Exclusive: U.S. Cops Have Wide Access to Phone Cracking Software, New Documents Reveal
While the FBI requests ‘backdoor’ iPhone access, documents indicate law enforcement already has easy access to encrypted devices
The situation echoes another high-profile case involving an iPhone used by a shooter in the 2015 terrorist attack in San Bernardino, California. In both cases, Apple has refused to provide a means for investigators to break through the encryption on its devices.
Barr recently complained that Apple had not provided “any substantive assistance” to officials and that the Pensacola case “perfectly illustrates why it is critical that investigators be able to get access to digital evidence once they have obtained a court order based on probable cause.” The Department of Justice (DOJ) insists that it has been unable to open the phones of the Pensacola shooter.
But many police departments across the United States already have the ability to crack mobile devices, including the iPhone. While Apple may not provide official support to law enforcement agencies to access iPhones, third-party companies have stepped in to fill the void, allowing police to unlock and access information on encrypted mobile devices at a relatively low cost.
Over the past three months, OneZero sent Freedom of Information Act (FOIA) requests to over 50 major police departments, sheriffs, and prosecutors around the country asking for information about their use of phone-cracking technology using requests developed by Upturn, a nonprofit focused on technology and justice. Hundreds of documents from these agencies reveal that law enforcement in at least 11 states spent over $4 million in the last decade on devices and software designed to get around passwords and access information stored on phones.
OneZero obtained documents from law enforcement agencies in New York, California, Florida, Texas, Washington, Colorado, Illinois, Ohio, Michigan, New Mexico, and Massachusetts. These agencies included district attorneys’ offices, local police departments, and county sheriffs’ offices.
The number of offices with access to phone-cracking tools across the country is likely far greater than what OneZero uncovered. Not all agencies responded to OneZero’s request for documents. Some departments and offices claimed the records were exempt from public release. Others told OneZero they would need several months and thousands of dollars to provide the information.
Below is a list of agencies that have purchased technology designed to crack smartphones, including iPhones, based on documents obtained by OneZero:
- Alameda County Sheriff, California
- Los Angeles County District Attorney, California
- Oakland Sheriff, California
- San Bernardino County Sheriff, California
- San Diego County District Attorney, California
- San Diego Police Department, California
- San Francisco City Attorney, California
- San Francisco District Attorney, California
- San Francisco Police Department, California
- San Jose Police Department, California
- Santa Clara County District Attorney, California
- Denver Police Department, Colorado
- Jacksonville Sheriff, Florida
- Miami-Dade State Attorney, Florida
- Cook County District Attorney, Illinois
- Cook County Sheriff, Illinois
- Boston Police Department, Massachusetts
- Detroit Police Department, Michigan
- Bernalillo County District Attorney, New Mexico
- New York County District Attorney, New York
- Suffolk County District Attorney, New York
- Columbus Police Department, Ohio
- Dallas County District Attorney, Texas
- King County District Attorney, Washington
The documents include contracts, requests for proposals (RFPs), invoices for payments by law enforcement, quotes from forensic companies, and emails traded between officials discussing vendor approval. They suggest that most law enforcement agencies bought forensic investigation products from a small group of companies that includes Cellebrite, Grayshift, Paraben, BlackBag, and MSAB. In addition to selling the software and hardware needed to unlock phones, these companies also charge thousands of dollars each year to upgrade the software in their products. Their customers also spend thousands on training sessions to teach personnel in their offices how to use the tools.
OneZero reached out to all of the companies named in these documents. Only Cellebrite and Paraben responded. Amber Schroader, the CEO of Paraben Corporation, told OneZero, “The largest struggle for investigators today is dealing with locked devices.”
“As a primary tool provider in digital forensics, we spend more time researching bypass options than any other function in the tool,” Schroader said. “The premise of digital forensics is seeking the truth in the data, and that benefits anyone involved in an investigation.”
Of the companies currently selling phone-cracking technology, the Israeli company Cellebrite has the highest profile. When Apple refused to unlock the phone linked to the suspected attackers in the San Bernardino shooting, the DOJ reportedly turned to Cellebrite to break into the shooters’ iPhones. Documents suggest it charges over $100,000 a year for software that the company claims will unlock and extract data from iPhones and Android phones.
Other offices spent considerably more to use the technology. For example, Alameda County in California spent $208,000 in 2018 on a package that included Cellebrite’s top-tier software and analytics package.
Some agencies provided documents outlining internal policies for how and when phones can be broken into. For example, the Detroit police have a policy stating that by law, officers “cannot search the digital contents of a cellular telephone device or track any telephonic device without securing a search warrant.”
As Barr and the Trump administration continue to push for legislation that would grant them special access to phones, these policy documents suggest that police have found a lawful way to access phones by first getting a warrant before they deploy the technology.
Asked if they had been contacted about the Pensacola investigations, a Cellebrite spokesperson said, “As a matter of company policy, we do not comment on any ongoing investigations.”
“Our technology is used by thousands of organizations globally to lawfully access and analyze very specific digital data as part of ongoing investigations,” the spokesperson said in the statement to OneZero. “This aids in unearthing evidence to bring understanding and resolution to cases.”
The ongoing Pensacola investigation is reminiscent of Apple’s first standoff with the DOJ over unlocking suspects’ phones.
After two terrorists killed 14 people in San Bernardino, the FBI was unable to unlock a password-protected and encrypted iPhone owned by the shooters. The FBI secured a court order instructing Apple to hand over software that would allow the FBI to disable a function on the phone that erases all data after a number of unsuccessful password attempts.
At the time, Apple CEO Tim Cook responded in a letter saying the company has “great respect” for the FBI, adding, “We have done everything that is both within our power and within the law to help them.”
“But now the U.S. government has asked us for something we simply do not have, and something we consider too dangerous to create,” Cook added. “They have asked us to build a backdoor to the iPhone.”
The fight between the feds and Apple fizzled after the FBI reportedly turned to Cellebrite to crack a phone used by one of the San Bernardino attackers. Afterward, rumors swirled that the FBI had paid Cellebrite around $1 million to hack into the attacker’s phone. At a Senate hearing, Sen. Dianne Feinstein said publicly that the government spent “$900,000 to hack it open.” Cellebrite has never admitted to cracking the phone of the San Bernardino shooter. The company declined to comment on reports that they worked with the FBI in this case.
The Pensacola investigation has revived the fight between the government and phone makers like Apple over whether the companies need to provide a “backdoor” for law enforcement to get around encryption and get into suspects’ phones in criminal investigations.
Apple and other companies fear that nefarious actors might use these backdoors to steal photos, medical records, bank account information, and other data from their customers’ devices. Still, Barr and others in law enforcement argue that this capability is increasingly critical to conducting law enforcement.
At a congressional hearing in December 2019, Manhattan District Attorney Cy Vance, who was tapped to represent law enforcement at the hearing and has long called for tech companies to work with authorities on a backdoor, said, “The single most important law enforcement challenge in the last 10 years, in my personal opinion, is the expanded use of mobile devices by bad actors to plan, execute, and communicate about crimes.”
He added, “Just as we ordinary citizens rely on digital communication, so do people involved in terrorism, cyber fraud, murder, rape, robbery, and child sexual assault.”
But OneZero’s investigation reveals that law enforcement agencies across the country already possess the capability to break into suspects’ devices. Security experts have also said that these tools make it easy for investigators to crack iPhones and other mobile devices already. Last year, Vance’s own office spent at least $200,000 on Cellebrite’s phone-cracking tools.
The documents obtained by OneZero also shed new light on Cellebrite, an Israeli cybersecurity firm that has become an industry leader in digital forensics. Intensely secretive, the company’s website states that only law enforcement can request information about the company’s products.
However, one of the documents obtained from our public records requests — a Cellebrite response to an RFP from March 2018 — provided a unique window into how the company operates. In the RFP, the company writes that it has worked with federal, local, and state law enforcement customers.
Another document from Alameda County shows how Cellebrite is expanding its offerings to law enforcement customers. In a June 2018 presentation to the Northern California Sheriff’s Office, Cellebrite pitched its analytics package, which includes a data analysis program that allows users to compare media it extracts from devices. This includes data found through “facial similarity recognition.” According to a 2018 invoice, Alameda spent $95,000 on a license for Cellebrite’s analytics software.
As news broke about Barr’s difficulties with the Pensacola phone, Cellebrite announced it was acquiring another forensics company that does business with law enforcement and specializes in analytics: BlackBag Technologies. In a press release tied to the $33 million purchase, Cellebrite said that acquiring BlackBag would “accelerate the delivery of new Digital Intelligence solutions and services that will empower our customers and allow them to maximize the efficiency and accuracy of their digital investigations.”
While the DOJ and others in law enforcement seem eager to publicly debate Apple over access to phones, OneZero’s reporting shows that at least some local departments believe they are entitled to keep using third-party tools in secret.
Several police departments asserted they were exempt from FOIA requests according to their state public records laws because providing the information would reveal secret investigatory practices. At the same time, some law enforcement groups appeared to want to consult with the forensic companies themselves before deciding to turn over documents.
In New York City, the Queens District Attorney’s office — which prosecutes the largest borough in the city — claimed that handing over records of its digital forensics usage would give criminals a roadmap on how to thwart their efforts.
The New York City police department initially said that responding to the request could take up to five months. A month later, a representative of the NYPD wrote back saying they were unable to locate any records based on the way we had described the vendors. OneZero appealed this denial on the grounds that police departments around the country had been able to locate records based on identical requests.
On appeal, the NYPD once again denied the request, claiming it asked them to locate “needles in a haystack.” Since then, the NYPD has been sued for similar information about its possible use of phone-cracking tools by Upturn, a Washington D.C.-based civil rights and technology nonprofit, and the Surveillance Technology Oversight Project (STOP), a New York-based privacy group.
In Texas, the San Antonio Police Department responded to our request by reaching out to its vendor, Grayshift, to see if the company would approve the SAPD handing over records. A month later, SAPD sent OneZero a second letter stating that Grayshift had signed off on the request, but the SAPD denied the request because it believed they were exempt from FOIA requests.
Six years after San Bernardino, observers are speculating that Barr will drop his feud with Apple and once again turn to a third-party company like Cellebrite to unlock the Pensacola shooter’s phone.
“The Justice Department, and our components agencies, continue to seek access through all lawful means to the shooter’s two iPhones recovered from the terrorist attack on our service members in Pensacola last month,” DOJ spokesperson Marc Raimondi told OneZero.
He added, “To date, we have been unsuccessful.”
Update: This piece has been updated to reflect that FOIA requests used to gather information were based on language originally authored by Upturn.