Encrypt Your Smartphone — Or Else
pin0chet writes "Modern smartphones contain ever-increasing volumes of our private personal data — from text messages to images to emails — yet many smartphone security features can easily be circumvented by thieves or police officers equipped with off-the-shelf forensics equipment. Worse, thanks to a recent California Supreme Court ruling, police officers may be able to search your smartphone for hours without a warrant if you're arrested for any reason. Ars Technica has an article exploring the legal issues surrounding cell phone searches and explaining how you can safeguard your smartphone from the prying eyes of law enforcement officers."
Encrypted texting on Android (Score:5, Interesting)
Re:How about... (Score:4, Interesting)
How about you have data required to do your job on a device supplied by your employer that also happened to have you sign a NDA?
How would this play out with a cellphone or a laptop now that you have two distinct laws you have to abide by.
Should the govt be able to request your password for information stored on your (or a company) device that you have signed contracts to keep secret?
Re:Simple... (Score:4, Interesting)
as a person who does not currently have a smartphone, I think I just decided not to EVER get one - until this kind of privacy invasion is nullified at the state (maybe even fed) level.
until then, I can EASILY do without carrying another computer with me. I spend enough time in front of an actual pc (work and home) that it's somewhat of a relief NOT to have to carry yet another 'bother me' device while I'm out.
even if you have done 'nothing wrong' the fact that some thug in a badge can ruffle thru your correspondence for NO good reason - just ends the conversation on getting a smart phone.
thanks - you just saved me close to $100/mo for a 2yr minimum.
If they ask for a password (Score:3, Interesting)
It would probably be trivial to write a lockscreen program with a pair of passwords: One that you use personally to unlock it and another that silently wipes text messages / e-mail / saved data for selected applications (e.g. saved login for facebook, IM) for cases where you are compelled to provide a password.
But I would expect that as warrantless cell phone searches gain popularity software will be available to just about anybody to bypass any security at the application level.
Re:Simple... (Score:2, Interesting)
> as a person who does not currently have a smartphone, I think I just decided not to EVER get one - until this kind of privacy invasion is nullified at the state (maybe even fed) level.
As a person who does not currently have a smartphone, I think I just decided not to EVER get one - until this kind of privacy invasion can be nullified [[BY ME having the ultimate control over my own device, rather than Apple or whichever telecom]].
That's the *only* way to trust it. Laws cannot accomplish that. If nothing else, the law cannot protect you from the government that made the law.
FTFY.
Re:How? (Score:2, Interesting)
N900s can presumably do the same encryption as debian, and have truecrypt as an installable package.
As for Blackberries... don't they store most of your data on Blackberry's servers? That doesn't sound very secure.
Re:If they ask for a password (Score:2, Interesting)
You really wouldn't want to do that on Android, unless you desire to wipe all data affiliated with that Google account. It syncs both ways.
A simpler script would unsync the account and clear the cache(s). Best thing is you don't really lose anything (except SMS/call history).
Re:Simple... (Score:2, Interesting)
Don't be such a downer. Instead, develop software that makes your phone look completely unlocked (and mostly vanilla and innocent data on it) if you don't swipe the screen unlock thing the correct way.
Not only could it hide/wipe personal data when the pigs are trying to rummage through your phone, it could also record them talking to each other about it - with a false data transfer icon showing low or no bandwidth use (lying) as it uploads their chatter to a server they could never hope to reach, even if they knew about it. Not only while they screw with your phone, but the whole time they have it near them. Trying to unlock it wrong would trigger the recording, but only the battery dying (or extended silence) would stop it. You would have to turn this decoy mode off once you got your phone back.
Imagine how useful this insider knowledge could be to you! This thing cuts both ways. Pigs might have physical might/intimidation, but they tend to not have a lot of brains. A smart enough person could easily trick some pigs into revealing a lot about themselves, while the pigs learn nothing (and suspect nothing) of the phone owner.
P.S. I don't hate police (one of my best friends is one). I do hate (and unfortunately, know some) pigs.
Re:Or Else What (Score:4, Interesting)
seriously, this is the near definition of 'chilling effect'.
don't want to reveal your whole life to some badged thug? guess you cannot HAVE a portable computer with you.
let's tell this to the smartphone companies and carriers. let's pit the economic interests of those behemoths to the thugs in blue. maybe if the carriers and vendors realize that smartphone sales are plummeting they'll get the laws changed.
wait - what am I saying?! you folks are like crack addicts with your cellphones and the lawmakers KNOW IT. you'll never give them up, sadly.
Data on the phone vs. data presented on the phone (Score:5, Interesting)
Let's assume for argument's sake that I'm stopped by the police and I'm arrested. My phone is unlocked and they start to search it.
Are they entitled to data only ON the phone, or are they allowed to use an application on the phone which allows access to data stored elsewhere on the phone?
In theory, an email client set up for IMAP doesn't store data on the phone -- messages are retrieved from the server. This glosses over caching, but assume the device could be set up to NOT cache messages locally (or background erase them after N seconds/minutes), the data isn't "on the phone" it's only being *presented* on the phone.
My vague understanding of searches when arrested is that proximate searches are OK, but with an always-connected network device, what's proximate, especially if (like almost all IMAP clients, even ones with very limited caching) there's no perceptible difference between data that's local and data that's on some server somewhere else?
Is the limit some dump of flash (and RAM, if they could do that)?
And why stop at smartphone application data? What if I have an RDP or an SSH/telnet app on my phone that gives them access to dozens of machines (which, in turn, may ALSO offer dozens of machines)? Are those remote systems, because they can be accessed as if local, also eligible for a search?
I guess what's scary is that it's not hard to see a slippery slope where anything the phone allows them into they have access to.
Re:Data on the phone vs. data presented on the pho (Score:4, Interesting)