A doorbell camera caught it all.
The footage showed three men climbing the stairs to the third floor of an apartment complex in far south Louisville earlier this year. One of the men stooped to snatch a package and then disappeared into his then-girlfriend’s apartment across the hall, according to a search warrant affidavit from a Louisville Metro Police detective.
With the warrant, the detective set his sights not on the apartment, or the suspected thief.
Instead, he wanted the girlfriend’s phone.
Modern day cell phones store a trove of data, and the detective was sure the device would help him catch the man who stole the package, according to the affidavit filed with the Jefferson Circuit Court clerk.
Cell phone searches are becoming increasingly commonplace by police agencies across the country. With specialized software, law enforcement can extract data from the devices that often hold the most intimate information — photos, passwords, messages and more.
The practice worries privacy advocates, civil liberties proponents and technology experts, because it gives police vast potential to create virtual dossiers on citizens — even those who aren’t being investigated for crimes. Police agencies often use the tools with little guidance from policies that mandate what data is extracted, how long it’s kept, and who has access to it.
Also troubling, experts say, is when police departments refuse to disclose how they use the tools.
City records obtained by the Kentucky Center for Investigative Reporting show LMPD has spent more than $205,000 since 2020 on a powerful, yet controversial, cell phone data extraction tool called Graykey that’s made by the Atlanta-based company Magnet Forensics. The technology lets police create a copy of a phone’s data to get an unfettered view into the private and oftentimes far-reaching information held on a person’s cell device.
KyCIR requested records that detail the agency’s use of the Graykey tool and copies of any search warrants obtained by police to use the tool. The records could provide a window into how often the agency uses the tool, who they target and why, but LMPD officials denied both requests.
The agency cited an exemption in the state’s open records law that allows some investigative records to be withheld from public disclosure. KyCIR is appealing the decision to the state’s attorney general.
An LMPD spokesperson declined to make a police official available for an interview to discuss the agency’s use of cell data extraction tools. In an emailed statement, a spokesperson said “Graykey is one of many tools at LMPD’s disposal regarding crime mitigation.”
A spokesperson for the company that makes Graykey did not respond to an interview request.
Louisville’s police force is under intense scrutiny after investigators with the U.S. Department of Justice found officers have a pattern of violating people’s civil rights by using excessive force, discriminating against Black people, and conducting unlawful searches. Louisville Metro officials are negotiating the terms of a coming consent decree.
In response to the DOJ probe, Louisville Mayor Craig Greenberg often promises LMPD will be the nation’s “most trained, trusted and transparent” police force in the nation.
Asked Tuesday if LMPD should disclose details about how it uses cell data extraction tools, Greenberg said he “can’t comment specifically on that.”
Technology experts say that it's impossible to be transparent when officials refuse to disclose details about or discuss how they use intrusive surveillance tools.
Cell phones are like a “portal into our souls'' due to the scope of data they keep on where people move, who they communicate with and what their interests are, said William Budington, a senior staff technologist at Electronic Frontier Foundation, a San Francisco-based nonprofit focused on digital civil liberties. And any police agency with the tools to pry data from the devices should be forthcoming about how they use it, to help ensure they’re not abusing their power, he said.
“The ability and role of police in our society should be determined by citizenry,” Budington said. “How are you going to judge what role they actually have if you don’t know what they’re doing?”
Just too powerful
LMPD policy requires officers to get a search warrant or written consent when they want to extract data from cell phones. The agency’s spokesperson said the Graykey tool is used “primarily for violent felonies” and for assisting neighboring police agencies with investigations.
Though LMPD refused to provide copies of search warrants for cell phone extractions, KyCIR obtained nearly two dozen of the warrants from the Jefferson Circuit Court clerk. The warrants, signed by judges between early December 2023 and February 2024, show detectives used cell phone searches to investigate robberies, carjackings, drug dealing, child abuse, shootings and the package theft. Five of the warrants relate to homicide investigations.
The warrants detail the scope of what officers want from a phone — often requesting access to passwords, encryption keys, bluetooth settings, hotspot identifiers, connection dates, contact lists, phone logs, notes, calendar information, reminders, messages, photos, videos, Siri requests, browser history, bookmarked webpages, location data and any other metadata from social media or third-party applications that would help crack the case.
LMPD’s spokesperson said the agency has a data retention protocol for evidence collected through cell data extraction. That policy says that LMPD’s Digital Forensic Unit will “maintain custody of evidence (e.g., cellular device, laptop, media, software, and related peripherals) submitted for forensic examination.” The policy does not limit cell data extractions to specific types of investigations or restrict how long police can keep a person’s data.
“Many police departments don't have a policy related to this, but they should,” said Alex Marthews, the national chair of Restore the Fourth, a nonprofit that advocates for protections against unconstitutional mass surveillance.
Use of data extraction tools raises several questions that Marthews said elected officials should consider and discuss with the public: What do police do with data that’s not relevant to the crime being investigated? Do they use the tools on phones of victims or witnesses? How many people within an agency can access the extracted data? What are the consequences if someone abuses the data?
“Police are members of the public who have been chosen to be armed and trained to provide public safety functions,” Marthews said. “And we've trusted them with these special powers and special discretion, and in exchange for that their policies and their practices should be subject to public review.”
Police use of cell phone data extraction tools has exploded across the country in recent years. A 2020 report from Upturn, a Washington, D.C.-based nonprofit that advocates for equity in technology, found more than 2,000 police agencies in all 50 states have purchased cell data extraction products.
The type of systemic inequity identified in the Department of Justice’s report on Louisville police is what leads Urmila Janardan, a senior policy analyst at Upturn, to believe communities of color will be disproportionately targeted by invasive cell data extraction surveillance technology like Graykey.
That’s a problem, because the tools go beyond collecting data on the person who owns the phone, Janardan said. Instead, a person’s entire network of contacts can be implicated when police scrape a phone’s data.
Janardan doesn’t think police should use cell data extraction tools, at all.
“They’re just too powerful,” Janardan said.
Greenberg, however, sees them as useful tools for local police.
“If we can lawfully obtain information from people’s cell phones, then I think we should do that,” he said during a press briefing this week. “We need to resolve crimes to make our city safer.”
A digital arms race
As the popularity of the tools grows, cell phone makers are scrambling to design devices that can withstand the sophisticated surveillance software, said Albert Fox Cahn, the executive director of the Surveillance Technology Oversight Project, a New York City-based nonprofit that advocates for privacy and against mass surveillance.
“There's a global arms race going on, that most people never think about, to pour billions of dollars into technology all designed to break into your phones,” he said.
The technology gives local police departments unprecedented access to information that, in the past, only federal agencies could access, Cahn said. And, oftentimes, police use these tools with little public discourse about what technology they’re buying, how they use it and — most importantly — if they should use it, he said.
“With great power comes great responsibility,” he said. “And comes genuine need for genuine oversight.”
LMPD is investing in surveillance technology beyond cell data extraction.
Mayor Greenberg detailed his proposed budget last month and wants to increase the police department’s budget by more than 8%, in part, to help pay for new license plate readers and surveillance cameras across the city. The agency also pays for the controversial Shotspotter gunshot detection tool.
And cell data extraction isn’t the only way police in Louisville use mobile devices to aid investigations. In 2021, KyCIR reported on LMPD’s use of geofence warrants — a tactic that allows police to cast a net over a specified area in hopes of getting information about people within the boundary via their cell phone data.
A March 2022 purchase quote for Graykey products obtained by KyCIR shows a premium subscription with unlimited extractions from iOS and Android devices would cost LMPD $45,995. Eight months later, the city mailed a check to the Atlanta-based company for that exact amount — the first purchase of Graykey tools, according to city records obtained by KyCIR through an open records request. By February 2024, the annual cost had increased to more than $54,300, records show.
Greenberg said last month that he did an exhaustive “line by line, item by item” review of the city’s budget and “asked lots of questions” about the need for certain spending. But he said he did not question the cost of the police department’s cell data extraction tool.
On Tuesday, he said he didn’t know about the specific tool the agency used.
Once police get a phone, they can plug it into the Graykey tool to initiate the extraction, according to reports on the technology. The tool can bypass security protections and repeatedly guess passcodes, a process known as brute force, to get to encrypted data. The company’s website boasts that the tool can break into phones within an hour, regardless of the device’s condition.
The woman who had her phone seized by police for the package theft earlier this year did not want to be identified for this report for fear of retribution. But she told KyCIR that she was surprised when a detective came to her at work wanting to seize her phone for a stolen package.
She said she gave him the phone and its passcode because she wanted to comply — she feared getting arrested if she didn’t.
He kept the phone for two weeks, she said.
In the end, she doesn’t know what, exactly, the detective found on her phone. She said he returned the device to her supervisor at work and said there wasn’t any evidence that she took part in the crime.
The phone works just the same, she said, but she wonders just how far the surveillance goes.
“I don't know if they're still looking at my phone,” she said. “Like, if they can see me on the phone with somebody right now. I don't know.”