Skip to main content

Accessibility controls

Contrast
Main content area

Social Media: Reasonable Lines of Enquiry

Updated: 3 August 2022|Legal Guidance, Sexual offences

Introduction

The exponential growth in the use of digital devices, together with a huge expansion in capacity for constant connectivity through online networks and platforms, presents both opportunities and challenges for criminal investigations. There is an extensive legislative and regulatory framework governing obtaining material from devices for the purposes of evidence and for disclosure in this context. The key provisions and documentation are:

The purpose of this guidance is to assist prosecutors as to what can be obtained from different devices and the most ‘common’ social media platforms installed upon them and the legal framework for doing so.

Reasonable Lines of Inquiry

The use of personal data in criminal investigations is often a source of anxiety for complainants – the public should feel confident we will always seek to balance a respect for privacy with the need to pursue all reasonable lines of inquiry; examining the digital devices of complainants and witnesses is not something that should be undertaken as a matter of course in every case. It is crucial that there is no unnecessary intrusion into a complainant’s personal life; for a line of enquiry to be reasonable there must be something beyond a purely speculative search.

The recent case of R v CB and Mohammed [2020] EWCA Crim 790 endorses the cases of R v E [2018] EWCA Crim 2426 and R v McPartland [2019] EWCA Crime 1782 and deals directly with the obtaining and reviewing of material from digital devices. The case sets out ‘Issues of Principle’ that investigators and prosecutors should consider when seeking to obtain material.

Key points to note from this judgment are:

  • Digital material is no different from any other information or record and should be handled in accordance with established principles.
  • There is no obligation on investigators to seek to review a witness’s digital material without good cause.
  • The loss of a mobile device for any period of time can amount to an intrusion into a witness or complainant’s personal life. Consideration should therefore be given to whether the relevant messages or other communications are available on the suspect's digital devices, within the witness or complainant's social media accounts or elsewhere, thereby potentially avoiding the need to take possession of the personal devices.
  • If a reasonable line of inquiry is established to examine, for example, communications between a witness and a suspect, there may be a number of ways this can be achieved without the witness having to surrender their electronic device.
  • If material on a complainant’s device needs to be reviewed as part of a reasonable line of inquiry, an important question is whether a review of a discrete part of the digital record will suffice.
  • It is necessary that a complainant is kept informed as to the use that is proposed to be made of the mobile telephone or other device and its contents, depending on the extent to which the witness wishes to be provided with updates.
  • If a witness does not provide the investigator access to their mobile telephone or other device, it is important to look carefully at the reasons for this stance and to furnish the witness with an explanation as to the procedure that will be followed if the device is made available, and to offer reassurance.
  • Where a complainant continues to decline access to their digital device and the ability for a fair trial to take place is raised, this situation is analogous to the cases in which there is a complaint that the prosecution failed to secure relevant evidence or evidence has been lost.

Timescales

As the ICO report into Mobile Phone Data Extraction observed, there are few aspects of day-to-day life that do not involve the use of a mobile device. Losing access to a device can have a very significant and detrimental impact on a witness or complainant’s life. Therefore, investigators must consider whether it is necessary to take possession of the device. Moreover, where there are good reasons to review material held on a personal device, the investigator should ensure that any review is undertaken within a reasonable period, and that the complainant or witness is kept fully informed of the likely timescales involved in undertaking the review.

When requesting digital material from investigators, prosecutors should also bear in mind the likely time it will take to obtain and review the material. This could, in certain circumstances, impact on whether a line of inquiry is reasonable and proportionate. Whilst it is not always possible to obtain a precise time frame, prosecutors should discuss with the investigator, and where appropriate, the relevant digital forensic service, the likely time it will take for the material to be obtained and reviewed. This discussion should take place at the earliest possible opportunity as much will depend on the method of interrogation being requested, the availability of resources and any backlog in existence as to how long it may take to obtain the material.

Examination of Digital Devices

Mobile devices are not standard and the ability of digital forensic services to access data varies between manufacturers, models, operating systems and even versions of the same model of a device and may also change over time.

It is not possible to obtain and examine every artefact or item of digital evidence from a device for analysis in every situation – there are constraints to the extent and depth of an examination in the circumstances of each case. It is critical that the investigator and prosecutor are aware of the opportunities presented by a device and the limitations and boundaries of an examination; including the implications of utilising one examination methodology over another if further work is required in the future.

Although capabilities vary across England and Wales, there are essentially 3 levels of data extraction and examination of mobile devices offered by the digital forensic services, namely:

  1. Level 1 - a “logical” extraction. A “logical” extraction provides the live data that is readily available on device, probably all of the data you could see if you were able to turn on the device and browse through it. A logical extraction will extract the live data that is supported by the extraction software being used. This could vary by handset, operating system and types of applications. It may not extract all of the data present and will not usually extract deleted material.
  2. Level 2 - can be either a “logical” extraction using selected tools in a laboratory environment to report that data or a “physical” extraction, capturing data that may be unallocated to a file or is associated with deleted data on a device. “Physical” downloads can extract deleted data, although again capabilities vary depending on the nature of the device, operating system, types of applications and whether they are supported by the extraction software.
  3. Level 3 - examinations are usually expert and bespoke methods to tackle complex issues or damaged devices. Examples include specialist evaluation and interpretation of digital data or Level 1, 2, or 3 data extraction.

Terms such as "Full" extractions or downloads should be avoided as they can easily lead to assumptions and misinterpretation of the actual agreed method(s) of examination. More information can be located in the ‘Disclosure – Reasonable Lines of Inquiry and Communications Evidence’ guidance.

Definition of Social Media

‘Social media’ is a catch all phrase used to describe social networking sites but also includes ‘over the top services’ (OTT) for messaging such as WhatsApp or Skype. OTT refers to applications that use existing networks such as the Internet and cellular networks, bypassing the more traditional satellite and cable networks. For the purposes of this guidance the term is typically reserved for apps such as instant messaging and video calling. All social networking sites share the common feature that they are based on an internet platform.

Whilst social networking sites are based on an internet platform, obtaining call data records from mobile networks will likely be of limited assistance; the only records of usage that mobile networks are able to provide are data usage records. This data usage is a record of contact with the network and is an indication that the handset has connected to the internet. This will not show to which site the handset has connected. Looking at the call records will not tell the investigator what use the handset has made of social media. It similarly does not confirm possession with or interaction with the handset as much of this usage can be attributed to automatic updates and the network operation, such as when a handset updates overnight when plugged in and connected to Wi-Fi.

Common Social Media Platforms

There are a variety of different social media platforms but the platforms that investigators and prosecutors commonly encounter include:

  • Facebook/Messenger
  • WhatsApp
  • Twitter
  • Snapchat
  • Instagram
  • Tik Tok
  • YouTube

It is important to remember that most social media providers are based outside of UK legal jurisdiction, for example all of the platforms detailed above are based in the United States. They are therefore not bound by the same legal requirements as the UK based mobile networks.

If prosecutors encounter a social media platform that is not one they commonly encounter, they need to be aware of the country where the platform is based and the likelihood of obtaining any information from them. Investigators and prosecutors should also consider the quality of the information that may be received from less common social media providers – the integrity of the data should be explored.

Legal Framework

The principal categories of information that investigators and prosecutors seek to obtain from social media platforms are:

  1. Details of the subscriber to a particular account;
  2. Content of any messages/photos/social media posts etc.
  3. IP Login history and geolocation (the geographical location of an object, such as a mobile phone)

Subscriber details

To obtain subscriber details, or information that may lead to the identification of the account holder, from any social media provider requires a request directly to the provider.

This request must be made by the police in the first instance. Before a request can be made to a social media platform, the investigating officer will need to obtain authority under Part 3 of the Investigatory Powers Act 2016 (IPA). These requests are always handled by an individual force’s ‘accredited communication data investigator unit’ (SPOC (Single Point of Contact) Unit). These units can also be referred to as CAB (Central Authorities Bureau) or CIU (Communications Intelligence Unit).

Once the request has been made to the relevant social media provider, it is a matter for that provider as to whether they supply the requested information. Their response will be based on that individual company’s privacy policy, not UK legislation.

The information able to be obtained varies from provider to provider and is subject to change at any time, depending on any changes to a provider’s policy. It is always worth double-checking with the investigating officer, through the relevant SPOC Unit, what is available at any particular time. Information about what will be disclosed is available to the SPOC Units through a knowledge database on a Home Office maintained platform known as CDS.

Information that is generally always obtainable is the information entered by an individual when setting up their account such as:

  • Name
  • Email address
  • Phone number
  • Address
  • Linked financial details e.g. Apple Pay

Content

On some social media platforms, such as Facebook and YouTube, it is possible to conduct ‘open source’ checks in the first instance to locate posts and their content, depending on the security settings an individual has placed on their account. Prosecutors may want to request that investigators start with such checks where appropriate before moving to more intrusive methods. Where investigators have conducted open source checks, prosecutors may want to suggest that the investigator records the searches using their body-worn camera, or takes screen-shots of what they have searched for and reviewed. This is to ensure that an accurate record exists of the line of inquiry taken, which can be demonstrated to the court if any challenge is forthcoming.

It is advisable for the investigator to consider requesting support and guidance from a Digital Forensics Specialist or DMI (Digital Media Investigator) to assist with the development of a Digital Investigation strategy.

Screenshots should be an approach of last resort when other methods have been explored or are inappropriate.

The other main method of obtaining content, such as messages, from social media is through physical examination of the phone – either a download using the one of the methods detailed above in this guidance or through manually searching/scrolling through the phone. A manual search and a ‘level 1’ download are unlikely to reveal deleted material. Both types of physical examination will depend on the ability of the investigator to access the phone, such as knowing the PIN or pattern lock for the device.

If the investigator has not been provided with the necessary information to be able to unlock the phone, you may want to consider asking the investigator to issue a notice under section 49 of the Regulation of Investigatory Powers Act 2000. A notice under s.49 requires the individual to disclose the information required. Failure to do so constitutes a criminal offence (s.53 RIPA). It would not be appropriate to issue a s.49 notice to a complainant or witness in a case but could be beneficial where a suspect/defendant is not co-operating.

Alternatively, if no information is forthcoming the prosecutor may wish to discuss with the investigator whether the phone can be accessed using any other methods. This will need to be decided on a case by case basis, where deemed necessary and proportionate in the circumstances.

It is possible for content to be obtained directly from the social media provider following the same process that is carried out in relation to obtaining subscriber details, however this is usually in ‘threats to life’ scenarios. In all other cases content can to be obtained using mutual legal assistance (MLA). Prosecutors should also be mindful that it may be necessary to make a request for preservation of such material to ensure it is retained. For further assistance as to the considerations and process required please refer to the guidance on International Enquiries.

Deleted Material

If prosecutors have decided that it is a reasonable line of inquiry to seek to obtain material believed to have been deleted from a suspect’s or witness’s social media account, more often than not a forensic examination will be required (such as a ‘level 2’ download). Again, the amount of deleted material that can be retrieved depends on the make and model of the device, whether the device is ‘synced’ to another device or to a ‘cloud’ and the software being used for the download. Prosecutors should carefully consider what material it is that they are seeking and therefore whether a forensic examination is necessary – a level 1 download or manually inspecting the device may achieve the results you are seeking.

Some social media platforms, such as ‘Snapchat’ are deliberately designed so that its principal feature is that pictures and messages are usually only available for a short time before they become inaccessible to their recipients; in effect they are deleted from the recipient’s device unless the recipient chooses to save the message. This can be problematic for investigators and prosecutors and more often than not it is not possible to retrieve what was sent by either manually examining the device or subjecting it to a forensic examination.

Social media providers are under no obligation to retain the messages/material that has been sent on their servers; most providers do retain the material but only for a very short period of time, sometimes for only as long as the conversation itself is taking place. Where it is considered that there might be relevant content held by the provider, which is at risk of deletion, the investigator should seek preservation of that data pending an MLA request from a prosecutor.

An investigator could also request, through the SPOC Unit, for a request to be made to providers such as Snapchat for information about the material they may have retained, although in most cases providers will not disclose information about content held without an MLA request. It is best, when seeking information about material held on a particular account, to phrase the request in general terms, to ensure an accurate response. Suggested wording of a request can be: “could an application be made to Snapchat via the SPOC Unit as to what material they still retain and are prepared to disclose in relation to account holder Adam Smith”.

Prosecutors should consider carefully whether making such a request is reasonable and proportionate in the circumstances of the case and whether the material/information they are seeking would be capable of having an impact on the case. There is no guarantee that the material has been retained. Where it has been retained it will usually only be disclosed through MLA.

IP Information

An IP (Internet Protocol) address is a particular address within the internet. These can be static or dynamic, public and private. A static IP is an address which is always going to be the same and usually associated with a company.

Other IP addresses are dynamic; they are assigned by the CSP each time the user connects to the internet. Most domestic routers will be dynamic. So the address of the router will be different at different times and on different days.

A domestic router such as a BT Home Hub will have a public facing dynamic address however the router then has a number of inward facing connections to the devices using it. Each of these has their own dynamic address which they use to connect to, and is seen only by the router. This is a private IP address.

The only method of determining these private IP addresses is by physical examination of the router. This must be done quickly and whilst the router is in situ by a suitably qualified forensic examiner. This means that when resolving an IP address, one must be mindful that the data trail is only to the router and not the device. In order to ascertain the user, you must consider additional material available, and to prove the link evidentially a physical examination of individual’s device must be made.

It must be borne in mind that not all domestic routers are secure, and some may be open to passing traffic and unknown users. It is also worth remembering how common it is to share ‘the Wi-Fi password’ with friends and visitors to an address.

The situation becomes more complex with the provision of public Wi-Fi hotspots. The provision of Wi-Fi on trains and at public venues can give you accurate time and location. You should liaise with the investigator where public Wi-Fi is being considered as a reasonable line of inquiry. The investigator will need to discuss this with their digital forensic SPOC who will be able to advise on which WIFI providers to approach.

Admissibility of Material Obtained

Material received from social media platforms

Any material obtained by the investigator is capable of being used as evidence provided the service provider can provide a statement or affidavit and where specific restrictions have not been placed on the material by the service provider. Where specific restrictions have been placed on the material’s use in criminal proceeding and/or where a statement or affidavit is not provided by the provider, the material can be sought through MLA. For further assistance as to the considerations and process required please refer to the guidance on International Enquiries. Advice on legal requirements for specific countries can be sought from CPS Liaison Prosecutors. Prosecutors should continue to liaise with investigators in these situations.

Obtaining this material could take a significant amount of time. Prosecutors should consider whether there are alternative method of obtaining the material required, such as conducting a physical examination of the phone or other evidence that has been gathered that may reveal the same information.

The IPA authority and any material received should be scheduled on the appropriate unused schedule (ordinarily this should be the non-sensitive scheduled unless there is a reason to assert sensitivity e.g. a Directed Surveillance Authority) and consideration given to whether the information obtained is disclosable.

The Crime (Overseas Production Orders) Act 2019 (COPO) received Royal Assent in February 2019. The COPO Act provides UK law enforcement and prosecutors with the ability to apply to a domestic court for an Overseas Production Order (OPO) seeking electronic content (not subscriber data) directly from service providers based outside the UK for the purposes of investigating and prosecuting serious crime without the need for MLA. A relevant designated international cooperation agreement needs to be in force to enable an OPO application to be made. An agreement with the US was signed on 3 October 2019. However, it is not expected that the OPO will be operational until 2021. Further guidance will be provided prior to commencement.

Material obtained from a download of a device

Material obtained from a download of a device can be exhibited by the investigating officer and served as evidence (redacted where necessary), or alternatively, scheduled on the non-sensitive unused schedule if not relied upon and provided to defence if deemed disclosable.

If a forensic examination of the device (such as a level 2 or 3 download) has been carried out it will be appropriate to obtain a statement from the technician as to the how the download has been conducted – the software used, what has been searched for and any limitations on the results of the download, i.e. ‘it cannot be guaranteed that all deleted messages have been retrieved’. This will ensure all parties understand the benefits and limitations of the material that has been provided.

Material obtained from manual examination of a device

As with material obtained from a download, the officer who carried out a manual examination of the phone should provide a statement exhibiting any information found, including any screenshots taken during the examination. Any material obtained that is not being relied upon should be scheduled on the non-sensitive unused material schedule and considered for disclosure purposes.

Any queries that investigators and prosecutors have about the potential to obtain material from social media platforms or through physical examination of a device should be directed to SPOC teams and police digital forensic laboratories who should be able to provide some assistance. Deciding on your digital forensic strategy at the outset of a case is crucial to ensuring you have the best opportunity to gather and consider all material relevant to the case. The ‘Think Digital’ toolkits are a useful aid when considering digital forensic strategy and case management.

Communicating the Reasonable Lines of Inquiry Pursued

It is important that prosecutors are fully informed of the lines of inquiry pursued or not pursued by investigators to ensure that the Full Code Test can be applied when making charging decisions and in order to fulfil our disclosure obligations. Where a Disclosure Management Document is being used in a case, this information is required to be completed on that document and served on defence and the court.

If prosecutors are unclear or are not aware of the lines of inquiry pursued they should request this information from the investigator. Prosecutors may want to request: 

  1. A list of all the devices seized (should be on the MG12 or equivalent);
  2. Confirmation of the devices that have been interrogated and those that haven’t, and why;
  3. Of the devices that have been interrogated:
  • What method was used to interrogate the device i.e. manual examination, level 2 download and why this method was used;
  • Are there limitations of the method used i.e. it does not access deleted material, it has not accessed browser history;
  • Were any date/time or other parameters used when interrogating the device – what were they?
  • Were any search terms used when interrogating the device – what were they?

In addition to prosecutors being clear as to the methods employed to interrogate the device, defence should be encouraged at an early stage to engage with the digital strategy being adopted, suggesting reasonable lines of inquiry, search terms and date parameters etc. The defence are under a duty pursuant to the rule 3.3 of the Criminal Procedure Rules to assist with case management, including identifying issues in the case and advising of any further information required. Tools such as the DMD can play an important role in holding defence to account and demonstrating the transparent approach that the prosecution has taken to the investigative strategy.

Further reading

Scroll to top