and probably the defining factor about commencing the training was so that we could do a proper evaluation to see how the training product was fit for purpose, and where we are addressing a lot of the matters that we have discussed here today and in the margins of this meeting and what was the experience of those officers that were training that they felt they were adequate. For me, that was the primary driver about commencing the training, till I was to do a full evaluation, which has started this week, and we are doing a full debrief of those officers within the next two to three weeks to get our feedback to see whether we even think that we have got this right in terms of the training and are we catering for all the safeguards, checks and balances and considerations that we have talked about here today and elsewhere? Thank you very much. Can I maybe just conclude with one question? I think that we have heard from Police Scotland that perhaps there would go about things slightly different and some of the issues having a pilot acquiring that significant capital sum to acquire the equipment. Each of the witnesses in turn is probably just a simple yes or no, please. Are you content that the cyber chaos should be rolled out in December, or should we await a definitive yes from Crown Office and, importantly, a sign-off from the members of the current stakeholder group? I don't think that we should be rolled out in December, it's premature, and I think that more than just the response from Crown Office is required. The law has to be reassessed, re-evaluated and perhaps redrafted to make the challenges of not only the cyber chaos but the use of technology in the modern world. We need to be clear on the lawful basis that needs to be expressed to us in clear and straightforward terms, and until such times that happens, I can't see that the processing of personal data would be lawful. I think that there's a lot of ground to be covered if we could even project a roll-out in December, but I don't think that the discussion is hen is just running about cyber chaos. I think that it's a much wider discussion and possibly review and recommendation, so I don't think that we should frame the discussion just running about chaos, but could we roll out in December? At this time, that looks unlikely. We need to take a very measured approach to this. Can we ask you then, Mr McLean? Police Scotland wouldn't roll that out without a definitive opinion given from Crown Office. I note that, in one of the responses that Police Scotland talks about, it might reasonably expect that Crown Office's procurative fiscal service to consider the legal basis for the use of cyber chaos as, quote, an operational matter for policing. I'm sure that you accept it as broader than a policing interest. I think that, convener, I'm here to represent Police Scotland that will be for the force to make that decision, and that will probably sit somewhere at chief officer level and perhaps the SRO for the programme. Clearly, it will take cognisance of what Crown Office is response to that as well as all the other contributions that have received to date. You can say that it won't go ahead unless we get to go ahead from the stakeholder group and Crown Office. I don't think I could make that commitment here today nor could you know. Okay, thank you. Mr Keros? No, the answer to that is no. The current law is not clear. There is no clear basis in domestic law and that relates again to lawfulness. The law doesn't have a sufficient quality as to be accessible and foreseeable, and that relates to legal certainty. There are no adequate safeguards in place in the law, because I would argue that the legislator never thought about those situations of seizure and search in this context. Okay, can I thank all the witnesses very much indeed for their written submissions for coming today. I know that there were challenges with you, so thank you for making the time available. That has been very helpful. If you could share the information that we discussed or examined that, Mr McLean, that would be appreciated. We are now moving to private session. Thank you very much.