The Growing ALPR Threat, Crypto Meets Traditional Crime, Border Search Decision, Celebrating Our 5th Anniversary & More
Vol. 6, Issue 6

June 2, 2025
Welcome to Decrypting a Defense, the monthly newsletter of the Legal Aid Society’s Digital Forensics Unit. This month, Shane Ferro discusses the growing threat to privacy from Flock Safety and a nationwide network of automated license plate reader cameras. Allison Young reviews the recent crossover of cryptocurrency-related crimes and traditional crimes, and its effects on digital forensic evidence. Laura Moraff analyzes a recent federal district court decision on border searches of cell phones. Finally, Jerome Greco celebrates the fifth anniversary of the Decrypting a Defense Newsletter.
The Digital Forensics Unit of The Legal Aid Society was created in 2013 in recognition of the growing use of digital evidence in the criminal legal system. Consisting of attorneys and forensic analysts, the Unit provides support and analysis to the Criminal Defense, Juvenile Rights, and Civil Practices of The Legal Aid Society.
In the News

Cops Flock to Nationwide Location Data A Little Too Easily
Shane Ferro, Digital Forensics Staff Attorney
One of the scariest forms of technology the police have is automated license plate readers. Recently, 404 Media reported that a sheriff’s office in Johnson County, Texas—an exurb adjacent to Dallas/Ft. Worth—searched a nationwide database of license plates to try to find a woman after she had an abortion.
The story, according to Texas authorities as relayed by 404, is that a woman “self-administered” an abortion and her family called the police because they were “worried” about her. The sheriff told 404 Media that “her family was worried that she was going to bleed to death,” though there is no information as to why that would be the case, especially if she was well enough to be thought to be driving her own car. The complication rate of self-managed abortions is less than 1 percent.
It seems that law enforcement immediately turned to a nation-wide search of automated license plate readers. The Texas sheriff searched more than 80,000 Flock cameras in nearly 7,000 different Flock networks, from as far as Washington State and Illinois (both states where abortion is legal). Despite this vast search, the Flock network returned only “a couple hits on her” locally in Dallas, and ultimately was not responsible for finding her.
The story said that the Sheriff’s Office was “able to establish contact” two days later, which, to make a rational leap, means that AFTER they performed a nation-wide search of location information they tried calling her and she picked up the phone.
Although the abortion angle here gives the story its bite, the larger issue is that police anywhere in the country can search more than 80,000 cameras that are constantly capturing license plate data, over whatever period they want. They don’t have to do any other kind of investigation first. They don’t need a warrant. They don’t even really need a reason. A combination of Flock and car-centric policy in all 50 states has ensured that freedom of movement within the United States is gone. It simply doesn’t exist anymore. Anywhere you drive, you can and will be surveilled by the state. There’s no longer any question. Your location data will be seized, to be searched at any later date by a random Sheriff’s office looking for a woman engaging in healthcare.
Meanwhile, on the same day the 404 Media story came out last week, Judge John Broomes in the Federal District of Kansas ruled that Flock isn’t yet pervasive or intrusive enough to make Carpenter applicable. U.S. v. Jackson, 2025 WL 1530574 (May 29, 2025) [PDF]. To be fair, the Flock search at issue in that case was not the entire network. Wichita’s system appears to be a closed system not shared with the Flock network, with retention of data for only 30 days. In a personal affront to this Digital Forensics Unit, the Court’s decision also hinged on the fact that Flock is distinguishable from other kinds of unconstitutional surveillance because there is not enough evidence of a “public outcry” against it.
Consider this public outcry for the future.

Crypto-Motivated Kidnappers May Throw a Wrench in Your Summer Vacation Plans
Allison Young, Digital Forensics Analyst
Corruption, drugs, torture, and greed: it was only a matter of time before New York – home of “the crypto mayor” – got its own violent crypto drama to gab about.
On May 23rd, an Italian Bitcoin investor escaped a $21 million luxury townhouse after allegedly having been kidnapped and beaten by fellow crypto enthusiasts John Woeltz and William Duplessie. The purported captors allegedly sought access to the man’s digital assets – possibly after already having stolen a fraction of them to lure the man to NYC. As of this newsletter’s writing, members of the NYPD who provided private security to Woeltz and Duplessie are being questioned in an internal investigation.
The Wall Street Journal published an article on the rise of crimes like these, dubbed “wrench attacks,” only a week prior to the man’s escape. In a wrench attack, crypto thieves use threats and violence to coerce victims into giving up funds or security codes to their wallets. The term “wrench attack” is sourced from a famous XKCD webcomic published in 2009 (one month after Bitcoin’s first mined block), that makes the point that the strongest encryption (math) is no match for traditional interrogation techniques (wrench). Like other crypto crimes, it’s often an uphill battle to recover or freeze funds after they are stolen. However, physical attacks do not require hacking methods like other crypto crimes (such as ransomware), lowering the barrier to entry.

Experts have warned cryptocurrency users to be careful who they share information with, suggesting that “influencers” in the space are high value targets for attacks. While this is true, data breaches – like one recently disclosed by Coinbase – may make anyone a target. Government regulations may require crypto service providers to gather home addresses and photos of IDs that can then be stolen by bad actors despite individuals’ best efforts to keep a low profile (a risk identified by Cambridge researchers in a study on wrench attacks).
So, what digital evidence might a wrench attack leave behind? First, there are the “traditional” digital artifacts like location history (GPS and cell site location information) and text messages that we already see in criminal cases. In the case of the NYC complainant, an AirTag may have been used by the kidnappers to track his location, potentially leaving additional evidence in logs on their Apple devices. Wallet files can be stored in the cloud but can also be saved to a computer or flash drive. Users who manage digital currencies from smart phones might keep seed phrases in screenshots (don’t do this), and there are various crypto wallet apps that, like other “3rd party apps,” will leave artifacts you would find in a mobile device forensic extraction.
Finally, if funds are successfully stolen from an individual, tools like Chainalysis that analyze public blockchain transactions may be used by investigators to trace attempts to transfer cryptocurrency. As with all digital evidence, this data can be used to incriminate an individual… or it can be analyzed for an alternative interpretation or even questioned as to its reliability.
A recent study [PDF] suggests that 1 in 5 Americans hold crypto, and that while wealthy tech traders are the stereotype for cryptocurrency adoption, many asset holders belong to middle-class households. A growing number of people are affected by legal and privacy issues in the Web3 space, which is no longer a sandbox for early adopters and techno-heads. Cryptocurrency also remains relevant for individuals who seek less-regulated alternatives to traditional banking, including individuals engaged in illegal activities. Defense attorneys may soon see an increase in cases where cryptocurrency has been seized or analyzed if they have not already.
In the Courts

Phone Searches at JFK Require a Warrant
Laura Moraff, Digital Forensics Staff Attorney
As the federal government, aided by tech giants, ramps up its deportation efforts and works to centralize sensitive information about the population for easier weaponization, travelers are wondering: what digital privacy rights do we have at the border? While neither the Second Circuit nor the New York Court of Appeals has squarely addressed whether a warrant is required to search digital devices at the U.S. border, a federal court in New York recently held (and not for the first time [PDF]) that agents must obtain a valid warrant before searching a cell phone at the border.
The defendant in the most recent case, United States v. Robinson [PDF], is a United States citizen who lives in Pennsylvania and went to Egypt on vacation with his spouse. When he returned to JFK airport, he was asked routine questions, and then referred to secondary inspection because of a three-year-old report indicating he was linked to the purchase of child sexual abuse material (CSAM). In secondary inspection, a U.S. Customs and Border Protection (CBP) officer asked the defendant what electronic devices he had with him, and he produced his cell phone, laptop, and a Nintendo Switch gaming device. The CBP officer told the defendant that CBP had the authority to examine the devices, and she gave him a “tear sheet” saying the same. The CBP officer directed the defendant to provide his passwords, and he did so. She manually searched his laptop for half an hour and found nothing of interest. But then, when she manually searched his phone, she found CSAM. At that point, she alerted Homeland Security Investigations, which retained possession of the defendant’s devices and later got a warrant to conduct a forensic search of them.
There is no question that this search would have required a warrant if it were not conducted at the border (or at JFK, which is treated like the border for Fourth Amendment purposes). The U.S. Supreme Court made clear over a decade ago that cell phones contain a wealth of highly sensitive information, and that law enforcement generally cannot search them without a valid warrant. But some courts have held that the warrant requirement does not apply to searches of digital devices at the border—at least in some cases.
As in her prior decision, United States v. Sultanov [PDF], Eastern District of New York Judge Nina Morrison relied on U.S. Supreme Court precedent distinguishing between routine border searches—which are conducted to protect the integrity of the border and do not require a warrant—and nonroutine border searches, which are conducted for other purposes or involve a greater degree of intrusion. The court recognized that searches of cell phones are incredibly intrusive and don’t necessarily prevent contraband from entering the country (as contraband is likely stored on other devices—including devices already in the country—as well). The court reaffirmed in United States v. Robinson that the search of a cell phone at the border—regardless of whether it is conducted manually or using forensic tools—is a nonroutine search. And, again referencing Sultanov, the court concluded that before conducting such nonroutine searches at the border, agents must get a warrant supported by probable cause.
While federal courts often decline to suppress evidence based on the “good-faith exception” even where searches were unconstitutional, the court in Robinson held that the evidence obtained from the unconstitutional border search must be suppressed because there was no binding appellate precedent condoning warrantless device searches at the border, and the government failed to show even reasonable suspicion to search the phone. Finally, purported good-faith reliance on the warrant could not salvage the unconstitutionally obtained evidence because the agent who applied for the warrant knowingly and intentionally omitted key facts from the application. The application did not even mention the reason that the defendant was referred to secondary inspection in the first place: the three-year-old report allegedly linking him to CSAM. And the application stated that the defendant “voluntarily” provided his passcode without mentioning that he was given a tear sheet stating that CBP could compel him to submit to the search.
Of course, this opinion doesn’t guarantee everyone’s digital privacy as they travel internationally—far from it. But it is an important step towards protecting constitutional rights at the border, as well as a good example of the judiciary faithfully applying constitutional rules and principles to check executive abuses of power.
Behind the Scenes

Celebrating Five Years of the Decrypting a Defense Newsletter
Jerome D. Greco, Digital Forensics Director
The Decrypting a Defense Newsletter has come a long way over five years. Initially inspired by The Legal Aid Society’s DNA Unit’s newsletter, the Digital Forensics Unit’s first newsletter issue was “published” on June 15, 2020. It was called the very imaginative “Digital Forensics Unit Newsletter” and was only distributed internally as a PDF email attachment to Legal Aid Society attorneys. The initial design was created by then Digital Forensics Analyst Shannon Lacey, using Canva. Then Staff Attorney Benjamin Burger was the head editor and remained in that position until his move to The Perlmutter Center for Legal Justice years later. We had four articles: Surveilling Protestors and Phone Passwords, both under the In the News section, Van Buren v. United States under the In the Courts section (we would later cover the U.S. Supreme Court’s decision in Van Buren), and Historical Cell-Site Location Information Alibi Win under the In the Society section.
The fourth issue was the first under the new title “Decrypting a Defense Newsletter”, adopting the same title we had used for our first day-long conference, which would become an annual event – except during the COVID years. From before the first issue was written, we were already discussing how to make the Newsletter available to the general public, but it wasn’t until May 3, 2021 that it would become a reality. We have been running strong ever since, publishing the first non-holiday Monday of every month without fail.
The intent of our Newsletter has always been a combination of educating readers, entertaining others, and an opportunity to vent. We made a conscious decision from the beginning to encourage each contributor to develop their own style and voice, while maintaining the goals of the publication and its general direction. At times the Newsletter can range anywhere from feeling like a ‘90s punk zine, particularly in the Canva days, to a scientific journal on forensic techniques. Some of us bring a sarcastic or even sardonic tone, some a more academic approach, and others adhere closer to a traditional reporting style. After reading multiple issues, you can probably start to guess who wrote each article without needing to see their names. I believe that this freedom and the continued dedication from DFU members has led to an interesting and informative issue hitting your inbox or app every month.
Behind the scenes, it can be chaotic at times. Throughout the month, we share articles and ideas, research issues, keep track of upcoming events, and sometimes we even need to do our own testing, but most of the final editing is done the weekend before the issue will be released and the articles are often submitted at the end of the week leading up to that weekend. Part of it is an effort to remain timely; we want to have the most up to date information on an evolving topic before the issue is distributed. Another part of it is just the nature of our work, and the work of all employees at public defender and civil rights offices – there is always a new fire to put out and the only thing you can count on is that it will be ignited at the most inopportune time. Despite that fact, we are always able to find enough time to create this labor of love each month and I think I can safely speak for myself and the other members of DFU that we are proud of our work. I hope that we can continue to bring the same quality and interest to our readers for another five years, evolving as needed or desired but always staying on point.
Thank you to all past and current contributors and thank you all for reading.
Upcoming Events
June 2, 2025
Amped Connect US 2025 (Amped Software) (Wilmington, NC)
June 3-5, 2025
Techno Security & Digital Forensics Conference East (Wilmington, NC)
June 4, 2025
Intro to Legal Tech: Tools Changing the Practice of Law (NYSBA) (Virtual)
June 5, 2025
Smooth Moves 2025: AI and Diversity Bias CLE Panel (NYSBA) (New York, NY)
June 16, 2025
Artificial Intelligence Institute (NYC Bar) (New York, NY)
June 26, 2025
Legal Intelligence Meets Artificial Intelligence: A New Era of Practice (NYS Academy of Trial Lawyers) (Virtual)
July 8-9, 2025
Harnessing AI for Forensics Symposium (RTI International & NIST) (Washington, DC)
July 11-12, 2025
Summercon (Brooklyn, NY)
August 7-10, 2025
DEF CON 33 (Las Vegas, NV)
August 15-17, 2025
HOPE 16 (Queens, NY and Virtual)
October 21-23, 2025
Legacy & Logic: 25 Years of Digital Discovery (Oxygen Forensics) (Orlando, FL)
October 27-29, 2025
Techno Security & Digital Forensics Conference West (San Diego, CA)
October 27-31, 2025
36th Annual LEVA Training Symposium (Coeur d’Alene, ID)
Small Bytes
How Signal, WhatsApp, Apple, and Google Handle Encrypted Chat Backups (EFF)
How To Tell If A Digital Forensics Expert Is Qualified (Forbes)
CFPB Quietly Kills Rule to Shield Americans From Data Brokers (Wired)
Proton threatens to quit Switzerland over new surveillance law (TechRadar)
Police secretly monitored New Orleans with facial recognition cameras (The Washington Post)
3 Teens Almost Got Away With Murder. Then Police Found Their Google Searches (Wired)
Anthropic’s new AI model turns to blackmail when engineers try to take it offline (TechCrunch)
U.S. Spy Agencies are Getting a One-Stop Shop to Buy Your Most Sensitive Personal Data (The Intercept)
Expert Perspectives on 10-Year Moratorium on Enforcement of US State AI Laws (Tech Policy Press)
Cameras on NYC street sweepers may soon nab alternate side parking scofflaws (NY Daily News)
The US Is Storing Migrant Children’s DNA in a Criminal Database (Wired)