Police Utilizing Private Companies, Exploits To Access Data From Suspects' Smartphones

from the brute-force-attacks-that-don't-involve-SWAT-members,-battering-rams dept

Law enforcement agencies really want to see your phone's contents. I mean, they really want to. Martin Kaste at NPR has a story on law enforcement and smartphones which contains the following quote from a Rolf Norton, a Seattle homicide detective.

"I'm thinking there's probably a wealth of information that just got tucked into your pocket," Norton says. "Something that we'd like to get our hands on."

Easy for law enforcement officers to say, but today's phones have more in common with a personal computer than they do with, say, the contents of someone's pants pockets, as the state of Texas memorably argued.

The courts have offered mixed opinions as to whether a warrant is needed to view the contents of someone's phone. This lack of a "bright line" is increasingly problematic as smartphones have become a convenient, pocket-sized data center that can reveal plenty of information that wouldn't normally be accessible without a warrant.

The NPR story deals only with access granted by warrants, but it does lead off with another Detective Norton quote which points out how officers will attempt to separate the ignorant from their (possibly incriminating) evidence.

Once he's seized a phone, Norton says, he often has to return to the owner to ask for help.

"Maybe you've established a rapport and you're getting along with this person," Norton says. "We'll reach out to that person and say, 'Hey, your phone's locked. We'd like to inspect it. We'll probably be getting a warrant. Would you give us your password?' "

Refusing to hand over a password shouldn't seem to be a problem, but like the issue listed above, the courts have been unclear as to whether the Fifth Amendment's protections against self-incrimination extends to passwords. This could lead to obstruction charges or contempt of court for the phone's owner.

Just getting a warrant doesn't necessarily make everything OK, either. There's a ton of non-relevant data on any given smartphone, all of which can easily be accessed once the phone is unlocked. Narrowly-written warrants that set limits on what officers can and can't look at are a partial solution, but one that few law enforcement agencies are likely to follow.

Blindly diving into the contents of someone's smartphone exposes a whole lot of information, and if officers aren't exactly sure where this incriminating data is located, they'll probe around until they can find it. Armed with just enough "belief and information" to be dangerous, they'll easily be able to make the case that all contents are "relevant" until proven otherwise. This obviously raises privacy concerns, but again, there's no specific protection in place for these contents, which some courts have argued contain no "expectation of privacy" thanks to constant "checkins" with third party providers and services.

Not that the lack of a warrant or permission will necessarily prevent the phone from being searched. (That "problem" can always be dealt with later in the courtroom…)

Companies such as Guidance Software and Cellebrite sell products to law enforcement that "image" smartphones. The products can pull data off in bulk for use as evidence. BrickHouse Security in New York sells products like this for iPhone and Android. CEO Todd Morris says the handset manufacturers don't support this, so it's a constant effort to keep the forensic software up to date.

As Morris notes, cellphone companies aren't cooperating in providing back doors for law enforcement to access phones without warrants. So, like our very own NSA, these companies use exploits to crack phones for curious cops.

These phone-copying systems rely heavily on what hackers call "exploits," or vulnerabilities in the phones' operating systems that can be used to get around the password or encryption.

All in all, Apple's phones are more secure than Android handsets. But either way, having to go through the warrant process can mean weeks to months of waiting (if the handset needs to be returned to the manufacturer) for the release of "rescued" data. (Courts have been more reluctant to force defendants to turn over passwords, seeing this as more of a clear Fifth Amendment violation.) Not surprisingly, this turnaround time is considered unacceptable, hence the arms race of private company vs. private company to gain (and maintain) control of a smartphone's contents.

Even considering the oft-abused Third Party Doctrine, it would seem that a warrantless search of a smartphone would be a Fourth Amendment violation. There's just too much information stored on the average smartphone to be compared to anything found on a person during a normal search. And, as a New York law student recently asked Supreme Court Justice Antonin Scalia, isn't searching someone's computer roughly equivalent to their "effects," Fourth Amendment-wise? For all intents and purposes, a smartphone is a portable computer, loaded with a person's "effects" and creating a time/date/location "event" every time it pings a cell tower.

Considering how much info can be gathered from a single smartphone, It's little wonder law enforcement wants to peek at arrestees' smartphones, but the courts need to do a bit of catching up to today's cellphone realities. And there needs to be more attention paid to the fact that law enforcement agencies are partnering with private companies to crack phones, apparently without asking for a warrant first.

Filed Under: fifth amendment, fourth amendment, law enforcement, mobile phones, passwords, police