TEXTS, EMAILS, PHOTOS, social media activity and messages, contact lists, phone logs, and minute-by-minute location data — the State Police want it all.
The New York State Police use powerful hacking tools that allow them to download full, searchable copies of a cell phone’s data, New York Focus has learned. The department’s embrace of the notorious technology known as mobile device forensic tools, or MDFTs, was previously undisclosed to the public.
And it’s looking to upgrade: Procurement documents reveal that the State Police are seeking to purchase additional products, services, and trainings offered by the Israeli company Cellebrite, whose tech is able to break into some of the highest-security phones and rapidly analyze their contents.
“At no point in human history have we collected and stored so much information about our lives in one place,” said Emma Weil, policy analyst at the technology research and advocacy organization Upturn. “This is unprecedented law enforcement power.”
Watchdogs and civil liberties groups have raised alarms about the phone-cracking technology as it has risen to prominence in recent years, not least because it’s connected to a slew of human rights abuses. They also warn of a widespread lack of oversight and regulation to ensure that agencies that have MDFTs don’t misuse them.
“Technology moves so much faster than anything in the law or politics,” said Jerome Greco, supervising attorney at the Legal Aid Society’s digital forensics unit. “There are very few procedural limitations and guides for law enforcement agencies on how they use these tools and what they do with the data afterward.”
The impending purchase will add to the State Police’s already hefty arsenal of invasive tools, from fake accounts used to monitor social media to more than 120 drones capable of conducting aerial surveillance.
READ MORE: The State Police Sent You a Friend Request
And the Cellebrite procurement is part of a significant expansion in New York police surveillance resources under Governor Kathy Hochul, who announced $20 million in new funding for the technology this fall — after quietly slipping tens of millions of dollars for law enforcement surveillance and investigative tools into this year’s state budget. The budget items, first reported by New York Focus, included $5.3 million to “modernize” investigations by “linking digital devices to crimes,” which experts surmised was likely a reference to MDFTs. The State Police told New York Focus that its Cellebrite purchase — expected to cost around $120,000 — will come from its existing budget, not from the governor’s initiatives.
The governor’s office did not respond to New York Focus’s requests for comment.
The Cellebrite embrace puts the State Police among a vast global network of subscribers. The company has serviced repressive authorities around the world, including Bahrain’s ruling regime, which used it to prosecute a tortured dissident, and police in Botswana, who used it to access a journalist’s list of sources. Last year, as the Israeli firm prepared to go public in the US, Cellebrite touted the end of its operations in countries with poor human rights records, including Bangladesh, Belarus, China, and Russia. But The Intercept uncovered that Chinese police were still buying Cellebrite products from brokers, which the company had left mostly unchecked.
Technology moves so much faster than anything in the law or politics.
In the United States, Cellebrite is everywhere: Thousands of local, state, and federal agencies nationwide have used the company’s products. In New York, cops and prosecutors in Manhattan, Suffolk County, and Nassau County have used Cellebrite, among other MDFTs. But until now, the State Police hadn’t disclosed that they use the tools. State comptroller reports list no active contracts with Cellebrite or other known MDFT companies, though agencies can acquire the tech through a number of third-party vendors.
“Do the State Police currently use any MDFTs?” New York Focus asked State Police spokesperson Beau Duffy.
“Yes,” Duffy responded. He did not answer follow-up questions about which products.
A Long Wish List
On October 21, the State Police began soliciting bids: According to procurement documents, they hope to enter into a five-year contract with a Cellebrite vendor by the beginning of 2023.
The bid request sought price estimates for between 20 and 80 subscriptions to nearly every known Cellebrite product and service. The items included hardware and software that can break into most US smartphones and download their data — products against which some consumer tech companies have tried to protect. Apple, for example, has upgraded its iPhone operating systems in an attempt to foil such hacking, but Cellebrite’s “premium” products, also on the State Police wish list, can access many of the highest-security phones. (Normally, customers would have to send those phones to a Cellebrite lab for processing.)
Once a mobile device has been cracked using Cellebrite, other programs the company offers — and for which the State Police have also sought estimates — can access social media, email, web and search histories, and other internet-based information. Cellebrite’s analytics and project management software can employ facial recognition to find people across devices; compare minute-by-minute location data from several phones to figure out where people went and with whom; use artificial intelligence to identify drugs, tattoos, weapons, and other items; and automatically sift through massive amounts of data to come up with new, computer-derived leads.
Finally, the bid request sought estimates for dozens of Cellebrite-run training packages, including several focused on Apple phones, video analysis, social media monitoring, and cryptocurrency transactions.
Altogether, the request, which listed a bid due date of November 17, sought price estimates for some 225 product, service, and training packages — including some duplicates, which suggest that the State Police are soliciting more estimates than what they plan to buy.
Whatever the State Police’s current MDFT capabilities, the Cellebrite purchase would likely expand them: Duffy asserted that the department currently doesn’t use the Cellebrite product — included in the bid request — that enables hacking social media and other internet-based data.
Wild West for Police Hackers
While MDFTs have proliferated widely among US law enforcement in recent years, policies limiting their use haven’t had time to catch up — a dynamic watchdogs warn creates an anything-goes scenario for cops’ prying eyes.
Normally, police departments can only use MDFTs on someone’s phone if they get a judge to sign a warrant or if the device’s owner consents to a search. But advocates argue that so-called “consent searches” are far from truly consensual, since few realize just how powerful the forensic tools are.
New York’s search warrant statute was written more than 50 years ago, before the proliferation of modern computers.
“Consent searches are a huge problem,” said Weil of Upturn, which in 2020 published an expansive report on law enforcement’s use of MDFTs. “Just on principle, because of the power dynamic between police and regular people.”
Weil described MDFTs as “an escalator,” meaning that the tools can probe far beyond what the cops’ initial investigation called for. And agencies often lack policies dictating how long police can store data and with whom they can share it. In one case in Wisconsin, a hit-and-run suspect told officers they could search his text messages, then signed a generic consent form. The police used an MDFT to extract all of his phone’s data, which they kept and later shared with another police department — without a warrant or consent — for a separate investigation.
Among the 81 law enforcement agencies Upturn studied, nearly half admitted to having no internal policies related to MDFT searches — and most of the rest had policies that were “remarkably vague.” The data set did not include the New York State Police, which declined to send Upturn its MDFT policies. A New York Focus public records request for the policies has been pending since March.
Duffy told New York Focus that “the parameters of a search are dictated by the warrant or the consent agreement.” He said that the department requires written consent for MDFT searches, and that “data would be maintained as long as it is needed for a particular case.”
Legislatures have so far failed to step in to fill the policy void. In New York, as in most states, consent search procedures are dictated by a smattering of legal decisions. And the state’s search warrant statute was written more than 50 years ago, before the proliferation of modern computers — leading to a free-for-all in applying the law to MDFTs.
“The procedures in our state are woefully inadequate,” Greco said.
That’s not to say he opposes the MDFTs categorically. As head of Legal Aid’s digital forensics unit, Greco was one of the first to use them for legal defense, finding exonerating evidence for his clients. But having seen how powerful the tools are, he favors stricter regulations on how they can be used.
Courts have attempted to bring some order to this procedural chaos: In New York, downstate appellate judges have issued rulings that provide some guidance on how broad cell phone search warrants can be.
But those are limited stopgaps. The courts are “not supposed to go beyond what is presented in front of them,” said Greco. “So they can’t address all these things.”
And with dozens of technologies on offer, it’s unclear what, exactly, they’ll need to address.