Slashdot Mirror
Encrypt Your Smartphone — Or Else
pin0chet writes "Modern smartphones contain ever-increasing volumes of our private personal data — from text messages to images to emails — yet many smartphone security features can easily be circumvented by thieves or police officers equipped with off-the-shelf forensics equipment. Worse, thanks to a recent California Supreme Court ruling, police officers may be able to search your smartphone for hours without a warrant if you're arrested for any reason. Ars Technica has an article exploring the legal issues surrounding cell phone searches and explaining how you can safeguard your smartphone from the prying eyes of law enforcement officers."
I use TextSecure by Whisper Systems for text messaging. It's currently in beta, but secure sessions are easy to set up, and the whole application, in general, is working out quite well for me. Better than the stock messaging application in CyanogenMod, at least.
vos nescitis quicquam, nec cogitatis quia expedit nobis ut unus moriatur homo pro populo et non tota gens pereat.
How about you have data required to do your job on a device supplied by your employer that also happened to have you sign a NDA?
How would this play out with a cellphone or a laptop now that you have two distinct laws you have to abide by.
Should the govt be able to request your password for information stored on your (or a company) device that you have signed contracts to keep secret?
) Human Kind Vs Human Creation
) It'd be interesting to see how many humans would survive to serve us.
as a person who does not currently have a smartphone, I think I just decided not to EVER get one - until this kind of privacy invasion is nullified at the state (maybe even fed) level.
until then, I can EASILY do without carrying another computer with me. I spend enough time in front of an actual pc (work and home) that its somewhat of a relief NOT to have to carry yet another 'bother me' device while I'm out.
even if you have done 'nothing wrong' the fact that some thug in a badge can ruffle thru your correspondence for NO good reason - just ends the conversation on getting a smart phone.
thanks - you just saved me close to $100/mo for a 2yr minimum.
--
"It is now safe to switch off your computer."
It would probably be trivial to write a lockscreen program with a pair of passwords: One that you use personally to unlock it and another that silently wipes text messages / e-mail / saved data for selected applications (e.g. saved login for facebook, IM) for cases where you are compelled to provide a password.
But I would expect that as warrantless cell phone searches gain popularity software will be available to just about anybody to bypass any security at the application level.
seriously, this is the near definition of 'chilling effect'.
don't want to reveal your whole life to some badged thug? guess you cannot HAVE a portable computer with you.
lets tell this to the smartphone companies and carriers. lets pit the economic interests of those behemoths to the thugs in blue. maybe if the carriers and vendors realize that smartphone sales are plummeting they'll get the laws changed.
wait - what am I saying?! you folks are like crack addicts with your cellphones and the lawmakers KNOW IT. you'll never give them up, sadly.
--
"It is now safe to switch off your computer."
Let's assume for argument's sake that I'm stopped by the police and I'm arrested. My phone is unlocked and they start to search it.
Are they entitled to data only ON the phone, or are they allowed to use an application on the phone which allows access to data stored elsewhere on the phone?
In theory, an email client setup for IMAP doesn't store data on the phone -- messages are retrieved from the server. This glosses over caching, butassume the device could be setup to NOT cache messages locally (or background erase them after N seconds/minutes), the data isn't "on the phone" it's only being *presented* on the phone.
My vague understanding of searches when arrested is that proximate searches are OK, but with an always-connected network device, what's proximate, especially if (like almost all IMAP clients, even ones with very limited caching) there's no perceptible difference between data that's local and data that's on some server somewhere else?
Is the limit some dump of flash (and RAM, if they could do that)?
And why stop at smartphone application data? What if I have an RDP or a SSH/telnet app on my phone that gives them access to dozens of machines (which, in turn, may ALSO offer dozens of machines)? Are those remote systems, because they can be accessed as if local, also eligible for a search?
I guess what's scary is that it's not hard to see a slippery slope where anything the phone allows them into they have access to.
To my knowledge, no court has addressed that particular issue to date. Professor Adam Gershowitz argues in his 2008 UCLA Law Review article http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1084503 that courts addressing warrantless cell phone searches might consider distinguishing between data that is stored locally on a cell phone and data that is accessible via a cell phone. The rationale for such a distinction is rooted in the notion of the "immediate grabbing space" which police are allowed to search incident to arrest.