Police Utilizing Private Companies, Exploits To Access Data From Suspects' Smartphones
from the brute-force-attacks-that-don't-involve-SWAT-members,-battering-rams dept
Law enforcement agencies really want to see your phone's contents. I mean, they really want to. Martin Kaste at NPR has a story on law enforcement and smartphones which contains the following quote from a Rolf Norton, a Seattle homicide detective.
"I'm thinking there's probably a wealth of information that just got tucked into your pocket," Norton says. "Something that we'd like to get our hands on."Easy for law enforcement officers to say, but today's phones have more in common with a personal computer than they do with, say, the contents of someone's pants pockets, as the state of Texas memorably argued.
The courts have offered mixed opinions as to whether a warrant is needed to view the contents of someone's phone. This lack of a "bright line" is increasingly problematic as smartphones have become a convenient, pocket-sized data center that can reveal plenty of information that wouldn't normally be accessible without a warrant.
The NPR story deals only with access granted by warrants, but it does lead off with another Detective Norton quote which points out how officers will attempt to separate the ignorant from their (possibly incriminating) evidence.
Once he's seized a phone, Norton says, he often has to return to the owner to ask for help.Refusing to hand over a password shouldn't seem to be a problem, but like the issue listed above, the courts have been unclear as to whether the Fifth Amendment's protections against self-incrimination extends to passwords. This could lead to obstruction charges or contempt of court for the phone's owner.
"Maybe you've established a rapport and you're getting along with this person," Norton says. "We'll reach out to that person and say, 'Hey, your phone's locked. We'd like to inspect it. We'll probably be getting a warrant. Would you give us your password?' "
Just getting a warrant doesn't necessarily make everything OK, either. There's a ton of non-relevant data on any given smartphone, all of which can easily be accessed once the phone is unlocked. Narrowly-written warrants that set limits on what officers can and can't look at are a partial solution, but one that few law enforcement agencies are likely to follow.
Blindly diving into the contents of someone's smartphone exposes a whole lot of information, and if officers aren't exactly sure where this incriminating data is located, they'll probe around until they can find it. Armed with just enough "belief and information" to be dangerous, they'll easily be able to make the case that all contents are "relevant" until proven otherwise. This obviously raises privacy concerns, but again, there's no specific protection in place for these contents, which some courts have argued contain no "expectation of privacy" thanks to constant "checkins" with third party providers and services.
Not that the lack of a warrant or permission will necessarily prevent the phone from being searched. (That "problem" can always be dealt with later in the courtroom…)
Companies such as Guidance Software and Cellebrite sell products to law enforcement that "image" smartphones. The products can pull data off in bulk for use as evidence. BrickHouse Security in New York sells products like this for iPhone and Android. CEO Todd Morris says the handset manufacturers don't support this, so it's a constant effort to keep the forensic software up to date.As Morris notes, cellphone companies aren't cooperating in providing back doors for law enforcement to access phones without warrants. So, like our very own NSA, these companies use exploits to crack phones for curious cops.
These phone-copying systems rely heavily on what hackers call "exploits," or vulnerabilities in the phones' operating systems that can be used to get around the password or encryption.All in all, Apple's phones are more secure than Android handsets. But either way, having to go through the warrant process can mean weeks to months of waiting (if the handset needs to be returned to the manufacturer) for the release of "rescued" data. (Courts have been more reluctant to force defendants to turn over passwords, seeing this as more of a clear Fifth Amendment violation.) Not surprisingly, this turnaround time is considered unacceptable, hence the arms race of private company vs. private company to gain (and maintain) control of a smartphone's contents.
Even considering the oft-abused Third Party Doctrine, it would seem that a warrantless search of a smartphone would be a Fourth Amendment violation. There's just too much information stored on the average smartphone to be compared to anything found on a person during a normal search. And, as a New York law student recently asked Supreme Court Justice Antonin Scalia, isn't searching someone's computer roughly equivalent to their "effects," Fourth Amendment-wise? For all intents and purposes, a smartphone is a portable computer, loaded with a person's "effects" and creating a time/date/location "event" every time it pings a cell tower.
Considering how much info can be gathered from a single smartphone, It's little wonder law enforcement wants to peek at arrestees' smartphones, but the courts need to do a bit of catching up to today's cellphone realities. And there needs to be more attention paid to the fact that law enforcement agencies are partnering with private companies to crack phones, apparently without asking for a warrant first.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: fifth amendment, fourth amendment, law enforcement, mobile phones, passwords, police
Reader Comments
Subscribe: RSS
View by: Time | Thread
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
Amendment IV
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
i simply CAN NOT fathom how ANYONE -judge, jury, kop, citizen- can interpret this in any other way but that phones (read: small computers) fall under the 4th as 'papers and effects'...
IF they try to aver that silicon is not 'paper', then fuck them, that is bullshit...
i understand how they WANNA make all the exceptions in the world to snatch OUR shit; but they want NO sort of similar accountability for THEIR shit...
this 'diode justice' (only works one way) is going to be their downfall... stupid shits
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
This is only possible because people are idiots. If your phone automatically logs you into any third party services, automatically fills in any passwords for you, or if you're using the same password for multiple services, then you're counting on a locked screen door to keep the bad guys out of your house, whether those bad guys are cops, identity thieves, or crackers.
Don't do that.
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
Also, a good technique is to use passwords that you can compute. For example, passwords for web site logins could be of the form <site initials><random characters>
What I do is use a password keeper app to store my password list in an encrypted file. That is unlocked by a passphrase that is not used for anything else. I use my brain to remember passwords I use frequently, so those don't have to be recorded anywhere at all.
[ link to this | view in chronology ]
Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
Not necessarily. As Mr. Fenderson said, passwords written on paper can be encoded or obfuscated, such that what's written is not, by necessity, what gets inputed to a computer. Please note that I am being intentionally vague and not offering examples on purpose. Use your imagination. ;)
[ link to this | view in chronology ]
Re:
And IIRC, that can lead to jail time.
Rock .. meet hard place
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
Just off the top of my head, Google Maps. That little app in and of itself was worth the purchase price of the phone and more a while back when I found myself lost in an unfamiliar city I was visiting and the cheapo GPS the rental car company gave me broke down, while I was on the freeway! It enabled me to get to my destination and then back to my hotel safely and on time.
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
* It doesn't have a built-in database of addresses (you have to already know where you're going to find out how to get there)
* It doesn't have a routing algorithm (even if you know where you are and where you're going, it's up to you to figure out how to get from point A to point B)
* It tends to show roads and political boundaries, but not things you'd actually be interested in such as final destinations. (If I'm trying to get to a hotel, it's a lot easier to remember the name of the hotel than its address.)
* Once it's printed, it's set in stone (as it were). It can't receive updates, either regarding new roads and final destinations or current traffic conditions.
* It can't read itself to you. This is particularly significant when you don't have a passenger along.
In light of all this, there's really no good reason not to use a GPS these days.
[ link to this | view in chronology ]
Re: Re: Re: Re:
Print out the relevant bits, and at relevant scale from Google maps or OpenStreetMaps, and have an up to date paper backup, lacking only traffic conditions. If all else fails, it is usually possible to ask directions.
And pray there are not two or three of the same name in different parts of the same town.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
If you're getting your maps electronically, why not also carry them electronically? Printing them out seems like wasted time, effort, and trees.
"pray there are not two or three of the same name in different parts of the same town."
This is not a problem, actually. I've used three different mapping services, and they all have done the same thing about this: if I search for something that exists in multiple places, I am presented with a list of all the possible matches and their addresses. I just select the one that I want.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
No, it's not. A paper map is a substitute for sure, and better than nothing, but it is highly inferior to the electronic versions.
[ link to this | view in chronology ]
Re:
If security is your concern, you don't have to carry a dumb phone to have it (and a dumb phone doesn't protect you against some of the worst surveillance activities). It is possible to carry and use a smartphone without leaving yourself wide open to these types of intrusions. It's all a matter of where on the convenience/security scale you are the most comfortable.
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
The is no expectation of privacy for things I do inside my home with the doors locked, lights off and shades drawn because I do other things in public.
Anything I tell my bank is also public knowledge, including my PIN. Because they're a third-party provider or service.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
Just because the applications on my phone might "checkin" with third party providers/services, doesn't mean that the data on the phone shouldn't be protected.
The mentality of the courts on that particular thing is just... wrong.
[ link to this | view in chronology ]
Re:
uhm. no.
*smh*
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Modify the phone?
Then just get two batteries for power and alternate between them, using a separate charger.
How many imaging machines will the police lose to short circuiting before they stop trying?
Just a thought. Not legal advice.
[ link to this | view in chronology ]
Re: Modify the phone?
[ link to this | view in chronology ]
This isn't just happening in the US
Of course many people will stubbornly and foolishly insist that because they run XYZ on their smartphone they're immune to this. Bullshit. These sniffing/dissection/decryption devices are already massively capable and they're not going to get worse.
[ link to this | view in chronology ]
I thought was mentioned
BUT, you may need to understand something about this..
GOT any MP3 data?? GOT a few movies for the kids to watch??
Internet connections that CONNECT to such data??
I HOPE you have you can SHOW you PAID for that..
Got a 8gig Card in your phone/pad/??? FULL of music and video?? Going into CANADA..? they can erase it..its part of our IMPORT clause..even tho they are in SAME AREA 1..
Can someone tell me how to get around this CONVOLUTED bunch of Garbage laws??
With the laws and regs the way they are...you COULD be staying in jail longer then Carrying DRUGS..
[ link to this | view in chronology ]
Re: I thought was mentioned
That used to be called the constitution free zone, but they have since just said the constitution no longer applies to them and the entire universe is subject to their whims.
When are they going to begin construction on the death star?
[ link to this | view in chronology ]
Re: I thought was mentioned
[ link to this | view in chronology ]
Please do not believe this is so. While I'll grant because carriers refuse to update Android OS on phones that they do become vulnerable, I also truly feel that this is actually criminal negligence on the carrier's part. A properly updated Android phone may in fact be more secure than an iPhone, in that releases do occur more frequently to the repo than developer releases on Apple.
All in all, if you really have something to hide, buy a Nexus and use the developer repo to constantly update for flaws is probably your best bet.
[ link to this | view in chronology ]
Re:
Instead it means that Android devices are easier to access using third party forensic tools than Apple devices.
Though this is true in some instances I can guarantee you that I have more ability and ease of access with iOS devices than with the multitude of Android ones out there, mainly since iOS (in all its versions) is actually the same so the same process can basically be used for all its iterations.
Android devices (and this includes Windows phones.. though Win Phones have there own peculiarities) is sometimes dependent on the situations a LOT harder to access, image and analyse. In fact if someone has rooted there phone (which is becoming more and more common actually with criminal cases) they are more likely to add some non standard Rom like CyanogenMod which then using some of the new framework structures and 'root' apps allows complete and absolute control over all low level parts of the phone (bluetooth, access of apps to networks and caching etc) plus the ability to instantly wipe cache's (including Dalvik cache) plus encrypt the whole or parts of any SD card plus its own internal storage.
Basically if someone doesn't want you to access your phone without a LOT of effort and full warrants to search for SPECIFIC things they can now make life a LOT harder for most forensic investigations.
Or do what some are now doing.. Don't use smart phones, use dumb Chinese digital phones that just... you know... Ring!
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
oh wait... they did on android.. Google themselves call it "Android Device manager" .It's actually quite good.. though there are other services that allow full low level wipes on rooted phones that basically destroy ALL data (internal, ROM, and external) doing complete zero fill or even DoD 5220.22-M Standard sanitation.
Luckily for my professional sanity Apple devices don't have this ability (yet???) using there "Find My iPhone" service.
[ link to this | view in chronology ]
Re: Re:
I have nothing to hide (ha!) but should I ever be arrested, or even detained, I doubt I'll be able to ask for a connection to my confiscated phone so I can spoliate whatever evidence might be there.
Were I paranoid, I'd likely root my phone and install a mod that executes different routines, based on my screen unlock code:
1234 gives me access as me
5678 gives me access to a subset suitable for a child or friend
2468 performs a "factory reset" such that the phone isn't damaged, but I can reinstall my apps and backed-up data
9753 performs a 5220-level wipe, then triggers some hardware exploit that leads to a melted phone.
In fact, if such a mod were available, I'd pay for it. Just because it would be nice to have. In case, you know, I need to carry some Scentsy across town, or stand with my buttocks clenched the wrong way.
[ link to this | view in chronology ]
Re: Re: Re:
I'm not doing anything wrong, but the constitution allows me to not have to PROVE i'm doing nothing wrong... And it seems we've forgotten it. and too many are concerned that a bad guy might go loose, that they are happily giving up the rights of the rest of us...
And frankly, even the so-called bad guy has constitutional rights.
*smh*
Whatever happened to innocent until proven guilty?
My hubbs was telling me tonight about some encryption program that would at least slow them down...
because, you know, civil rights.
And he has already been told that I'm not giving up my phone OR my password and should I ever be requested to, he should make sure to have bail money... because I WILL take it as far as I can....
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
CHEAP
PHONE, PAD and cell...USe SD cards and PULL them near any location that could do anything..
JUST dont load the cards unless you KNOW you are in private..
[ link to this | view in chronology ]
[ link to this | view in chronology ]
cellphone please
Rather than "papers please", it will be "cellphone please".
[ link to this | view in chronology ]
Good article until...
All your credibility gonenin one swoop! Don't get me wrong, neither are secure but that statement is beyond belief!
[ link to this | view in chronology ]
Police and Your Cell Phone
[ link to this | view in chronology ]
Re: Police and Your Cell Phone
Accessing a phone that instead is password protected and accessing, imaging (exact copying), then analysing at leisure ALL the information whether it is relevant to an investigation, or worse still 'evidence fishing', is an entirely different ultra vires matter than what you have described above.
Its interestingt hat you refer to the chain of evidence since that chain has to use procedurally compliant rule sets that a court ultimately oversees, whereas again in the example of the article. That is non existent and would absolutely break any evidence chain or if not give one a reliability and probity problem whenever the evidence was used in a court.
[ link to this | view in chronology ]
Re: Police and Your Cell Phone
That's LUDICROUS.
Otherwise, how about we also search you bodily when you walk out of walmart because you might be a shoplifter. Let's run you thru an xray machine as you walk into the bank in case your carrying a weapon, unless you live in Texas, where you'd only be letting the yahoos with guns know who to take as hostage...
If they can't ask the person CARRYING A SEMI-AUTOMATIC WEAPON INTO CHURCH if they have a LICENSE for that weapon then they sure as sam HELL are not getting hold of my phone...
end. of. story.
[ link to this | view in chronology ]
The only thing to say to a police officer
[ link to this | view in chronology ]
However, after more consideration, it occurs to me that it is impossible to give someone safe, reliable access to another individual's phone's file system in an adversarial setting (such as a cop taking and examining a phone at an arrest) without also giving them access to that person's networked information--Which I have a hard time coming up with a 1700's analogue for. The documents stored at home in a safe? Maybe, but you can't access those while walking. Your thoughts?
Good thing I'm not a supreme court justice.
[ link to this | view in chronology ]
[ link to this | view in chronology ]