The tools are so effective that they have largely automated the business of unlocking phones. That’s a big change from the mid 2000s. Jonathan Zdziarski, an Apple forensics expert, used to teach FBI technologists how to access data from iPhones on a bespoke basis. But law enforcement soured on that approach later in the decade, and investigators sought solutions that essentially were “push a button, data appears,” Zdsiarski told me on Listening In. Achieving that ease of search may have driven the past decade’s fights over locked phones. That is, the security protections that Apple and Google (Android’s developer) put in place to protect customer data on the phones made it harder for everyone, including law enforcement, to access private data on the phone. That’s a security improvement. But the security improvement comes with a downside: It makes it harder to have the push-and-data-appears solutions that law enforcement seems to prefer. Even when law enforcement could breach phones on an individual basis using techniques like those taught by Zdziarski, the encryption systems imposed a barrier to what law enforcement really wanted: speed and ease of search.
The widespread adoption of MDFTs changes that equation. The Upturn report shows that companies like Cellebrite and GrayShift (maker of the GrayKey tool) provide push-and-data-appears capability—but at a cost. Since 2015, Las Vegas’s police department has spent more than $640,000 on MDFTs; Miami’s police department, more than $330,000; state agencies in Michigan, more than $1 million; and Indiana State Police, more than $510,000. Put another way, Apple’s and Google’s security protections appear to be good enough to thwart casual criminals. But they don’t appear to keep out anyone with a large enough budget to pay for MDFTs.
That seems to change the going dark premise. Law enforcement has long warned that the consequences will be the increasing inability of law enforcement to investigate serious crimes. But Upturn’s report shows that maybe the problem is different: The issue is not law enforcement’s inability to get into locked phones but, rather, who can pay to enable law enforcement access.