Keeping police out of your smartphone is a tough proposition.
By Chris Soghoian:
Smartphones can be a cop's best friend. They are packed with private information like emails, text messages, photos, and calling history. Unsurprisingly, law enforcement agencies now routinely seize and search phones. This occurs at traffic stops, during raids of a target's home or office, and during interrogations and stops at the U.S. border. These searches are frequently conducted without any court order.
Several courts around the country have blessed such searches, and so as a practical matter, if the police seize your phone, there isn't much you can do after the fact to keep your data out of their hands.
However, just because the courts have permitted law enforcement agencies to search seized smartphones doesn't mean that you—the person whose data is sitting on that device—have any obligation to make it easy for them.
The Android mobile operating system includes the capability to lock the screen of the device when it isn't being used. Android supports three unlock authentication methods: a visual pattern, a numeric PIN, and an alphanumeric password.
The pattern-based screen unlock is probably good enough to keep a sibling or inquisitive spouse out of your phone (provided they haven't seen you enter the pattern, and there isn't a smudge trail left behind from a previous unlock). However, the pattern-based unlock method is by no means sufficient to stop law enforcement agencies.
After five incorrect attempts to enter the screen unlock pattern, Android reveals a “forgot pattern?” button, which gives the user an alternative way of gaining access: entering the email address and password of the Google account already associated with the device (for email and the App Market, for example). After 20 incorrect pattern attempts, the device locks itself until a correct username/password pair is entered.
What this means is that if provided a valid username/password pair by Google, law enforcement agencies can gain access to an Android device that is protected with a screen unlock pattern. As I understand it, this assistance takes the form of two password changes: one to a new password that Google shares with law enforcement, followed by another that Google does not share with the police. This second password change takes place sometime after law enforcement agents have bypassed the screen unlock, which prevents the government from having ongoing access to new email messages and other Google account-protected content that would otherwise automatically sync to the device.
Anticipatory warrants
As The Wall Street Journal recently reported, Google was served with a search warrant earlier this year compelling the company to assist agents from the FBI in unlocking an Android phone seized from a pimp. According to the Journal, Google refused to comply with the warrant. The Journal did not reveal why Google refused, merely that the warrant had been filed with the court with a handwritten note by an FBI agent stating, "no property was obtained as Google Legal refused to provide the requested information."
It is my understanding, based on discussions with individuals who are familiar with Google's law enforcement procedures, that the company will provide assistance to law enforcement agencies seeking to bypass screen unlock patterns, provided that the cops get the right kind of court order. The company insists on an anticipatory warrant, which the Supreme Court has defined as “a warrant based upon an affidavit showing probable cause that at some future time, but not presently, certain evidence of crime will be located at a specific place.”
Although a regular search warrant might be sufficient to authorize the police to search a laptop or other computer, the always-connected nature of smartphones means that they will continue to receive new email messages and other communications after they have been seized and searched by the police. It is my understanding that Google insists on an anticipatory warrant in order to cover emails or other communications that might sync during the period between when the phone is unlocked by the police and the completion of the imaging process (which is when the police copy all of the data off of the phone onto another storage medium).
Presumably, had the FBI obtained an anticipatory warrant in the case that the Wall Street Journal wrote about, the company would have assisted the government in its attempts to unlock the target's phone.
For real protection you need full-disk encryption
Of the three screen lock methods available on Android (pattern, PIN, password), Google only offers a username/password based bypass for the pattern lock. If you'd rather that the police not be able to gain access to your device this way (and are comfortable with the risk of losing your data if you are locked out of your phone), I recommend not using a pattern-based screen lock, and instead using a PIN or password.
However, it’s important to understand that while locking the screen of your device with a PIN or password is a good first step towards security, it is not sufficient to protect your data. Commercially available forensic analysis tools can copy all data directly off a device onto external media. Encryption cannot stop that copying, but it makes the copied data unreadable without the key, which is why encrypting the data stored on a device matters.
Since version 3.0 (Honeycomb) of the OS, Android has included support for full disk encryption, but it is not enabled by default. If you want to keep your data safe, enabling this feature is a must.
Unfortunately, Android currently uses the same PIN or password for both the screen unlock and disk decryption. This design decision makes it extremely likely that users will pick a short PIN or password, since they will probably have to enter their screen unlock dozens of times each day. Entering a 16-character password before making a phone call or obtaining GPS directions is too great a usability burden to place on most users.
Using a shorter letter/number PIN or password might be good enough for a screen unlock, but disk encryption passwords must be much, much longer to be able to withstand brute force attacks. Case in point: A tool released at the Defcon hacker conference this summer can crack the disk encryption of Android devices that are protected with 4-6 digit numeric PINs in a matter of seconds.
Hopefully, Google's engineers will at some point add new functionality to Android to let you use a different PIN/password for the screen unlock and full disk encryption. In the meantime, users who have rooted their device can download a third-party app that will allow you to choose a different (and hopefully much longer) password for disk encryption.
What about Apple?
The recent Wall Street Journal story on Google also raises important questions about the phone unlocking assistance Apple can provide to law enforcement agencies. An Apple spokesperson told the Journal that the company "won't release any personal information without a search warrant, and we never share anyone's passcode. If a court orders us to retrieve data from an iPhone, we do it ourselves. We never let anyone else unlock a customer's iPhone."
The quote from Apple's spokesperson confirms what others have hinted at for some time: that the company will unlock phones and extract data from them for the police. For example, an anonymous law enforcement source told CNET earlier this year that Apple has for at least three years helped police to bypass the lock code on iPhones seized during criminal investigations.
Unfortunately, we do not know the technical specifics of how Apple retrieves data from locked iPhones. It isn't clear if they are brute-forcing short numeric lock codes, or if there exists a backdoor in iOS that the company can use to bypass the encryption. Until more is known, the only useful advice I can offer is to disable the “Simple Passcode” feature in iOS and instead use a long, alpha-numeric passcode.
“About 90% of Americans are walking around with a portable tracking device all the time, and they have no idea.” – Christopher Calabrese, lawyer with the American Civil Liberties Union’s Washington office, “What Your Cell Phone Could Be Telling the Government,” By Adam Cohen, 2010.
“I can tell you that everybody that attended an Occupy Wall Street protest, and didn’t turn their cell phone off – and sometimes even if they did – the identity of that cell phone has been logged, and everybody who was at that demonstration, whether they were arrested, not arrested, whether their photos were ID’d, whether an informant pointed them out, it’s known they were there anyway. This is routine.” – Privacy SOS
“The most common characteristic of all police states is intimidation by surveillance. Citizens know they are being watched and overheard. Their mail is being examined. Their homes can be invaded.” – Vance Packard, American journalist.
“Every object the individual uses, every transaction they make and almost everywhere they go will create a detailed digital record. This will generate a wealth of information for public security organizations, and create huge opportunities for more effective and productive public security efforts.” – EU Council Presidency paper.
http://www.aclu.org/blog/technology-and-liberty-national-security-free-speech/keeping-government-out-your-smartphone
http://endthelie.com/2012/09/28/big-brother-is-already-here/
Fifth Circuit Magistrate Judge Smith responds to cell phone privacy and how it affects every American.
By Orin Kerr:
Although I wasn’t planning to post any more on the Fifth Circuit cell-site case, I happened to notice that Magistrate Judge Smith recently posted a new essay on SSRN that is in significant part a response to my amicus brief and my criticisms of his decision. I thought it only fair to point readers to his paper and explore Smith’s argument in some detail. I’ll then offer my thoughts in response at the end.
In his essay, Standing Up for Mr. Nesbitt, forthcoming in the University of San Francisco Law Review, Smith argues that magistrate judges must “stand up” and protect ordinary citizens from “an increasingly surveillance-happy state” because “Congress and the Supreme Court have yet to do so.” None of the three branches of government are standing up to protect the ordinary citizen, Smith argues. The Executive Branch can’t regulate itself, and Congress has not addressed some important issues effectively. The Supreme Court has failed to step in, too, as it has hardly touched electronic privacy and it has expressed caution about its own role in recent decisions. With all three branches failing to protect the ordinary citizen, Smith argues, magistrate judges must step in and “play goalie for the missing side.” That is, magistrate judges must correct for the failures of the three branches by representing the side of the target of the investigation. He explains:
Almost by default, then, these matters have been left to the lowest limb of the Judicial Branch, the magistrate judge. Unlike the Supreme Court we don’t have the luxury of picking and choosing our cases, waiting until various appellate courts have weighed in with their considered judgment on difficult or novel issues of law. We are on the front lines, grappling hand to hand with the various, novel, and creative surveillance technologies deployed by law enforcement. . . . Under these circumstances, it necessarily falls to the magistrate judge to ensure that the target’s legal rights are respected. [The magistrate judge's] role is not that of an umpire calling balls and strikes, but more like a referee in a one-sided soccer match forced to play goalie for the missing side.
Smith acknowledges that it is difficult to decide cases in ex parte proceedings with no actual factual record, but he reasons he can do so under the legislative fact doctrine. The Supreme Court has relied on legislative facts outside the record in its major rulings on applying the Fourth Amendment to new technologies such as Berger v. New York, Smith v. Maryland, and Kyllo v. United States. If the Supreme Court can rely on legislative facts outside the record, Smith reasons, then magistrate judges should be able to create a record in an ex parte proceeding by doing their own Internet research and announcing the results of their research as “the facts”:
A magistrate judge forced to decide such questions as a matter of first impression need not hesitate to use the same tools, extra record or not, that appellate courts regularly employ for the same task. And the digital revolution has made that tool more powerful than ever, with massive amounts of information “just a Google search away.”
Smith then turns directly to my criticism of his decision. He begins by saying that I argued that “magistrate judges are never permitted, much less forced, to decide constitutional questions unless a statute expressly confers such authority.” I haven’t made such an argument, so I’m not sure exactly what he has in mind. Smith then directly addresses my argument that the issues are not ripe at the time of the application. Although Smith calls this argument “profoundly misguided,” he unfortunately does not address any of the case law or mention the Fifth Circuit’s ripeness standard. Instead, Smith makes three broader arguments for why he believes he has the power to rule on the constitutionality of the execution of the search at the time of the application for a 2703(d) order.
First, Smith argues that warrant applications are inherently prospective, so the fact that magistrate judges can rule on probable cause and particularity in warrant applications implicitly confers power to rule prospectively in Fourth Amendment cases generally. Second, Smith argues that the Supreme Court’s scheme of remedies is inadequate to protect privacy if magistrate judges don’t rule prospectively: Supreme Court doctrines limiting the scope of the exclusionary rule mean that appellate courts are not in a position to adequately protect privacy. Third, Smith argues that the absence of any other legal actor and the judicial oath require magistrate judges to “stand up” for targets of investigations:
Magistrate judges swear an oath to uphold the Constitution, the same judicial oath taken by Article III judges. When a federal agent walks into our chambers to request an electronic surveillance order, there is nobody there but us to make sure the Constitution is followed. If we sign a warrant that in our considered opinion violates the Fourth Amendment, then we have violated our solemn oath.
I think Judge Smith’s perspective is fascinating, and I appreciate his response and attentiveness to academic criticism. At the same time, I think his perspective is deeply misguided. Judge Smith assumes that if none of the three branches of government created by the Constitution are protecting privacy in ways that he finds sufficient, then he has an inherent power to intervene and restore balance. He thus envisions magistrate judges as a kind of Fourth Branch that can and should step in when the other three branches of government are not doing enough. They can “stand up” for privacy when the three branches of government haven’t acted yet. I have a lot of respect for the hard-working magistrate judges in our federal system, but Smith’s understanding flips the tripartite scheme of the United States Constitution on its head. Magistrate judges are only adjuncts to Article III judges. They don’t have the power to enact corrective rules in response to Supreme Court decisions that they personally find inadequate or statutes that they don’t think have been amended by Congress with appropriate speed.
I’ll go into more detail on the problems with Judge Smith’s analysis below the fold...
First, Judge Smith appears to misunderstand the difference between legislative facts and adjudicative facts. In Judge Smith’s telling, adjudicative facts are facts about a particular case, while legislative facts are “generalized facts about the world.” Smith thus uses the ex parte nature of the application process to take the adjudicative facts as to how the Fourth Amendment will apply and to just re-label all the facts as legislative facts. That is, since Smith doesn’t actually know the facts of this particular case, he applies the law to a generalized set of facts that he imagines are the usual facts. Because the generalized set of facts is not based on any specific case, he calls those facts “legislative facts” and he applies the law to the legislative facts to reach his holding. But this is just sleight of hand, not legal analysis. Under Fifth Circuit precedent on the distinction, legislative facts are facts that are universally true, while adjudicative facts are facts that can vary from case to case. See United States v. Bowers, 660 F.2d 527, 531 (5th Cir. 1981). By denying the order because the Fourth Amendment will be violated based on the facts he has announced, Judge Smith is obviously treating those facts as adjudicative facts — that is, facts that are being taken as the facts in this case but that might be different in other cases. Because the facts he announces are treated as the factual record in the case, and the facts over which the law is applied, they are adjudicative facts rather than legislative facts.
Second, Judge Smith’s argument about search warrants being prospective is also erroneous. Smith ignores the critical difference between the facial validity of an application for an order and the lawfulness of the order’s execution. See United States v. Grubbs, 547 U.S. 90, 97–99 (2006) (holding that ex ante restrictions on searches pursuant to warrant must be limited to the facial requirements of particularity and probable cause, with an ex post right “to suppress evidence improperly obtained and a cause of action for damages” based on the unlawful execution of the search). Facial validity is an ex ante check of the government’s interest in the case that is clear from the four corners of the application. In contrast, the lawfulness of an order’s execution requires an ex post fact-specific analysis of specifically what the police did when they carried out the order. See Kerr, Ex Ante Regulation of Computer Search and Seizure, 96 Va. L. Rev. 1241, 1291–92 (2010). Of course magistrate judges have to ensure that applications are facially valid ex ante. Thus, in the case of a warrant, they need to determine if the affidavit establishes probable cause and the proposed warrant is sufficiently particular; in the case of a 2703(d) order, they need to determine if the application established specific and articulable facts; and in the case of a pen register order, they need to determine if the required certification has been made. But these ex ante checks are not prospective. Rather, they are limited to whether the application satisfies the relevant facial requirements of the order, regardless of how the order will be executed.
Third, Judge Smith’s point about the judicial oath and the need to follow the Constitution misses the point entirely. The limits of Article III are just as much a part of the Constitution as the Fourth Amendment is. Indeed, the limits on Article III are the parts that regulate judges directly: They make it a violation of the U.S. Constitution for judges to rule on disputes that are not ripe. The idea that Judge Smith cannot be cabined by ripeness doctrine in his efforts to protect the Fourth Amendment is akin to arguing that Judge Smith must violate the Constitution in order to save it. Surely that can’t be right.
http://www.volokh.com/2012/09/28/fifth-circuit-cell-site-case-magistrate-judge-smith-responds-and-defends-his-decision/
For more info read: "Do Users of Wi-Fi Networks Have Fourth Amendment Rights Against Government Interception?"
http://www.volokh.com/2012/09/24/fourth-amendment-rights-for-users-of-wi-fi-networks-both-encrypted-and-unencrypted/