It finally happened. The feds forced an Apple iPhone X owner to unlock their device with their face.
A child abuse investigation unearthed by Forbes includes the first known case in which law enforcement used Apple Face ID facial recognition technology to open a suspect's iPhone. That's by any police agency anywhere in the world, not just in America.
It happened on August 10, when the FBI searched the house of 28-year-old Grant Michalski, a Columbus, Ohio, resident who would later that month be charged with receiving and possessing child pornography. With a search warrant in hand, a federal investigator told Michalski to put his face in front of the phone, which he duly did. That allowed the agent to pick through the suspect's online chats, photos and whatever else he deemed worthy of investigation.
The case marks another significant moment in the ongoing battle between law enforcement and tech providers, with the former trying to break the myriad security protections put in place by the latter. Since the fight between the world's most valuable company and the FBI in San Bernardinoover access to an iPhone in 2016, Forbes has been tracking the various ways cops have been trying to break Apple's protections.
First came multiple cases in which suspects were told to unlock iPhones with their fingerprints, via Apple's Touch ID biometric login. The same technique was then used on dead subjects. Earlier this year, this publication uncloaked GrayKey, a $15,000-$30,000 tool that could break through the passcodes of the latest iOS models, including the iPhone X. Another contractor, Israel's Cellebrite, announced similar services.
Now Face ID is being used for the same purpose. Whilst the feds obtained a warrant, and appeared to have done everything within the bounds of the law, concerns remain about the use of such tactics.
"Traditionally, using a person's face as evidence or to obtain evidence would be considered lawful," said Jerome Greco, staff attorney at the Legal Aid Society. "But never before have we had so many people's own faces be the key to unlock so much of their private information."
iPhone X marks the spot
When David Knight, special agent with the FBI, obtained Michalski's cell and required the suspect to place his face in front of the device, instantly opening it, there were various items of interest inside, according to an affidavit for a search warrant of that iPhone X.
There were conversations over chat app Kik Messenger in which users discussed abuse of minors, according to the affidavit's narrative. It was later discovered that Michalski had used Kik previously to talk with an undercover officer posing as a father interested in sex with children, Knight wrote. As per a previous Forbes investigation, Kik has had to deal with a vast number of child exploitation cases involving its platform, and promised to spend millions of dollars on fixing the problem.
Leading up to the seizure of the device, Knight had learned that Michalski had posted an ad on Craigslist titled "taboo," the investigator wrote. Emails were later shared between Michalski and another defendant William Weekley in which they discussed, amongst other things, incest and sex with minors, according to Knight's telling. That included sexual acts with a Jane Doe, whom Weekley referred to as his daughter. (Both defendants await trial. No date has been set yet).
Whilst Knight may've found some evidence of criminal activity when he manually searched the device, in one respect the forced Face ID unlock of the iPhone X was a failure. It wasn't possible to siphon off all the data within using forensic technologies. That was because the passcode was unknown.
In modern iPhones, to hook the cellphone up to a computer and transfer files or data between the two, the passcode is required if the device has been locked for an hour or more. And forensic technologies, which can draw out far more information at speed than can be done manually, need the iPhone to connect to a computer.
It appears Knight didn't keep the device open long enough and so couldn't start pulling out data with forensic kits. He admitted he wasn't able to get all the information he wanted, including app use and deleted files. What Knight did get he documented by taking pictures.
But he wasn't to be frustrated entirely. In another revelation in the court filings, Knight noted he'd learned both the Columbus Police Department and the Ohio Bureau of Investigation had access to "technological devices that are capable of obtaining forensic extractions from locked iPhones without the passcode." The only two companies known to have provided such services this year are Cellebrite and Grayshift.
Both those companies have been doing big business with the U.S. government of late. Grayshift scored its biggest order to date earlier this month, scoring a $484,000 deal with the Secret Service. That followed a $384,000 contract with Immigration Customs Enforcement (ICE). The Secret Service spent $780,000 on Cellebrite in September too.
It's unclear what the forensic examination of Michalski's phone achieved. Earlier this week an executed warrant filing was signed off by Knight. In the inventory of what was taken from the device, all that was relayed in handwriting was: "Access to phone for digital info/data." (In what's likely a mistake, the executed warrant lists an iPhone 8, a model that doesn't have Face ID and doesn't appear in the affidavit). Forbes contacted the DOJ prosecutor on the case, Heather Hill, who said she couldn't talk about specifics of the case or law enforcement investigative techniques.
"I do not have any knowledge of whether FaceID has been used to unlock an iPhone in any other investigations," Hill added in an email.
Michalski's lawyer Steven Nolder told Forbes the FBI wanted to use Cellebrite tools to extract data from the device, but hadn't been succesful despite the Face ID unlock. "Consequently, at this moment, they've not found any contraband on the cellphone," Nolder said over email. "That's a Pyrrhic victory as there was contraband found on other devices but there would be no need to challenge the warrant's facial recognition feature as my client was not harmed by its use."
But Nolder said that the cops were now using boiler plate language in warrants to allow them to access iPhones via Face ID. "Law seems to be developing to permit this tactic," Nolder added.
Law behind the times
Thus far, there's been no challenge to the use of Face ID in this case or others. But Fred Jennings, a senior associate at Tor Ekeland Law, said they could come thanks to the Fifth Amendment, which promises to protect individuals from incriminating themselves in cases.
In previous rulings, suspects have been allowed to decline to hand over passcodes, because the forfeiture of such knowledge would amount to self-incrimination. But because the body hasn't been deemed a piece of knowledge, the same rulings haven't been applied to biometric information, like fingerprints or face scans. That's despite the fact that the use of passcodes, fingerprints and faces on an iPhone has the same effect in each case: unlocking the device.
Jennings thinks that as long as there's no specific legislation dealing with this apparent conflict, courts will continue to hear arguments over whether forced unlocks via facial recognition is a breach of the Fifth Amendment.
"The law is not well formed to provide the intuitive protections people think about when they're using a Face ID unlock," Jennings said. "People aren't typically thinking [when they use Face ID] that it's a physical act so I don't have this right against self-incrimination."
And with Apple's devices, it may be more difficult for defendants to argue their face is a piece of knowledge protected by the Fifth, than it is for fingers. "Arguably if law enforcement says use your finger to unlock, the knowledge of which finger [will unlock an iPhone] is still an item of knowledge being produced by the individual," Jennings explained. "Whereas with Face ID, by design it will only unlock with a very specific and obvious and body part."
Investigating the dead's iPhones
In the meantime, the technical tussle between cops and tech firms will only continue.
There are various ways in which the latest iPhones can stymie federal investigations, even if Apple didn't design features for that specific purpose. Beyond the passcode, thanks to a feature called SOS mode, it's possible to shut down Face ID and Touch ID with five quick clicks of the power button in older iPhones. In the iPhone 8 and X, the same is achieved by holding the side button and one of the volume buttons. And if the device hasn't been opened within 48 hours, a passcode is required to open it again.
"Additionally, a long and unique alphanumeric passcode will prevent any forensic imaging attempts from decrypting your phone's data," said Ryan Stortz, a security researcher at Trail of Bits. "However, SOS won't save you if the feds distract you and seize your phone out of your hand."
Apple's Face ID also requires a person's eyes to be open. Not only that, Apple's tech has "liveness detection" that attempts to determine if the visage looking at the device is alive.
So, unlike Touch ID, Face ID doesn't work with the dead. According to one source in the forensics community who asked to remain anonymous, New York narcotics cops have even tried on multiple occasions to open iPhone X devices of heroin overdose victims but to no avail.
In such cases, hacking tools like the GrayKey offer the only possible way to dig up the dead's smartphone secrets.