Appendix 4: Note of visit to Metropolitan
1. On 18 October 2012 we visited the Metropolitan
Police Communications Intelligence Unit (CIU) and met Assistant
Commissioner Cressida Dick, Superintendent Paul Jervis, Superintendent
Neil Hibberd, Chief Inspector Kenny McDonald, Detective Inspector
Steve Carter, Inspector Anthony O'Sullivan, and Roger Smart, barrister.
The purpose was to see the Single Point of Contact (SPoC) unit
processing applications for authorising access to communications
2. We were shown a number of case studies. The
first was of a robbery where a man was targeting women in a linked
series of robberies in a small area. The suspect would normally
steal mobile phones. A breakthrough came when he took a photograph
with one of the stolen mobile phones and, because of the setting
the owner had on her phone, the photo was automatically uploaded
to her internet account. Through this the police were able to
make a communications data request which enabled them to narrow
down his location. Further evidence was obtained using cell site
technology on a phone number obtained by a witness to one of the
robberies. This evidence was vital to identify and track the man's
activity and link him to six other robberies which he had originally
denied being involved in. This case involved multiple separate
applications for different types of communications data and that
each application had to be justified on the basis of proportionality
and necessity and had to be authorised by a senior officer not
involved in the case.
3. It was explained that communications data
is used sparingly, because it is costly and resource intensive,
and because of the need specifically to justify each application
and consider the impact of collateral intrusion on innocent people.
However in some types of crime, such as suicide, missing children
and missing persons it was likely to be the first port of call.
4. The second case study was of a television
producer whose website was being bombarded with anti-Semitic abuse.
The police suspected that the abuse all stemmed from the same
person, who would change their online identifier each time they
were blocked. This case could not be pursued because the overseas
provider which held the necessary communications data refused
to supply it to UK law enforcement. There was an increasing problem
of harassment through social media which could not be investigated
because overseas CSPs could not or would not provide the necessary
communications data. All communications data resulting in a charge
would end up in court; the police were increasingly finding that
courts were expecting to be presented with this data.
5. Where data rules someone out of an inquiry,
it is kept as it is disclosable information in a court case at
a later date. Its retention is usually reviewed every 7 years.
Under the national data retention scheme implemented following
the Soham murders communications data could be retained for 6
6. A further case study was of a recent violent
attack on an individual where an iphone was dropped at the scene.
This enabled police officers to track 15 suspects from 5am-5pm
during a fast moving investigation as they travelled from London
to the Midlands. The gang realised what was happening, and started
to switch sim cards but could still be tracked because their handsets
had been identified. Without this ability they would not have
been in a position to make an arrest. Another example was of a
gang member gunned down in their car. The police were able to
use CCTV, witness evidence, forensic evidence, telephone data
and house to house enquiries linked together. They were looking
at a rival gang, but using other evidence they were able to identify
individual suspects rather than requesting communications data
on the entire gang.
7. It was emphasised that no one in the investigating
team authorises an application for communications data. An application
is sent to someone outside the team to be checked, then submitted
for authorisation. In this case, there were two people suspected
of being involved. Data was obtained and used to rule them out
as it showed they were elsewhere. Subsequently data was obtained
on five of the rival gang members. This showed them making contact,
coming together and going away again. It linked up with CCTV evidence
that showed the car to prove they were there. The data formed
part of the wider investigation. There were approximately 500
applications made for different types of data on five people.
Suspects often swapped sims but not handsets. Sim swapping led
to a large number of applications so that the call data could
be attributed to the suspect. To find one sim card it was necessary
to apply to each network. If the card was then ditched in two
hours, fresh applications to each network would need to be made.
Location data only showed that the sim was in that area, so attribution
was vital. The data was provided through disclosure in any subsequent
court case and could be used to confirm or refute a defence, especially
if it relied on the suspect's location at the time.
8. Data was useful both for the investigation
and as evidence in a trial. In a kidnapping case the data would
be a central line of inquiry in recovering the missing person,
and would then be analysed to identify what could be converted
9. We saw a demonstration of an app on an iPad
that allowed direct communication with another person, while the
only information shown would be that the internet was accessed
via GPRS. The application listed countries where there were available
servers and allowed a choice to be made, for example, of a server
in the Czech Republic to have a conversation with someone in the
10. In response to a question on public concerns
about access and safeguards, we were told that the independent
authorising officers saw their role as akin to that of a magistrate.
They would not want to be the authorising officer who got it wrong
and caused a case to collapse. The authorising officer often did
not know the person making the application. They were liable to
internal examination and external audit. They were also likely
to be called to court to justify the access authorisation. The
training programme dealt with both defence and prosecution use
of communications data and with the inspection of the authorisation
11. We split into small groups to watch individual
SPoC officers at work. Different groups saw different applications.
- an example where an overseas CSP
operating an international dating website was closed over a weekend
and as result a rape investigation was hampered;
- an example where a SPoC turned down a communications
data request for call logs in the case of a domestic abuse. The
SPoC was concerned that a subscriber check had not been run to
confirm that the call logs related to the right suspects, the
collateral intrusion of accessing call logs had not been properly
assessed and the necessity of the request had not been proved.
This SPoC thought he probably referred requests back about 5%
of the time.
- an urgent oral request where a written form was
not available but where the request had been authorised by a superintendent
working on the ground. A verbal case had been made as to necessity
and proportionality and a subscriber check had been authorised.
- an example of a request for communications data
around delivery of a firearm. The authorisation form was demonstrated,
with details of the information required and the process the SPoC
would go through to check if the request was justified.
- an example of a computer misuse investigation
where a check was being run of the IP address used. The officer
explained that often providers used dynamic IPs, some of which
were not resolvable. Some could be resolved if ISPs were willing.
She explained that she would always advise investigating officers
to use such data with caution, as, for example, someone could
be using an unsecured wifi access and the owner of the internet
connection could be unaware of this.
12. We received a presentation on making use
of communications data in evidence from a barrister who had acted
both for the prosecution and for the defence in murder, kidnap,
paedophile and corruption cases where communications data evidence
had been important.
13. In the case of kidnaps, hostages were usually
disoriented and did not know where they were or how much time
had elapsed. Use of mobiles and cell site analysis gave a narrative
of the part played by the different participants. Usually this
supplemented other evidence, but there were cases where no prosecution
could have been brought without communications data evidence.
An example was a case where a kidnapper used both a 'clean' and
a 'dirty' phone; however the 'clean' phone revealed where he was,
and this connected him to the 'dirty' phone, thus showing that
he had been at the kidnap.
14. Communications data was very important for
the prosecution of serious fraud. We had been told that criminals
would move towards further encryption of their data, but this
was not happening in practice. There were examples of supposedly
sophisticated individuals who had already been prosecuted using
communications data evidence, but still continued to use mobiles.
In one case the FSA had used Blackberry data to prove the purchase
of shares; in another a message from the head of a kidnap team
to a supposed friend had been used in evidence (though this was
not communications data evidence).
15. In cases of attempting to pervert the course
of justice, communications data had been used to prove the presence
of the person threatening witnesses. Where the pressure on witnesses
was successful and the witness declined to testify, an application
could be made under s.116 of the Criminal Justice Act 2003 for
a statement to be admitted in evidence.
16. The prosecution was under a duty to share
all evidence with the defence, including communications data evidence.
It could be used as much in support of a defendant's case as in
support of the prosecution. Where there were concerns about the
credibility of a witness, communications data might be used to
support or undermine the witness's testimony. In the course of
a trial the judge might ask for additional information from communications
data sources, usually to help the defence case.
17. Mutual Legal Assistance Treaties (MLAT) could
be used as an alternative route to seek evidence from abroad,
but this depended on relations with the particular country. Some
were helpful in theory but not in practice. There were also issues
of delay and cost.
18. It was very difficult to measure the volume
of data which enforcement agencies were unable to access, but
there was no doubt that it increased as one moved from telephony
to the internet, and further still when one moved to foreign internet.
Officers knew very well what data they could access and what they
could not access. When mobiles were first used it was feared that
they would frustrate reliance on communications data from landlines.
On the contrary, they had proved highly beneficial.