ICE Increases Capabilities, SIM Card Farm, NYCHA Surveillance Hearing, Fixing Broken Phones for Extraction & More

Vol. 6, Issue 10

The Digital Forensics Unit

Gregory Herrera

Joel Schmidt

, and 2 others

Oct 06, 2025

A photo of three Uber Eats autonomous delivery robots parked near a building during the day. — A Ring of Food Delivery Spies by Jerome D. Greco is licensed under CC BY 4.0

October 6, 2025

Welcome to Decrypting a Defense, the monthly newsletter of the Legal Aid Society’s Digital Forensics Unit. This month, Gregory Herrera discusses U.S. Immigration and Customs Enforcement’s increasing surveillance capabilities and decreasing transparency. Joel Schmidt reviews a recent Secret Service investigation that uncovered a massive SIM card operation. Laura Moraff summarizes the recent New York City Council hearing on the use of surveillance on NYC Housing Authority residents. Finally, Brandon Reim answers a question about extracting essential data from a broken smartphone.

The Digital Forensics Unit of The Legal Aid Society was created in 2013 in recognition of the growing use of digital evidence in the criminal legal system. Consisting of attorneys and forensic analysts, the Unit provides support and analysis to the Criminal Defense, Juvenile Rights, and Civil Practices of The Legal Aid Society.

In the News

A fragment of a stain glass window, which says "Big Brother is Watching You." — Graphic by Herman Blondeel via Wikimedia Commons licensed under CC BY-SA 4.0

Big Brother’s Eyes Grow Sharper

Gregory Herrera, Digital Forensics Staff Attorney

On Monday, September 22, 2025, independent publication 404 Media filed a lawsuit against U.S. Immigration and Customs Enforcement (ICE) in federal district court demanding that ICE disclose its $2 million contract with Paragon. According to its one-page website, Paragon supplies customers with “ethically based tools, teams, and insights to disrupt intractable threats.” But others – like journalists and members of civil society – might succinctly describe Paragon as a spyware firm. The Guardian reported back in late January 2025 that “[n]early 100 journalists and other members of civil society using WhatsApp […] were targeted by spyware owned by Paragon.” The attacked apparently involved a “zero-click” attack whereby the victims did not do anything on their part – all they received was a malicious PDF file via WhatsApp and they were compromised. Paragon’s best-known spyware product is Graphite, which permits remote and complete access to a phone including reading messages sent via encrypted mobile applications like WhatsApp and Signal. WhatsApp was able to say with “confidence” that Paragon was linked to this attack.

Paragon’s $2 million dollar contract with ICE should understood in its proper context. The contract was initially awarded in September 2024 during the Biden administration, under a special rule that allows for skipping the normal competitive contracting process if the product or service is unique and innovative. It’s currently unclear whether the contract was for Graphite or another custom tool. The contract was put on hold and under review because of a Biden executive order that restricted the federal government’s use of commercial spyware while promoting responsible use that aligned with protecting human rights. The Trump administration forged ahead with the contract.

This is only part of ICE’s growing arsenal. The agency has been amassing and integrating surveillance tools for some time, but their use and acquisition have accelerated in the last few years. U.S. Customs and Border Patrol (CBP) flew drones at least 50 times in the last year in support of ICE operations, including protests in Los Angeles back in June. ICE has also been collecting data from private companies too, including plane ticketing data from a data broker company that has sold the data to a swath of three-letter agencies. All this data can be fed, accessed, and analyzed in platforms like ImmigrationOS, Falcon, and Raven, custom tools built over several years for ICE by Palantir. ICE has also signed a contract for an AI-powered social media surveillance tool called Tangles, designed to scour the clear and dark web for information to build quasi-daily-life profiles of people. The agency even recently purchased a robot to climb stairs, open doors, and fire off smoke bombs. ICE has also been expanding its ranks, offering $50,000 signing bonuses and $60,000 in student loan repayment assistance to those who join. And this is all separate and apart from privacy concerns at other agencies, like the longtime CIA officer-turned-contractor who routinely accessed classified systems as if it were his own personal search engine.

Privacy activists and researchers are concerned about the ever-expanding dragnet that has been unleashed across our nation and world. Many are worried that the goal seems to be a world where there is no privacy and where people are little more than data mines and revenue streams. But we cannot give in. Educate yourself about surveillance self-defense so that you share only what you must or want. Privacy – like hope – is a discipline. Start practicing.

A black and white photo of a sign with a white background and the words "We Hear You" all capitalized and in black. — Photo by Jon Tyson on Unsplash

Secrets Schmecrets

Joel Schmidt, Digital Forensics Staff Attorney

If you’re like me and you read the United Nations host nation agreement [PDF] between the Untied Nations and the United States at least once a year (I know, I know) then you’re aware that the United States is obligated under international treaty not to “impose any impediments” on the travel to the United Nations in New York City on the representative of any UN member state “irrespective of the relations existing between the Governments of the persons referred to...and the Government of the United States.”

That explains why Iranian President Masoud Pezeshkian and Foreign Minister Abbas Araqchi were in New York for the United Nations General Assembly last month (though this year they were explicitly forbidden from shopping at Costco), joining 140 heads of state from around the world. The United States did revoke the visa of Colombian President Gustavo Petro but this happened after he addressed the United Nations and reportedly while he was already on the way back to Colombia, and the US was on the receiving end of significant criticism when it denied a visa to Palestinian President Mahmoud Abbas, reviving a dispute between the US and the UN on whether there is any exception at all to the host nation agreement.

When leaders from across the globe descend on the small compact area, it creates an intelligence bonanza for the world’s spy agencies. Known as the Super Bowl of U.N. spy games, the annual event has been described as “one of the most sophisticated intelligence-gathering operations in the U.S. and involves one of the FBI’s most extensive electronic surveillance programs.” Even Britain’s famed MI6 is permitted to operate (as long as the intelligence collected is shared with the U.S.).

It should therefore come as no surprise that last month the U.S. Secret Service reported the discovery of 100,000 SIM cards and 300 SIM servers at multiple locations “concentrated within 35 miles of the global meeting of the United Nations General Assembly now underway in New York City.” Secret Service Director Sean Curran said “The potential for disruption to our country’s telecommunications posed by this network of devices cannot be overstated.” (Others disagree.) The Secret Service subsequently discovered 200,000 additional SIM cards and have tied the enterprise to China.

According to FTI Consulting Global Head of Cybersecurity Anthony J. Ferrante, who previously served as the Director for Cyber Incident Response on the U.S. National Security Council, his “instinct is this espionage” and that while such a large number of SIM cards and servers near the United Nations can be used to disrupt the cellular network it can also be used to eavesdrop on it.

While the Secret Service and others linked these SIM card farms to the U.N. General Assembly, either explicitly or by implication, these types of operations are more often used by cybercriminals for spam messaging and fraud. The criminal enterprise possibility is bolstered here by the discovery of eighty grams of cocaine and illegal firearms, in addition to the SIM cards and associated technology. The potential downfall of this operation may have been that it was allegedly used to swat U.S. politicians, increasing law enforcement’s priority to uncover it.

A bright side to being a diplomat in town for the UN General Assembly last month? They were exempt from congestion pricing fees. Plus, they got to enjoy our world famous pizza and bagels as they negotiated world peace (or not).

Welcome to New York. We’re walkin’ (and listenin’) here.

Policy Corner

Screenshot of City Council Hearing showing councilmembers and the caption "Committees on Technology, Public Safety, Public Housing & Oversight and Investigations" — Screenshot of City Council Hearing via New York City Council

NYCHA Claims 20,000 Cameras Monitoring Residents 24/7 Is “Not Surveillance”

Laura Moraff, Digital Forensics Staff Attorney

Last month, we covered New York Focus’s revelation that the NYPD was using the Big Apple Connect program—which was designed to provide free Internet access to New York City Housing Authority (NYCHA) residents—to connect NYCHA’s surveillance cameras to the NYPD’s Domain Awareness System and allow the NYPD to monitor them in real time without permission from NYCHA.

Following Zachary Groz’s reporting on the matter, the New York City Council Committees on Technology, Public Safety, Public Housing, and Oversight and Investigations held a joint hearing on NYCHA surveillance. The hearing included passionate opening statements: Technology Chair Jennifer Gutiérrez emphasized that surveillance does not equal safety and asked for candid answers from the agencies that had withheld information about the Big Apple Connect program’s surveillance component. Public Housing Chair Chris Banks was troubled that NYCHA residents were unaware that their much-needed internet access also meant constant observation by the NYPD. Public Safety Chair Yusef Salaam sought to ensure that surveillance technology enhances safety and security without eroding community trust or creating unintended harms. And Oversight and Investigations Chair Gale Brewer highlighted the importance of transparency and holding the administration accountable to the public. Many of these sentiments were echoed in testimony by advocates from the Legal Defense Fund, Neighborhood Defender Services, Brooklyn Defender Services, the Surveillance Technology Oversight Project, and BetaNYC—along with The Legal Aid Society.

But representatives from the City’s Office of Technology and Innovation (OTI), NYCHA, and the NYPD told a different story. NYCHA Chief Operating Officer Eva Trimble stated: “We don’t surveil NYCHA properties, we use cameras to enforce criminal activity and help improve our safety and security for our residents.” The notion that 20,000 cameras recording people’s homes 24/7 isn’t surveillance—which might have offered some comic relief if it weren’t so disturbing to hear from a government official—is an invitation to surrender any attachment to common understandings of language. “Surveillance”—from the French “sur” (over) + “veiller” (watch) can be conducted by tools in addition to people. That is why cameras installed to record everything that happens in their range are often referred to as “surveillance cameras.” Reasonable people might disagree on the type or degree of surveillance that is justifiable, but to reject the notion that ceaseless monitoring which authorities can review at any time constitutes surveillance is to deny reality.

When the agencies weren’t denying reality, they were refusing to shed light on it. When Councilmember Tiffany Cabán asked which other agencies have cameras that the NYPD can monitor in real time, Commanding Officer of the NYPD Information Technology Bureau Anthony Mascia started to say that the NYPD has agreements with other stakeholders, but he ultimately declined to provide any examples. And when asked about guidelines to ensure that the NYPD is not using NYCHA’s cameras to monitor First Amendment-protected activity, Mascia responded that “in preparation for this hearing, that wasn’t one of the items for discussion.” He also refused to disclose which external actors—government or private—have been given access to NYCHA surveillance footage since January 1, 2025.

Still, thanks to the City Council’s efforts, we do have a better understanding of the NYPD’s surveillance of NYCHA residents. In short, roughly ten years ago, NYCHA allowed the NYPD to use fiber cable to get direct access to 7,118 cameras across 37 NYCHA sites. These cameras were connected to the NYPD’s Domain Awareness System. Then in 2023, using the Big Apple Connect program, the NYPD began to connect 68 additional NYCHA cameras (all at one NYCHA site) to its Domain Awareness System. The NYPD plans to connect 1,900 more cameras across 19 additional NYCHA sites by November of this year and then phase in additional cameras beyond that. In the future, the NYPD aims to have direct access to 17,897 NYCHA cameras across 119 NYCHA sites. Other facts that agency representatives stated on the record include:

NYCHA cameras retain footage for 14-21 days
There are approximately 17,700 NYCHA cameras, 3,100 NYPD Video Interactive Patrol Enhanced Response (VIPER) cameras, and 90 NYPD Argus cameras operating on NYCHA properties
The NYPD does not need to demonstrate its purpose for accessing NYCHA cameras before it does so
Patrol officers do not have citywide access to NYCHA feeds, but commanding officers and detective bureau personnel do have citywide access and can view the connected cameras from an app on their phones or computers
As part of NYCHA’s negotiations with the NYPD over their Memorandum of Understanding in 2023, NYCHA was informed that the NYPD was considering using the Big Apple Connect program to facilitate the NYPD’s access to NYCHA’s cameras
NYCHA residents were not told about the NYPD’s direct access to NYCHA cameras using the Big Apple Connect program
The Domain Awareness System is auditable; the NYPD can audit officers’ access to it
NYCHA does not watch its camera feeds in real time
The NYPD cannot remotely pan, tilt, and zoom NYCHA cameras
None of the NYCHA cameras capture audio
NYCHA cameras are not pointed towards doors

The NYPD also agreed to provide the City Council with additional information after the hearing, including the list of the NYCHA sites with cameras that the NYPD already has direct access to or is planning to get direct access to, and the NYPD’s criteria for choosing which sites to prioritize. The public deserves access to this information. We cannot allow those agencies charged with providing essential services and public safety to evade public scrutiny as they secretly spy on the very New Yorkers they are supposed to serve.

Ask an Analyst

Do you have a question about digital forensics or electronic surveillance? Please send it to AskDFU@legal-aid.org and we may feature it in an upcoming issue of our newsletter. No identifying information will be used without your permission.

Q. My client’s phone has essential data on it that we need for our case, but the phone is broken. What can be done?

A photo of a smartphone with a shattered screen. — Photo by Vlad on Unsplash

A. Phone repair can be as simple as a few screws and clicking a connector back into place as if it were a LEGO. Alternatively, it can be as complex as microsoldering new connections on the board to get the phone to boot, which requires advanced tools, analysis, and training. When dealing with a phone that is damaged, we want to be careful of a few things.

An orange LEGO block connected to blue flat LEGO board. — Photo by Glen Carrie on Unsplash

First, we would ideally like the owner of the phone NOT to have it repaired outside of our forensics lab before we examine it. Some electronics repair stores may attempt to provide the client with a new/refurbished phone, or even wipe the data off the phone during the repair. We want to prevent any data loss in this manner. Second, we want to avoid any further damage caused by using the phone, so having it taken to a forensics lab that can perform repairs ASAP is key because digital evidence is time sensitive.

Below, I outline a few common scenarios we encounter in our Digital Forensics Lab at The Legal Aid Society, along with some of the solutions we employ to extract data from damaged phones.

Scenario I : Phone screen is broken but I can still see stuff on the screen?

You may still be able to manipulate the phone, even though the screen is damaged. An analyst may even still be able to perform an extraction. However, a broken screen can be relatively cheap for a trained analyst to repair and eliminate risk in the extraction process. When the screen is damaged, only one part of the phone (typically) needs to be replaced, and you can access the phone’s screen assembly by checking the phone’s specs and following the appropriate steps to bring new life to it. iFixit is a great resource on how to replace screens (if you have the training to do so for a legal case).

Scenario II: Screen is damaged, but the phone also doesn’t turn on.

This scenario will require additional analysis to determine the root cause. We will likely need to disassemble the phone and inspect it for anything that appears out of place. Water damage, drop damage, missing wires, and loose connections could be the issue. Some phones may experience damage to the battery or USB connector when dropped. This causes not just the screen to be broken but more internal damage as well, this could be because the phone isn’t getting a proper charge or that the battery can’t hold a charge. In these cases, we can order parts to repair all the above. A battery repair is simple, like replacing a screen, but a USB repair can be more complex, depending on the phone's brand. It may involve removing multiple parts of the phone to access the USB port for repair. We may also not be able to fix it in this case, and it may need to be sent out to a specialty lab that can handle microsoldering repairs, such as iPad Rehab. Microsoldering requires training, practice, and proper equipment that not every digital forensic lab has access to.

Scenario III: What if we don’t know what’s broken and we really need the data but don’t want to send it out to a forensics recovery service

We have a few options for this type of data recovery/repair. We like to use the term “zombie” phone in our lab, where we buy an identical model to an evidence phone and take the vital “brain” part of the evidence phone, i.e., the motherboard that has all the data on it, and place that into a “donor” phone that we know works well. This can be a cost-effective option, as phones can typically be purchased from eBay. This method, however, does not work for all makes and models of phones, particularly iPhones, which have their motherboards integrated into the phone's body. It can also pose a risk, as you need to remove almost every part of the phone to access the motherboard, which can lead to accidental damage during the disassembly process. However, once this is done, you may end up with a fully operational phone that is ready for extraction.

There’s always hope for phones that seem to be dead on arrival, we have a lot of tools, training, and parts availability to get most phones back to working order, even water damaged ones! However, if your client brings you a phone that has been sent through an industrial shredder… You may be out of luck.

Brandon Reim, Senior Digital Forensics Analyst