Forgot your password?
typodupeerror
Encryption Cellphones Communications Handhelds Privacy IT

Encrypt Your Smartphone — Or Else 304

Posted by timothy
from the red-phone-repeat-red-phone dept.
pin0chet writes "Modern smartphones contain ever-increasing volumes of our private personal data — from text messages to images to emails — yet many smartphone security features can easily be circumvented by thieves or police officers equipped with off-the-shelf forensics equipment. Worse, thanks to a recent California Supreme Court ruling, police officers may be able to search your smartphone for hours without a warrant if you're arrested for any reason. Ars Technica has an article exploring the legal issues surrounding cell phone searches and explaining how you can safeguard your smartphone from the prying eyes of law enforcement officers."
This discussion has been archived. No new comments can be posted.

Encrypt Your Smartphone — Or Else

Comments Filter:
  • How? (Score:5, Insightful)

    by sirsnork (530512) on Tuesday January 18, 2011 @09:28PM (#34922994)
    I read this yesterday and it basically says "No apps can actually encrypt your entire phone, so buy a Blackberry". They point to some apps that will selectivly encrypt parts of your data but none seem to do all of it. I found myself wondering about the headline if for %99 of the phone sout there it's actually impossible.
    • Re: (Score:2, Insightful)

      by Lehk228 (705449)
      blackberry still has a huge install base, far huger still if you only consider phones with anything worth stealing on them. blackberries access things like corporate and government secrets, iphones access things like angry birds and youtube.
    • Re:How? (Score:4, Informative)

      by Gaygirlie (1657131) <gaygirlie@NOsPAM.hotmail.com> on Tuesday January 18, 2011 @10:07PM (#34923256) Homepage

      I found myself wondering about the headline if for %99 of the phone sout there it's actually impossible.

      I guess in most cases it is indeed impossible to encrypt everything; apps simply don't have low enough access to the filesystem and there is no way to use an encrypted filesystem. Parts of your data would always remain unencrypted and be recoverable.

      Android is very malleable but I doubt even that would support such without some heavy modifications. My Nokia N900 on the other hand could sport encrypted filesystems and home directory, thus encrypting everything but it's such a unique little thing that that's of no help here.

    • Re:How? (Score:5, Informative)

      by teridon (139550) on Tuesday January 18, 2011 @10:27PM (#34923356) Homepage

      Blackberries can be securely encrypted, but it caused me a unforeseen problem.

      I use my blackberry to filter incoming emails and alert me based on the message contents (or subject, sender, time of day, etc.) You can't do that with the default email program -- you have to get a third-party app.

      Unfortunately, if you encrypt the phone, the third-party app can't read the incoming emails anymore. It seems to be a platform limitation. (If someone can prove me wrong, please do so!) I *want* to encrypt my blackberry, but it would then become basically useless to me.

      I have a password on it, of course, but that's not nearly as good as using device encryption.

    • My iPhone is set with a non-PIN password, which will wipe the phone after 10 bad entries.

      The solution, if you have recent backups, is to nuke the phone (entering 10 bad attempts) immediately upon being pulled over in your car... it would be nice if you could say, enter a "self-destruct" password and just do it with one go, but 10 is easily doable (10 blank entries, for example).

      It's sad we have to resort to these tactics, but it is wise if you have any even marginally questionable content or are worried abo

      • then they get you on 'destroying evidence'.

        citizen: ANYTHING you do can be construed as a violation of SOME US law. there are over 10k laws in the US! we are all breaking the law 5 times a day, at least, technically.

        (this was done on purpose. when you are always able to be arrested, it keeps the population 'in check'. ie, afraid to speak up.)

        • Here's the argument from the article again, we all break the laws several times a day without knowing, but the police know and will put us all in prison or worse for crimes we didn't commit or for things that shouldn't be "crimes" in any non-fascist society.

          This accusation of unjust incrimination for everyone and everything is the crucial difference between the Police and the Gestapo, yet no one bothered to name a single situation, example or proof, where this could happen.

          If there are 10.000 laws in the US

      • Have you actually tried this? I just did. I intentionally biffed the passcode 6 times and it locked the phone for 1 minute. After the minute was up I intentionally biffed it again. It then locked the phone for 5 minutes. I did not bother to complete the experiment.

        You can't get rid of your data that quickly. It makes sense. Otherwise some joker at work could get hold of your phone and cause you instant grief for the rest of the day.

    • by fermion (181285)
      I can't really see the need for encryption of a data on my phone. I encrypt the hardisk of my computer I carry around because I am not willing to lose that data at a whim. There is nothing on my phone that is not redundant. There are any number of way to wipe the phone, and I suspect that anyone who plays with the phone will wipe the data. That is fine with me. If I do it accidentally, it is a simple restore.
  • by intellitech (1912116) * on Tuesday January 18, 2011 @09:31PM (#34923032)
    I use TextSecure [whispersys.com] by Whisper Systems for text messaging. It's currently in beta, but secure sessions are easy to set up, and the whole application, in general, is working out quite well for me. Better than the stock messaging application in CyanogenMod [cyanogenmod.com], at least.
    • by s0litaire (1205168) on Tuesday January 18, 2011 @10:25PM (#34923342)

      Come on!
      HTC's stock SMS program is VERY secure,

      it wipes those SMS's totally!

      even when you don't want it too...

      http://code.google.com/p/android/issues/detail?id=5669 [google.com]

    • What about Android in general?

      Seems trivial to get around lock screens by just plugging in a USB cable and using ADB Pull to get at, well, pretty much all the files on the device. :(

  • by Haedrian (1676506)

    Not storing any incriminating data on your phone to begin with?

    This is like telling a person to buy a portable safe to carry illegal drugs on him.

    • Sounds about right to me. Using technology to subvert immoral laws (and immoral law-enforcement).

    • That's what I do. My phone is just a phone and I don't have anything stored on it, mainly because of fear that I might lose the phone & sensitive information. And now: Because of fear of search by police or Homeland Gestapo or the Airport SA.

      I was already stopped once because Homeland Insecurity wanted to search my car w/o a warrant. Made me stand in the hot Texas sun over an hour before finally letting me go. The last thing I need is for these Stazi to peruse my phone, and charge me with somethin

    • Re:How about... (Score:4, Interesting)

      by Romancer (19668) <romancer@deathsd ... 5926com minus pi> on Tuesday January 18, 2011 @09:41PM (#34923116) Journal

      How about you have data required to do your job on a device supplied by your employer that also happened to have you sign a NDA?

      How would this play out with a cellphone or a laptop now that you have two distinct laws you have to abide by.

      Should the govt be able to request your password for information stored on your (or a company) device that you have signed contracts to keep secret?

      • by Haedrian (1676506)

        If your employer gave you that sort of data, then s/he should be able to take steps to ensure that this data can be properly kept safe.

        Encrypting that particular data is a no-brainer.

        Where I worked with, there were people who were allowed company laptops. To turn on the laptop they needed to be docked in a particular item and swiped with the company card.

        If your company hands you top secret data, then they need to make sure that its protected.

        • by Romancer (19668)

          And since we are not all perfect, don't work for the brightest company bosses, and even the US government is still trying to work out a good process of handling sensitive material that needs to be transported by the user masses...

          What happens when a business or government employee (ours or theirs) travels through one of these nations or states that have enacted a search process that allows them to take and make copies of data stored therein? Even if they're not in the limited class of people traveling with

          • by tftp (111690)

            If you have signed an NDA and have the unfortunate set of circumstances put upon you, do you have any option that would not land up with you breaking at a minimum a contract, and at worst the law?

            An NDA can't ask you to break the law. So if you are arrested it's because you took the NDA too far. NDA typically tells you to take "reasonable measures" to protect the information; it doesn't mean that you must defend it with your life or your freedom.

    • its not just YOU - if you have any contact info or emails, they can now connect THOSE people with you and maybe your friends don't want to get a knock on the door if the cop are on some fishing exped.

      its like when I get spam from some moran who has me in their address book and runs a windows trojan that spams everyone in their contacts list. I had nothing to do with it but now because I'm 'associated' with a clueless moran, I now am added to some spam list.

      so, its not just you. your contacts are also now

      • by Cwix (1671282)

        Everyone is on a damn watchlist. Just most of the id10ts think its the greatest thing in the world cause of OMG the Terrorists are out to get us !!!11!1!

    • Not storing any incriminating data on your phone to begin with?

      This is like telling a person to buy a portable safe to carry illegal drugs on him.

      You understand that means not storing any data, right? [youtube.com]

    • Re:How about... (Score:5, Insightful)

      by Lazareth (1756336) on Tuesday January 18, 2011 @10:15PM (#34923286)

      What you're basically saying is that we don't need no stinking privacy, if you've done nothing wrong you got nothing to hide.

      As the laws are now, the citizen has to take steps to prevent unjustified invasion of privacy by the state, which is completely backwards.

      • What you're basically saying is that we don't need no stinking privacy, if you've done nothing wrong you got nothing to hide.

        It's not that we don't need privacy. It's that if you encrypt your phone, the cops will beat the password out of you anyway. And if you complain of being beaten, they'll beat you more, and no one will stop them.

        Of course, not every cop is corrupt like this. Plenty of cops would never dream of beating a person in custody. They have other prisoners do the beating, instead.

        The lesson is not "if you've done nothing wrong, you have nothing to hide", it's "don't put the stuff you need to hide on your damn ph

    • by klui (457783)

      As per the article, difficult to do when there are tens of thousands of laws that are on the books. What if your phone's accelerometers show you were traveling greater than the speed limit? The data is captured and you didn't even know.

    • Not storing any incriminating data on your phone to begin with?

      Are you sure that you have never broken any laws? Are you sure that your phone does not store any incriminating data?

      • by msauve (701917)
        "Are you sure that you have never broken any laws?"

        Everyone is guilty of something. It's only a matter of how much they want to get you, that they go to the trouble of figuring out what it is.

        Vote Libertarian.
    • by Darinbob (1142669)
      Sure the police can search the phone, but they're going to do that whether it's encrypted or not. I'm not going to be happy if police can read my email, but it won't actually hurt me in any way. The real pain is when they go and confiscate the computer or phone and you don't have access to it. Encryption won't help you there.
    • by rolfwind (528248)

      Not storing any incriminating data on your phone to begin with?

      This is like telling a person to buy a portable safe to carry illegal drugs on him.

      Who modded this snarky, dumbass comment up?!

      I take it you have never seen the video, "DON'T TALK TO THE POLICE!" by Professor James Duane and Officer George Bruch:
      http://video.google.com/videoplay?docid=8167533318153586646# [google.com]

      If it's too long for you, the gist is that we have SO MANY DAMNED LAWS that even the authorities can't count them. We're no longer in the land

    • And your friend who mentioned in an e-mail that he's staying home to smoke pot tonight? While you, as I choose, may not smoke pot, I would happily make the effort to protect him.

  • by commodore64_love (1445365) on Tuesday January 18, 2011 @09:33PM (#34923058) Journal

    What part of this Supreme Law do they not understand? "The right of the people to be secure in their persons, houses, papers[data], and effects[cellphones], against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things [phones] to be seized." It was adopted as a response to the abuse of the British Writ of Assistance, which is a type of general search warrant, during the 1760s and 70s and their use forbidden in 1776 when the Colonies declared themselves independent States.

    Cellphones should not be searchable until a police officer stands before a judge and obtains a warrant, and swears an oath that he, the officer, is telling the truth (and punishable with Perjury if not).

    • The part they don't understand is that, even though you've been arrested with the phone on you, it's still an "unreasonable... seizure" of your effects. Their view is that it's not unreasonable once you're already under arrest.

      Traditionally, how have the contents of wallets, etc. been considered? Because a phone is in much the same situation...

      • But that's too easy. Remember they arrested Professor Gates even though he had done nothing wrong (telling cops he's sick of being mistreated because of his skin color, is Protected speech). So since Gates was arrested, does that mean the cops get to search the Professors' phone, find nudie pics, illegal MP3s, or whatever, and charge him? In California "yes" but it shouldn't be that way.

        A cop should not be able to arrest a person whenever they feel like it ("resisting") and then do a hunt through a pers

        • by QuantumG (50515) *

          any contraband should be thrown-out as illegally-obtained

          If it is illegally obtained then it will be.

          Your scenario: false arrest -> search -> find something for legitimate arrest.

          This is a classic "fruit of the poison tree" and will be thrown out in any court.

          The point is: if you're arrested for a crime and they find evidence of that crime on your person, should it be admissible? And the answer is an obvious, resounding, yes. It doesn't matter if that evidence is blood on your watch band or threatening text messages on your cellphone.

          • by Darinbob (1142669)
            This also applies if you're arrested for one crime (drunk driving) but evidence is found of another crime after searching (dead body in the back seat). Of course if there's no blood dripping from the trunk, no foul smell, and no reasonable suspicion that anything is wrong they can't look in the trunk without a warrant.
          • by dbcad7 (771464)
            I don't think it's so much getting arrested for a crime and then searching for related evidence, that people find unreasonable search.. If it's relevant to what you arrested for, then it makes sense.. But,,, If for example. you ran a red light, and you had an unpaid parking ticket that became a warrant and were arrested.. would searching your phone be acceptable ?
          • by whoever57 (658626)

            Your scenario: false arrest -> search -> find something for legitimate arrest.

            This is a classic "fruit of the poison tree" and will be thrown out in any court.

            Your scenario of false arrest is unrealistic. They can always find some "legitimate" reason to arrest you. There was a study that suggested that every American commits an average of 3 felonies per day. Have you paid all your parking tickets? Then there is the old standby "resisting arrest".

            • by hacker (14635)

              Then there is the old standby "resisting arrest".

              Uhm...you can't be arrested for resisting arrest. If that's the case, what were you arrested for in the first place, for which you were "resisting"?

      • by Darinbob (1142669)
        True, none of this applies to them just searching your phone on the street or when stopped in traffic. The rules are about what happens after being arrested.

        When you're arrested and tossed in the slammer, your personal effects that you had on your at the time are collected and put in a box. The police and investigators can look in the box to see what's there. That means opening up the wallet to see that piece of paper with a phone number on it. This however does not mean that they can search your home w
        • Ie, is the cell phone just a stupid phone with a list of numbers which is reasonable to search, or is it a portable computer in your pocket which is not reasonable to search without a warrant.

          Just note, there are about 10 different "search theories" which have been decided by the courts and the constitution, which Law Enforcement officers use as a gauge as to whether it is reasonable to conduct a certain search or not in a given situation. It's not about whether the phone is a phone or a computer, it is about whether it is covered in the "incident to arrest" search theory or not. It should also be noted that police officers, if not constrained by time, will usually get a warrant even when one is

      • Traditionally, how have the contents of wallets, etc. been considered? Because a phone is in much the same situation...

        That's a pretty obviously false statement. The contents of a wallet can be searched because they could be dangerous to the officer. How much data has ever physically harmed a police officer making an arrest?

        • That's a pretty obviously false statement. The contents of a wallet can be searched because they could be dangerous to the officer. How much data has ever physically harmed a police officer making an arrest?

          A text/email saying "Arrested, send guys with AKs kthxbye" ?

    • Cellphones should not be searchable until a police officer obtains a warrant

      Caution: IANAL zone

      How about we generalize it to future-proof the idea. Your home and your car are both physically distinct spaces, and (in my understanding) officers are only allowed to search them without warrant because they're already there--if I understand correctly, being arrested while in your car doesn't give them right to search your house without a warrant, being arrested in your home doesn't give them right to search a car you own which isn't on the premises.

      Your cell, your computers at home, a

  • by Wrath0fb0b (302444) on Tuesday January 18, 2011 @09:37PM (#34923088)

    TFS:

    Worse, thanks to a recent California Supreme Court ruling, police officers may be able to search your smartphone for hours without a warrant if you're arrested for any reason.

    First, not all Americans live in California. Other States can (and have) interpreted their 4A equivalents to provide more or less protection than the Federal one.

    More to the point, it's probably not true that they can search your cellphone if you are arrested for any reason. Rather, the US Supreme Court explained recently in Gant[1], the idea is that the police can search for things "reasonably believed to contain evidence of the offense of arrest". So searching the cell phone of the CA drug dealer might come out differently than searching the cell phone of (say) a parole violator or a drunk driver.

    To be fair, Gant was an automobile search and the court might distinguish a cellphone from a car in some important sense. Nevertheless, the blanket statement in the summary is not likely to hold up if the police do not have some nexus between the arresting crime and the cellphone.

    And of course, Gant might be wrong as a matter of policy, although Orin Kerr has a very good writeup[2] of the extensive history of search incident to arrest in Anglo-Saxon law that's worth reading for some historical context.

    [1] http://www.law.cornell.edu/supct/html/07-542.ZO.html [cornell.edu]
    [2] http://volokh.com/2010/12/14/the-origins-of-the-search-incident-to-arrest-exception/ [volokh.com]

    • by pin0chet (963774)
      Fair point; my short summary doesn't specify that warrantless searches of cell phones seized incident to arrest are presumptively lawful (barring exigent circumstances) only if the cell phone is "immediately associated with the arrestee" (i.e. in the arrestee's pocket). The article explains this crucial distinction in detail, noting that if you're arrested, your phone enjoys substantially greater protection from warrantless search if it's in your luggage, glove compartment, or trunk, rather than on your per
  • by tiberiumx (1221152) on Tuesday January 18, 2011 @10:02PM (#34923240)

    It would probably be trivial to write a lockscreen program with a pair of passwords: One that you use personally to unlock it and another that silently wipes text messages / e-mail / saved data for selected applications (e.g. saved login for facebook, IM) for cases where you are compelled to provide a password.

    But I would expect that as warrantless cell phone searches gain popularity software will be available to just about anybody to bypass any security at the application level.

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      You really wouldn't want to do that on Android, unless you desire to wipe all data affiliated with that Google account. It syncs both ways.

      A simpler script would unsync the account and clear the cache(s). Best thing is you don't really lose anything (except SMS/call history).

      • There's a very nice android app that runs as a service and automatically backs up your SMS and call history to a gmail account (they show up marked as read in a separate folder, so it doesn't clutter your inbox or anything), and can then restore them to the phone later. It's called SMS Backup+ and I highly recommend it, especially if you like to play around with different ROMs and so on, because you really will never lose anything.

  • Let's say, that my smartphone provides acess to my emails that are not stored locally, but on a server somewhere, or files that II acess using a key that is stored on my smartphone. Would the CA Supremes think that an arrest would allow the police to then rifle through my (remotely stored) files and emails?

    What if the files and email are stored on my home PC and acessed over a VPN?

    What if I can access a camera in my house?

  • or police officers equipped with off-the-shelf forensics equipment

    So? If you're not doing anything wrong, then why worry about this?

    • by betterunixthanunix (980855) on Tuesday January 18, 2011 @10:54PM (#34923494)
      Well, for starters, we have the right to privacy; apparently, though, that right is not respected anymore, so we really need to be taking matters into our own hands and reminding the government that we do not want them spying on us.

      Second, and probably the more practical reason, how do you know whether or not you are doing something illegal? There are a lot of laws on the books, and people can be arrested for all sorts of things that do not seem illegal but which actually are. I very strongly doubt that you can accurately claim to follow every law; you may even have committed felony offenses without realizing it. All it would take is a police department under pressure to engage in a crack down, or a cop who just does not like you, and you could find yourself arrested and in court (but they would never do that, right?).
    • For instance, have you ever played online poker, even somewhere that it was legal?

      If you happen to be driving through Oregon then "Possession of gambling records" showing 5 bets totalling over $500 is a Class C felony. Better be sure to purge those confirmation emails!

      Do you live in a state with lax laws about ordering prescription drugs overseas? better not happen to have the money transfer go through while you are in another state.

      Have you ever used a random open wifi network? You phone probably remember

  • If you've done nothing wrong, you have nothing to fe-... hang on, I just have to answer the knock at the door...................

    • by TheCarp (96830)

      All you have to do is never speed, never have a tail light out, never smoke pot, never drive after having more than one drink with dinner, always wear your seat belt, never look like another guy who did something bad, always have a record of where you where and who you were with, never let your driver's license expire, never have sex with an underage girl, even if she lies about her age, has fake id, and you met her in a bar, which checks everyones ID.

      depending on the current political climate, you may also

  • just get a cheap dumb phone, no camera, no apps, no browser, nothing, just makes phone calls
  • . . . just use the smartphone as a shield and let them kill two birds with one bullet.
  • The really frightening (and continuing) trend is for LEOs to seemingly look for ways to skip doing the work before hand, and swoop in and defend questionable search and seizures on people they claim to know are 'guilty'.

    While somewhat off topic, it seems to go back to the Bush era warrantless wiretapping and the FISA court. The DoJ would wiretap anyone they wanted without a warrant beforehand, under the cover of clear and present danger (or some such) and then apply later for the warrant. Now think about th

  • by swb (14022) on Wednesday January 19, 2011 @12:04AM (#34923872)

    Let's assume for argument's sake that I'm stopped by the police and I'm arrested. My phone is unlocked and they start to search it.

    Are they entitled to data only ON the phone, or are they allowed to use an application on the phone which allows access to data stored elsewhere on the phone?

    In theory, an email client setup for IMAP doesn't store data on the phone -- messages are retrieved from the server. This glosses over caching, butassume the device could be setup to NOT cache messages locally (or background erase them after N seconds/minutes), the data isn't "on the phone" it's only being *presented* on the phone.

    My vague understanding of searches when arrested is that proximate searches are OK, but with an always-connected network device, what's proximate, especially if (like almost all IMAP clients, even ones with very limited caching) there's no perceptible difference between data that's local and data that's on some server somewhere else?

    Is the limit some dump of flash (and RAM, if they could do that)?

    And why stop at smartphone application data? What if I have an RDP or a SSH/telnet app on my phone that gives them access to dozens of machines (which, in turn, may ALSO offer dozens of machines)? Are those remote systems, because they can be accessed as if local, also eligible for a search?

    I guess what's scary is that it's not hard to see a slippery slope where anything the phone allows them into they have access to.

  • by gr8dude (832945) on Wednesday January 19, 2011 @11:57AM (#34928138) Homepage

    There is a program called SecuBox, http://aikosolutions.com/ [aikosolutions.com] it creates virtual encrypted disk on Windows-powered handhelds. You can keep your sensitive data there, in encrypted form.

    Your phonebook, SMS and other data are still kept in the phone using regular methods though. On the bright side - at least you get to control where your files are kept.

"If I do not want others to quote me, I do not speak." -- Phil Wayne

Working...