EXCLUSIVE: Inside New York City’s Partnership With Israeli iPhone Hacking Company Cellebrite
Documents reveal the Manhattan DA subscribes to a program that lets authorities break into iPhones in-house
In June 2019, the secretive Israeli digital forensics firm Cellebrite, which works with law enforcement to unlock cell phones, announced a significant product development: For the first time, government agencies would be able to break into phones in-house using licensed Cellebrite software.
Previously, if law enforcement wanted to get into newer devices, they had to send the phones to one of Cellebrite’s digital forensics labs, located in New Jersey and Virginia. But Cellebrite’s new UFED Premium program gave law enforcement the ability to “unlock and extract data from all iOS and high-end Android devices” on their own, using software installed on computers in their offices.
The announcement made waves in the phone-cracking world. But documents obtained by OneZero reveal that Cellebrite had been selling this new product to law enforcement for over a year prior to making that announcement, and that New York City has been a customer since 2018.
A contract obtained by OneZero shows that the Manhattan District Attorney’s office — one of the largest and most influential prosecution offices in the country — has had UFED Premium in-house since January 2018. According to the contract, the DA’s office agreed to pay Cellebrite about $200,000 over three years for UFED Premium.
The $200,000 fee covered software licensing and installation, training for select office personnel on the platform, and an agreed-upon number of phone cracks. The contract also references about $1 million in undisclosed add-ons, but it’s not clear if the DA’s office agreed to purchase any of these additional products or services. The document also states that the DA’s office must designate a “secure room” where the software is housed, and that the room not contain any audiovisual recording devices.
Cellebrite has been a key partner for U.S. law enforcement for years. In 2016, it was reported that the company cracked the iPhone of the San Bernardino shooter for the FBI — a story that the Bureau disputed. That same year, Vice reported that the company made millions by selling its portable devices — which can unlock and extract data from older model phones — to state police forces around the country. That investigation also found that the FBI has purchased at least $2 million worth of Cellebrite products since 2012.
The Manhattan DA has not publicly revealed its new UFED Premium phone-cracking capabilities. Legal Aid Society attorney Jerome Greco — who runs the public defender practice’s digital forensics unit — says that in 2018 he received information that led him to believe that the phone of one of his clients, who was facing felony drug charges, had been accessed.
Based on the language in the warrant, Greco suspected that prosecutors had used Cellebrite to crack his client’s iPhone 6s Plus. At that time, it was assumed that if law enforcement wanted to unlock that phone model, they had to turn it over to Cellebrite so they could unlock it at one of their forensic facilities. Since the closest facility was in Parsippany, New Jersey, Greco thought this search warrant might have been unlawfully executed because, Greco says, “a New York judge can’t let that happen without another state signing off.”
He filed a motion citing New York Criminal Procedure Law Section 690.25(1), which states a search warrant “must be addressed to a police officer in that geographical area,” and argued that “any data, files, or information” from his client’s phone must be suppressed as evidence because the court “didn’t have the authority to issue warrants executed outside the State of New York.”
In the spring of 2018, the Manhattan DA’s office filed a response in which the prosecutors informed the court that the phone in this case was “searched in New York as well.”
“Around the time this warrant was issued and executed, the New York County District Attorney’s Office gained the capability to unlock the phone, using Cellebrite technology, without actually taking the phone to New Jersey,” the prosecutors wrote in the motion, adding, “therefore, the phones never left New York.”
Greco confirmed that his client’s phone was unlocked during this investigation. He said the man took a plea deal in the case and is currently incarcerated.
“As someone concerned about the ever-growing surveillance state,” says Greco, “it’s concerning for law enforcement to have this power.”
The Manhattan DA’s office declined to answer several questions about its contract with Cellebrite. A spokesperson for the office told OneZero: “We do not comment on law enforcement operations or investigative techniques.” In response to the inquiry, the Manhattan DA’s office pointed OneZero to the DA’s 2017 annual report where DA Cy Vance “broadly characterized our use of third-party workarounds,” the spokesperson said.
In the report, Vance writes that in the face of greater encryption hurdles, law enforcement crime-fighting will depend “largely on a law enforcement agency’s ability to spend money on private-sector solutions.”
Vance is a vocal critic of unbreakable encryption. In July 2016, he testified before Congress on the issue of phone encryption, stating that his office was proposing a federal statute mandating that “data on any smartphone made or sold in the United States must be accessible — not by law enforcement, but by the maker of the smartphone’s operating system — when the company is served with a valid search warrant.”
“We do not want a backdoor for the government to access users’ information, and we do not want a key held by the government,” Vance said during his testimony. “We want Apple, Google, and other technology companies to maintain their ability to access data at rest on phones pursuant to a neutral judge’s court order.”
Vance’s sentiment was echoed last week by the Justice Department. In a letter to Facebook, Attorney General Bill Barr, along with officials from the U.K. and Australia, asked that the company “not proceed with its plan to implement end-to-end encryption across its messaging services without ensuring that there is no reduction to user safety.”
While those in government and the tech sector continue to debate the best way forward, private entities like Cellebrite continue to thrive. Last month, the Daily Beast reported that Cellebrite had signed a new $30 million contract with the Immigration and Customs Enforcement (ICE) agency. Cellebrite would not answer whether the contract included the purchase of UFED Premium and the installation of the software inside any ICE offices.
Cellebrite also wouldn’t answer questions about its contract with the Manhattan DA’s office. A company spokesperson did not respond to questions about what other law enforcement agencies it had discussed or sold its UFED Premium product to. It is unknown how many law enforcement agencies around the U.S. are Cellebrite customers.
“For security and privacy reasons, Cellebrite company policy prohibits us from discussing the details of our customers and clients,” company spokesperson Christopher Bacey said in a statement.
“Everything we do on behalf of our digital intelligence, law enforcement, government, and private enterprise customers is done to help accelerate criminal investigations and address the challenges of crime and security in a digital world,” Bacey said.