If you’ve followed my blogging over the years, you know that I have written about law enforcement battles with smartphone manufacturers (usually Apple) over access to locked iPhones a few times. There was the gunman in the San Bernardino terrorist shooting back in 2016 in which the FBI, after disputes with Apple over providing back door access to law enforcement, was able to use an “unnamed third party” to gain access to that iPhone. And, earlier this year, experts indicated that they could also do it without Apple’s help. Apparently, getting into locked phones happens more often than you might think.
According to Wired (How Police Can Crack Locked Phones—and Extract Information, written by Sidney Fussell), a new report from the Washington, DC-based research nonprofit Upturn finds 50,000 cases where law enforcement agencies turned to outside firms to bypass the encryption on a mobile device. 50,000! Law enforcement in all 50 states have contracted with vendors like Cellebrite and AccessData to access and copy data from locked phones, according to the report. While police have relied on the evidence uncovered from these phones to close high-profile cases, the authors of the Upturn report say the practice is largely secretive and risks an “unacceptable threat to Fourth Amendment protections” against overbroad searches.
Between 2015 and 2019, Upturn found almost 50,000 instances of police using mobile device forensic tools (MDFTs). The report’s authors argue the tools provide information about people’s lives far beyond the scope of any investigation, and few police departments limit how or when they can be used. The team sent public-record requests to state and local law enforcement agencies across the country and found that more than 2,000 agencies have at some point used an MDFT.
“The justification we often see is: People who sell drugs or use drugs [also] use phones,” says Logan Koepke, the report’s lead author. “But, of course, everyone uses phones.”
Police can ask someone to unlock their phone in connection with a case. This is called a “consent search.” Their success varies greatly by region. Upturn found that people consented to 53 percent of the more than 1,500 extractions conducted by the Harris County, Texas, Sheriff’s Office (which is the county where I live, by the way). In Atlanta, however, only about 10 percent of the nearly 1,000 extractions were done with the owner’s consent.
Of course, when the owner refuses to unlock the phone, police must seek a warrant, which is what happened in the 2016 case mentioned above where Apple objected to an FBI request to grant investigators access to a locked iPhone 5C belonging to one of the shooters believed to have killed 16 people in San Bernardino, California. As a result, the FBI turned to that “unnamed third party”, which helped law enforcement bypass the lock.
For its report, Upturn reviewed hundreds of search warrants requesting the use of MDFTs for offenses large and small, from suspected murder to shoplifting. The authors say police often provided only a tenuous justification for wanting to unlock a phone. Further, the warrants typically are not limited to the specific information that led police to the phone. Instead, the warrants, and the MDFTs, allow for police to use anything on the phone against a suspect.
While Upturn found nearly 50,000 cases where 44 police departments had extracted data from phones, Koepke thinks the true total is much higher. Some of the nation’s largest police departments fought the group’s records requests. The New York, Baltimore, DC, and Boston police departments refused to provide details on whether they use the tools. Koepke says litigation to access these records is ongoing.
I have a feeling you’re going to hear a lot more about this topic over the next few years as law enforcement and privacy advocates battle it out. Not to mention, the device manufacturers who want to keep their devices as secure as possible.
BTW, I like to give a “hat tip” when somebody brings an interesting story to me like this one. This time, it happens to be my beautiful wife Paige! Thanks, honey!
So, what do you think? Should law enforcement agencies be able to “crack” into mobile devices without consent if they have a warrant? Please share any comments you might have or if you’d like to know more about a particular topic.
Disclaimer: The views represented herein are exclusively the views of the authors and speakers themselves, and do not necessarily represent the views held by my employer, my partners or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.