Federal Case Shows Cops Still Have Plenty Of Options When Dealing With Device Encryption
from the you-don't-need-a-backdoor-if-the-front-door-has-been-left-open-inadvertently dept
If no one’s going to give you an encryption backdoor, maybe you just need to inconspicuously prop open the front door. That’s what one cop did in this case discussed by a federal court in Minnesota. (via FourthAmendment.com)
After being picked up by Task Force Officer (TFO) Adam Lepinski on suspicion of being involved in a shooting, Johnnie Haynes asked for some phone numbers off the phone Lepinski had taken from him. (A side note: TFO Lepinski was off-duty, moonlighting as security for a parking lot when he arrested Haynes. But he was still in his full uniform. This seems problematic.)
Lepinski gave the phone back to Haynes, who unlocked it with his thumbprint. Haynes told Officer Lepinski the numbers and the officer wrote them down for him. He then gave the phone back to the officer with an indication he wished to have his phone locked again. From the order [PDF]:
While reading numbers with the phone in his hand, Haynes said “This the last number right here, man. And then I’m going to turn my phone off.”
That’s not what happened. Lepinski’s testimony and his body camera footage show the officer instead made sure the phone would not return to a locked state while he sought a warrant.
After “a matter of minutes,” TFO Lepinski changed the settings on the cell phone, which was still unlocked. TFO Lepinski disabled the automatic-lock feature by changing the settings to a setting called “never lock” to prevent the screen from going to sleep or locking. TFO Lepinski believed this was the first instance where he had changed the settings on a cell phone. TFO Lepinski testified that he changed the settings because he did not have the passcode for the phone and believed that he would be able to get into the phone easier to get the data off the phone if it remained unlocked.
No one denies the suspect made it clear he wanted his phone returned to its locked state. The officer handling Haynes and his phone not only ensured it would not lock again by changing its internal settings, he also lied to Haynes about the phone’s unlocked state.
At Haynes’s request, TFO Lepinski went back inside the precinct and retrieved another phone number from Haynes’s cell phone. After writing down the phone number on a piece of paper, TFO Lepinski placed the cell phone in a manila envelope, held the envelope flat to prevent the phone from locking, and returned to the squad car. TFO Lepinski handed the piece of paper to the officer in the squad car and notified Haynes of that action. At that time, Haynes asked TFO Lepinski “Did you lock my phone back up? Is it locked up?” TFO Lepinski, carrying the phone in the manila envelope, said the phone was “right here” and would be property inventoried. Haynes responded, “But did you lock it up” and TFO Lepinski responded, “Yes, it is,” to which Haynes continued, “or did you go in it?” TFO Lepinski replied, “I got the number out of it. You asked me to, right?” and Haynes responded, “Oh, OK. Yeah.” TFO Lepinski testified that the cell phone was actually unlocked when he told Haynes that it was locked.
Once a warrant was obtained, the phone was hooked up to a GrayKey device to extract data and communications. According to the officer who performed the search, the phone being powered on and previously unlocked (a state called “after first unlock” or “AFU”), rather than powered down, made it a little easier to extract data from it.
Officer Gustafson later testified that “[t]he GrayKey cannot access 100 percent of Apple devices, but I would say if the device is left on at the time it is seized, whether it is locked or unlocked, and the user has been using the device, I would say roughly 90 percent or more of Apple devices can be accessed.” If the cell phone is left on, the chances increase of being able to access it with GrayKey.
Officer Gustafson estimated that he retrieved over 95 percent of the data that was on Haynes’s cell phone.
Haynes moved to suppress the evidence pulled from his phone, arguing that TFO Lepinski’s original “search” — the one where he changed settings to prevent the phone from locking — was illegal. And if that search was illegal, so was the more in-depth search that followed.
The government argued — citing the Supreme Court’s Riley decision of all things — that Lepinski’s changing of the phone settings was nothing more than “securing the scene” of a suspected crime. The Riley decision is cited because of the judges’ speculation about how law enforcement could handle edge cases involving device encryption or remote wiping. The judges said using a Faraday cage/bag or putting the phone in airplane mode could prevent remote wiping. And encryption might not pose a problem if the device was seized in an unlocked state, allowing officers to keep it in an unlocked state until evidence could be collected from it.
But there’s a difference here. This wasn’t “securing a scene.” In fact, it diverges greatly from the hypothetical posed by the Supreme Court.
The Government argues that TFO Lepinski’s act in changing the settings was tantamount to securing a scene pending a search warrant. The Court has some concerns about this argument. TFO Lepinski did not “happen to seize a phone in an unlocked state” as contemplated in Riley. The cell phone was seized when TFO Lepinski walked Haynes to the First Precinct and searched him incident to arrest. The phone was locked when TFO Lepinski took it out of Haynes’ pocket during the search incident to arrest. It was not unlocked until TFO Lepinski retrieved it to obtain the phone numbers requested by Haynes and Haynes unlocked it with his thumbprint for that purpose.
Under these circumstances, it is not clear that the dicta in Riley suggesting that law enforcement can change settings on a phone to prevent encryption if they happen to seize a phone in an unlocked state or the case law authorizing securing a scene to maintain the status quo pending a warrant would apply to the facts of this case.
Unfortunately, even if this act was a search — which the court doesn’t expressly agree it is — it had little bearing on what happened following it. The phone was searched with a GrayKey device that likely would have pulled as much information from it even if it had been locked. What mattered most, apparently, was that the phone had been on and unlocked previously (“after first unlock”). The court says the overall success rate of GrayKey searches makes this inevitable discovery from an independent source, rather than a violation of the Fourth Amendment.
Haynes’ argument assumes that the only options TFO Lepinski had were (1) turn the phone off to prevent remote wiping or (2) place the phone in airplane mode (which he contends is an illegal search). That is not accurate. TFO Lepinski had the option of doing nothing, and leaving the phone in a powered-on, locked state—the status quo of the phone when seized. Indeed, it appears unlikely that TFO Lepinski would have turned the cell phone off due to remote wiping concerns, because that would lock the phone. If the phone had been kept in its powered-on, locked state, it would have been in an AFU state, and GrayKey would have extracted the same data that was extracted from the phone in its unlocked state. For these reasons, the Court finds that the results of the search of Haynes’ cell phone after TFO Lepinski obtained a warrant constitute an independent source of the evidence, and recommends denial of the Motion and Supplemental Motion on that basis.
This order shows there’s more than one way to approach the challenges raised by device encryption. Rather than just complain about it to legislators, law enforcement officers can keep devices unlocked or adjust their settings to keep them unlocked without worrying too much about the Fourth Amendment. But that’s only if they constrain themselves from looking at other stuff while changing settings. And that’s only in this case in this court where cops used a data extraction device that would have given them pretty much everything they got even if the officer hadn’t changed the sleep settings.
However, the Fourth Amendment could swiftly come back into play if law enforcement uses one of Grayshift’s other offerings: spyware that allows officers to keylog passcodes and PINs if they’re given an opportunity to install the software. This case shows just how easily such a thing could be done. Installing malware would be far more intrusive than simply changing sleep/security settings. Then again, at least one court has held that simply glancing at the lockscreen of a phone constitutes a search, so there’s a chance this suppression order might be overturned if it’s appealed.