For years, the Seattle Police Department (SPD) has been using technology that can extract information from your phone via a wired connection, bypassing most security measures, including the lock screen. Now, the city’s IT department is reviewing the technology, commonly referred to as Mobile Device Forensic Tools (MDFTs), to assess the full privacy implications of the technology.
Privacy and civil liberties advocates warn the technology is extremely wide-reaching, especially considering the lack of limitations on its implementation.
“Mobile device forensic tools are far too powerful to be in the hands of law enforcement,” said Urmila Janardan, a policy analyst at Upturn, a nonprofit organization based in Washington, D.C.
According to a 2020 report by the organization, MDFT use by cops is widespread, with more than 2,000 police departments in the United States purchasing the technology across all 50 states and the District of Columbia. Upturn researchers said that SPD has spent more than $240,000 on MDFTs from at least four vendors: Cellebrite, MSAB, Magnet Forensics and Grayshift. The report also said that many smaller police departments can afford MDFTs and that at least 32 police departments in Washington have used the tools.
The technology can work in a few different ways but generally involves hooking up a cell phone, laptop, hard drive or other device to a box-shaped gadget, which then exploits a variety of vulnerabilities in the operating system to read the data. Sometimes SPD ships the phone to the company office, which extracts data and returns the device in the mail a few weeks later.
Some MDFTs are advertised to easily locate end-user data from social media apps and encrypted services such as ProtonMail and Signal. They can extract passwords to email accounts, allowing police to read data from cloud services that are located on remote servers rather than on the phone itself.
Cynthia Spiess, a local security researcher and privacy advocate, said that companies that develop MDFTs are known as “black hat hackers,” i.e. hackers who find security vulnerabilities and, instead of reporting them so that they can be fixed, keep them hidden so that they can be exploited for profit. According to Spiess, the companies employ a team of hackers to constantly find new vulnerabilities to remain ahead of the big operating system developers like Apple, Google and Microsoft.
The companies SPD purchases MDFTs from have been criticized for unethical business practices. Cellebrite, which is based out of Israel, has sold its technologies to repressive regimes around the world including Russia, Bangladesh, Hong Kong and Saudi Arabia. Last year, SPD shot multiple promotional videos with the company advertising the cell phone extraction tools.
In March 2020, NBC News reported that Grayshift began marketing to law enforcement agencies a new product named “Hide UI,” which is a keylogger. Keyloggers are a common form of malware that tracks user input on computers and mobile devices in order to gain access to passwords and other sensitive information. It’s unclear how many police departments have used the keylogging software or if SPD has purchased it.
In the draft surveillance impact report compiled by the IT department, SPD said it uses MDFTs to investigate internet crimes against children. It also said that officers and detectives can request MDFTs to be used in other investigations. The department said that it only uses the tools with a warrant or a copy of consent from the device owner.
The review is being conducted under the surveillance ordinance, first passed in 2013 and strengthened in 2017, which authorizes the city to review and determine the impact of surveillance tools which it uses.
According to public records obtained by Upturn, SPD has used MDFTs to investigate a variety of crimes “spanning from murder to robbery, violation of pretrial conditions of release, gun possession, and drug charges.”
ACLU Washington tech policy lead Jennifer Lee said that consent-based searches are a key point of concern due to the coercive nature of police-civilian interactions.
“Given that police are armed and act with state authority and that imbalance is definitely greater when that interaction is between police and Black people or people of color who are disproportionately the targets of violent police practices and may feel pressure to, you know, quote-unquote consent to a phone search because a fear of being harmed by police if they don’t consent,” she said.
“So in this case, you could argue that consent is obtained under duress and is not, actually, truly voluntary.”
Spiess worried that people don’t actually know the breadth and scope of the information police have access to when people consent to having data from their device extracted.
“I don’t think people really understand, when they are consenting, what they’d be consenting to,” she said.
She said that the data MDFTs can access includes not only calls and texts but also location and search history, passwords to apps and websites, files stored on the cloud, deleted files and apps, Wi-Fi and Bluetooth connection history, app usage history and even files that are not normally available to the end user.
Janardan said that the technology can also involve people not under investigation, flagging them for future surveillance by law enforcement.
“One capability of MDFTs is that they can provide a networked graph of all of your social connections based on your interactions on your phone,” they said.
“And so not only is that individual whose phone was searched is being brought into the criminal legal system, so is their entire network.”
Given the amount of data cell phones track about their users, the fact that they could be turned over to the police has a chilling effect.
“This technology allows police to conduct an excessively broad and intrusive search,” Lee said.
“It provides access that’s disproportionately invasive compared to the scope of evidence being sought.”
Lee said this is particularly important in the context of constitutionally protected protests.
“We’re especially concerned about MDFT use by SPD to surveil and ultimately chill constitutionally protected First Amendment activities, like freedom of protest, religion, freedom of expression and assembly,” she said.
Many activists have warned protestors not to bring their phones to actions in case they get arrested. Lee says that activists should be aware of the risk that SPD or other law enforcement agencies could search their devices.
“If you’re bringing your phone to a protest, I think folks should assume they’re at risk of having their phone searched,” she said.
“So, if possible, it’s best to not bring a cell phone. But that’s really difficult, right? Because we use it as a means to connect and coordinate with folks,” Lee said. “That’s why these tools are just so problematic and concerning.”
For people who are at risk of having their phone searched by SPD, it may be important to know that they can refuse to have their phone searched and affirm their Miranda rights, including the right to not incriminate themselves.
The IT department recently finished collecting public comments for the surveillance impact report on MDFTs and five other SPD surveillance technologies. The reports are then expected to make it to the City Council, which will ultimately decide whether to implement more guidelines or allow the technology to continue to be used by SPD.
Privacy advocates hope that policymakers will take steps to address the issue of police use of MDFTs by either banning the technology entirely or at least adding more limitations on its use. At the very least, Spiess suggested, a lawyer representing the accused party should be present before signing off on any consent forms. Lee and Janardan said that they want to see consent-based searches banned altogether.
Janardan said that they would like to see easily auditable and publicly available logs of what detectives are searching to ensure that they are not conducting an illegal search by looking for information not pertinent to the investigation. They also said that the city should ensure robust data collection and deletion standards so that data extracted from devices isn’t being searched indefinitely.
Spiess said that, so far, public engagement with the surveillance ordinance process has been low, especially since public meetings shifted to remote.
Lee stressed the importance of community members engaging with local governments and advocating about police surveillance.
“If you’re in a jurisdiction like Seattle, where you’re able to weigh in on law enforcement’s use of these tools, it’s really important that members of the public do weigh in and express concerns that law enforcement is using such an invasive and broad tool and advocate to their council members [to pass] restrictions on how SPD is using this tool or [put] a stop to it altogether,” she said.
Read more of the Jun 15-21, 2022 issue.