The FBI Should Stop Attacking Encryption and Tell Congress About All the Encrypted Phones It’s Already Hacking Into

Federal law enforcement has been asking for a backdoor to read Americans’ encrypted communications for years now. FBI Director Christopher Wray did it again last week in testimony to the Senate Judiciary Committee. As usual, the FBI’s complaints involved end-to-end encryption employed by popular messaging platforms, as well as the at-rest encryption of digital devices, which Wray described as offering “user-only access.” 

The FBI wants these terms to sound scary, but they actually describe security best practices. End-to-end encryption is what allows users to exchange messages without having them intercepted and read by repressive governments, corporations, and other bad actors. And “user-only access” is actually a perfect encapsulation of how device encryption should work; otherwise, anyone who got their hands on your phone or laptop—a thief, an abusive partner, or an employer—could access its most sensitive data. When you intentionally weaken these systems, it hurts our security and privacy, because there’s no magical kind of access that only works for the good guys. If Wray gets his special pass to listen in on our conversations and access our devices, corporations, criminals, and authoritarians will be able to get the same access. 

It’s remarkable that Wray keeps getting invited to Congress to sing the same song. Notably, Wray was invited there to talk, in part, about the January 6th insurrection, a serious domestic attack in which the attackers—far from being concerned about secrecy—proudly broadcast many of their crimes, resulting in hundreds of arrests. 

It’s also remarkable what Wray, once more, chose to leave out of this narrative. While Wray continues to express frustration about what his agents can’t get access to, he fails to brief Senators about the shocking frequency with which his agency already accesses Americans’ smartphones. Nevertheless, the scope of police snooping on Americans’ mobile phones is becoming clear, and it’s not just the FBI who is doing it. Instead of inviting Wray up to Capitol Hill to ask for special ways to invade our privacy and security, Senators should be asking Wray about the private data his agents are already trawling through. 

Police Have An Incredible Number of Ways to Break Into Encrypted Phones

In all 50 states, police are breaking into phones on a vast scale. An October report from the non-profit Upturn, “Mass Extraction,” has revealed details of how invasive and widespread police hacking of our phones has become. Police can easily purchase forensic tools that extract data from nearly every popular phone. In March 2016, Cellebrite, a popular forensic tool company, supported “logical extractions” for 8,393 different devices, and “physical extractions,” which involves copying all the data on a phone bit-by-bit, for 4,254 devices. Cellebrite can bypass lock screens on about 1,500 different devices. 

How do they bypass encryption? Often, they just guess the password. In 2018, Prof. Matthew Green estimated it would take no more than 22 hours for forensic tools to break into some older iPhones with a 6-digit passcode simply by continuously guessing passwords (i.e. “brute-force” entry). A 4-digit passcode would fail in about 13 minutes. 

That brute force guessing was enabled by a hardware flaw that has been fixed since 2018, and the rate of password guessing is much more limited now. But even as smartphone companies like Apple improve their security, device hacking remains very much a cat-and-mouse game. As recently as September 2020, Cellebrite marketing materials boasted its tools can break into iPhone devices up to “the latest iPhone 11/ 11 Pro / Max running the latest iOS versions up to the latest 13.4.1” 

Even when passwords can’t be broken, vendors like Cellebrite offer “advanced services” that can unlock even the newest iOS and Samsung devices. Upturn research suggests the base price on such services is $1,950, but it can be cheaper in bulk. 

Buying electronic break-in technology on a wholesale basis represents the best deal for police departments around the U.S., and they avail themselves of these bargains regularly. In 2018, the Seattle Police Department purchased 20 such “actions” from Cellebrite for $33,000, allowing them to extract phone data within weeks or even days. Law enforcement agencies that want to unlock phones en masse can bring Cellebrite’s “advanced unlocking” in-house, for prices that range from $75,000 to $150,000. 

That means for most police departments, breaking into phones isn’t just convenient, it’s relatively inexpensive. Even a mid-sized police department like Virginia Beach, VA has a police budget of more than $100 million; New York City’s police budget is over $5 billion. The FBI’s 2020 budget request is about $9 billion. 

When the FBI says it’s “going dark” because it can’t beat encryption, what it’s really asking for is a method of breaking in that’s cheaper, easier, and more reliable than the methods they already have. The only way to fully meet the FBI’s demands would be to require a backdoor in all platforms, applications, and devices. Especially at a time when police abuses nationwide have come into new focus, this type of complaint should be a non-starter with elected officials. Instead, they should be questioning how and why police are already dodging encryption. These techniques aren’t just being used against criminals. 

Phone Searches By Police Are Widespread and Commonplace

Upturn has documented more than 2,000 agencies across the U.S. that have purchased products or services from mobile device forensic tool vendors, including every one of the 50 largest police departments, and at least 25 of the 50 largest sheriffs’ offices. 

Law enforcement officials like Wray want to convince us that encryption needs to be bypassed or broken for threats like terrorism or crimes against children, but in fact, Upturn’s public records requests show that police use forensic tools to search phones for everyday low-level crimes. Even when police don’t need to bypass encryption—such as when they convince someone to “consent” to the search of a phone and unlock it—these invasive police phone searches are used “as an all-purpose investigative tool, for an astonishingly broad array of offenses, often without a warrant,” as Upturn put it.

The 44 law enforcement agencies who provided records to Upturn revealed at least 50,000 extractions of cell phones between 2015 and 2019. And there’s no question that this number is a “severe undercount,” counting only 44 agencies, when at least 2,000 agencies have the tools. Many of the largest police departments, including New York, Chicago, Washington D.C., Baltimore, and Boston, either denied Upturn’s record requests or did not respond. 

“Law enforcement… use these tools to investigate cases involving graffiti, shoplifting, marijuana possession, prostitution, vandalism, car crashes, parole violations, petty theft, public intoxication, and the full gamut of drug-related offenses,” Upturn reports. In Suffolk County, NY, 20 percent of the phones searched by police were for narcotics cases. Authorities in Santa Clara County, CA, San Bernardino County, CA, and Fort Worth, TX all reported that drug crimes were among the most common reasons for cell phone data extractions. Here are just a few examples of the everyday offenses in which Upturn found police searched phones: 

• In one case, police officers sought to search two phones for evidence of drug sales after a $220 undercover marijuana bust. 
• Police stopped a vehicle for a “left lane violation,” then “due to nervousness and inconsistent stories, a free air sniff was conducted by a … K9 with positive alert to narcotics.” The officers found bags of marijuana in the car, then seized eight phones from the car’s occupants, and sought to extract data from them for “evidence of drug transactions.” 
• Officers looking for a juvenile who allegedly violated terms of his electronic monitoring found him after a “short foot pursuit” in which the youngster threw his phone to the ground. Officers sought to search the phone for evidence of “escape in the second degree.” 

And these searches often take place without judicial warrants, despite the U.S. Supreme Court’s clear ruling in Riley v. California that a warrant is required to search a cell phone. That’s because police frequently abuse rules around so-called consent searches. These types of searches are widespread, but they’re hardly consensual. In January, we wrote about how these so-called “consent searches” are extraordinary violations of our privacy. 

Forensic searches of cell phones are increasingly common. The Las Vegas police, for instance, examined 260% more cell phones in 2018-2019 compared with 2015-2016. 

The searches are often overbroad, as well. It’s not uncommon for data unrelated to the initial suspicions to be copied, kept, and used for other purposes later. For instance, police can deem unrelated data to be “gang related,” and keep it in a “gang database,” which have often vague standards. Being placed in such a database can easily affect peoples’ future employment options. Many police departments don’t have any policies in place about when forensic phone-searching tools can be used. 

It’s Time for Oversight On Police Phone Searches

Rather than listening to a litany of requests for special access to personal data from federal agencies like the FBI, Congress should assert oversight over the inappropriate types of access that are already taking place. 

The first step is to start keeping track of what’s happening. Congress should require that federal law enforcement agencies create detailed audit logs and screen recordings of digital searches. And we agree with Upturn that agencies nationwide should collect and publish aggregated information about how many phones were searched, and whether those searches involved warrants (with published warrant numbers), or so-called consent searches. Agencies should also disclose what tools were used for data extraction and analysis. 

Congress should also consider placing sharp limits on when consent searches can take place at all. In our January blog post, we suggest that such searches be banned entirely in high-coercion settings like traffic stops, and suggest some specific limits that should be set in less-coercive settings.