Mobile-Phone Cloning Tools Need to Be Subject to Oversight — and the Constitution

The claim by U.S. border officials that they can, with no grounds for suspicion, look through and copy travelers’ cell phones and other electronic devices is creating justified consternation. But it’s important to realize that police are also doing such searches domestically, sometimes without a warrant. Whether at the border or internally, the technology that is often used for those searches is called “mobile forensic data extraction devices”—portable machines that can download exact copies of a phone’s entire memory. A company called Cellebrite is the most prominent maker of these devices; its products are sometimes described as the most advanced, and they are in wide use across U.S. law enforcement agencies.

This is an enormously powerful technology, and it needs to be subject to careful checks and balances. The use of these devices is already regulated by the Constitution, but additional protections ought to be enacted, ranging from tight internal law enforcement controls to prevent abuse, to close legislative monitoring and, if appropriate, regulation of law enforcement use.

The technology

Cellebrite and other mobile forensic extraction devices allow access to an enormously broad and intrusive range of data from cell phones. That information can include:

• Call activity
• Phone book directory information
• Stored voicemails and text messages
• Photos and videos
• Apps
• Passwords
• Geolocation history, including cell towers and WiFi networks with which the cell phone has previously connected.

Cellebrite boasts that its devices can download “hidden, and deleted phone data” including “call history, text messages, contacts, images, and geotags.”

These devices also claim decryption capabilities. We don’t know their precise limits, but it is safe to assume that the more advanced versions for sale have a state-of-the-art ability to break anything that it is poorly encrypted, where passwords are not strong (such as pins), or where software bugs not known to the public (so-called “zero-days”) may allow it.

Furthermore, a Cellebrite product called “UFED Cloud Analyzer” allows police to access not only the information on a phone, but also all the information stored on cloud services, “utilizing login information extracted from the mobile device.” Cellebrite boasts that this product can overcome “roadblocks and red tape by cloud service providers” (read: procedural safeguards and other checks and balances) and “provides forensic practitioners with instant extraction, preservation and analysis of private social media accounts.”

Much of the extensive data that Cellebrite can access on a phone would be impossible for the government to obtain from a suspect’s cellphone carrier.

These devices do not provide police access to a phone’s data unless they can access the phone, either to plug in a cable or to accept a Bluetooth wireless connection on the phone. In other words, they cannot suck data off a phone remotely and in secret as is sometimes portrayed in television and the movies.

Need for a warrant for domestic use

Domestic cell phone searches should never be performed without a warrant based on probable cause. There is no difference between searching a cell phone and searching a personal computer, and the latter always requires a warrant. The Supreme Court has already ruled (in Riley v. California) that despite longstanding rules allowing police searches incident to arrest, the police may not search cell phones incident to arrest without a warrant because of the unprecedented amount of information now held on modern phones.

We have received reports that police in some places are routinely using Cellebrite without a warrant under the justification that the threat of remote wiping of seized phones constitutes an “exigent circumstance.” This rationale does not hold water and was expressly rejected by the Supreme Court in Riley. Where police are worried about remote wiping they can, pending a warrant, simply put a phone inside a metallic “Faraday bag,” which blocks all electromagnetic signals from reaching or emanating from the phone and thus prevents remote wiping or other alteration of a phone’s content. (The police should have Faraday bags available for this purpose, but should they not have one they might be able to justify accessing a phone for the purpose of putting it into airplane mode.)

Like search warrants for desktop or laptop computers, any warrant to access a phone should particularly and narrowly describe the data that law enforcement have probable cause to believe is related to a crime. Just like a warrant for a person’s business records in a fraud case shouldn’t authorize police to look through their family photographs or medicine cabinet, a warrant looking for text exchanges with a particular number shouldn’t allow police to look through photos or financial information stored on your phone, or in the cloud.

Nor should access through a phone to data stored in the cloud be carried out without specific, explicit authorization in a warrant.

Other points:

• Searches should not be based on the fiction that consent from a citizen is “voluntary”—that individuals are free to refuse to cooperate with police officers asking to clone their cell phone data. Police officers have significant power and discretion in their encounters with civilians and few such police requests will be uncolored by coercion. Officers should be directed by policy not to make such requests.
• Police should be open and transparent about their usage of and policies and practices with regard to this technology.
• Some have proposed state laws creating an “implied consent” for cellphone searches in the aftermath of a serious automobile accident, so that the authorities can check whether use of a phone while driving contributed to an accident. This was proposed in the 2016 session in New York state as something called “Evan’s Law,” though the legislature did not pass it. The existing warrant framework is the proper way to approach such situations, and the ACLU opposes such laws.

At the Border

Customs and Border Protection claims the authority to search cell phones and seize data at the border for any reason or no reason at all—and is currently doing so—but we do not believe this is constitutional. It is true that customs officials have long had the power to search through people’s belongings. But people rarely cross international borders with a lifetime of personal paper correspondence, photographs, reading matter, purchase records, travel history, article clippings, audio recordings, videos, and personal writings in their possession. Yet people routinely carry such materials on their laptops and phones. The traditional powers of customs agents did not evolve based on that reality and as a result do not today adequately balance the government’s need to exclude contraband with individuals’ privacy rights.

Indeed, the Supreme Court accepted exactly this logic in Riley. That case is highly relevant to border searches because it also considered the limits of a longstanding government search power in light of the mega-storage capabilities of today’s personal electronic devices. While the government protested that police had long had the power to search people when they are arrested, and therefore should not need a search warrant to search arrestees’ cellphones, the Supreme Court said no. Writing for a unanimous court, Chief Justice John Roberts explained that

One of the most notable distinguishing features of modern cell phones is their immense storage capacity. Before cell phones, a search of a person was limited by physical realities and tended as a general matter to constitute only a narrow intrusion on privacy. Most people cannot lug around every piece of mail they have received for the past several months, every picture they have taken, or every book or article they have read—nor would they have any reason to attempt to do so. And if they did, they would have to drag behind them a trunk of the sort held to require a search warrant in Chadwick.

Roberts’s last reference is to a previous case (U.S. v. Chadwick) that found that a 200-pound, locked footlocker could not be searched incident to arrest.

Part of the reason the Court ruled as it did in Riley is that it looked to the original purpose of the Fourth Amendment exception that had evolved. In the case of search incident to arrest, those purposes were to protect police officers from those who might be hiding a weapon later used to attack an officer or escape, and to prevent the destruction of evidence. Similarly, when it comes to border searches of U.S. citizens’ devices we must remember the reason officials have the powers they do: to keep contraband goods out of the country. CBP officials have tried to frame the device-search issue in that light.

It is true there is such a thing as contraband data (such as child pornography), but it is very rare. More importantly, when it comes to CBP’s stated goal of excluding illegal content from the United States, it seems silly to turn Americans’ lives into an open book at the border so that CBP can search for digital contraband in their devices, when CBP rightly doesn’t attempt (as it plainly lacks the authority) to examine all digital “goods” that cross our nation’s borders via the Internet—in people’s emails, downloaded from overseas web or FTP sites, etc. Checking data on devices while ignoring the Internet is like trying to monitor the trickle of water in a gutter while the Mississippi river flows nearby, unattended.

In reality, this issue isn’t about CBP’s right to search for and seize contraband goods at all. It’s actually about border agents assuming sweeping new powers to peer into the lives of individuals crossing the border—to an extent agents have never been able to do in the past, especially for U.S. citizens, for whom admissibility is not at issue (all U.S. citizens having a right to return to their country) and contraband exclusion is the only possible rationale for searches.

In addition, insofar as CBP officials are now leveraging devices to search connected data held in the cloud, the “contraband exclusion” rationale is even weaker, because such data does not cross the border in any meaningful way. If I live in Virginia, and I upload photos to a cloud service provider based in California, why should customs be able to search those photos when I return from Paris? Similarly, if I live in Paris and am visiting the States, neither are my photos stored on servers in France crossing the border with me.

As we have argued in legal briefs, border searches of electronic devices using tools like Cellebrite should be permitted only with a warrant (or at a minimum, a demonstration of probable cause).

My colleagues have discussed border device searches in greater detail and offered advice for those entering or exiting the United States with electronic devices. We also offer an online form where anyone who has experienced a device search at the border can report their experience to us.