
Warrantless cell phone search gets a green light in California - shawndumas
http://arstechnica.com/tech-policy/news/2011/01/warrantless-cell-phone-search-gets-a-green-light-in-california.ars
======
tptacek
The police do not require a warrant to search your immediate person (also your
bags and your car) incident to an arrest.

They can't search you _without_ arresting you, and they can't arrest you for
literally no reason and have that stand (and, apparently, they generally won't
arrest you for no reason if you don't provoke them while being detained _and_
sound like you know enough to tell a lawyer what's happened). "Arrest" has a
very specific meaning and is a big deal.

This guy got arrested, apparently during a hand-to-hand drug sale to an
informant. He was screwed no matter what.

There are grey areas at play here, but if your phone has no security and they
can literally just push a button to see your text messages, I'm not even
remotely surprised that what they find there is admissable as evidence. They
had the contents of your pockets and your bag. If you had "4 for 80" written
in a piece of paper (and, damn, X is expensive!) in a notebook in your bag,
that would _clearly_ be admissable after an arrest. Why is your phone
different?

If you don't want this to happen to you, PIN-lock your phone. They'll ask you
for the PIN. You'll refuse. They'll get a warrant almost instantly, and then
you won't be able to refuse anymore. So, also, if you don't want this to
happen to you, _don't get arrested._

This headline is extremely misleading. The police in California cannot simply
dragnet cellphones. They have to arrest you first.

~~~
ryanwaggoner
_If you don't want this to happen to you, PIN-lock your phone. They'll ask you
for the PIN. You'll refuse. They'll get a warrant almost instantly, and then
you won't be able to refuse anymore._

I was under the impression that in the US you can't be compelled to disclose
your password or encryption key, even with a warrant.

<http://en.wikipedia.org/wiki/Key_disclosure_law>

~~~
tptacek
It looks like you're totally right to point this out, but the situation is not
"you have the right to refuse to disclose a key"; its, "you may or may not
also be charged with obstruction if you refuse a warrant that demands a key,
and the case law isn't settled".

Since we're talking about PINs here, by the way, this is a moot point;
presumably any major LEO can contract out "recover data on PIN-protected
phone".

~~~
phuff
Having worked for a computer forensic software company I can tell you that
these days they most likely don't have to contract it out even... It's cheap
enough that a lot of departments have people on staff who can recover data
easily from all kinds of devices.

~~~
gst
If you use the SIM cards SMS storage (on a GSM phone) it's not that trivial to
obtain the PIN. However, it's very likely that your mobile provider is able to
gain access to the card (e.g., by using the PUK code to reset your PIN code).

Other means would be to use an application such as TextSecure (for Android)
that uses public key encryption to immediately enrypt all incoming SMS and
that requires a password to unlock the private key needed to decrypt the SMS.

In the long-term what I'm waiting for is some open-source Android fork that
provides full-root encryption using LUKS. This should suffice in preventing
others from reading your messages.

------
techsupporter
I wonder how this would fare if the device had been secured with a PIN or some
other password. Are we now back around to a situation similar to the
warrantless searches US Customs and Border Patrol can do when crossing a
border?

Edited to add: I just perused the decision linked to in the article[1] and it
doesn't appear that the court addressed that issue. The majority's decision
does make reference to a "locked footlocker" that was opened without a
warrant, and that the US Supreme Court ruled that the search was invalid
because it was "distant from the arrest." It doesn't seem to address breaking
open the lock.

1 - <http://www.courtinfo.ca.gov/opinions/documents/S166600.PDF>

~~~
tptacek
No. If you had read the article carefully, you'd find that the person who had
been searched had already been arrested (and with very strong PC). Every ACLU-
style "Know Your Rights" video makes this distinction clear: it is _not_ like
at the US border, where you can be searched for no reason; there are very
specific cases where you can and can't refuse searches.

Unlike --- I might add --- large stretches of Europe, where police have far
stronger rights to search personal property.

~~~
techsupporter
I understand that the person had been arrested and was in custody. The
question I have is whether or not the police could have demanded the password
from his phone if one existed, and what consequences would result from his
refusal to provide it. The reference to CBP's searches is that there is some
question as to whether or not someone must provide the password to a secured
device during an otherwise-legal search.

~~~
gst
I was under the impression that there is no law in the US that requires me to
surrender my password. Has there been any court decisions requiring people to
surrender passwords?

~~~
jrockway
No, there haven't been. There is always unencrypted evidence, so nobody really
cares.

------
dantheman
This seems quite dangerous, as we push more and more data into the cloud and
use cell phones as the a way to access it. Does this mean when you are
arrested, they can read all your emails, get your bank information, amazon
shopping history, etc as long as the access is on your phone? If you have a
laptop can they do the same thing?

~~~
tptacek
There's going to be an interesting Supreme Court case when the police bother
to recover a Gmail session cookie from someone's phone or laptop and use it to
dive into their email. My guess is the Gmail account owner will win, because
when you seize my housekey during an arrest, you do not get to search my
house.

The reason this hasn't happened already, though, is that the police aren't
generally trawling through the Gmail accounts of drug suspects. They have more
drug suspects on eyewitness and hand-to-hands than they can deal with; read
_Cop in the Hood_ for examples of state prosecutors refusing to pursue cases
because drugs seized from suspects "could, for all the apprehending officer
knew, have been an Oreo cookie".

This is mostly just a fun topic to chatter about.

------
tibbon
Can they compel you to give your phone's password? Otherwise, when in Cali I'm
just going to use a password to lock my iPhone

~~~
tptacek
Password locking your iPhone is not a forensically secure technique. A better
idea would be to keep anything incriminating off it, and (obviously) not to
get arrested.

~~~
liuhenry
I know that the iPhones are notoriously bad at securing data when the device
is on, but what about the remote wipe option? It's my understanding that 3GS
and 4 phones have encrypted HDDs, with the remote wipe clearing the keys. I'm
no expert, but wouldn't that be equivalent to any other disk encryption
technique (which, to my knowledge, is practically unbreakable if keys are
unavailable)?

~~~
Xuzz
If they power it off, using the same exploits as the iPhone jailbreaks (and
using forensic tools by Jonathan Zdziarski; <http://twitter.com/JZDZIARSKI>)
they can easily recover the data.

Before the boot-up ROM used on the iPhone was exploited, though, this was much
more difficult (if not impossible).

