Court documents unsealed Tuesday reveal the breadth of technical information federal investigators were permitted to collect on President Donald Trump’s former fixer Michael Cohen.
Notably, the FBI made use of Cohen’s use of Touch ID and Face ID on his Apple devices, which allow users to quickly log into iPhones and computers by scanning their face or fingerprint rather than typing in a password. Those features are marketed as faster and more secure ways to securely log into one’s devices, as it’s harder, though not impossible, to replicate someone’s fingerprint or appearance.
But that gives law enforcement an additional means to access those devices. In one warrant application for Cohen, an FBI agent requested authorization “to press the fingers (including thumbs) of Cohen to the Touch ID sensors of the Subject Devices, or hold the Subject Devices in front of Cohen’s face, for the purpose of attempting to unlock the Subject Devices via Touch ID or Face ID.”
While the issue has never come before the Supreme Court, tech civil liberties experts warn that a warrant can compel a suspect to use their face or fingerprint to give up access to an otherwise locked device.
“I hear all the time now how location data is sought by police in a broad, sweeping way,” said John Bergmayer, the senior counsel at Public Knowledge, a nonprofit that focuses on technology and legal issues. “I think any of the electronic debris that people leave online on these services is all potentially subject to being used against you”
One warrant requested not simply access to three of Cohen’s Gmail accounts, as well as other email accounts, but also some of the wide array of information Google keeps for its users by default, including search history, web cookies associated with an account, device information, and a host of other metadata categories.
One affidavit describes how the FBI narrowed down Cohen’s temporary location at the Loews Regency Hotel in New York through his cell phone location data. Agents then used a “triggerfish” — a reference to a stingray, or IMSI catcher, a suitcase-sized device that mimics a cell tower to convince a cell phone to connect and reveal its location.
Prosecutors also made use of a new law that Trump recently signed.
Investigators in the Southern District of New York compelled Google to turn over some documents on Cohen, but the tech giant initially “declined to produce data that it stored on computer servers located outside of the United States,” according to an affidavit submitted to the court by an FBI agent working on Cohen’s case.
Weeks later, Trump signed the CLOUD Act into law, which gave US law enforcement more legal pathways to pursue data stories overseas. The provision was tucked into the $1.3 trillion spending bill Trump signed to avoid a federal government shutdown.
With the new law on the books, federal prosecutors went back to court in and asked for another warrant to get the materials that Google refused to turn over. In an April 2018 affidavit, the FBI agent argued that “providers are required to disclose data even if it is stored abroad” under the new law. The judge approved the new search warrant later that day, giving investigators access to additional information from Google, including Cohen’s emails, attachments, address book and files stored on Google Drive.