The American Civil Liberties Union‘s quest for records from a Federal Bureau of Investigation unit could shed light on law enforcement’s ability to work around a clash with tech companies over encryption.
Records revealing to what extent the FBI can access encrypted information on its own raise questions about whether tech companies should build into their devices a so-called backdoor for law enforcement to gain access for investigative purposes, as some officials have argued.
“If they don’t need a backdoor, then their argument gets undercut,” said Riana Pfefferkorn, a research scholar at Stanford University’s Internet Observatory who focuses on encryption.
The ACLU is suing for records from the FBI’s Electronic Device Analysis Unit, which is believed to be capable of bypassing encryption to access the contents of mobile phones.
The unit is seen as a response to the resistance of companies like Apple Inc. to helping law enforcement access information on locked iPhones in recent years, including after the 2015 San Bernardino mass shooting. The issue has sparked a debate over the privacy and security tradeoffs of encryption.
The ACLU’s lawsuit, filed last month in the U.S. District Court for the Northern District of California, comes after the FBI unit declined to turn over records in response to a Freedom of Information Act request. The FBI told the ACLU that it can’t confirm or deny the existence of the records, according to the group’s complaint.
The ACLU argues in its suit that there are already public records on the FBI’s phone-unlocking capabilities. The records request is seeking more details on policies that govern the FBI unit and its forensic capabilities.
“The lawsuit is really about transparency,” said Arianna Demas, a fellow with the ACLU’s Speech, Privacy, and Technology Project, who is applying to serve as pro hac vice in the case.
The suit points to FBI contracts with mobile phone forensics firm Grayshift, which makes a tool that extracts encrypted or otherwise inaccessible data from mobile devices. Grayshift declined to comment on its customer relationships.
The FBI also posted in August a job opening for a position involving forensic extractions and data recovery from locked and damaged devices, according to the ACLU’s suit. An FBI spokesperson declined to comment on the job posting or on the records request in general.
Court records in a case concerning law enforcement access to a mobile phone likewise suggest that the FBI’s unit is capable of bypassing encryption, the suit says.
Law enforcement typically needs a warrant to search a mobile phone, unless the phone user gives consent.
Public records requests made at the state and local level show that more than 2,000 law enforcement agencies across the U.S. have purchased forensic tools for searching mobile devices, according to research from the nonprofit Upturn. Some of the tools can circumvent a device’s security features to access data.
“A lot of this conversation gets abstracted to: ‘What does this mean for encryption?’” said Logan Koepke, a senior policy analyst at Upturn. “This is not just an abstract question of whether police can get into locked phones.”
Koepke added that although much of the encryption conversation at the federal level focuses on cases of child exploitation or terrorism, Upturn’s research showed that forensic tools are often used to review phones in cases involving graffiti, shoplifting, or similar offenses.
The case is: American Civil Liberties Union Foundation v. Department of Justice, N.D. Cal., No. 3:20-cv-09284, 12/22/20.