SPD is considering technology that can crack iPhones, but is it legal?
The Seattle Police Department is considering acquiring technology that can crack a locked iPhone, but is it actually moving through the proper channels?
It’s called GrayKey, and it has the ability to brute-force it’s way straight through a locked iPhone’s security. Gaining steam among law enforcement nationwide, the Seattle Police Department could be the next to jump on board.
Seattle’s Communications Manager Megan Erb told MyNorthwest that GrayKey is under a privacy review from the city’s IT Department Privacy Office, and has yet to be approved for purchase.
That said, it’s also has yet to go through standard approval processes that surveillance technology is required to under Seattle’s 2017 surveillance ordinance.
Seattle’s Surveillance Ordinance
Seattle’s ordinance passed in 2017 required any new surveillance technology to be opened up to public comment and scrutiny before being acquired and adopted.
“The alternative is that you have public blow ups, like what happened when SPD acquired drones without articulating a clear purpose for them,” the ACLU’s Shankar Narayan told MyNorthwest. Narayan is the organization’s Technology and Liberty Project Director.
For context, in 2013, SPD acquired a pair of drones, “without any public input, or even an announcement until they had been acquired already.” This led to the city holding a public hearing, where many citizens expressed concerns about the drones violating the privacy of citizens. Four years later, public hearings for all new surveillance technology were officially codified as a requirement.
In practice, it’s a way of providing transparency into technology that the city or law enforcement could use to monitor citizens in any way, including everything from license plate readers to traffic cameras.
So what’s going on with GrayKey and why is it not up for review? As of now, it’s not actually being defined as surveillance technology, and as such isn’t subject to any sort of public review process.
Questioning GrayKey’s legality
The next question that comes up concerns whether GrayKey is legal in Seattle — determining that, though, is exactly what Seattle’s surveillance ordinance was enacted for in the first place.
Without it, the public doesn’t get a chance to present questions about its uses and benefits, or gather information on safeguards that would potentially be put in place.
“The whole purpose of the surveillance ordinance has been for the council to emphasize that where there’s doubt, there should be public scrutiny, and allowing community groups to voice their concerns,” said Narayan.
“Part of the point of the surveillance ordinance is that we don’t know the capability of the technology,” he added.
Until it goes through the city’s ordinance, Narayan argues that it shouldn’t be cleared for use.
“Agencies need to take this seriously and really make a good faith effort to justify their use of the technology,” he said.
Why wasn’t GrayKey considered surveillance technology in the first place?
A piece of technology that has the ability to access your locked iPhone seems like something that would qualify as a surveillance device. The argument made by GrayKey’s parent company, Grayshift, runs counter to this.
Narayan noted that the company’s key privacy officer “interpreted that if the phones are acquired either under warrant or with the suspect’s knowledge, then this is not surveillance by the ordinance’s definition.”
The actual ordinance itself though doesn’t provide an exception for devices used with a warrant. In fact, undercover technology used by SPD is already included in the list of 29 separate surveillance technologies eligible for public comment. The list notes that the use of a warrant is required for both audio recording and tracking devices.
Beyond this, a second issue was raised by Narayan regarding a privacy impact assessment Grayshift submitted to the city, justifying the use of its technology.
“The documents were poorly filled out with perfunctory assertions, with justification boxes just left blank,” he said.
The justification section on a typical privacy impact report requires its submitter to describe the purpose of the technology, how the technology collects information, to describe “any routine information sharing conducted by the project/program both within City of Seattle departments and with external partners,” and to “identify any major potential privacy risks.”
The end goal is transparency
Narayan and the ACLU’s intent doesn’t seem to involve completely eliminating the use of GrayKey by law enforcement, as much as subjecting it to the same standards as any other potentially problematic surveillance technology.
“I would say that it’s certainly not clear-cut. It depends on both the specific capabilities of the technology, and what it’s being used for in a given instance,” he said. “No one has actually had the opportunity to weigh in, and part of the purpose of the surveillance ordinance is really, to the public, to get the agency’s thinking around the technology.”
For Apple’s part, it’s long fought against law enforcement’s attempts to compel the company into unlocking any confiscated phone. Tweeting Wednesday from the International Conference of Data Protection and Privacy Commissioners in Europe, CEO Tim Cook confirmed as much.
A recent iOS update could even block GrayKey from completely accessing a locked iPhone, however temporary that fix might prove to be. Forbes does note that even after the update, the program can still “draw out unencrypted files and some metadata, such as file sizes and folder structures,” implying this fight is far from over on the software development side.
As for Seattle’s own debate surrounding GrayKey, Narayan is told his concerns have Seattle City Council members “interested.” There’s still a long road ahead, as Erb noted to us that “no decision has been made” by the city as of yet.