Cops are hackers now, too. Sort of. In recent years, law enforcement agencies across the country have been buying technology dubbed GrayKey, hardware that can access password-protected iPhones. Notably, the tech was recently acquired by federal immigration authorities, who were previously sued by the American Civil Liberties Union for warrantless searching of people's phones and computers at airports and other points of entry.
For civil liberties and privacy advocates, the trend is worrisome. They point to troubling accounts of law enforcement searching personal devices without proper warrants and limited public scrutiny of cops' use of phone password-busting Universal Forensic Extraction Device (UFED) technology like GrayKey. And while Apple has repeatedly tried to upgrade its software to thwart GrayKey, the Atlanta-based company behind the tool, GrayShift, has regularly outmaneuvered the tech giant over the years.
And now, the Spokane County Sheriff's Office has the technology, too. According to records obtained by the Inlander through a public records request, the Sheriff's Office spent roughly $18,000 in April of last year to acquire GrayKey under a one-year license. And Lt. Khris Thompson, who works in the agency's investigative division, tells the Inlander that they've renewed their license.
"We've renewed our license with them, it runs from year to year," Thompson says. "So we purchased for this year and next.
"We, as in law enforcement, are always looking at ways to make our investigations more complete, better, and technology changes so quickly," he adds. "We talked to other agencies that have used it and found out how successful it has been. That's how we decided to move forward with it."
Spokane County Sheriff Ozzie Knezovich did not respond to the Inlander's request for comment. Cpl. Mark Gregory, an agency spokesman, declined to answer many questions, citing a desire to keep investigative methods secret.
"We don't reveal our investigative tools," he says. "We use whatever legal means that we can to be able to do our investigations and through aid of search warrants, etcetera, we'll continue to do that, but we don't talk about the specifics of what we do."
But it's this lack of transparency in the agency's acquisition and use of GrayKey, coupled with its potential for abuse, that has privacy advocates worried.
"[These devices] are small portable computers that can extract the entire contents of your phone. They're able to bypass passwords and other security features on your phone to get your data in seconds," says Jennifer Lee, technology and liberty manager at the American Civil Liberties Union of Washington. "This is super concerning because 90 percent of American adults carry cell phones and today's phones carry increasingly detailed information about our lives, daily habits and relationships.
"There needs to be public scrutiny before law enforcement acquires these tools," Lee says. "Agencies across the U.S. and across the world are also interested in these devices because they are such powerful surveillance tools. Law enforcement may say we want to use this for one specific purpose and that purpose only and it's a really compelling purpose, but the question is, 'What are the unintended consequences? For what other purposes can law enforcement and immigration agencies use this tool?'"
Lt. Thompson tells the Inlander that the Sheriff's Office typically errs on the side of getting a warrant before using GrayKey or Cellebrite — a similar device that the agency has used — to hack a phone.
"We think a search warrant is the cleanest route, most lawful," he says. "We're very adept at writing our search warrants."
However, Thompson adds that the agency would use the tool without a warrant in "exigent circumstances," such as a life-threatening emergency. Drug investigations, for instance, don't fall into that category, he says.
"When you're talking exigency, we do exigent entry when we believe someone could be inside the house or needs immediate aid or their life is in immediate danger," he says. "Absent exigent circumstances, we're going to always go with a search warrant or consent."
"The Fourth Amendment requires particularity in a search warrant but the general warrants are violative of that. So that's a huge concern."
While a 2014 U.S. Supreme Court ruling established that warrantless search and seizure of content on a digital phone is unconstitutional, case law in Washington state allows for cops to freely search devices that are considered abandoned.
"What's problematic in the context of cellphones, cellphones are not really like a bag, they're much more like a home," says Andrew Crocker, a staff attorney at the Electronic Frontier Foundation. "It's extremely revealing, it doesn't seem right that you can 'abandon' the physical object of the phone."
GrayKey and Cellebrite can be applied in a variety of case-types, Thompson says.
"There's a variety of cases on which it could be used, it could be used on homicide cases, robbery cases, drug trafficking, sex crimes cases, depending on the severity of certain property crimes, it could be used there as well," he says. "It could be used in just about any type of instance in which we have a criminal investigation."
Even in cases where law enforcement use warrants to search phones and seize content on them, they can still be written so broadly that they can snag more data than is actually needed for a specific investigation, argues Andrea George, head of the Federal Defenders of Eastern Washington & Idaho.
"The concern is really the general warrants, that if they get a warrant, they're not specifying specifically what it is they're looking for," she says. "But we keep everything on our cellphones, everything, our personal thoughts, everything.
"The Constitution requires that warrants be particularized," she adds. "The Fourth Amendment requires particularity in a search warrant but the general warrants are violative of that. So that's a huge concern."
Even if law enforcement agencies are lawfully using tools like GrayKey for legitimate public safety purposes, advocates argue that oversight mechanisms should be in place. Lee with the American Civil Liberties Union points to Seattle's surveillance ordinance, which requires public scrutiny of surveillance tools, such as community meetings and routine reports on the equity impacts of the tech and how it is used.
"What oversight mechanisms are actually in place? And has there actually been a discussion of the impacts of law enforcement using this technology on civil liberties and free speech and free association?" Lee asks. ♦