Slashdot Mirror
Encrypt Your Smartphone — Or Else
pin0chet writes "Modern smartphones contain ever-increasing volumes of our private personal data — from text messages to images to emails — yet many smartphone security features can easily be circumvented by thieves or police officers equipped with off-the-shelf forensics equipment. Worse, thanks to a recent California Supreme Court ruling, police officers may be able to search your smartphone for hours without a warrant if you're arrested for any reason. Ars Technica has an article exploring the legal issues surrounding cell phone searches and explaining how you can safeguard your smartphone from the prying eyes of law enforcement officers."
You ever seen Deliverance?
I read this yesterday and it basically says "No apps can actually encrypt your entire phone, so buy a Blackberry". They point to some apps that will selectivly encrypt parts of your data but none seem to do all of it. I found myself wondering about the headline if for %99 of the phone sout there it's actually impossible.
Normal people worry me!
I use TextSecure by Whisper Systems for text messaging. It's currently in beta, but secure sessions are easy to set up, and the whole application, in general, is working out quite well for me. Better than the stock messaging application in CyanogenMod, at least.
vos nescitis quicquam, nec cogitatis quia expedit nobis ut unus moriatur homo pro populo et non tota gens pereat.
What part of this Supreme Law do they not understand? "The right of the people to be secure in their persons, houses, papers[data], and effects[cellphones], against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things [phones] to be seized." It was adopted as a response to the abuse of the British Writ of Assistance, which is a type of general search warrant, during the 1760s and 70s and their use forbidden in 1776 when the Colonies declared themselves independent States.
Cellphones should not be searchable until a police officer stands before a judge and obtains a warrant, and swears an oath that he, the officer, is telling the truth (and punishable with Perjury if not).
"I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
TFS:
Worse, thanks to a recent California Supreme Court ruling, police officers may be able to search your smartphone for hours without a warrant if you're arrested for any reason.
First, not all Americans live in California. Other States can (and have) interpreted their 4A equivalents to provide more or less protection than the Federal one.
More to the point, it's probably not true that they can search your cellphone if you are arrested for any reason. Rather, the US Supreme Court explained recently in Gant[1], the idea is that the police can search for things "reasonably believed to contain evidence of the offense of arrest". So searching the cell phone of the CA drug dealer might come out differently than searching the cell phone of (say) a parole violator or a drunk driver.
To be fair, Gant was an automobile search and the court might distinguish a cellphone from a car in some important sense. Nevertheless, the blanket statement in the summary is not likely to hold up if the police do not have some nexus between the arresting crime and the cellphone.
And of course, Gant might be wrong as a matter of policy, although Orin Kerr has a very good writeup[2] of the extensive history of search incident to arrest in Anglo-Saxon law that's worth reading for some historical context.
[1] http://www.law.cornell.edu/supct/html/07-542.ZO.html
[2] http://volokh.com/2010/12/14/the-origins-of-the-search-incident-to-arrest-exception/
How about you have data required to do your job on a device supplied by your employer that also happened to have you sign a NDA?
How would this play out with a cellphone or a laptop now that you have two distinct laws you have to abide by.
Should the govt be able to request your password for information stored on your (or a company) device that you have signed contracts to keep secret?
) Human Kind Vs Human Creation
) It'd be interesting to see how many humans would survive to serve us.
as a person who does not currently have a smartphone, I think I just decided not to EVER get one - until this kind of privacy invasion is nullified at the state (maybe even fed) level.
until then, I can EASILY do without carrying another computer with me. I spend enough time in front of an actual pc (work and home) that its somewhat of a relief NOT to have to carry yet another 'bother me' device while I'm out.
even if you have done 'nothing wrong' the fact that some thug in a badge can ruffle thru your correspondence for NO good reason - just ends the conversation on getting a smart phone.
thanks - you just saved me close to $100/mo for a 2yr minimum.
--
"It is now safe to switch off your computer."
It doesn’t only affect smartphones they will be able to search all your messages to make sure you weren’t planning something illegal check you don't talk to any known criminals. Also by taking your phone off you it stops you from contacting legal help, which could shut down their operation very quickly.
Rocket Surgeon.
It would probably be trivial to write a lockscreen program with a pair of passwords: One that you use personally to unlock it and another that silently wipes text messages / e-mail / saved data for selected applications (e.g. saved login for facebook, IM) for cases where you are compelled to provide a password.
But I would expect that as warrantless cell phone searches gain popularity software will be available to just about anybody to bypass any security at the application level.
What you're basically saying is that we don't need no stinking privacy, if you've done nothing wrong you got nothing to hide.
As the laws are now, the citizen has to take steps to prevent unjustified invasion of privacy by the state, which is completely backwards.
The police/feds can do more than just read your IMEI number now. The sneak has been removed from "sneak and peek".
The peek is now more a search too. Add in "they are free to try to crack the password by guessing it or by entering every possible combination (a brute-force attack)" - how strong is your average MS (patch on the way some time)/Apple(optional ?)/Google(3rd party/soon?) OS NSA allowed crypto effort?
If its strong, what about a useful plain text like backup database back on your desktop/laptop?
Bookmarks and that autocomplete cache that never gets wiped?
Will a country have an encrypted container detection software kit? Could you be held on not providing a pw when requested?
The smart thing to do is have a very dumb phone and just give up a list of numbers. Back to pen register vs your online life in plain text.
Domestic spying is now "Benign Information Gathering"
Well, for starters, we have the right to privacy; apparently, though, that right is not respected anymore, so we really need to be taking matters into our own hands and reminding the government that we do not want them spying on us.
Second, and probably the more practical reason, how do you know whether or not you are doing something illegal? There are a lot of laws on the books, and people can be arrested for all sorts of things that do not seem illegal but which actually are. I very strongly doubt that you can accurately claim to follow every law; you may even have committed felony offenses without realizing it. All it would take is a police department under pressure to engage in a crack down, or a cop who just does not like you, and you could find yourself arrested and in court (but they would never do that, right?).
Palm trees and 8
seriously, this is the near definition of 'chilling effect'.
don't want to reveal your whole life to some badged thug? guess you cannot HAVE a portable computer with you.
lets tell this to the smartphone companies and carriers. lets pit the economic interests of those behemoths to the thugs in blue. maybe if the carriers and vendors realize that smartphone sales are plummeting they'll get the laws changed.
wait - what am I saying?! you folks are like crack addicts with your cellphones and the lawmakers KNOW IT. you'll never give them up, sadly.
--
"It is now safe to switch off your computer."
Let's assume for argument's sake that I'm stopped by the police and I'm arrested. My phone is unlocked and they start to search it.
Are they entitled to data only ON the phone, or are they allowed to use an application on the phone which allows access to data stored elsewhere on the phone?
In theory, an email client setup for IMAP doesn't store data on the phone -- messages are retrieved from the server. This glosses over caching, butassume the device could be setup to NOT cache messages locally (or background erase them after N seconds/minutes), the data isn't "on the phone" it's only being *presented* on the phone.
My vague understanding of searches when arrested is that proximate searches are OK, but with an always-connected network device, what's proximate, especially if (like almost all IMAP clients, even ones with very limited caching) there's no perceptible difference between data that's local and data that's on some server somewhere else?
Is the limit some dump of flash (and RAM, if they could do that)?
And why stop at smartphone application data? What if I have an RDP or a SSH/telnet app on my phone that gives them access to dozens of machines (which, in turn, may ALSO offer dozens of machines)? Are those remote systems, because they can be accessed as if local, also eligible for a search?
I guess what's scary is that it's not hard to see a slippery slope where anything the phone allows them into they have access to.
To my knowledge, no court has addressed that particular issue to date. Professor Adam Gershowitz argues in his 2008 UCLA Law Review article http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1084503 that courts addressing warrantless cell phone searches might consider distinguishing between data that is stored locally on a cell phone and data that is accessible via a cell phone. The rationale for such a distinction is rooted in the notion of the "immediate grabbing space" which police are allowed to search incident to arrest.
Laws are written vaguely, with the express purpose of "keeping us in line"; if we fear that we're breaking the law constantly then we will behave better, I guess, or more cynically, "Find me six lines from the most honest of men and I will find something in there to have him hanged."
I feel fantastic, and I'm still alive.