Whoop-whoop: It’s the sound of the police extracting your data


The French parliament made waves last week when it allowed police to remotely activate cameras on citizens’ phones and other connected devices. But other countries have been doing this – and more – for some time now.

French police will now be able to remotely activate the camera, microphone, and GPS of suspects’ phones, laptops, and other connected devices.

The so-called spying provision, included in a wider justice reform bill, is frowned upon by both left and right, and criticized by digital privacy advocates and lawyers. However, it’s been amended and now seems quite proportionate – any such surveillance will have to be approved by a judge, and suspects will not be spied on for longer than six months.

Moreover, when you look at it, France isn’t doing anything that other advanced Western countries aren’t already, and authoritarian powers like China or Russia are on another level anyway.

Privacy organizations keep raising the alarm, but the fact remains that cops can almost freely extract any data from your device – at any time. There’s an unsurprising exception, though.

Many Germans endured years of government-enforced spying by the Stasi surveillance machine in the former communist state of East Germany. With this painful memory still fresh in the minds of the now united country, it pays a great deal of attention to defending individual rights and liberties from the embrace of the Orwellian Big Brother.

Germany, the home of data privacy

This is why it’s not really surprising at all that in February 2023, Germany’s Federal Constitutional Court declared as unconstitutional regulations in the states of Hesse and Hamburg that allow police to automatically process personal data using special software to prevent crime.

"Given the particularly broad wording of the powers, in terms of both the data and the methods concerned, the grounds for interference fall far short of the constitutionally required threshold of an identifiable danger," the judges said.

In other words, it’s all about proportionality: yes, automated data analysis can be justified, but the seriousness of possible crimes must be taken into account. Obviously, if the police have information about a looming terror attack, the use of modern technology would be deemed as necessary.

To be fair, the court analyzed the tech that doesn’t exactly help the police extract data from the suspects’ devices. The software, provided by the CIA-backed Palantir Technologies, networks information already stored in various police inventories with each other and helps to establish relationships between people, groups, or places.

Germany historically cares a lot about data privacy and protection – nowhere in the world are there stricter requirements for information security.

It helps to investigate the far-right networks in the country, for example. In the state of Hesse, a suspected ATM bomber was detained after the software showed that a certain car was near several crime scenes.

However, the group challenging the use of the software, the German Society for Civil Rights, argued that the software used innocent people's data to provide leads and could also produce errors – as well as impact people at risk of police discrimination.

This was not even the first time when Germany’s top court provided a similar verdict. In 2020, the Constitutional Court said that police access to personal data from phone and internet users was unconstitutional.

Back then, the plaintiffs argued that the then-current telecommunications act gave police easy access to personal data. Investigators could, for example, often circumvent the need for a judge's approval in accessing email account passwords or the PIN numbers of mobile phones.

The American dream

Germany, of course, historically cares a lot about data privacy and protection – nowhere in the world are there stricter requirements for information security. To a lot of Germans, it doesn’t really whether it’s Facebook or the police gorging on their data.

Alas, the situation in other countries is much worse. Take the United States. Obviously, each of the 50 states live under slightly different laws and the police use diverse tech in their work – but the overall tendency is worrying.

Already in 2020, a report from Upturn, a Washington-based non-profit focused on technology, equity, and justice, ominously warned that “every American is at risk of having their phone forensically searched by law enforcement.”

The report paints a picture of US law enforcement agencies that are not only stocked with advanced phone extraction tools but are also very eager to use them, even in situations where it is not legally appropriate or necessary.

To search phones, law enforcement agencies use mobile device forensic tools (MDFTs), a powerful technology that allows police to extract a full copy of data from a cellphone. All emails, texts, photos, location, app data, and more, can be accessed and programmatically searched.

We all know how much sensitive information we store on our smartphones today. Unsurprisingly, experts say that these tools allow the police to essentially look into your soul. And it doesn’t have to be a case involving major harm or danger – forensic searches are executed for graffiti, shoplifting, car crashes, vandalism, and marijuana possession offenses.

Upturn’s research documents more than 2,000 agencies that have purchased these tools, in all 50 states and the District of Columbia. Hundreds of thousands of cellphone extractions have been performed since 2015, often without a warrant.

There are a lot of firms specializing in cracking phone passcodes and exploiting vulnerabilities, and they’re getting better and better at what they do. Among these, Universal Forensic Extraction Devices (UFEDs) from Cellebrite, an Israeli company, are especially popular as they can extract data even if it has been deleted.

cellebrite-ufed
Cellebrite's data extraction device. Courtesy of Cellebrite.

Cellebrite devices are also used in the United Kingdom where calls for reforms of police powers to conduct “digital stop-and-searches” as opportunistic “fishing expeditions” have been heard.

Naturally and unfortunately, Cellebrite and other such firms care about profits first. But the fact of the matter is that their tools are regularly used to prosecute dissent in non-democratic countries such as Cuba or Venezuela. China also scans and stores data from citizens’ phones.

Ways to defend yourself

So far, we’ve mostly looked at physical data extraction, meaning that officers have to get their hands on the device themselves, even if for a few seconds. For example, Cellebrite’s devices, used in more than 100 countries, require physical access to the phone.

But what about remote surveillance or scans? Well, cell phone tracking devices are obviously the norm, and they’re legal, but US law enforcement also uses “Stingrays,” or IMSI (international mobile subscriber information) catchers.

These are devices that masquerade as legitimate cell-phone towers, tricking phones within a certain radius into connecting to the device rather than a tower.

“What happens then is that all of the metadata on your phone, that is the non-voice call data can then be read,” journalist Jon Fasman, author of We See It All: Liberty and Justice in an Age of Perpetual Surveillance, told NPR in 2021.

“That includes texts you might send, websites you might browse, who you called and how long you talked for, even without knowing the actual substance of the conversation. It connects to the phone and it geolocates you.”

Yes, the tool is increasingly deployed by court order – but not always, according to Fasman. Besides, even if it is used against a specific subject, the data from every other phone is also hoovered up so then it becomes the question of how long this extra data is retained. Again, regulation varies state-by-state in the US, but the tech is used in the wider world, too.

What can you do? One could say not committing crimes is a solution but then what is a crime in Russia or China? Or, actually, in America if the system collapses? Who decides? And even if you stole a candy once, does the police really need all your data?

The advice of experts is multifold. For instance, if you’re active politically and have plans to go out and protest, you should think about not bringing your primary smartphone to the demonstration. “Stingrays” can give cops the individual mobile subscriber identity number of everyone at a protest.

“The device in your pocket is definitely going to give off information that could be used to identify you,” Harlo Holmes, director of newsroom security at the Freedom of the Press Foundation, told Wired in 2020.

Obviously, using end-to-end encryption helps – as does using disappearing messages on apps like Signal which is highly encrypted and called by experts one of the most secure and private ways to communicate. Yes, it’s only chat content, and the police could still hoover up your other data – but it’s something.

In 2020, Cellebrite claimed that it could decrypt messages from Signal’s chat, but Signal later described the company’s post as “pretty embarrassing” and “amateur hour.”

“The device in your pocket is definitely going to give off information that could be used to identify you,”

Harlo Holmes.

Also, know your rights. In the US, the Fifth Amendment says that you can’t be compelled to give self-incriminating testimony – in this case, defined as revealing the contents of your own mind. Civil rights advocates say this means the government cannot force you to tell them your phone password.

Finally, you can try LockUp – an app that can detect signs for attempts to image the device using Cellebrite tools, for example, and then turn the device off and wipe it. However, the creators of the app admit that LockUp doesn’t provide in-depth defense.

And if you’re ok with the police using invasive tech because it’s supposedly effective, here’s what Fasman has to say:

“When we think about these technologies and what we are willing to accept, we shouldn't just think about whether to help police solve more crimes, because almost all of them will – at least on the margins.”

“The question is: is it worth the cost to our privacy and liberty to implement this technology?”