To answer these questions, investigators at the nonprofit Upturn, in partnership with the Legal Aid Society and with financial support from the Ford Foundation among others, set out to discover the truth about the police capacity to search smartphones, the extent to which this capability is spread across the various levels of law enforcement around the country, the manner in which police use these tools, and what type of public oversight governs these practices. To that end, the Upturn researchers sent over a hundred records requests to a variety of law enforcement agencies, mined publicly available databases that track police activities and government spending, and analyzed the literature and websites of companies that provide electronic services to police. This process, which began in February 2019, yielded more than 12,000 pages of documents from records requests and uncovered mountains of publicly available data.
The resulting report, released in October 2020, came to the following conclusions: (1) Police agencies across the U.S. either possess or have easy access to extraordinarily effective mobile device forensic tools (“MDFTs”) that allow them to breach the security of and search nearly any phone or tablet on the market; (2) the ubiquity of mobile devices and relatively low cost of MDFTs has led to an extraordinarily wide proliferation of these tools at every level of policing; (3) despite the impression given in the media when reporting on high-profile cases, MDFTs are in routine use on all sorts of investigations from drug possession to graffiti; and (4) there is very little public awareness about these tools and almost no oversight of their use.
The Upturn report exhaustively details the data upon which these conclusions were based and offers a series of policy ideas to better align how police use these powerful tools with the interests of the public they are pledged to protect.
Technical Capacity of MDFTs
Mobile device forensics is essentially a three-stage process: security breach, data extraction, and analysis. An MDFT helps police do all three. MDFTs are essentially programs that are plugged into a mobile device in order to defeat password protection, copy all the data on the device, and then perform a series of sorting or search routines to allow investigators to sift through all the data.
MDFTs allow police to use a variety of tools to circumvent the security features built into almost all phones. According to Upturn, these tools include “guessing a password, exploiting a vulnerability or developer tool, or even installing spyware.”
So-called “brute force attacks,” which repeatedly try random passwords until guessing the correct one, can be very effective.
The report cited an estimate by Professor Matthew Green that brute-forcing a password on an iPhone would take “no more than 13 minutes for a 4-digit passcode, 22 hours for 6 digits, and 92 days for 8 digits.” The newer iPhones released since 2018 limit the effectiveness of brute force tactics, but MDFT manufacturer Cellebrite claimed in September 2020 that its products could “perform a full file system extraction of all iPhone devices.”
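Added example, not part of the Upturn report or the original article: the three quoted figures each work out to roughly 80 milliseconds per guess, and the sketch below uses that implied rate to show how passcode length and character set change the worst-case exhaustive search time. It assumes a constant guess rate with no device-side attempt limits or delays; the function names are illustrative.

```python
# Added example. Only the three quoted times come from the article;
# the constant-rate model and all names here are assumptions.
QUOTED_SECONDS = {4: 13 * 60, 6: 22 * 3600, 8: 92 * 86400}  # digits -> time

YEAR = 365 * 86400


def implied_rates(quoted=QUOTED_SECONDS):
    """Seconds per guess implied by each quoted figure (10**digits guesses)."""
    return {d: t / 10 ** d for d, t in quoted.items()}


def worst_case_seconds(alphabet_size, length, per_guess):
    """Time to try every passcode of this length at a constant rate."""
    return alphabet_size ** length * per_guess


def min_length(alphabet_size, target_seconds, per_guess):
    """Shortest length whose exhaustive search takes at least the target."""
    length = 1
    while worst_case_seconds(alphabet_size, length, per_guess) < target_seconds:
        length += 1
    return length


# Use the fastest implied rate so the estimates err toward the searcher.
PER_GUESS = min(implied_rates().values())

if __name__ == "__main__":
    for digits, rate in implied_rates().items():
        print(f"{digits} digits: {rate * 1000:.1f} ms per guess")
    for name, size in [("digits", 10), ("lowercase+digits", 36),
                       ("mixed case+digits", 62)]:
        n = min_length(size, 10 * YEAR, PER_GUESS)
        print(f"{name}: {n} characters to exceed 10 years worst case")
```

Under these assumptions, a short alphanumeric passcode outlasts a much longer numeric one, which is the practical takeaway for anyone setting a device passcode policy.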
Even when brute force fails, other breach techniques are available. Cellebrite has a tool that can cause most Samsung phones to skip the password step when turning on. Another company, GrayShift, offers spyware tools called HideUI that allow police to monitor the phone after it is returned to its user and record the subsequent password entry. When these tactics fail, many MDFT companies offer advanced services at their labs for stubborn devices. The inescapable conclusion is that in all but the rarest cases, police are able to gain access to all the data on any device.
Once a phone’s security is breached, data extraction begins. MDFTs allow for several techniques that copy varying amounts of data. Investigators can use manual extraction, in which they copy pieces of data or files that they bring up like a normal user, or logical extraction, an automated process that copies all data normally presented to a user. Both of these methods limit the copied data to what a user would normally see. Other methods, like file system extraction, copy everything on the device, including data not normally displayed to users and any “deleted” data from memory space that has not yet been written over.
Investigators can also use account credentials gleaned during extraction to access account-based data stored in the cloud. MDFTs also allow police to access the data stored in Google’s location history, which, according to the Upturn report, stores precise records spanning years and can be used to create a timeline or map of a user’s location.
After extraction, the process of analysis is also facilitated by MDFTs. Police can “sort data by the time and date of its creation, by location, by file or media type, or by source application,” according to documents obtained by Upturn. This allows police to analyze gigabytes of data using keywords or search parameters and obtain results in minutes, as opposed to the countless hours required to process data manually.
MDFTs like Cellebrite’s Pathfinder create visualization features to help organize extracted data and sync together data extracted from multiple phones to paint a more complete picture. These programs also run a variety of mapping routines that can track the spatial relationships of multiple phones, common contacts, or similar purchase data.
In short, the report conclusively shows that despite the protestations to the contrary by various police agencies, law enforcement has access to extraordinarily effective and efficient tools that allow for the extraction and analysis of all the data stored on mobile devices.
Proliferation of MDFTs
When law enforcement agencies have publicly acknowledged the existence of MDFTs, there is a tendency to portray the technology as prohibitively expensive and therefore available to only the most well-heeled of police forces. The Manhattan District Attorney’s Office, when commenting on MDFTs, assured the public that “This office, with our relatively considerable resources, is one of the few local agencies that can afford to pursue this kind of solution.”
The research published in the Upturn report tells a different story. The researchers found MDFTs deployed in jurisdictions across all 50 states and the District of Columbia. Of the 18,000 police agencies in the U.S., at least 2,000 have purchased some sort of MDFT product, according to documents obtained by Upturn. The report’s authors added, “We believe many more agencies in the U.S. have purchased MDFTs than the ones we were able to identify.”
Even the data the researchers collected paints a remarkable picture. Agencies at every level of law enforcement are represented, including local police departments, sheriffs, public schools, housing authorities, prisons, and more. Every one of the nation’s 50 largest police departments has purchased some form of MDFT, as have state police in all 50 states, 25 of the 50 largest sheriff’s departments, and 16 of the 25 largest prosecutor’s offices. On the other end of the scale, information obtained by Upturn from GovSpend, a database of government contracts and purchase orders, shows MDFT purchases by small jurisdictions as varied as Pearland, Texas, and Shaker Heights, Ohio.
Many of these purchases are driven by the availability of federal grant money. Funds for MDFTs are available from the Justice Assistance Grant program, the Internet Crimes Against Children taskforce, and the Forensic Science Improvement Grants Program. Agencies can receive hundreds of thousands of dollars for these purchases, as the Miami-Dade Police Department did when it received $283,000 of Justice Assistance Grant money to buy Cellebrite tools.
If a small agency cannot obtain funding for an MDFT purchase, the technology is still likely available to them. The Upturn report cataloged a host of interagency agreements that give small agencies access. In addition, the FBI is said to operate MDFT kiosks at 84 locations nationwide. These kiosks performed 31,000 data extractions between 2013 and 2016.
Clearly, MDFTs have been adopted at every level of law enforcement across the U.S., and there is no reason to conclude that their cost limits their availability to police.
Routine Use of MDFTs
In 2015, the Supreme Court held in Riley v. California that police must obtain a warrant to search a cellphone. That requirement has created a records trail that partially illustrates how MDFTs are used. Upturn received only 44 responses to records requests relating to how MDFTs are used, but those responses showed police “use mobile device forensic tools tens of thousands of times, as an all-purpose investigative tool, for an astonishingly broad array of offenses, often without a warrant. And their use is growing.”
Despite the police narrative that phones are hard to open and MDFTs are used mainly in serious cases, the Upturn report showed the use of MDFTs in investigations of graffiti, vandalism, shoplifting, petty theft, public intoxication, and a wide array of other minor incidents. It is true that these tools were used in major investigations as well, but considering that the researchers at Upturn concluded, “It’s safe to say that state and local law enforcement agencies collectively have performed hundreds of thousands of cellphone extractions since 2015,” the obvious conclusion is that minor crimes make up a big share of MDFT applications.
The warrants obtained by police are often intentionally broad or vague, despite the “particularity requirement” of the Fourth Amendment. Police justify the need for broad warrants by claiming that a systemic search of the whole phone is necessary to be able to collate any data retrieved, and thus far, courts have been reluctant to apply strict limits to phone searches.
Warrants appear to be necessary in only about half of phone searches because police regularly rely on the user’s consent as the legal basis to search the phone. In Harris County, Texas, the sheriff’s office conducted 1,583 cellphone extractions from 2015 to 2019; only 47% of these searches required a warrant.
The same statistic is observable in Denver and Seattle. It is unclear how aware the user was of what the search entailed, nor is it clear how much the power-differential between police and people of color influenced the decision to consent to the search.
The data brought to light by the Upturn report is troubling not just in the facts it reveals but also in how much it exposes a lack of publicly available data and community oversight of police use of MDFTs. Not only is there a lack of public approval of MDFT policies, the report found that more often than not, no policies exist.
For example, New Mexico recently enacted standards that require police to destroy data obtained in a search that is unrelated to the warrant within 30 days. Few other jurisdictions, however, have any limits. This allows police to build massive databases collating all the data they extract, even without evidence of criminal activity. Across most of the U.S., there is no avenue for a citizen to contest this data retention, nor is there any method for external or public review.
In the rare cases where public oversight of MDFT use has taken place, it is often hindered by police secrecy or obfuscation. In Rochester, New York, for example, when the city council debated the purchase of a GrayKey system by the city police, the department was keen to assure council members that systems would be put in place to assure MDFT technology was only used in “the most serious crimes.” Despite these assurances, no restrictions were put in place. Similarly, in Davis, California, police responded to a city council request for statistics on the use of MDFTs by inexplicably stating “use of the device is still the most effective way to access electronic information of a cellphone.”
Even in this age of growing demands for police transparency, the use of MDFTs remains shrouded in secrecy, and there it will remain until effective oversight of the use of these invasive tools is compelled by the public.
The researchers at Upturn concluded their report with a series of policy suggestions designed to make the use of MDFTs more consistent with the broader framework of American civil liberties. The first is a reordering of the legal basis used for searches, including a ban on consent searches, more stringent parameters on search warrants, and an elimination of the “plain view” exception to warrant requirements. Second, Upturn recommends the creation of standard and easily audited logs to record when, why, and how an MDFT was used. Finally, strong data deletion and records sealing requirements should be enacted to prevent the creation of permanent databases built on data not related to any crime.
The Supreme Court observed in Riley that “a cellphone search would typically expose to the government far more than the most exhaustive search of a house.” Despite this reality, police employ MDFT technology in a broad range of cases with little or no oversight. The Upturn report has exposed this truth; it remains to be seen what the public response will be.