By: Cory Doctorow, BOING BOING
Muckrock filed Freedom of Information Requests with multiple US police forces to find out how they were using “mobile phone forensic extraction devices” — commercial devices that suck all the data out of people’s phones and make it available for offline browsing.
They discovered that the practice of sucking up the entirety of arrestees’ phones was incredibly common, and that often, cops sucked up this data without a warrant, after first obtaining “consent” from arrestees.
Mobile phones are troves of sensitive personal information, which is presumably why the police are so interested in them. But the same data-richness that interests police departments should also give us pause: it’s never been the case that a cop busting a low-level, nonviolent offender would be allowed to probe that person’s entire network of friends and relations; read all the correspondence between the arrestee and their doctors, lawyers, kids and spouse; get a neat list of all the places the person had visited; and be able to look at everything from bank balances to spending history.
The major provider of mobile forensic tools is the Israeli firm Cellebrite, which made headlines when the FBI revealed that they’d used a Cellebrite tool to crack the San Bernardino shooters’ phones, and then again when a hacker dumped 900GB worth of internal Cellebrite info, revealing that the company routinely repackaged hacking tools from the dark web and sold them to police departments without first verifying that these weren’t leaking data to third parties or otherwise creating risks for their users and their targets.
The kicker really is how often these are being used – it is simply really hard to believe that out of the 783 times Tulsa Police used their extraction devices, all were for crimes in which it was necessary to look at all of the phone’s data. Even for the 316 times Tucson PD used theirs in the last year, it is still a real stretch to think that some low-level non-violent offenders weren’t on the receiving end. There are some days where the devices were used multiple times – Tulsa used theirs eight times on February 28th of this year, eight again on April 3rd, and a whopping 14 times on May 10th 2016. That is a whole lot of data that Tulsa was able to tap into, and we aren’t even able to understand the why.
One “preview sheet” we received from Tucson had a column for whether they received a warrant to crack into the phone, or whether the user gave them consent. It is easy to imagine a scenario where someone doesn’t want to risk angering police by refusing consent, or even just didn’t fully understand what they were consenting to.