Baltimore Brings Back Controversial Cellphone Hacking System

A year after a court told Maryland police that Cellebrite searches were too broad, Baltimore quietly resumed using the software.


Cellebrite is a dream come true for police surveillance. Plug in any cellphone, even a locked one, and get a full report of every file on its hard drive. Cellebrite, along with its main competitor, Grayshift, is one of the few companies offering this service. No wonder the Baltimore Police Department, like 6,900 other law enforcement agencies, bought a subscription.

Where police saw a dream, however, courts saw a constitutional nightmare. In September 2022, the 5th Appellate Judicial Circuit in Maryland ruled that police must stop using "general and overbroad warrants" to scrape the entire content of people's cellphones. After the ruling, Baltimore police announced that they would suspend their use of Cellebrite and work with lawyers "to ensure the current search warrant template is in line with all requirements."

Less than a year after the ruling, Baltimore cops re-upped their Cellebrite subscription, Reason has learned. In response to a Maryland Public Information Act sent through the website MuckRock, the Baltimore Police Department disclosed a $112,940 contract for Cellebrite services from March 2023 to March 2024, and another $6,100 contract from September 2023 to September 2024.

The Baltimore Police Department did not respond to a request for comment.

The contracts also shed light on how Cellebrite services work. The March 2023 contract includes a license for using the Cellebrite software for an unlimited number of scans over one year and a physical kit for conducting the scans. The September 2023 contract is an additional subscription to the "UFED 4 PC Ultimate" service, which allows police to run the cellphone extraction software on their office computer.

Cellebrite "probably provides the device and then has something on the device that— after the subscription expires—will lock the device, so that [police] need to renew the subscription," says William Budington, a senior staff technologist at the Electronic Frontier Foundation, a digital civil liberties nonprofit. "So they'll have this specific device that's provided to the law enforcement agency, and then they'll have to get a contract for a certain amount of time."

The device works to bypass the "secure enclave," the hardware that prevents a phone's storage from being read while it is locked. Then the software generates a report, sometimes thousands of pages long, listing all of the information stored on the phone. Police can specify what specific parts of the phone's storage they would like to search, although they are often loath to limit their searches.

"When you have a cellphone and you suspect it's used as an element of a crime, you don't know where those elements are going to be stored," digital forensics expert William Folson told the Baltimore Sun in response to the 2022 court ruling. "Let's say, for example, I send a threatening letter to somebody. I can type that out on my phone, I can send it as an email, or I can type it out on my home computer, set it out on my desk, and take a photograph."

The court ruling also noted that "some perpetrators purposely mislabel electronic files or hide evidence in unusual places" and that broader search warrants may be justified in cases of child pornography or financial crimes, but suggested that courts should apply this exception "rarely" and "consider requiring the inclusion of search protocols to restrict how the searching officers conduct such an analysis."

In the past, police had to send the cellphone or a copy of its data to the Cellebrite headquarters for analysis, according to Budington, which raised serious privacy concerns. A foreign private firm—Cellebrite is owned by a Japanese company and based in Israel—was given the run of the house on citizens' most sensitive personal information.

And the company is far from transparent about how its system works. In a leaked training video, company representatives told police to keep their use of Cellebrite devices "as hush hush as possible" and avoid letting Cellebrite's techniques "leak in court through disclosure practices, or you know, ultimately in testimony."

Cellebrite's marketing materials emphasize its role in stopping crimes against children. Yet the company's international clientele also has a much darker side. Cellebrite has provided phone scraping services to police states like China, Russia, Saudi Arabia, Venezuela, Belarus, Bahrain, and Myanmar. Even after Cellebrite claimed to back out of Russia and China, those countries' governments continued to use Cellebrite products.

"Cellebrite has developed a strong compliance framework, and our sales decisions are guided by internal parameters, which consider a potential customer's human rights record and anti-corruption policies," the company told The Intercept in response to the revelations about Chinese police. "Cellebrite remains committed to safeguarding human rights and has developed strict controls ensuring that our technology is used appropriately in legally sanctioned investigations."

Baltimore's most recent contract states that "the Product is an on-premise solution used and operated solely by Buyer without the involvement of Cellebrite" and that "Cellebrite is not engaged in any processing of 'personal data' (as this term is used in Laws governing data privacy and data protection) that flows through the Product." In other words, all of the data is supposed to be processed on the police station's own computer.

"Leakage of data exists," Budington says. "Just because the document says that doesn't mean it's actually doing that, but it does indicate that they have taken some steps in order to make sure that it's all locally processed within law enforcement's walls."

In the end, though, the largest threat to privacy may be the police themselves. "The effort that went into traditional police legwork served as some barrier to police abusing this power" in the past, Budington adds. "Today, this extraction process is routine and used on countless devices for minor offenses for which a suspect is alleged. This level of easy access has grave impacts on our privacy and civil liberties."