Skip to main content
Geopolitics & DefenseGovernment & Policy

Met Police Surveillance Exposes Data Requests Surge

Police officer at desk with laptop in neutral setting.

“The information provided helps our officers gather intelligence, solve crimes and find missing people.” That is how the Metropolitan Police summed up a record of requests that, according to figures obtained under the Freedom of Information Act, saw London’s force ask tech companies for access to private communications data more than 700,000 times in 2025 alone.

Scale and legal channel: OCDA, IPCO, and what “communications data” means

The Met frames these requests as routine operational work. It told reporters that companies “have a legal obligation” to cooperate because of the powers of the Office for Communications Data Authorizations (OCDA), now part of the Investigatory Powers Commissioner’s Office (IPCO). The figures released under FoI cover communications data (CD) — metadata such as account payment details and, in some cases, IP addresses — rather than the content of messages.

But how those authorizations are granted is significant. Dr Bernard Keenan, a law lecturer and surveillance researcher at University College London, warned that communications data is treated as “a less severe intrusion than intercepting or accessing the content of a message,” and that while police need an authorization, the decision may be delegated to designated senior officers, making it “something that the police can do operationally, more-or-less autonomously.”

Encrypted services and contested disclosures: Proton, ProtonVPN and Signal

The Met’s returns include data it says was acquired from privacy-focused services. Since 2024 the Met reports obtaining communications data from Proton’s mail service 139 times. Proton characterises its approach as operating under a “strict legal framework,” saying all requests must go through Swiss authorities and that it refuses requests that do not meet its legal and human rights requirements.

The Met also claims to have acquired data results from ProtonVPN, a point Proton called “highly dubious and inconsistent with our technical reality […] because Proton VPN does not log user activity, there is no data to provide.” Proton added: “We engage with every request in good faith, but we simply cannot hand over what we do not collect.”

Similarly, the Met’s data suggests Signal supplied user data once since 2024. Signal’s spokesperson disputes that, saying: “Signal collects very little data about its users to begin with and publishes the requests we respond to at signal.org/bigbrother. We have not shared any user data in response to a legal request originating from the United Kingdom.” The record notes that if Signal were to provide data in such a case it could only be limited items such as phone numbers and timestamps for account creation and last access.

The Met declined to comment on the specifics of how it acquired disputed material.

LycaMobile spike: 500 percent increase and immigration questions

One of the most pronounced shifts in 2025 was the volume of requests to the mobile virtual network operator LycaMobile. The Met’s returns show requests rose from 15,702 in 2024 to 93,527 in 2025 — an almost 500 percent year-on-year increase. The surge was not mirrored for other UK providers named in the data, such as Vodafone, O2, Three, or Lebara.

Observers note the composition of LycaMobile’s user base — its focus on low-cost, overseas calling — raises questions about who is targeted. Fizza Qureshi, chief executive of Migrants’ Rights Network, said: “A 500 percent surge in data requests from the Metropolitan Police to a network used largely by migrants and racialized people makes clear that the digital border is expanding through policing.”

The context the source provides includes recent legislative change: the Home Office said immigration enforcement officers can now, under the Border Security, Asylum, and Immigration Act 2025, search the mouths of undocumented migrants for hidden SIM-cards as part of new powers to seize phones and gather digital intelligence. Those powers came into force in December 2025, and the report also recalls a 2022 High Court ruling that found the Home Office’s seizure and retention of over 2,000 migrants’ mobile phones to be unlawful.

The Met denied the LycaMobile increase was specifically immigration-related, suggesting it could reflect growth in the operator’s popularity — a claim observers say would imply a fivefold growth in subscribers for the numbers to be consistent. LycaMobile did not respond to requests for comment in the reporting.

Delivery apps, Counter Terrorism Policing procurement, and arrests

The Met requested data from ride- and food-delivery services — Uber, Bolt, JustEat, Deliveroo, and Dominos Pizza — a total of 768 times in 2025. Counter Terrorism Policing, part of the Met, ran a procurement last year for software described as a Communication Exploitation Data Tool whose initial requirements included processing Uber rides and deliveries “to be used for intelligence analysis.” A CTP spokesperson said a routine tender process had been under way but declined to provide further public details on systems and use.

The record also ties to enforcement: hundreds of delivery drivers were arrested last year in immigration operations shortly after gig firms pledged facial-recognition checks and fraud detection technology to clamp down on illegal working.

What this means for Migrants’ Rights Network, journalists, and technologists

  • Migrants’ Rights Network: The organisation views the LycaMobile surge as evidence of “the digital border” expanding into everyday services and has warned of pre-emptive criminalisation and privacy infringements for migrants and racialised people.
  • Journalists and legal professionals: IPCO’s 2024 annual report showed communications-data authorizations affected lawyers 219 times and journalists on 157 occasions; 106 separate warrants in 2024 were issued specifically to identify journalists’ sources, and those authorizations can include communications content under different powers. Tim Dawson of the National Union of Journalists said statutory protections exist but are “not sufficiently robust,” citing unlawful spying cases that reached the courts.
  • Technologists and privacy-focused vendors: Proton and Signal’s public responses stress technical limits and legal frameworks — Proton saying it refuses non-compliant requests routed through Swiss authorities, Signal emphasising it holds minimal data and publishes transparency reports — underscoring disputes between provider transparency and police records.

The numbers released to the Register sketch a policing model that leans heavily on metadata harvested from mainstream and niche services alike. The Met defends the practice as crime‑fighting and life‑saving work; critics warn the balance between operational agility and individual privacy — especially for vulnerable groups such as migrants and journalists — is under strain. The public record now includes detailed tallies, disputed handovers from encrypted services, a dramatic operator-specific spike, and a procurement line item pointing to the expanding technical ambition of surveillance teams — all facts that leave one tangible question: how will legal oversight, accountability mechanisms, and vendor transparency align around a surveillance footprint of this scale?

Original story — The Register