Sophos Cloud Optix
An investigation into a chain of paedophiles has revealed the first known case of law enforcement forcing a (living) suspect to unlock his iPhone by using his face with Apple Face ID facial recognition technology.
Forbes dug the case out of an affidavit for a search warrant issued on 19 September that mentioned using Face ID to unlock an Ohio man’s iPhone X.
Forbes staffer Thomas Brewster notes that this isn’t just a first for US law; this is a first for any law enforcement outfit in the world.
The iPhone X belongs to Grant Michalski, 28 – one of six Ohio men who, according to the Department of Justice (DOJ), met on Craigslist to talk about the sexual abuse of at least two 10-year-old girls. In August, the six were charged with crimes related to producing sexual abuse images and repeated sexual abuse of at least those two girls.
Larry McCoy, a task force officer with the FBI, had begun the investigation in January 2018 by posting a Craigslist ad titled “Taboo Dad chat.” Posing as a recently divorced father, McCoy’s ad said he was looking to chat with others regarding “taboo stuff.”
He got a response from somebody later identified as William G. Weekley, 34, of Newark, NJ – one of the men mentioned in the DOJ’s announcement from August. Weekley allegedly proceeded to send McCoy child abuse images via the Wickr messaging app. He was arrested in January and admitted to communicating with others on Craigslist. According to the affidavit, the suspects also used the chat app Kik Messenger to discuss abuse of minors.
Craigslist and Gmail provided investigators with enough information to find Michalski, allegedly one of Weekley’s correspondents.
With search warrant in hand, investigators searched Michalski’s house on 10 August, demanding that Michalski use Face ID to unlock the iPhone X that they found. He complied, which gave the FBI access to photos, videos, correspondence, emails, instant messages, chat logs, web cache information and more on the iPhone.
Or, at least, that’s what the search warrant authorized investigators to seize. However, they couldn’t get everything that they were after before the phone locked. A device can be unlocked by using Face ID, but unless you know the passcode, you can’t do a forensic extraction. The clock starts ticking down, and after an hour, the phone will require a passcode.
During that window of time, investigators could manually look through files and folders and take photos of what they found, but it was slow going. Hooking up a phone to a computer and using a passcode would have enabled faster, more complete forensic data download, including of the data within apps and even deleted data.
That doesn’t mean the data is now entirely out of investigators’ reach. As the FBI noted in the affidavit, there are “technological devices that are capable of obtaining forensic extractions from locked iPhones without the passcode,” and Ohio law enforcement agencies have access to them – specifically, the Columbus Police Department and the Ohio Bureau of Investigation.
In Apple’s 11.4.1 update, which it delivered in July, users could turn on USB restricted mode in response to those techniques, which are believed to be used by GrayShift and Cellebrite to bypass the iOS lock screen. That option is turned on by default in iOS 12, but users who enabled automatic updating could have had it two months prior to that.
Michalski’s lawyer, Steven Nolder, told Forbes that the FBI wanted to use Cellebrite tools to get more data from his client’s phone, but in spite of using Face ID unlock, they haven’t been successful. Hence, the bureau hasn’t found contraband, his client didn’t suffer as a result of being forced to unlock his phone using this particular biometric feature and as such, there’s no need to challenge the warrant’s inclusion of it.
However, Nolder told Forbes that the cops were now using boiler plate language in warrants to allow them to access iPhones via Face ID:
Law seems to be developing to permit this tactic.
If precedence is any guide, Fifth Amendment challenges to compelled face unlocking would likely have little luck. As it is, biometrics tend to be interpreted as constituting “what you are,” versus passcodes, which constitute “what you know,” and that’s a crucial distinction when it comes to Fifth Amendment protections.
Courts have tended to lean toward granting Fifth Amendment protection against self-incrimination when it to the contents of our minds – as in, our passcodes. When it comes to our biometrics, courts have tended to consider biometrics to be outside of the scope of the Fifth Amendment.
Weekley and Michalski are still awaiting dates for the start of their trials.
Man, I’m super torn on this one. Grab pedophiles, check. Save the lives of many children, check. Using this type of facial recognition to force people to unlock their phones… Not sure about that one at all. Again and again, slippery, slippery slope.
Not really. If people are worried about this kind of thing there is really 3 choices 1) turn your phone off before people get your phone. 2) don’t use FaceID or 3) DON’T HAVE THINGS ON YOUR PHONE THAT YOU DON’T WANT INVESTIGATORS TO GET THERE HANDS ON.
I couldn’t imagine what someone would have that they don’t want investigators to get, but i like my privacy, so I don’t use FaceID
Here in the UK we’ve had this debate. The result – a Section 49 Notice issued under the Regulation of Investigatory Powers Act means you are required by law to pass over ANY encryption keys, passcodes, biometrics (or make the data legible) if required to do so by law enforcement, Security services and HMRC (equivalent to IRS). Max. 2 years in jail for failure to comply (5 years for paedophiles or issue of national security). You are also prevented from informing anyone that you’ve been issued with a Section 49 notice.
Self incrimination was debated in some detail (including under the European Convention on Human Rights) and the arguments were similar to a ‘what you are’ versus a ‘what you know’ scenario. A Judicial or Secretary of State authorised warrant is required, specifically relating to protected data, and a judicial tribunal independent of government has the power of oversight over complaints. There are also a number of different commissions with oversight of the process (although how effective these are I have no idea).
The number of Section 49 Notices being issued seems to increase each year – we’ve had this for 10 years. The conviction rate for failure to comply is small, so presumably the courts are providing the checks & balances – even if after the event. Every year there appears to be at least one person jailed for failure to comply.
Regardless of the merits of either side, the most important point is to have the debate and continue having the debate.
That’s a pretty scary thing to trust. An agency that can investigate you, but you can’t tell anyone your being investigated, secret over site, and you only get stats they decide to give out that nobody can verify because its all a secret. Someone older than me might call that the SS. Now if there was public oversight, at least you would know something, rather than trusting blindly.
Like Riggerrob, I ‘m glad that paedophiles are caught, but I was wondering whether this is really the first case this type of using this facial technique. It seems handy for the government legals that this type of case, the catching of a paedophile, comes at the start of their push to reduce Fifth Amendment rights, meaning that objectors can be “shown” to be shielding the bad guys.