Apple recently confirmed the introduction of a new feature called “USB Restricted Mode” in the latest version of the iPhone’s mobile operating system, iOS 12. If enabled in the user’s settings, USB Restricted Mode will disable data transfer from the iPhone over the Lightning cable once the phone has been locked for an hour unless the phone’s password is entered. I previously posted to the Stanford Center for Internet and Society blog about the many sound security reasons Apple has for implementing this feature. Yet in making it harder for anyone, including police, to access encrypted iPhones, this development may prompt the Justice Department (DOJ) to argue law enforcement does not need a warrant to search a seized iPhone thanks to the “exigent circumstances” doctrine.
Federal, state, and local U.S. law enforcement agencies have been using third-party forensic devices made by vendors Cellebrite and Grayshift (whose product is known as GrayKey) to get data off locked, encrypted iPhones. Those devices work by extracting data via the Lightning cable connecting the target phone to the device. Thus, starting with iOS 12, USB Restricted Mode will ostensibly preclude such devices from working on iPhones—at least until, as I explained in my previous post, those vendors inevitably update their tools to overcome this setback. (Apple announced a number of iOS 12’s features at its recent Worldwide Developers Conference (WWDC), but not this one, unsurprisingly.)
In the meantime, law enforcement agents may try to use USB Restricted Mode’s narrow one-hour time window as justification for warrantless searches of iPhones they seize. The Fourth Amendment generally requires a warrant in order for a police search of someone’s property to be considered reasonable. But that requirement is rife with exceptions. One exception is the “exigent circumstances” doctrine. “‘[E]xigent circumstances,’ including the need to prevent the destruction of evidence, permit police officers to conduct an otherwise permissible search without first obtaining a warrant.” Kentucky v. King, 131 S. Ct. 1849, 1853-54 (2011).
Prosecutors may argue that this exception allows police to attach a just-seized iPhone to a GrayKey or Cellebrite tool and extract data from it without first getting a warrant. They’ll assert that police seizing iPhones in the field won’t be able to tell how recently the phone was locked, or whether it’s running iOS 12 with USB Restricted Mode turned on. So, just in case it is, and just in case the hour isn’t up, they need to be allowed to forensically extract the data from the iPhone ASAP, without waiting for a warrant—otherwise the data port will be disabled, putting the evidence on the phone beyond their reach.
Read the full post at Just Security.