Slashdot Mirror
Encrypt Your Smartphone — Or Else
pin0chet writes "Modern smartphones contain ever-increasing volumes of our private personal data — from text messages to images to emails — yet many smartphone security features can easily be circumvented by thieves or police officers equipped with off-the-shelf forensics equipment. Worse, thanks to a recent California Supreme Court ruling, police officers may be able to search your smartphone for hours without a warrant if you're arrested for any reason. Ars Technica has an article exploring the legal issues surrounding cell phone searches and explaining how you can safeguard your smartphone from the prying eyes of law enforcement officers."
You ever seen Deliverance?
I read this yesterday and it basically says "No apps can actually encrypt your entire phone, so buy a Blackberry". They point to some apps that will selectivly encrypt parts of your data but none seem to do all of it. I found myself wondering about the headline if for %99 of the phone sout there it's actually impossible.
Normal people worry me!
I use TextSecure by Whisper Systems for text messaging. It's currently in beta, but secure sessions are easy to set up, and the whole application, in general, is working out quite well for me. Better than the stock messaging application in CyanogenMod, at least.
vos nescitis quicquam, nec cogitatis quia expedit nobis ut unus moriatur homo pro populo et non tota gens pereat.
What part of this Supreme Law do they not understand? "The right of the people to be secure in their persons, houses, papers[data], and effects[cellphones], against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things [phones] to be seized." It was adopted as a response to the abuse of the British Writ of Assistance, which is a type of general search warrant, during the 1760s and 70s and their use forbidden in 1776 when the Colonies declared themselves independent States.
Cellphones should not be searchable until a police officer stands before a judge and obtains a warrant, and swears an oath that he, the officer, is telling the truth (and punishable with Perjury if not).
"I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
TFS:
Worse, thanks to a recent California Supreme Court ruling, police officers may be able to search your smartphone for hours without a warrant if you're arrested for any reason.
First, not all Americans live in California. Other States can (and have) interpreted their 4A equivalents to provide more or less protection than the Federal one.
More to the point, it's probably not true that they can search your cellphone if you are arrested for any reason. Rather, the US Supreme Court explained recently in Gant[1], the idea is that the police can search for things "reasonably believed to contain evidence of the offense of arrest". So searching the cell phone of the CA drug dealer might come out differently than searching the cell phone of (say) a parole violator or a drunk driver.
To be fair, Gant was an automobile search and the court might distinguish a cellphone from a car in some important sense. Nevertheless, the blanket statement in the summary is not likely to hold up if the police do not have some nexus between the arresting crime and the cellphone.
And of course, Gant might be wrong as a matter of policy, although Orin Kerr has a very good writeup[2] of the extensive history of search incident to arrest in Anglo-Saxon law that's worth reading for some historical context.
[1] http://www.law.cornell.edu/supct/html/07-542.ZO.html
[2] http://volokh.com/2010/12/14/the-origins-of-the-search-incident-to-arrest-exception/
Sounds about right to me. Using technology to subvert immoral laws (and immoral law-enforcement).
This is my sig. There are many like it but this one is mine.
That's what I do. My phone is just a phone and I don't have anything stored on it, mainly because of fear that I might lose the phone & sensitive information. And now: Because of fear of search by police or Homeland Gestapo or the Airport SA.
I was already stopped once because Homeland Insecurity wanted to search my car w/o a warrant. Made me stand in the hot Texas sun over an hour before finally letting me go. The last thing I need is for these Stazi to peruse my phone, and charge me with something stupid, like transporting nudie pics over state borders, or having illegal MP3s, or whatever.
"I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
How about you have data required to do your job on a device supplied by your employer that also happened to have you sign a NDA?
How would this play out with a cellphone or a laptop now that you have two distinct laws you have to abide by.
Should the govt be able to request your password for information stored on your (or a company) device that you have signed contracts to keep secret?
) Human Kind Vs Human Creation
) It'd be interesting to see how many humans would survive to serve us.
as a person who does not currently have a smartphone, I think I just decided not to EVER get one - until this kind of privacy invasion is nullified at the state (maybe even fed) level.
until then, I can EASILY do without carrying another computer with me. I spend enough time in front of an actual pc (work and home) that its somewhat of a relief NOT to have to carry yet another 'bother me' device while I'm out.
even if you have done 'nothing wrong' the fact that some thug in a badge can ruffle thru your correspondence for NO good reason - just ends the conversation on getting a smart phone.
thanks - you just saved me close to $100/mo for a 2yr minimum.
--
"It is now safe to switch off your computer."
It doesn’t only affect smartphones they will be able to search all your messages to make sure you weren’t planning something illegal check you don't talk to any known criminals. Also by taking your phone off you it stops you from contacting legal help, which could shut down their operation very quickly.
Rocket Surgeon.
It would probably be trivial to write a lockscreen program with a pair of passwords: One that you use personally to unlock it and another that silently wipes text messages / e-mail / saved data for selected applications (e.g. saved login for facebook, IM) for cases where you are compelled to provide a password.
But I would expect that as warrantless cell phone searches gain popularity software will be available to just about anybody to bypass any security at the application level.
> as a person who does not currently have a smartphone, I think I just decided not to EVER get one - until this kind of privacy invasion is nullified at the state (maybe even fed) level.
As a person who does not currently have a smartphone, I think I just decided not to EVER get one - until this kind of privacy invasion can be nullified [[BY ME having the ultimate control over my own device, rather than Apple or whichever telecom]].
That's the *only* way to trust it. Laws cannot accomplish that. If nothing else, the law cannot protect you from the government that made the law.
FTFY.
What you're basically saying is that we don't need no stinking privacy, if you've done nothing wrong you got nothing to hide.
As the laws are now, the citizen has to take steps to prevent unjustified invasion of privacy by the state, which is completely backwards.
As per the article, difficult to do when there are tens of thousands of laws that are on the books. What if your phone's accelerometers show you were traveling greater than the speed limit? The data is captured and you didn't even know.
The police/feds can do more than just read your IMEI number now. The sneak has been removed from "sneak and peek".
The peek is now more a search too. Add in "they are free to try to crack the password by guessing it or by entering every possible combination (a brute-force attack)" - how strong is your average MS (patch on the way some time)/Apple(optional ?)/Google(3rd party/soon?) OS NSA allowed crypto effort?
If its strong, what about a useful plain text like backup database back on your desktop/laptop?
Bookmarks and that autocomplete cache that never gets wiped?
Will a country have an encrypted container detection software kit? Could you be held on not providing a pw when requested?
The smart thing to do is have a very dumb phone and just give up a list of numbers. Back to pen register vs your online life in plain text.
Domestic spying is now "Benign Information Gathering"
Well, for starters, we have the right to privacy; apparently, though, that right is not respected anymore, so we really need to be taking matters into our own hands and reminding the government that we do not want them spying on us.
Second, and probably the more practical reason, how do you know whether or not you are doing something illegal? There are a lot of laws on the books, and people can be arrested for all sorts of things that do not seem illegal but which actually are. I very strongly doubt that you can accurately claim to follow every law; you may even have committed felony offenses without realizing it. All it would take is a police department under pressure to engage in a crack down, or a cop who just does not like you, and you could find yourself arrested and in court (but they would never do that, right?).
Palm trees and 8
We've moved out of the US to a third world country. Either you have influence or you don't. The US is a big mess now with too many dangerous criminals. The government variety doing their [illegal] supposed job are the most common hazard.
Don't be such a downer. Instead, develop software that makes your phone look completely unlocked (and mostly vanilla and innocent data on it) if you don't swipe the screen unlock thing the correct way.
Not only could it hide/wipe personal data when the pigs are trying to rummage through your phone, it could also record them talking to each other about it - with a false data transfer icon showing low or no bandwidth use (lying) as it uploads their chatter to a server they could never hope to reach, even if they knew about it. Not only while they screw with your phone, but the whole time they have it near them. Trying to unlock it wrong would trigger the recording, but only the battery dying (or extended silence) would stop it. You would have to turn this decoy mode off once you got your phone back.
Imagine how useful this insider knowledge could be to you! This thing cuts both ways. Pigs might have physical might/intimidation, but they tend to not have a lot of brains. A smart enough person could easily trick some pigs into revealing a lot about themselves, while the pigs learn nothing (and suspect nothing) of the phone owner.
P.S. I don't hate police (one of my best friends is one). I do hate (and unfortunately, know some) pigs.
seriously, this is the near definition of 'chilling effect'.
don't want to reveal your whole life to some badged thug? guess you cannot HAVE a portable computer with you.
lets tell this to the smartphone companies and carriers. lets pit the economic interests of those behemoths to the thugs in blue. maybe if the carriers and vendors realize that smartphone sales are plummeting they'll get the laws changed.
wait - what am I saying?! you folks are like crack addicts with your cellphones and the lawmakers KNOW IT. you'll never give them up, sadly.
--
"It is now safe to switch off your computer."
Let's assume for argument's sake that I'm stopped by the police and I'm arrested. My phone is unlocked and they start to search it.
Are they entitled to data only ON the phone, or are they allowed to use an application on the phone which allows access to data stored elsewhere on the phone?
In theory, an email client setup for IMAP doesn't store data on the phone -- messages are retrieved from the server. This glosses over caching, butassume the device could be setup to NOT cache messages locally (or background erase them after N seconds/minutes), the data isn't "on the phone" it's only being *presented* on the phone.
My vague understanding of searches when arrested is that proximate searches are OK, but with an always-connected network device, what's proximate, especially if (like almost all IMAP clients, even ones with very limited caching) there's no perceptible difference between data that's local and data that's on some server somewhere else?
Is the limit some dump of flash (and RAM, if they could do that)?
And why stop at smartphone application data? What if I have an RDP or a SSH/telnet app on my phone that gives them access to dozens of machines (which, in turn, may ALSO offer dozens of machines)? Are those remote systems, because they can be accessed as if local, also eligible for a search?
I guess what's scary is that it's not hard to see a slippery slope where anything the phone allows them into they have access to.
no cell phone is trackable if the BATTERY IS REMOVED.
simple things sometimes work wonders.
and yes, when I used to carry a phone, I would remove the battery when I didn't need the phone on. lots of reasons, really.
--
"It is now safe to switch off your computer."
To my knowledge, no court has addressed that particular issue to date. Professor Adam Gershowitz argues in his 2008 UCLA Law Review article http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1084503 that courts addressing warrantless cell phone searches might consider distinguishing between data that is stored locally on a cell phone and data that is accessible via a cell phone. The rationale for such a distinction is rooted in the notion of the "immediate grabbing space" which police are allowed to search incident to arrest.
Have you actually tried this? I just did. I intentionally biffed the passcode 6 times and it locked the phone for 1 minute. After the minute was up I intentionally biffed it again. It then locked the phone for 5 minutes. I did not bother to complete the experiment.
You can't get rid of your data that quickly. It makes sense. Otherwise some joker at work could get hold of your phone and cause you instant grief for the rest of the day.
http://www.rootstrikers.org/
Here's the argument from the article again, we all break the laws several times a day without knowing, but the police know and will put us all in prison or worse for crimes we didn't commit or for things that shouldn't be "crimes" in any non-fascist society.
This accusation of unjust incrimination for everyone and everything is the crucial difference between the Police and the Gestapo, yet no one bothered to name a single situation, example or proof, where this could happen.
If there are 10.000 laws in the US which everyone is breaking 5 times a day without knowing, it shouldn't be that hard to name a few so us average Joes can learn to avoid breaking that law in the first place and/or organize a petition to get rid of them.
If you're really paranoid, yank the SIM out and disable Wifi.
Also, leave the phone at home at all times.
To have a right to do a thing is not at all the same as to be right in doing it
Laws are written vaguely, with the express purpose of "keeping us in line"; if we fear that we're breaking the law constantly then we will behave better, I guess, or more cynically, "Find me six lines from the most honest of men and I will find something in there to have him hanged."
I feel fantastic, and I'm still alive.
The link in the article, "how you can safeguard your smartphone" actually has zero information about how to safeguard your smartphone. It's all about explaining why you should, not how.
Sarbonn's blog: http://www.sarbonn.com/blog
There is a program called SecuBox, http://aikosolutions.com/ it creates virtual encrypted disk on Windows-powered handhelds. You can keep your sensitive data there, in encrypted form.
Your phonebook, SMS and other data are still kept in the phone using regular methods though. On the bright side - at least you get to control where your files are kept.
The saddest poem