The State Police Want to Crack Your Phone

TEXTS, EMAILS, PHOTOS, social media activity and messages, contact lists, phone logs, and minute-by-minute location data — the State Police want it all.

The New York State Police use powerful hacking tools that allow them to download full, searchable copies of a cell phone’s data, New York Focus has learned. The department’s embrace of the notorious technology known as mobile device forensic tools, or MDFTs, was previously undisclosed to the public.

And it’s looking to upgrade: Procurement documents reveal that the State Police are seeking to purchase additional products, services, and trainings offered by the Israeli company Cellebrite, whose tech is able to break into some of the highest-security phones and rapidly analyze their contents.

“At no point in human history have we collected and stored so much information about our lives in one place,” said Emma Weil, policy analyst at the technology research and advocacy organization Upturn. “This is unprecedented law enforcement power.”

Watchdogs and civil liberties groups have raised alarms about the phone-cracking technology as it has risen to prominence in recent years, not least because it’s connected to a slew of human rights abuses. They also warn of a widespread lack of oversight and regulation to ensure that agencies that have MDFTs don’t misuse them.

“Technology moves so much faster than anything in the law or politics,” said Jerome Greco, supervising attorney at the Legal Aid Society’s digital forensics unit. “There are very few procedural limitations and guides for law enforcement agencies on how they use these tools and what they do with the data afterward.”

The impending purchase will add to the State Police’s already hefty arsenal of invasive tools, from fake accounts used to monitor social media to more than 120 dronescapable of conducting aerial surveillance.

And the Cellebrite procurement is part of a significant expansion in New York police surveillance resources under Governor Kathy Hochul, who announced $20 million in new funding for the technology this fall — after quietly slipping tens of millions of dollars for law enforcement surveillance and investigative tools into this year’s state budget. The budget items, first reported by New York Focus, included $5.3 million to “modernize” investigations by “linking digital devices to crimes,” which experts surmised was likely a reference to MDFTs. The State Police told New York Focus that its Cellebrite purchase — expected to cost around $120,000 — will come from its existing budget, not from the governor’s initiatives.

The governor’s office did not respond to New York Focus’s requests for comment.

The Cellebrite embrace puts the State Police among a vast global network of subscribers. The company has serviced repressive authorities around the world, including Bahrain’s ruling regime, which used it to prosecute a tortured dissident, and police in Botswana, who used it to access a journalist’s list of sources. Last year, as the Israeli firm prepared to go public in the US, Cellebrite touted the end of its operations in countries with poor human rights records, including Bangladesh, Belarus, China, and Russia. But The Intercept uncovered that Chinese police were still buying Cellebrite products from brokers, which the company had left mostly unchecked.

In the United States, Cellebrite is everywhere: Thousands of local, state, and federal agencies nationwide have used the company’s products. In New York, cops and prosecutors in Manhattan, Suffolk County, and Nassau County have used Cellebrite, among other MDFTs. But until now, the State Police hadn’t disclosed that they use the tools. State comptroller reports list no active contracts with Cellebrite or other known MDFT companies, though agencies can acquire the tech through a number of third-party vendors.

“Do the State Police currently use any MDFTs?” New York Focus asked State Police spokesperson Beau Duffy.

“Yes,” Duffy responded. He did not answer follow-up questions about which products.

A Long Wish List

On October 21, the State Police began soliciting bids: According to procurement documents, they hope to enter into a five-year contract with a Cellebrite vendor by the beginning of 2023.

The bid request sought price estimates for between 20 and 80 subscriptions to nearly every known Cellebrite product and service. The items included hardware and software that can break into most US smartphones and download their data — products against which some consumer tech companies have tried to protect. Apple, for example, has upgraded its iPhone operating systems in an attempt to foil such hacking, but Cellebrite’s “premium” products, also on the State Police wish list, can access many of the highest-security phones. (Normally, customers would have to send those phones to a Cellebrite lab for processing.)

Once a mobile device has been cracked using Cellebrite, other programs the company offers — and for which the State Police have also sought estimates — can accesssocial media, email, web and search histories, and other internet-based information. Cellebrite’s analytics and project management software can employ facial recognition to find people across devices; compare minute-by-minute location data from several phones to figure out where people went and with whom; use artificial intelligence to identify drugs, tattoos, weapons, and other items; and automatically sift through massive amounts of data to come up with new, computer-derived leads.

Finally, the bid request sought estimates for dozens of Cellebrite-run training packages, including several focused on Apple phones, video analysis, social media monitoring, and cryptocurrency transactions.

Altogether, the request, which listed a bid due date of November 17, sought price estimates for some 225 product, service, and training packages — including some duplicates, which suggest that the State Police are soliciting more estimates than what they plan to buy.

Whatever the State Police’s current MDFT capabilities, the Cellebrite purchase would likely expand them: Duffy asserted that the department currently doesn’t use the Cellebrite product — included in the bid request — that enables hacking social media and other internet-based data.

Wild West for Police Hackers

While MDFTs have proliferated widely among US law enforcement in recent years, policies limiting their use haven’t had time to catch up — a dynamic watchdogs warn creates an anything-goes scenario for cops’ prying eyes.

Normally, police departments can only use MDFTs on someone’s phone if they get a judge to sign a warrant or if the device’s owner consents to a search. But advocates argue that so-called “consent searches” are far from truly consensual, since few realize just how powerful the forensic tools are.