For more than two years, the San Diego Police Department has quietly used a controversial piece of technology capable of unlocking iPhones without the owner even knowing it.
The department has done so without public input and without notifying the city council, a spokesperson confirmed to NBC 7 Investigates.
According to documents unearthed by NBC 7, the city, through a donation from the San Diego Police Foundation, entered into a one-year agreement with Atlanta-based Grayshift, the maker of the Graykey, a spyware tool that captures iPhone passcodes when their owners open their phones and then stores the passcode for officers to use to unlock the phones without the owner’s knowledge.
A May 2020 report by NBC News reported that although the spyware has been used by law enforcement agencies for more than a year, details of the technology are just now coming to light.
The same news report featured quotes from law enforcement officials about how the technology works. NBC News reported that officers have to gain access to a person’s phone and then covertly download the software onto the phone. Law enforcement officials must then return the phone to the owner. The next time the owner unlocks it, the software logs the code, granting access to the phone. As reported by NBC News, strict NDA agreements prevent users from going into specifics about the spyware.
Also reported were concerns from civil rights groups and even law enforcement officials about the use of the technology and lack of public notification, with one officer describing the spyware as, “borderline unethical.”
Comparing that timeline with city documents obtained by NBC 7 Investigates shows the San Diego Police Department was among one of the first agencies to use Graykey.
On Aug. 17, 2018, the San Diego Police Foundation issued a check on behalf of the San Diego Police Department to Grayshift LLC to pay for a year’s contract.
In the months that followed, San Diego Police Department’s Crime Lab was busy looking to upgrade the system, later getting the City Attorney’s Office and city departments to sign off on a new contract at a cost of $18,000.
The contract amount prompted Crime Lab Supervisor Lisa Merzwski to email former manager of San Diego’s Crime Lab, Jennifer Shen, a humorous meme in regards to Graykey’s price tag.
To which his boss Shen responded, “lol.”
But for police transparency advocates, the use of the spyware technology is far from a laughing matter. Instead, says one local advocate, the use of GrayKey is only additional evidence of a pattern of the San Diego Police Department and the city attorney’s office to forgo public notification on controversial policing tools.
“Before agencies like the San Diego Police Department acquire technology, it has to be vetted,” said civil rights advocate and former Deputy Public Defender Genevieve Jones-Wright. “These are the types of discussions that we have to have. I can tell you that the city attorney herself doesn't know how many surveillance technology devices that our city is using, and that is problematic. No city council person can tell you that. And so when I hear stories like this one, it really just reinforces the need to have rules that ensure transparency and oversight.”
In recent months, Jones-Wright and the group known as Trust SD has lobbied the city council for an ordinance aimed at improving police transparency. The coalition used the example of the city’s Smart Streetlight Program as a prime example of the need for transparency. As reported by NBC 7 Investigates, what was touted as a tool to improve traffic and pedestrian mobility turned into an expensive surveillance tool for police to keep a watchful eye over the public.
Jones-Wright says the use of the iPhone unlocking tool is a further example of why such an ordinance is needed. She added that adequate public notification is needed to make sure those who are impacted most can voice objections.
“How can we expect to have a thriving democracy if the people aren't even aware that there should be a conversation around something?” asked Jones-Wright. "Many people, many different groups, are vulnerable to being disenfranchised and marginalized. These are the folks who are normally the most impacted by the use of such surveillance.”
But a San Diego Police representative said the department has used the spyware according to the law and will continue to do so.
“SDPD uses this technology related to criminal investigations, as authorized by court orders and warrants, as well as with the consent of property owners,” said Captain Jeff Jordon, who is with the department's Legislative Affairs Unit.
As for public notification, Jordon said he was unaware of any mandate requiring the department to inform the city council or the public.
“I am not aware of any formal mandate by the city council which requires the department to notify them of the acquisition of this technology,” said Jordon. “Since documents related to this technology have already been released publicly and posted on the city’s web page, it’s possible city council members may be aware of it.”
Public rights advocates are not the only group fighting the use of spyware tools. Apple has been battling similar technology for years, including the FBI’s efforts to have a backdoor into iPhones. Apple did not respond to NBC 7's request for acomment.
NBC 7 Investigates also reached out to GrayShift for comment. That company also declined to comment.