U.S. Schools Are Buying Phone-Hacking Tech That the FBI Uses to Investigate Terrorists

Drawers of cell phones stored at Israeli firm Cellebrite’s research lab in Petah Tikva in 2016.
Photo: Jack Guez/AFP (Getty Images)

In May 2016, a student enrolled in a high school in Shelbyville, Texas, consented to having his phone searched by one of the district’s school resource officers. Looking for evidence of a romantic relationship between the student and a teacher, the officer plugged the phone into a Cellebrite UFED to recover deleted messages from the phone. According to the arrest affidavit, investigators discovered the student and teacher frequently messaged each other, “I love you.” Two days later, the teacher was booked into the county jail for sexual assault of a child.

The Cellebrite used to gather evidence in that case was owned and operated by the Shelby County Sheriff’s Office. But these invasive phone-cracking tools are not only being purchased by police departments. Public documents reviewed by Gizmodo indicate that school districts have been quietly purchasing these surveillance tools of their own for years.

In March 2020, the North East Independent School District, a largely Hispanic district north of San Antonio, wrote a check to Cellebrite for $6,695 for “General Supplies.” In May, Cypress-Fairbanks ISD near Houston, Texas, paid Oxygen Forensics Inc., another mobile device forensics firm, $2,899. Not far away, majority-white Conroe ISD wrote a check to Susteen Inc., the manufacturer of the similar Secure View system, for $995 in September 2016.

Gizmodo has reviewed similar accounting documents from eight school districts, seven of which are in Texas, showing that administrators paid as much as $11,582 for the controversial surveillance technology. Known as mobile device forensic tools (MDFTs), this type of tech is able to siphon text messages, photos, and application data from students’ devices. Together, the districts encompass hundreds of schools, potentially exposing hundreds of thousands of students to invasive cell phone searches.

While companies like Cellebrite have partnered with federal and local police for years, that the controversial equipment is also available for school district employees to search students’ personal devices has gone relatively unnoticed—and serves as a frightening reminder of how technology originally developed for use by the military or intelligence services, ranging from blast-armored trucks designed for use in war zones to invasive surveillance tools, keeps trickling down to domestic police and even the institutions where our kids go to learn.

“Cellebrites and Stingrays started out in the provenance of the U.S. military or federal law enforcement, and then made their way into state and local law enforcement, and also eventually make their way into the hands of criminals or petty tyrants like school administrators,” Cooper Quentin, senior staff technologist at the Electronic Frontier Foundation, said in a video interview. “This is the inevitable trajectory of any sort of surveillance technology or any sort of weapon.”

In 2016, the FBI reportedly cracked the iPhone of the San Bernardino shooter thanks to help from an unnamed “outside vendor” and without the cooperation of Apple, sparking the “new Crypto Wars” as the federal government pushed for encryption backdoors—a fight that is still going on today. A Vice investigation from that year found that the FBI has purchased at least $2 million worth of Cellebrite products since 2012 and has sold its portable devices to state police forces around the country.

Since then, this technology has spread dramatically. According to a December report from Upturn, a Washington, DC-based civil society organization, at least 2,000 U.S. law enforcement agencies, including 50 of the nation’s largest police departments, have access to these tools.

We’ve reached out to Cellebrite, Oxygen Forensics, and Susteen for comment on their tools being used in schools and will update when we hear back.

An engineer demonstrating an older generation of Cellebrite’s UFED technology in the Israeli city of Petah Tikva in 2016.
Photo: Jack Guez/AFP (Getty Images)

The term “mobile device forensics” can mean many things, but the type of devices and software seemingly being purchased by schools were designed for one primary purpose: satisfying police, security, and intelligence agencies’ desire for quick and easy extraction of data from phones, tablets, and other handheld devices.

Cheaper tiers from services like Cellebrite might be able to siphon unencrypted information from newer cell phones but only crack security on older devices with publicly known exploits. More expensive versions of the tools might give the user access to private exploits, vulnerabilities in encryption techniques or implementation that allow deeper penetration of newer devices or perhaps even bypass passcodes entirely. Some MDFT manufacturers offer cloud analysis tools that use login credentials stored on the target device to download data from linked services.

Gizmodo analyzed a random sample of 5,000 public school or school district websites across the United States and found that eight district websites mention Cellebrite or another MDFT technology. Because our sample is a relatively small portion of the total number of high schools in the United States—and the ones that stood out did so because they published the purchases as line items in public budget reports—many other school districts may have access to this technology.

The Los Angeles Unified School District, the second-largest school district in the country with over 630,000 students enrolled in over 1,000 institutions in the 2018-2019 school year, has a Cellebrite device it says is used by a team that investigates complaints of employee misconduct against students. Its listed description for the job of Digital Forensics Investigator states that those in that role assist with “student safety issues, fraud, collusion, and/or conflicts of interest,” specifically mentioning expertise with Cellebrite as a qualification.

The Fourth Amendment protects people in the United States from unreasonable government searches and seizures, including their cell phones. While a search without a warrant is generally considered unreasonable, the situation in schools is a little different.

In the case New Jersey v. T.L.O., the U.S. Supreme Court ruled that schools do not necessarily need a warrant to search students so long as officials have a reasonable belief a student has broken the law or school policy, and the search is not unnecessarily intrusive and reasonably related in scope to the circumstances under which the search was originally justified. The “reasonableness” standard is extremely broad, largely deferential to the whims of school officials, and can serve as the basis for fishing expeditions; courts have only rarely ruled that school searches violate the Fourth Amendment.

“The problem is as much with the legal standards as with the technology,” said Barbara Fedders, an assistant professor of law at University of North Carolina at Chapel Hill, who focuses on the intersection of criminal law and school discipline. “Schools take students’ cell phones for all kinds of reasons, not because they think they are doing anything pernicious; you can see where racial bias could factor into this.”

Cell phones are deeply personal items, and it’s easy to imagine how embarrassing and potentially catastrophic it would be if an administrator or school resource officer used a Cellebrite to download students’ private text messages, photos, social media posts, location history, and more.

“Every teenager is going to have something vaguely incriminating on there,” Quentin said. “That’s just part of being a teenager. I’m concerned about the teachers, you know, just kind of pulling out students they don’t like and deciding to run their phones to look for reasons to take them out of class, right?”

Gizmodo reviewed student handbooks from four school districts with access to mobile extraction devices, and we found that none of the student handbooks inform students that administrators or resource officers are prohibited from carrying out warrantless searches of personal electronic devices without explicit consent. We further reviewed additional policies regarding the search of student devices by both school officials as well as peace officers or other members of law enforcement.

For instance, the Los Angeles Unified School District parent/student handbook contains a lengthy section on student searches, noting that students are protected by the Fourth Amendment but that “the law allows school officials to conduct searches of students under certain limited circumstances.” Specifically, the rules state an administrator must be able to articulate their reason for suspicion of the student in connection to a “specific incident,” “reasonably connect the student to a specific incident, crime, rule, or statute violation,” and have “recent, credible information” to back up those claims. The handbook also states that searches must not be “excessively intrusive.” The policy specifically governing conduct of the Los Angeles School Police Department requires officers to obtain consent to search a device or a search warrant.

Barbers Hill ISD, near Houston, Texas, listed Cellebrite as a vendor in documents from the years 2013 to 2016. Its handbook states that officials may “search students, their belongings, and their vehicles in accordance with law and district policy” based on “reasonable suspicion or voluntary consent.” It adds that “any searches of personal electronic devices will be conducted in accordance with law, and the device may be confiscated to perform a lawful search,” and said devices may be turned over to police to investigate whether crimes have been committed.

The North East ISD allows officials to “search a student’s outer clothing, pockets, or property by establishing reasonable suspicion or securing the student’s voluntary consent.” Further, the district’s Acceptable Use Policy for students maintains, “A student’s personal technology device may be subject to search by campus administrators in connection with determining if a student has committed a violation of this Policy and/or the Student Code of Conduct.” The district’s website adds that students’ devices may be “subject to search when school personnel have reasonable suspicion that a student has violated or is violating either the law or school/district rules/policies or procedures.”

Conroe ISD’s code of conduct only directly mentions searches of a student’s person, vehicle, locker, and desk, as well as “temporary confiscation of items that disrupt the educational process.” Its Secondary Handbook further explains that, “In limited circumstances and in accordance with law, a student’s personal electronic device may be searched by authorized personnel.”

Barbers Hill, North East, and Conroe are all governed by the Texas Association of School Boards, which requires that school officials have either “reasonable cause” or obtain consent to search without coercion, “such as threatening to contact parents or police,” before performing a search. Peace officers, meanwhile, must obtain consent or a search warrant to search a student’s device, except in unusual circumstances.

As Fedders explained, students often lack the ability to refuse to cooperate in school-led investigations in the same way a suspect outside of school might. “A lot of schools have these codes of conduct that say, basically, if you don’t follow the order of an administrator, it can be grounds for school discipline,” Fedders said. “And so while, in theory, you might have the Fifth Amendment right to not want to participate in like an interrogation, or you might want to say, ‘no, I don’t give consent, I’m not letting you do any of this.’ If they can reasonably interpret that as insubordination, then yeah. Then kids are put in a really bad position.”

Ultimately, Gizmodo’s investigation turned up more questions than answers about why school districts have sought these devices and how they use them. Who is subject to these searches, and who is carrying them out? How many students have had their devices searched and what were the circumstances? Were students or their parents ever asked to give any kind of meaningful consent, or even notified of the phone searches in the first place? What is done with the data afterward? Can officials retain it for use in future investigations?

Most of the school districts did not respond to our inquiries. However, a spokesperson for Cypress-Fairbanks ISD confirmed that they indeed use Oxygen Forensics’ mobile extraction tools, saying that the devices are “used to extract data from cell phones for evidentiary purposes.” The spokesperson declined to provide specific details about the searches.

“Los Angeles Unified’s Student Safety Investigation Team uses Cellebrite software to extract information and data from cellular phones as a part of forensic investigations,” a spokesperson for the school district said in a statement, referring to its team that investigates accounts of misconduct by employees ranging from financial fraud to sexual abuse. When asked whether such a search would require a warrant, the spokesperson declined to comment.

While it is common and widely accepted that schools have the right to search students’ lockers or even their cars, phones contain far more about their lives than any physical space ever could.

“Your phone contains things pertinent to your entire life off-campus as well as on. It really contains the most intimate map of who you are as a person, what your thoughts are and what you’re doing, what your daily life is like,” Quentin said. “And that is a much more invasive search, of things not pertaining to school, than a search of a locker or of a backpack.”

If you are a high school student who thinks their phone has been searched using a Cellebrite device or similar phone-inspection tools, or a parent or guardian of a student whose phone has been searched, please reach out to dmehrotra@gizmodomedia.com and tom.mckay@gizmodo.com.

Clarification: While an Israeli newspaper reported that the FBI used Cellebrite technology to crack the San Bernardino shooter’s locked iPhone, the Washington Post reported that was not the case. However, the Intercept reports that Cellebrite has become “the FBI’s go-to hackers for mobile forensics.”

Update 10:30pm ET, Dec. 11: Added additional contextual information regarding policies governing the searches of student devices at LAUSD, Barbers Hill, North East, and Conroe.


DISCUSSION

quantity-question
nopenopenopenopenopenope

I’m curious — Can these things snoop WatchOS the same way, since watches have no port for them to access? If I were a parent who valued my kids’ privacy, I wouldn’t give them a phone to take to school at all, I’d give them a cell-enabled watch.