It’s been going on for more than two years, and the department implemented the technology without notifying the City Council, San Diego-based NBC 7 reported Tuesday evening. The city’s police foundation, not the department itself, laid out the money for the initial purchase.
The move has raised cybersecurity, privacy and ethics concerns. Critics said it could be abused or could create additional risks if it falls into the wrong hands.
“I can tell you that the city attorney herself doesn't know how many surveillance technology devices that our city is using, and that is problematic,” Genevieve Jones-Wright, a defense attorney and civil rights activist told NBC 7. “No City Council person can tell you that. And so when I hear stories like this one, it really just reinforces the need to have rules that ensure transparency and oversight.”
The city’s police foundation issued a $15,030 check to the Atlanta-based GrayShift in 2018, the outlet reported.
GrayShift makes GrayKey, the phone unlocking tool. On its website, visitors are met with a form that asks for their contact information, job title and other personal information below a message that reads, “GrayKey is not for everyone. We kindly request that you tell us a bit about yourself and your organization.”
The Chula Vista Police Department, in San Diego County, became the first law enforcement agency in the area to start using the spyware in 2018, according to NBC 7.
That same year, the cybersecurity firm Malwarebytes said the GrayKey software posed “serious security concerns” after claiming to have analyzed it with help from an anonymous source. Particularly, security experts were worried that hackers could reverse engineer it and make it available on the black market.
GrayKey plugs into an iPhone and cracks its passcode. After the software breaks in, which can take between two hours to more than three days, all of the information on the phone can be accessed through the GrayKey, according to Malwarebytes. The data reportedly includes passwords stored in the user's iCloud Keychain.
It was available in two versions in 2018: as a $15,000-per-year tool that requires internet access and can only be used on the network it is initially set up on, and a $30,000 version capable of unlimited use. Both options are quite a bit cheaper than the reportedly $10 million supercomputers the NYPD uses to crack accused criminals' iPhones in the Big Apple.
Motherboard reported in March that the cheaper version’s price had increased to an annual fee of $18,000, citing a 2019 email exchange between GrayShift and a Bakersfield, Calif., detective. This version permits 300 uses a year.
At some point, San Diego police paid a subsequent $18,000 to GrayKey, according to NBC 7.
A San Diego Police spokesperson said the department has used and plans to continue to use the spyware within the boundaries of the law, the outlet reported.
GrayKey is marketed to law enforcement agencies only.