Being Smart With Your Smartphone, Police Search Edition

Ryan Radia of the Competitive Enterprise Institute has a thorough explanation over at Ars Technica of the current state of the law and technology when it comes to police searching your phones when they've arrested you. Some highlights:

Last week, California's Supreme Court reached a controversial 5-2 decision in People v. Diaz (PDF)holding that police officers may lawfully search mobile phones found on arrested individuals' persons without first obtaining a search warrant. The court reasoned that mobile phones, like cigarette packs and wallets, fall under the search incident to arrest exception to the Fourth Amendment to the Constitution.

California's opinion in Diaz is the latest of several recent court rulings upholding warrantless searches of mobile phones incident to arrest. While this precedent is troubling for civil liberties, it's not a death knell for mobile phone privacy. If you follow a few basic guidelines, you can protect your mobile device from unreasonable search and seizure, even in the event of arrest.....

The takeaway from Diaz, therefore, is that you should store your mobile phone in your luggage, footlocker, or in some other closed container that's not on your person, particularly when driving an automobile....

While the search incident to arrest exception gives police free rein to search and seize mobile phones found on arrestees’ persons, police generally cannot lawfully compel suspects to disclose or enter their mobile phone passwords....

However, if you voluntarily disclose or enter your mobile phone password in response to police interrogation, any evidence of illegal activity found on (or by way of) your phone is admissible in court, regardless of whether or not you've been Mirandized.

What if you're not a criminal and think you have nothing to hide? Why not simply cooperate with the police and hand over your password so that you can get on with your life?

For one thing, many Americans are criminals and they don't even know it. Due to the disturbing phenomenon known as "overcriminalization," it's very easy to break the law nowadays without realizing it....

While police cannot force you to disclose your mobile phone password, once they've lawfully taken the phone off your person, they are free to try to crack the password by guessing it or by entering every possible combination (a brute-force attack).....

Alarmingly, in many cases, extracting data from a mobile device is possible even if the device password is not known. Such extraction techniques take advantage of widely known vulnerabilities that make it disturbingly simple to access data stored on a smartphone by merely plugging the device into a computer and running specialized forensics software. For instance, Android and iPhone devices are vulnerable to a range of exploits, some of which Ars documented in 2009.

The article details various technical security fixes for a variety of smartphone platforms, which is worth consulting. It then contemplates the legal future of smartphone privacy:

With the ascent of cloud computing, smartphones increasingly provide a window into our private lives, enabling us to access and store practically limitless amounts of sensitive personal data. As ultra-fast 4G wireless networks emerge, mobile devices will likely grow even more intertwined with our digital lives. Just as we have long stored our personal papers and effects in our desks or file cabinets at home, today we're just as likely to store such information in digital format on cloud services like Windows Live or Google. Thus, the Fourth Amendment demands that mobile phones—a primary gateway to our lives in the cloud—be treated as an extension of the home, rather than mere physical containers analogous to cigarette packs.

California Deputy Attorney General Victoria Wilson, who argued Diaz for the state, has told reporters that the matter of warrantless cell phone searches is ripe for resolution by the US Supreme Court. If that happens, let's hope the nation's high court sides with common sense and reaffirms its 2001 ruling in Kyllo v. US that the Fourth Amendment’s protections must adapt to safeguard our rights as technology evolves.

Lookout Mobile Security with a list of common-sense user techniques for smartphone security even before you end up arrested. My blogging on the Diaz decision. Julian Sanchez's always-vital 2007 Reason cover story on new technologies and the Fourth Amendment, including much on the Kyllo decision.

Editor's Note: We invite comments and request that they be civil and on-topic. We do not moderate or assume any responsibility for comments, which are owned by the readers who post them. Comments do not represent the views of Reason.com or Reason Foundation. We reserve the right to delete any comment for any reason at any time. Report abuses.

  • Max||

    Call us when you get your science degree, Brian. (The police won't care.)

  • ||

    Impotent and nonsensical! You're really reaching for the stars, Edward!

  • ||

    Science degree? Are you 9?

  • sevo||

    Max|1.19.11 @ 7:25PM|#
    "Call us when you get your science degree, Brian. (The police won't care.)"

    Knock, knock..........tap, tap....
    Is there something in here? Sounds like, oh, a horse farting.

  • Bingo||

    And considering you can get arrested for almost any reason this gives cops blanket authority to search all cell phones.

    Anyone want to guess the skin color(s) and neighborhoods that Cali cops start fishing for cell phone data?

  • Hugh Akston||

    Malibu, Brentwood, Santa Monica, maybe Pasadena?

  • Spur||

    Bario Laguna Niguel?

  • GroundTruth||

    One more reason I'm glad to be a luddite and not have one of the damned things!

  • ||

    Since when do luddites use computers to go on the internet to comment on blogs?

  • Hugh Akston||

    Ludditism is a relative thing. If everyone else is using the transporter, but you insist on taking a shuttle, you're a luddite.

  • Amakudari||

    So what exactly are the limitations on this? If the police get an iPhone/Android via arrest, in addition to seeing the most recent emails, they can easily hop on Safari and access the webmail versions of Gmail, Yahoo! Mail, Hotmail, etc., which offer complete email histories. They can open a banking app and scroll through purchases. Many other applications contain history that lends itself to fishing expeditions.

    IANAL, but I could at least understand confiscation to prevent evidence tampering (which makes it a reasonable seizure but not yet a reasonable search), with a warrant required to view anything beyond unencrypted and recent emails and texts. I don't understand why that's apparently a burden on law enforcement.

  • ||

    Hopefully someone will remind the Supreme Court that cell phones are basically like miniature computers nowadays, and should be given the same privacy protections as laptops.

  • ||

    Hopefully someone will remind the Supreme Court that cell phones are basically like miniature computers nowadays, and should be given the same privacy protections as laptops.

  • Ryan Radia||

    Article author here. There's no clear answer to your question, but all the law profs I've talked to who have expertise on computer crimes tell me that courts would likely distinguish between data stored on a phone and data accessible via a phone. This is based on the concept of the "grabbing area" that's long been a part of search incident to arrest doctrine. So your gmails are probably safe, except for those cached locally on your phone (3 days is the Android default, I believe).

  • Cyto||

    A salient point, if the police were smart enough to tell the difference between a cached email and one they downloaded and honor that difference as they thumb through your data. Unfortunately, they kinda look the same from the phone UI. So you'd be left arguing in front of a judge that the evidence is inadmissible. Not as good a position as "they didn't see it because it was encrypted."

    Are they allowed to break the lock on my briefcase without a warrant? I thought a password or a locked briefcase required a warrant.

  • Binky||

    Serious question: Can the police do a "brute-force attack" on my *locked* wallet?

  • Bingo||

    I can't think of an answer either way, good question.

  • some other guy||

    so like which thread is everyone hanging out in tonight? I can't find it. Or is everyone like just watching American Idol?

  • Max's Mom||

    Well, I finally got Max to sleep. What would you like to talk about?

  • cynical||

    How do you put up with all the implications of incest that are lobbed your way here? I would be pretty upset at having to deal with that. You've got a pretty thick skin; color me impressed.

    It's not like it's your fault the way he turned out. They didn't even have genetic testing back then.

  • Max's Mom||

    I know you boys like your trash-talking fun. I don't take it to heart. Max, though, can't seem to avoid getting upset. He wasn't always like this; he used to be even worse before he discovered Hit & Run as a kind of catharsis. Oh, there's a little whimpering down the hall, so I'd better check. Good night.

  • cynical||

    Even if a court did allow cops to search your phone as a "container", I'm not sure how that would justify accessing documents stored in the cloud -- at that point, they aren't searching the phone that was on your person, they're using information on your phone to search a remote, private database.

    That isn't even close to the same as a container. By that logic, if they have the right to search your car, and the right to examine the keys on your person, they have the right to drive your car to your house, use the keys to unlock it, and ransack your house without a warrant, and consider it a part of the person/car search.

  • Bingo||

    That confuses me as well. At what point is this accessing data on the phone and at what point is this illegally accessing your phone/email records without warrant? And why are they allowed to brute-force passwords without a warrant? Can they "brute-force" the door to your house or car or glovebox?

  • Whappan?||

    Yes.

  • ||

    Logging into someone's account without their permission might be against the law.

    But cloud computing is a game changer with privacy. What you do on other people's computers can be fair game. If the owner of the data wishes to comply with the cops, or sells the data to clearinghouses to which LEO's subscribe, you're outta luck.

  • Ryan Radia||

    That's not entirely accurate. Thanks to a 1986 statute called the Electronic Communications Privacy Act (ECPA), private personal communications stored on servers owned by electronic service providers generally cannot be disclosed without the user's consent. Unless your provider's terms of service permit the disclosure of your correspondence, your provider can't disclose any of your content. If Google were to knowingly hand over your gmails to the police without a court order, the resulting statutory fines would be severe.

  • ||

    I'm sure our great statesmen in Congress will rush through an exemption so that Google wouldn't be punished for helping law enforcement track down dangerous evildoers.

  • Ryan Radia||

    Not if I, Google, Microsoft, AT&T, ACLU, EFF, ATR, FreedomWorks, and dozens of other organizations have anything to say about it: http://www.scribd.com/doc/3795.....-Liberties

  • Cyto||

    Counterexample. All based in this mess. Not that I don't support the EFF, IJ et. al. But when the guy who ran for office on an "I won't do that" platform begins arguing for "doing that"..... Well, four legs good, two legs better?

  • ||

    ""Thanks to a 1986 statute called the Electronic Communications Privacy Act (ECPA), private personal communications stored on servers owned by electronic service providers generally cannot be disclosed without the user's consent.""

    I think the P.A.T.R.I.O.T. Act or some other anti-terrorist act has fixed that.

  • some other guy||

    they will then access the history on your GPS and interrogate everyone you visited in the last year.

  • ||

    If it stores a years worth of history and they decide you're a person of interest.

  • Cyto||

    Right. Like say you are a preacher and you give a lift to this known prostitute........

  • ||

    ""By that logic, if they have the right to search your car, and the right to examine the keys on your person, they have the right to drive your car to your house, use the keys to unlock it, and ransack your house without a warrant, and consider it a part of the person/car search.""

    Not really, you don't own the data in the cloud, nor the systems where the data sits. so it's not like breaking into your private residence at all.

  • ||

    OK, so it's like using the combination written on a piece of paper in your car to open your locker at the YMCA locker room.

  • ||

    You guys do realize that any sensitive data on your phone can be accessed equally easily without a warrant by the person who steals it.

    Not saying that makes it OK for police to search it; but it does make it crazy to store sensitive info on your phone.

  • adam||

    Isn't the search incident to arrest exception supposed to be based on the safety of the officer? That is, to ensure there are no weapons or other items in close proximity. If so, how is searching a phone consistent with that rationale?

  • Cyto||

    How 1960's of you.... we've moved on from there... Something, something - "Grab Area".... it's all very technical and legal and stuff... It seems that despite the recommendations from Ryan Radia, the courts might uphold a warrantless search of locked containers inside your car. Maybe it depends on your completion...

  • Cyto||

    complexion, completion - 220, 221, whatever it takes. The bottom row on my keyboard just gave out, so I have to rely on creative spelling and spell-check this morning.

  • Rich||

  • ||

    Cue all of our resident statists: "...but, but, mobile phones didn't exist when the Fourth Amendment was written!"

  • Zeb||

    Someone should invent a self-destruct app for phones so that if you realize that your phone is likely to be seized by undesirable people you can push a button which stores data you want backed up at some external location and renders the phone inoperable.

GET REASON MAGAZINE

Get Reason's print or digital edition before it’s posted online

  • Video Game Nation: How gaming is making America freer – and more fun.
  • Matt Welch: How the left turned against free speech.
  • Nothing Left to Cut? Congress can’t live within their means.
  • And much more.

SUBSCRIBE

advertisement