Cybersecurity & Tech Surveillance & Privacy

Law Enforcement Is Accessing Locked Devices Quite Well, Thank You

Susan Landau
Monday, December 7, 2020, 8:01 AM

A new report shows the widespread use by law enforcement of tools that circumvent encryption barriers.

"Smart Cities" by Khahn Tran. (https://cybervisuals.org/visual/smart-cities/; CC BY 4.0, https://creativecommons.org/licenses/by/4.0/)

Published by The Lawfare Institute
in Cooperation With
Brookings

Apple introduced the iPhone in 2007—and discovered it was a great target for street theft. The device was small and expensive, and it could easily be grabbed from someone’s hand. Apple worked to secure the phone, developing Find My iPhone. Thefts dropped. But criminals are nothing if not creative, and it soon became clear that street theft was the least of Apple’s security problems. Hackers in China used data from the devices to commit identity theft. And later the criminals started selling instructional videos to other criminals, showing how to do these hacks themselves.

Apple’s response was to secure the phone’s data. Beginning with the iOS 5 operating system in 2011, Apple encrypted sensitive files such as email and a user’s address book with a key that combined the user’s PIN with the phone’s hardware key. Apple made the phone’s data even more secure with iOS 8 in 2014; after that update, more than 90 percent of the phone’s data was secured in this way. The end result? More than 90 percent of the data on the phone can be unlocked only by the user.

Not everyone was enamored with the new protections. Law enforcement argued that the tools didn’t just keep out criminals; it also prevented them from doing their jobs. “Are we no longer a country governed by the rule of law, where no one is above or beyond that law?” then-FBI Director James Comey asked during a 2014 speech, referencing the bureau’s difficulty in accessing locked phones and encrypted communications. “New smartphone technology is rendering our laws insufficient to protect public safety,” Manhattan District Attorney Cyrus Vance Jr. wrote in the Washington Post in 2015.

But a new report shows the widespread use by law enforcement of tools that circumvent those technical barriers. The report from Upturn, a Washington, D.C.-based civil society organization, zeroes in on law enforcement use of mobile device forensic tools (MDFTs). These hardware and software tools collect forensic data from mobile phones: the texts, emails, and photos stored on the phone; data regarding when the texts and emails were sent and where the photos were taken; the locations—if location tracking tools are turned on—where the phone and, presumably, the user have been; and when they were there. According to the report, 2,000 of the United States’s 18,000 law enforcement agencies, including 50 of the nation’s largest police departments, either have purchased MDFTs or have access to these tools.

Law enforcement has repeatedly talked about the need for access to locked phones to solve serious crimes such as terrorism, murder and child pornography. But it’s hardly the case that law enforcement uses these tools only when investigating such crimes. In fact, these highly invasive tools are also used to investigate a host of lesser crimes. The report cites the following examples: “graffiti, shoplifting, marijuana possession, prostitution, vandalism, car crashes, parole violations, petty theft, public intoxication, and the full gamut of drug-related offenses.”

To be clear, the use of MDFTs is not yet deeply entrenched in police procedure. They’re relatively new, and only a minority of police departments use them. But the tools have brought about a big shift in the “going dark” debate and pose daunting civil liberties challenges that will only become more widespread as the tools proliferate among departments across the country.

These forensic tools are quite sophisticated. FBI Director Christopher Wray once complained that “warrant-proof encryption,” like that used on iPhones, prevents law enforcement access to crucial evidence. But Upturn found that the forensic tools copy all the data found on a cellphone. The tools then sort the data so that law enforcement can easily search through it. And MDFTs include some features that make law enforcement’s job even easier. For example, Cellebrite, perhaps the most sophisticated MDFT, can compare a facial image, such as from a police database, to any of the faces in photos stored on the phone. Others MDFTs classify text conversations by topic, such as drugs, money or family.

The MDFTs work on a variety of sophisticated phones. Cellebrite says it can extract data from “all iPhone devices from iPhone 4S to the latest iPhone 11 / 11 Pro / Max running the latest iOS versions up to the latest 13.4.1.” The company claims to be able to handle even locked iPhones and Android devices.

The tools are so effective that they have largely automated the business of unlocking phones. That’s a big change from the mid 2000s. Jonathan Zdziarski, an Apple forensics expert, used to teach FBI technologists how to access data from iPhones on a bespoke basis. But law enforcement soured on that approach later in the decade, and investigators sought solutions that essentially were “push a button, data appears,” Zdsiarski told me on Listening In. Achieving that ease of search may have driven the past decade’s fights over locked phones. That is, the security protections that Apple and Google (Android’s developer) put in place to protect customer data on the phones made it harder for everyone, including law enforcement, to access private data on the phone. That’s a security improvement. But the security improvement comes with a downside: It makes it harder to have the push-and-data-appears solutions that law enforcement seems to prefer. Even when law enforcement could breach phones on an individual basis using techniques like those taught by Zdziarski, the encryption systems imposed a barrier to what law enforcement really wanted: speed and ease of search.

The widespread adoption of MDFTs changes that equation. The Upturn report shows that companies like Cellebrite and GrayShift (maker of the GrayKey tool) provide push-and-data-appears capability—but at a cost. Since 2015, Las Vegas’s police department has spent more than $640,000 on MDFTs; Miami’s police department, more than $330,000; state agencies in Michigan, more than $1 million; and Indiana State Police, more than $510,000. Put another way, Apple’s and Google’s security protections appear to be good enough to thwart casual criminals. But they don’t appear to keep out anyone with a large enough budget to pay for MDFTs.

That seems to change the going dark premise. Law enforcement has long warned that the consequences will be the increasing inability of law enforcement to investigate serious crimes. But Upturn’s report shows that maybe the problem is different: The issue is not law enforcement’s inability to get into locked phones but, rather, who can pay to enable law enforcement access.

To be fair, MDFTs don’t do a perfect job. They can’t open all phones, and they can’t always get all data off the phones that do get opened. That’s not surprising or new. Law enforcement investigations always have to work around missing information. What the Upturn report demonstrates is that MDFTs are powerful investigative tools that provide much of what law enforcement has been seeking. The impact of the report is significant: It ends the going dark debate about locked phones. Law enforcement is not going dark, not while it has MDFTs.

But the report looks beyond just MDFTs and explores the broader context in which law enforcement searches of mobile phones occur. Upturn’s investigation showed that phone searches were frequently problematic from a civil liberties perspective. Searches were often conducted for inconsequential crimes; there were minimal legal controls over searches, and often the searches were conducted in situations of duress where due process can sometimes be an afterthought. Upturn found that “state and local law enforcement agencies have performed hundreds of thousands of cellphone extractions since 2015,” many without a warrant.

The report sheds light on a pattern of uncontrolled and indiscriminate searches conducted by law enforcement using MDFTs. Virtually every police department that responded to Upturn recognized the need for a clear legal basis for searching a phone, yet most don’t yet have a clear policy.

The need for such policies is overwhelming. The report found that many searches occurred without a warrant. Many happen, for example, through “consent” obtained through dubious means. During an arrest, police would pocket a suspect’s phone asking to search it while warning “otherwise, we’ll get a warrant to do so.” That’s not consent; it’s a search conducted without oversight. Given the extent of personal information on an individual’s phone, such searches have been found to contravene Fourth Amendment protections; in Riley v. California, the Supreme Court held that a warrant is required to search a cellphone incident to an arrest. Given the extent to which mobile phones are an essential tool of modern lives, the searches are, as Upturn observes, “a dangerous expansion of law enforcement’s investigatory powers.” That’s especially the case for Black and other minority communities that are often the targets of such searches.

Problems lie deeper than consent searches. Upturn’s report highlights many additional issues, including failure on behalf of police departments to adopt search policies for the digital age. Phones are qualitatively different from previous objects of police searches. They hold chats and texts that users send—and record when they sent them. They hold photos and often provide a treasure trove of information about a user’s locations. Data stored on mobile phones is extensive and includes highly personal information—and the MDFTs are similarly far more extensive than the search tools they replace. Yet police search policies have not kept pace with the search tools.

The report singles out, for example, the plain view exception, which permits a law enforcement officer to seize objects not described in a warrant when conducting a search if such objects are in plain view. This exception, in my view and in the report’s, is unreasonable when searching a digital device. MDFTs have been designed to assume all files are in “plain view,” an extension of the doctrine that renders it meaningless.

The report highlights an additional set of issues based largely on the failure to adopt search policies for the digital age. The complexity of digital searches worsens the problem, complicating oversight as well as the ability of defense counsel to ensure proper measures were taken during a search.

Police searches must be done in a way that enables such oversight. Proper chain of custody is also crucial. Upturn’s report makes a number of recommendations:

  • Ban the use of consent searches of mobile devices.
  • Abolish the plain view exception for digital searches.
  • Require easy-to-understand audit logs.
  • Enact robust data deletion and sealing requirements.
  • Require clear public logging of law enforcement use.

Controlling the use of MDFTs is critical for keeping a proper balance between security and liberty. As the Supreme Court observed in Riley, phones are really “cameras, video players, rolodexes, calendars, tape recorders, libraries, diaries, albums, televisions, maps [and] newspapers” with a huge storage capacity. Failing to control the extent of a search or to document how it is conducted transfers power from an individual to the state. The Upturn report illuminates a problematic dynamic that is fortunately not yet deeply entrenched in police procedure.

The report provides a meta-lesson as well, namely, a compelling need for enacting civil liberties protections simultaneously with adopting increasingly powerful digital surveillance tools. It’s a digital age lesson that the country has repeatedly failed to follow. Given the capabilities of digital search tools, such costs can quickly grow too high for a democracy to bear. The time to act on Upturn’s “Mass Extraction” report is now.


Susan Landau is Professor of Cyber Security and Policy in Computer Science, Tufts University. Previously, as Bridge Professor of Cyber Security and Policy at The Fletcher School and School of Engineering, Department of Computer Science, Landau established an innovative MS degree in Cybersecurity and Public Policy joint between the schools. She has been a senior staff privacy analyst at Google, distinguished engineer at Sun Microsystems, and faculty at Worcester Polytechnic Institute, University of Massachusetts Amherst, and Wesleyan University. She has served at various boards at the National Academies of Science, Engineering and Medicine and for several government agencies. She is the author or co-author of four books and numerous research papers. She has received the USENIX Lifetime Achievement Award, shared with Steven Bellovin and Matt Blaze, and the American Mathematical Society's Bertrand Russell Prize.

Subscribe to Lawfare