Questions about cell phone privacy and security have been asked a lot lately, so let’s take a look at the current state of encryption and phone privacy focusing on California. There are two big parts of the question: what is stored on your phone and what information is stored somewhere else. We’ll examine both in this post. It is important to keep in mind that nailing these topics down is a moving target because so much is unsettled law.
Information on Your Phone
As an initial matter, it is important to remember that law enforcement can view anything on your phone if you consent. This occurs when people are being questioned by police and they voluntarily unlock their phones and hand them over. Without consent, law enforcement has some hurdles to clear and a few factors need to be considered.
Do They Need A Warrant?
Unless you consent to the search, generally yes, they need a warrant. In the 2014 case Riley v. California, the U.S. Supreme Court held that police cannot search someone’s phone incident to the arrest. This means that just because you get arrested, the police cannot automatically search your phone. Now law enforcement must get a warrant before trying to access a phone.
In 2016, California codified the Riley decision and added a lot of clarity to this area. This law, dubbed the Electronic Communications Privacy Act, was passed and has been in force since January 1, 2017. It made changes to the Penal Code and now requires that law enforcement obtain a warrant before obtaining any electronic communications or electronic device information. Electronic device information is defined as “any information stored on or generated through the operation of an electronic device, including the current and prior locations of the device.” Now it is clear that California law enforcement needs warrants to access electronic information. This law is broader than the Riley decision because it covers information stored off the phone, like cell site records. This law was a welcome clarification of both existing case law and a patchwork of outdated federal laws. While law enforcement interests did not approve, it was broadly welcomed by the tech community and consumer advocates. This law does not apply to federal law enforcement even if they’re operating in California.
While warrants are referred to as the “gold standard” for privacy protection in the United States, it is important to keep in mind that the threshold for issuance of a warrant is quite low. The standard for issuing a warrant is met if “there is a fair probability that contraband or evidence of a crime will be found in a particular place.” (Illinois v. Gates (1983) 462 U.S. 213, 238.) Once a warrant is issued, a reviewing court will give it “great deference.” Some practitioners have described the Gates “fair probability standard” as “the realm of possibility.” Many would also agree that the saying “a grand jury would indict a ham sandwich” applies at least as well to getting warrants.
What If My Phone Is Locked?
Many cell phones are not secure enough to withstand sophisticated attempts to bypass the security whether from law enforcement or for nefarious reasons. The FBI was able to access information in 87% of cell phones, including more than half that had passcodes enabled. Many people do not take advantage of all the security options their phones offer. It is important to understand the features of your particular phone and the settings that you are using.
The flagship models from the major manufacturers like Apple’s iPhone and Samsung’s Note and Galaxy allow users to set up passwords that encrypt the device. The iPhone has included encryption since iOS 4 and the iPhone 3GS. The security got beefed up substantially in iOS 8. Android phones are a more mixed bag because the operating system comes on models from many manufacturers. Once a phone is encrypted it is much more difficult for anyone to access whether a thief or law enforcement.
What Is Encryption?
Encryption is a process that converts and encodes information into an unreadable form (cipher text) that cannot be easily understood by unauthorized people. Apple describes encryption as a process that “turns your data into indecipherable text that can only be read by the right key.” The encryption key is not stored anywhere including on the device or by the manufacturer. That means that Apple cannot unlock encrypted phones.
Apple uses 256-bit AES encryption on the iPhone and similar 128-bit encryption on iCloud stored information. This type of encryption has not been publicly cracked and is considered very secure. Some people speculate that the NSA may or may not be able to crack it.
The second layer of security offered on some smart phones is that they will erase automatically after 10 incorrect password attempts. The iPhone has this setting. It prevents an unauthorized user from using a brute-force attack, entering the possible passwords one after another.
Can They Make Me Unlock My Phone?
Some courts have ruled that forcing you to divulge your passcode would violate your Fifth Amendment right against self-incrimination. This seems logical. The police are asking you to say something “from your mental process that is akin to testimony that could be incriminating.” That is exactly what the Fifth Amendment protects against. For fingerprints, however, it may be different. At least one court has ruled that the police can force you to unlock your phone with your fingerprint. The police have also gotten a replica made of a deceased person’s finger and used that to unlock a cell phone.
What Was The Deal With Apple And The FBI?
Last year, Apple made waves by refusing to comply with FBI requests to unlock an iPhone that belonged to Syed Farook, who killed 14 people in the San Bernardino shooting in December 2015.
The thrust of the FBI’s argument rested on the New York Telephone case from 1977 that interpreted a law, the All Writs Act, first passed in 1789. That case involved a telephone company that was compelled to help law enforcement install a pen register device that would record numbers dialed from a suspected gambling operation. The Supreme Court found that the phone company was closely related to the issue because the phone lines were used in the crime. The Supreme Court also found that the FBI needed only “meager assistance” to install the pen register and the company would not be burdened by the request. So, because of the closeness and limited burden, the Court found it was reasonable to make the phone company help the FBI.
Following the reasoning from New York Telephone, a federal judge ordered Apple to provide “reasonable technical assistance” to unlock the iPhone 5c for the FBI. Apple vigorously opposed the judge’s order on many grounds. Apple argued that New York Telephone did not apply because the assistance requested was much more significant than “meager” because writing new code would take significant time and engineering. Apple also argued that the order violated its First Amendment rights. On the First Amendment claim, Apple argued that the FBI was requiring it to write code. Code is protected speech and this particular speech is abhorrent to Apple’s viewpoint. Further, Apple CEO Tim Cook explained that if his company made the “backdoor” through iOS encryption the tool “would be the equivalent of a master key, capable of opening hundreds of millions of locks.”
However, the FBI withdrew its request before the Court ruled on Apple’s opposition. The FBI had paid an outside party over $1.2 million—variously reported to be Israeli company Cellebrite or some gray hat hackers—and has kept its method classified.
How Does Law Enforcement Get Into Locked Phones?
It is interesting to note that Cellebrite provides products to many local law enforcement agencies as well. These products allow law enforcement to analyze cell phones without relying upon the manufacturer or service provider. According to Cellebrite, their products:
- Bypass user locks, recover application data and reveal deleted data from the widest range of devices in the mobile forensic market, including the leading smartphones
- Decode rich sets of encrypted and non-encrypted data and narrow results to certain date and time frames, or a maximum or minimum number of events, including:
  - Calls, SMS, MMS
  - Media, emails, calendar and contact files
  - Location information decoded from apps, GPS, cell towers, Wi-Fi networks and media files
A leaked report from ZDNet shows an actual Cellebrite extraction. The company openly advertises its services as a way to bypass locked phones. At least publicly, it does not appear that law enforcement has a workaround for encryption on iPhones newer than the 5c.
Update 2/24/17: Cellebrite’s director of forensic research confirmed the company’s capability to extract current iPhone models. Read more about Cellebrite’s newest tools at Cyber Scoop.
Cellebrite's CAIS now supports lawful unlocking and evidence extraction of iPhone 4S/5/5C/5S/6/6+ devices (via our in-house service only).
— Shahar Tal (@jifa) February 22, 2017
What Does All This Mean?
First, there is not a consensus among tech companies and phone providers about how to respond to law enforcement requests. At least with the new California law, state law enforcement must have a warrant. While Apple opposed the FBI requests as they jeopardized the cell phone privacy and security of its biggest product, some companies don’t bat an eye over helping. Also remember that Apple itself cannot access newer encrypted iPhones. However, the biggest takeaway is that the dispute was not settled and many battles will be waged moving forward.
Information Not Stored On Your Phone
What Exactly Is Stored Somewhere Else?
There are volumes of electronic information that people think of as “phone information” which is not actually stored on the phone. This means that the considerations about encrypted phones do not apply. This information includes your phone backups to the cloud and information cellular providers store about your calls.
As you use a smart phone, it communicates with your service provider and any cloud services that you use. The new California law requiring a warrant covers information maintained by your service provider and the information stored in the cloud. Again, this law does not apply to federal law enforcement. The law in this area is murkier than searching what is stored locally on your smartphone.
Your Phone May Be In The Cloud
Many cell phones store information on remote servers. These cloud services can be backup storage that protects against you losing data or they can provide on-demand access to documents without using up local storage on the phone. The common services are Apple’s iCloud and Google Drive.
Apple still responds to law enforcement warrants for iCloud backups. These backups can contain virtually all the information from an iPhone:
- Subscriber information, including: name, physical address, phone number, IP connection log for 30 days
- Emails and mail logs
- Photos and videos
- Calendar, reminder, and notes
- iMessage and SMS text messaging
- Voice mail
- Device settings
- Application data
- Call history
Apple’s ability to produce this data is a big departure from what is stored locally on the phone. As smart phones gain in sophistication, the ins and outs of what is stored locally and how it is secured will continue to grow in complexity. Consumers need to be cognizant of the degree to which particular data is secured.
Service Providers Have Information Too
Call detail records include information about numbers called and duration of the calls. Cell service providers respond to hundreds of thousands of law enforcement requests per year. One of the big pieces of information that is not stored on your cell phone concerns which cell towers your phone is connecting to. Providers keep information about the towers your phone has connected to, where those towers are located, and when those connections were made. Law enforcement argues that such information helps locate people at particular times. These records can be historical or collected in real time.
Even though the pen registers from New York Telephone feel like something from a bygone era, they are still used today. Sprint reported that they helped law enforcement with 22,000 pen register requests in 2012.
A document obtained by the ACLU from the U.S. Department of Justice shows what providers collect and how long the data is retained:
Law Enforcement Collects Data Directly Too
Many law enforcement agencies also use a device called a Stingray that simulates a cell phone tower to locate and even intercept communications from cell phones. Stingray devices can also subject innocent people in the vicinity of the suspect to government intrusion. The case law with these devices is unsettled but at least one federal court has ruled that “[a]bsent a search warrant, the Government may not turn a citizen’s cell phone into a tracking device.”
Is The Law Going To Change Any Of This?
After the FBI and Apple dispute there were California, New York, and federal laws proposed concerning phone encryption. The California bill did not make it out of committee and the federal bill was so maligned that it was never officially introduced. However, more bills along the same lines will surface.
What Do These Bills Propose?
2016 California Assembly Bill 1681 proposed a law that would have penalized cell phone manufacturers for selling phones that they could not decrypt. The bill did not outlaw encrypted cell phones outright but it would have made encrypted cell phones unfeasible because it put the manufacturer on the hook permanently for financial penalties.
Is This A Good Thing?
In the famous Hamlet soliloquy, Shakespeare referenced “the law’s delay.” Things have not changed. The legal and legislative process is continuing to have growing pains dealing with the advancement of technology. While the law is not going to ever match Moore’s Law, that the power of computing doubles roughly every two years, it is making constant adjustments and tweaks.
In Riley v. California Chief Justice John Roberts showed an appreciation for the massive role that cell phones play in society: “The term ‘cell phone’ is itself misleading shorthand; many of these devices are in fact minicomputers that also happen to have the capacity to be used as a telephone. They could just as easily be called cameras, video players, rolodexes, calendars, tape recorders, libraries, diaries, albums, televisions, maps, or newspapers.”
This was an important step because the scope and importance of the device must be understood before good policy can be formed or good rulings can be made. The stakeholders in these debates have been business interests concerned with maintaining technological progress and not opening up Pandora’s Box for liability, consumers wanting to protect privacy, and law enforcement concerned with safety.
What Is Coming Up Next?
The case law and legislation about last year’s dispute concerning cell phone privacy and security are not settled and others are also beginning to brew. “Smart” connected homes will become more mainstream along with the expansion of the Internet of Things (IoT). This will present issues concerning third-party access to information from home thermostats to live cloud-based video camera storage. Further, issues with personally identifiable information (PII) will continue to come up.
In August, Apple applied for a patent that would record the fingerprint and take a picture of unauthorized users. Thus, people (whether a friend picking up your iPhone or a thief trying to access your phone) would have their fingerprint and picture stored on your phone. While many definitions of PII include fingerprints, current laws have not contemplated many of the current and proposed applications.
A related issue is the piecemeal nature of much tech-related law with different definitions for the same thing. The California definition of PII that can be collected during a credit card transaction is different and much broader. In the context of credit card purchases, the California Supreme Court found that collection of a zip code during a purchase violated the law. Plaintiffs prevailed on many class action lawsuits after litigating something that was not contemplated when the law was being proposed.
The challenge to the legislative and legal system will be to appreciate the speed of the advancements and massive scope of the issues. A slow and myopic approach will result in disparate results in the criminal justice realm and much litigation in the civil.