What Does Texas Shooting Case Tell Us About Subpoenas / Warrants for iPhone & iCloud Information?

4th Amendment


On November 5, 2017, 26-year old Devin Patrick Kelley allegedly shot and killed 26 people at the First Baptist Church in Sutherland Springs, Texas.  Mr. Kelley’s body was reportedly recovered from a Ford Expedition; he was found deceased from a single bullet wound (entering above right ear and exiting rear left of skull) and a bloodied iPhone SE was located on the vehicle’s floorboards.  A photo of the shooter’s iphone (above) was attached to the probable cause affidavit.  Investigating a state charge of capital murder, the Texas Rangers sought and obtained a November 9, 2017 warrant seeking the alleged shooter’s iPhone and iCloud data from Apple.  Their response presumably is due on or about Monday, December 11, 2017.

The probable cause affidavit and the search warrant tell us several things about the sophistication of law enforcement in making these requests but it also provides some insight as to what data on your iPhone or in the iCloud is encrypted and possibly unavailable to law enforcement barring exceptional means.

[The following discussion applies to iDevices operating on iOS 8.0 and later.  That version of the operating system was released more than three years ago so and iPhones starting with iPhone 6 came with that version pre-installed.  More succinctly, if your phone is less than three years old and/or you’re running 8.0 or above, the following applies to you.  Earlier phones/iOS versions are less secure.  The shooter’s phone, an iPhone SE, is a fairly sophisticated 2016 device which was roughly contemporaneous with the iPhone 6 (smaller screen but it had Touch ID).]


The Search Warrant specifically seeks “iCloud accounts identified by the below listed identities, information, and/or devices” and then provided Kelley’s name, DOB, address, phone number, and IMEI/ESN numbers.  From January 1, 2016 – November 9, 2017 (notably, the date of the subpoena which was four days after the event), law enforcement sought a list of 14 items you can read here.  The highlights include:

  • All account information, including IP logs and associated devices
  • Photo Stream content and metadata
  • iCloud content
  • Bookmarks, reading lists, tabs, backups of all Apple devices stored on the iCloud
  • Email, Contacts, Calendar, Notes, Reminders
  • All activity, connection, and transaction logs (with IP addresses) for any use of FaceTime, iCloud, iTunes, IM, and other services, including Game Center
  • “All files, keys or other information necessary to decrypt any data produced in encrypted form, when available to Apple (including, but not limited to keybag.txt and fileinfolist.txt files)”

[the keybag.txt apparently holds the device password and the encryption key while fileinfolist.txt appears to be a device file directory]

A few minor notes: law enforcement was given everything they requested by the court; there was little discussion about the phone itself in the PC affidavit except to claim that they believed Kelley’s information was synced to iCloud (unclear why they believe so) and that the data “could help identify additional witnesses with pertinent information as well as possible motives…”


According to Apple’s Legal Process Guidelines (June 2017), they list approximately twenty data points which could be produced in response to a proper law enforcement warrant or subpoena.  Here are some of the more interesting data assets that Apple may (or may not) produce:

  • Device registration – Apple admits that it does not verify this customer information
  • iTunes purchases / interactions
  • iCloud – “all iCloud data stored by Apple is encrypted at the location of the server.  [Apple gives third party vendors the keys except for backup information]  Apple retains the encryption keys in its U.S. data centers.”
  • Find My iPhone – device location services information is stored on the phone and is unavailable to Apple.  However, Find My iPhone connection logs are available to Apple for a period of 30 days.
  • Passcode Locked iOS Devices – “Apple does not possess the encryption key.”
  • FaceTime / iMessage – “Apple has no way to decrypt Facetime [or iMessage] data.  Apple cannot intercept Facetime [or iMessage] communications.”  Apple does maintain call and message logs for 30 days.


Users who wish maximum protection for iDevice content should avoid or significantly limit what data is backed up to the iCloud since Apple has the encryption keys and may be compelled to produce that information in response to a valid subpoena or warrant.  Content on an iDevice should be password protected (and thereby encrypted) with the password safely stored or memorized.

Current versions of iOS allow for quick disabling of FaceID and TouchID so that users can enjoy the convenience but swiftly disable that feature (see here).  Be mindful that recent court decisions suggest that courts can compel production of passwords (or hold the person in contempt) and, for more serious crimes like the Texas or San Bernadino shootings, it appears that FBI and intelligence agencies may have the resources to overcome phone encryption.  However, setting aside extreme examples, maintaining good password protection AND leaving content on the phone appears to be the current best method to maintain privacy.

Image credit: San Antonio Express-News




4th Amendment
When Can You Withdraw Consent for a DUI Blood Draw in Florida? (Florida v. Jennifer Ivie)

A Florida driver was involved in an accident, taken to the hospital, and interviewed by police who were conducting a DUI investigation. The officer spoke with the driver, advised her of her Miranda rights, conducted at least one visual test, and otherwise detected signs of intoxication. The officer asked the …

Florida Wiretap Act — Reasonable Expectation of Privacy in Someone Else’s House? (Smiley v. Florida)

Corey Smiley was at someone else’s home with an invitation when the discussion turned argumentative, and the other person “began recording the argument on her cell phone… position[ing] the phone in front of Smiley’s face… Smiley questions her about the recording and grabs the phone…” He later was arrested and …

1st Amendment
“Valid Grounds for Employment Action” Deemed Not Enough for Stalking Injunction under F.S. 784.048 (Klenk v. Ransom)

Florida’s First District Court of Appeal held today that a respondent’s behavior may be enough for an “employment action” (presumably, for termination due to sexual harassment) but, in this case, was not enough for the “exacting standard” for an injunction against stalking under Florida Statute 748.048. The case is Joseph …