Apple promises that iPhones are safe from snooping. Police in Oklahoma have tools for breaking into them anyway.
When attendees arrived at the 2019 Consumer Electronics Show in Las Vegas, they were greeted with an ad stretching across the face of a SpringHill Suites hotel that stood 24 floors high.
“What happens on your iPhone stays on your iPhone,” the ad boldly promised.
Also known as CES, the electronics show is one of the biggest of its kind in the world. Leading technology companies like Apple carefully time the release of new products and image campaigns to coincide with the show in the hopes of exciting consumers.
The declaration marked the opening shot of a new advertising campaign by Apple to brand itself as the privacy-focused alternative to competitors like Google and Facebook.
Apple CEO Tim Cook has since seized on opportunities to portray privacy as an essential feature of the company’s products. Sophisticated encryption, Apple argues, protects its customers from identity theft, hackers, sneaky ad trackers … and the prying eyes of the government.
The company has gone so far as to publicly clash with law enforcement over whether investigators should be given special permissions to penetrate the otherwise powerful encryption built into Apple devices.
Apple and Google both have increasingly asserted that their rigid encryption standards make it impossible for them to access the smartphone data of customers on behalf of law enforcement.
That’s prompted outcry from investigators everywhere who say the smartphones of criminal suspects are gradually “going dark.” Better encryption, they say, is making it easier for criminals to escape justice.
But the truth is that law enforcers – including here in Oklahoma – have long used secretive technologies to gain access to phones with or without help from manufacturers.
The hidden history of smartphone cracking
Perhaps the loudest law enforcement agency to warn of the risk of “going dark” is the FBI. After mass shootings in California five years ago and Florida last year, the FBI publicly denounced Apple for its refusals to help with accessing the phones of the killers.
Yet the story quietly fizzled after agents eventually broke into the phones on their own without assistance from Apple. It’s unknown what technology the FBI used. What is known is that a constellation of companies unfamiliar to most people has sold advanced technologies to law enforcement agencies for years promising independent access to smartphones.
The Israeli company Cellebrite, for example, was founded in 1999 and today boasts of having 7,000 customers in 150 countries. Cellebrite promises that its products can “bypass pattern, password, or PIN locks, and overcome encryption challenges quickly on popular Android and iOS devices.”
Cellebrite’s leading rival is Grayshift, a company based in Atlanta and co-founded by a former Apple engineer. Grayshift says that its customers can enjoy “same-day extractions from locked iOS devices,” as well as the ability to “extract the full contents from iOS devices.”
New report sheds light on digital forensics tools
Just how widely used smartphone extractors and other surveillance technologies are by the thousands of law enforcement agencies in the United States is difficult to determine.
Investigative reporters and public-interest groups for years have used open-government laws in an effort to learn new details about what eavesdropping and surveillance technologies law enforcers were using.
An organization in Washington called Upturn has now published the most exhaustive look yet at the prevalence of “mobile device forensics tools,” such as those sold by Cellebrite and Grayshift.
Using public-records laws, Upturn researchers contacted over 100 of the largest law enforcement agencies in the nation. They sought policies governing the use of the devices, records of how they were used (e.g. as described in warrant requests to judges), and purchasing agreements and invoices.
The group defined mobile device forensics tools in the request letters as “any software, hardware, process, or service that is capable of extracting any data from a mobile device, recovering deleted files from a mobile device, or bypassing mobile device passwords, locks, or other security features.”
The results of the request letters are astonishing.
At least 2,000 law enforcement agencies now have technologies that enable access to locked and encrypted phones and reveal their data. Virtually all of the largest police departments in the country had the tools, according to the records, but numerous smaller agencies and sheriff’s departments were utilizing the devices also.
A landmark Supreme Court ruling in 2015 now requires that police first obtain a warrant from a judge before using such technologies. But that’s done nothing to slow their use. Upturn found that since the ruling, use of cell-phone data extractors by investigators has exploded in some cities anywhere from 250 percent to an eye-watering 550 percent in Honolulu.
Where local law enforcers can’t afford the technology, they can often send a locked phone to a state or federal crime lab that can crack it. Police can also send locked devices to private contractors for a fee and have them returned with access enabled.
Police in Tulsa, according to the Upturn report, have contracts with Cellebrite, as well as Susteen, a company based in California. Susteen vows that its products “can acquire immediate evidence off of thousands of phones in real-time. Collect images, texts, and application data from suspects or witnesses with ease.”
Oklahoma City, meanwhile, has made purchases with Cellebrite, Grayshift, and two more companies offering similar products called Magnet Forensics and AccessData.
Mission creep and the War on Terror
Interest among law enforcers in advanced surveillance technologies like cell-phone extractors accelerated after the Sept. 11, 2001, terrorist hijackings. Many experts in public safety felt the attacks could have been unraveled in advance through greater data and intelligence sharing and improved surveillance methods.
State and local agencies used hundreds of millions of dollars in newly available Federal “homeland security grants” to make major investments in surveillance devices of all kinds.
They deployed sprawling networks of high-powered surveillance cameras. They armed patrol cars with license-plate readers that automatically capture data on passing motorists and compare it to police databases. They created facial recognition databases and used spy planes to stitch together detailed images of areas as large as Compton, California.
Statistically, however, terrorist attacks are rare. Law enforcers are using these powerful surveillance and forensics innovations intended for the most desperate and dire of circumstances in everyday, mundane crimes.
Upturn found that police in Fort Worth, Texas, used cell-phone extractors in a case involving $220 worth of cannabis. In Coon Rapids, Minnesota, extractors were used in a dispute at a local McDonald’s over $70. In Colorado and Maryland, police were found to be primarily using the extractors in drug cases.
Upturn also learned that the devices were routinely used in cases involving public intoxication, petty theft, auto accidents, graffiti, prostitution, shoplifting, and marijuana possession.
“Many logged offenses appear to have little to no relationship to a mobile device,” Upturn concluded, “nor are the offenses digital in nature. In fact, for many of these alleged offenses, it’s difficult to understand why such invasive investigative techniques would be necessary, other than mere speculation that evidence could be found on the phone.”
And the beat goes on
Cellebrite announced in January that it was purchasing the Silicon Valley company BlackBag Technologies for $33 million. The buy signaled that Cellebrite was eager to move beyond mere smartphone extractions and into the future of police surveillance and digital forensics.
The provaticely named BlackBag Technologies can penetrate a broader universe of Windows, Apple, and Google products. Forbes called the merger “an Apple-hacking powerhouse” for law enforcement agencies.
Grayshift, meanwhile, announced a major infusion of $47 million from investors in October. Revenues, customers, and employees have all doubled for the company over the past year, Grayshift said in a press release announcing the investment.
While these tools have legitimate uses, unchecked use of these technologies threatens to relegate digital privacy as we know it to the ash heap of history. It’s more important than ever that their use be publicly known, highly regulated, and subject to enhanced judicial scrutiny.