Feds Beg Supreme Court to Let Them Search Phones Without a Warrant (wired.com)
165 points by hashx on April 24, 2014 | hide | past | favorite | 43 comments


They want the authority to search phones incident to arrest. Before you form an opinion about this --- I'm not sure what mine is --- you should know that the police have always had broad authority to conduct warrantless, intrusive searches at the time of an actual arrest. That's one of the things that makes arrest very different from mere detention.

If you're arrested by the police, they will not generally need to obtain a warrant to search your person, your pockets, your bag, or the passenger compartment of your car. Thoroughly.

People confuse "search incident to arrest" with "Terry stops", which are light, supposedly unintrusive searches that can be conducted without individualized suspicion for purposes of officer safety (ie, for weapons). Terry stops are the ones where, supposedly, the police aren't supposed to be reaching into your pocket. Search incident to arrest, going back over 100 years, has always had a purpose of discovering and preserving evidence; they aren't simply about officer safety.

That said: a modern smart phone is more than just a container you carry on your person. It can provide access to much of the same personal information that a search of your most personal possessions would. It's a totally reasonable question as to whether an intrusive search of the data on a smartphone falls into the rubric of what search incident to arrest was meant to cover.

Either way: make sure your phone is encrypted.


>the police have always had broad authority to conduct warrantless, intrusive searches at the time of an actual arrest.

Only insofar as needed to protect the arresting officer from harm or to prevent the destruction of evidence.[1]

[1] http://en.wikipedia.org/wiki/Arizona_v._Gant


This case pertains only to the search of vehicles, and, as you can see, "to prevent the destruction of evidence" is essentially carte blanche.

Interestingly, search incident to arrest might not allow the police to search a vehicle's trunk.


You generally cannot search a vehicle's trunk under search incident to arrest. However, you can impound the vehicle during the arrest, at which point it is subject to an inventory search, without violating the Fourth Amendment.


And the police have (overly) broad discretion in conducting inventory searches, which are also practically carte blanche. However, there are limits; for instance, evidence from a video tape viewed by police during one such search was thrown out.


Very interesting. I'd love to read the case on the video tape admissibility. Do you remember the name, or have any information about it?

Edit: Can't find the case, but the rationale according to a secondary source is "The search was invalid because the viewing of the tape was unnecessary to ensure its return to the defendant and it did not further any valid objective of an inventory search."

So the rationale hangs on the definition of the "valid objectives" of an inventory search. The "objectives [of an inventory search are] preserving the property of the defendant, shielding the police against claims of lost property, and protecting the police and others from any dangerous objects."


Either way: make sure your phone is encrypted

> What is to stop them from compelling your PW?

> Is the 5th amendment sufficiently broad to invoke here for blanket protection?


IANAL, but the "search incident to arrest," for all its broad powers, still doesn't reach the strength of what a court can compel you to do.

During arrest, you have the right to remain silent.


It's a good question, but legalisms aside, having your phone securely encrypted with a strong passcode gives you much more control over whether your phone is going to be decrypted.

Even if there's a circumstance in which the police can compel you to decrypt your phone, you're virtually certain to be able to have your attorney present when that happens.


The current precedent seems to indicate that no one can make you reveal your passwords. AFAIK, the EFF was fighting a similar case on these grounds.


How do you encrypt your phone?


On iOS, it is by default (actually, you can't turn it off). The random key used is protected by your passcode. A good 80% solution is to use an 8+ character numeric passcode, or a 6+ character alpha passcode.

Apple can turn off the "try ten times and erase phone" feature, but it still can't brute force faster than ~8 tries per second on a 5S. You might also want to turn off the "apple key escrow" feature.


> but it still can't brute force faster than ~8 tries per second on a 5S

Yes you can. You image the phone and brute force in parallel.

Edit: thanks for letting me know this information is wrong!


If that works, then something is incredibly broken...

The encryption key, just some random 256 bits, is protected by the rate-limited HSM, which can be unlocked by the passcode. Imaging the flash of another phone with the ciphertext is futile, because that other phone has neither the same key nor passcode hash in its HSM. A different HSM wouldn't be able to decrypt the ciphertext even given the correct passcode.

The whole point of the HSM is that pulling the key or the passcode hash out of it should be quite difficult... certainly not as easy as imaging the phone!


Right; that's the difference between Apple's hardware and (almost all) Android phones right now -- a dedicated hardware security element. Blackberry has this, too. Old Windows Phone didn't; I'm not sure if WP8 does. It was broken pre-iPad 2/iPhone 4S, though.


The Apple encryption specification claims to use a combination of:

A) The encryption key burned into the chip's internal HSM

B) A randomly generated encryption key in effaceable storage

C) The user's passcode

Each passcode attempt is protected by 250,000 rounds of some key stretching function (can't remember what exactly) using the device's internal crypto acceleration hardware.

To successfully parallelize an attack on an iPhone's passcode, you would have to A) get the key out of effaceable storage (can probably be done with a root 0day) and B) extract the HSM's burned-in crypto key (would require a decapping or maybe differential power analysis).

And even then, you're still stuck with a few hundred thousand rounds of hashing per try, which is pretty brutal.


A link to said spec / whitepaper (it's quite informative!): http://images.apple.com/ipad/business/docs/iOS_Security_Feb1...


Apple claims that the KDF uses a salt fabricated into the secure enclave in the CPU. You cannot realistically brute-force the password outside the device since you don't know the high-entropy salt. So you have to type in the PIN code by hand and have your phone erased after N times.
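The three comments above (the rate-limited HSM holding a 256-bit key, the A/B/C key combination with ~250,000 rounds of stretching, and the device-fused salt) all make the same point: a passcode guess can only be verified on the device that holds the fused secret, so imaging the flash buys an attacker nothing. The following model, added here and not taken from the thread or from Apple's documentation, makes that concrete. The construction (an HMAC under a device-only key to bind the salt, PBKDF2-SHA256 for stretching, an XOR wrap of the data key and a check tag) is an assumption chosen for illustration; only the 250,000-round figure and the ten-attempt wipe come from the thread. `SecureElementModel`, `derive_unlock_key` and `offline_guess_verifies` are names invented for this example.

```python
"""Constructed model of device-bound passcode key derivation.

Inputs to the unlock key, following the A/B/C split described in the thread:
  A) device_uid_key   - secret fused into the secure element, never exported
  B) effaceable_salt  - random per-device value in effaceable storage (erased on wipe)
  C) passcode         - what the user types
The concrete construction below is an illustrative assumption, not Apple's algorithm.
"""
import hashlib
import hmac
import os

ITERATIONS = 250_000   # rounds of stretching quoted in the thread
KEY_LEN = 32           # 256-bit data-protection key
MAX_ATTEMPTS = 10      # "try ten times and erase phone"


def derive_unlock_key(passcode: str, device_uid_key: bytes, effaceable_salt: bytes,
                      iterations: int = ITERATIONS) -> bytes:
    """Stretch the passcode. The device secret is mixed into the salt, so the
    result is only computable where that secret lives."""
    bound_salt = hmac.new(device_uid_key, effaceable_salt, hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), bound_salt,
                               iterations, dklen=KEY_LEN)


def _wrap(key: bytes, unlock: bytes) -> bytes:
    """Toy key wrap: XOR with a keystream derived from the unlock key (symmetric)."""
    stream = hashlib.sha256(b"wrap" + unlock).digest()
    return bytes(a ^ b for a, b in zip(key, stream))


def _check_tag(unlock: bytes) -> bytes:
    return hmac.new(unlock, b"check", hashlib.sha256).digest()


class SecureElementModel:
    """Rate-limited, wipe-on-failure unlock path; only this object holds the UID key."""

    def __init__(self, passcode: str, iterations: int = ITERATIONS):
        self._uid_key = os.urandom(32)         # fused secret, never leaves the element
        self.effaceable_salt = os.urandom(16)  # present in a flash image
        self._iterations = iterations
        self.file_key = os.urandom(KEY_LEN)    # random 256-bit data key
        unlock = derive_unlock_key(passcode, self._uid_key, self.effaceable_salt, iterations)
        # These two values are what an attacker who images the flash would obtain.
        self.wrapped_file_key = _wrap(self.file_key, unlock)
        self.check_tag = _check_tag(unlock)
        self.failed_attempts = 0
        self.wiped = False

    def try_unlock(self, passcode: str):
        """Return the data key on success, None on failure; wipe after MAX_ATTEMPTS."""
        if self.wiped:
            return None
        unlock = derive_unlock_key(passcode, self._uid_key, self.effaceable_salt, self._iterations)
        if hmac.compare_digest(_check_tag(unlock), self.check_tag):
            self.failed_attempts = 0
            return _wrap(self.wrapped_file_key, unlock)
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_ATTEMPTS:
            # Effaceable storage erased: the wrapped key can never be recovered.
            self.wiped = True
            self.effaceable_salt = None
            self.wrapped_file_key = None
        return None


def offline_guess_verifies(device: SecureElementModel, passcode: str, guessed_uid_key: bytes) -> bool:
    """What a flash image alone allows: derive with a *guessed* UID key and compare
    against the stored check tag. Without the real fused key this never matches,
    which is why parallel off-device brute force is futile."""
    unlock = derive_unlock_key(passcode, guessed_uid_key, device.effaceable_salt, device._iterations)
    return hmac.compare_digest(_check_tag(unlock), device.check_tag)


def exhaust_attempts(device: SecureElementModel, wrong_passcode: str) -> bool:
    """Feed MAX_ATTEMPTS wrong guesses through the device path; return whether it wiped."""
    for _ in range(MAX_ATTEMPTS):
        device.try_unlock(wrong_passcode)
    return device.wiped


if __name__ == "__main__":
    phone = SecureElementModel("1234")
    print("correct passcode on device:", phone.try_unlock("1234") == phone.file_key)
    print("correct passcode, imaged flash, guessed UID key:",
          offline_guess_verifies(phone, "1234", os.urandom(32)))
```

Two things to notice when running it: the same passcode derives an unrelated key under a different UID key, which is the "different HSM can't decrypt even given the correct passcode" observation above, and every guess that *can* be checked has to go through `try_unlock`, where the attempt counter and the wipe live.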


Stock android: settings - security - encrypt phone (or encrypt device)

http://www.makeuseof.com/tag/how-to-encrypt-data-on-your-sma...

That article doesn't provide the proper caveat to enabling the erase data option for passcode lock on iPhone. It's obviously dangerous if your phone data isn't continuously backed up.


Since modern technology keeps extensive track of everybody's life at all times, when police take an interest in you they now get to examine a complete picture of everything about you. What you were doing, what you were going to do, who you've been talking to, who you work for, your family, your sex life, your romantic life, your interests, your politics, your religion, everything. Why get a search warrant if they can just pull you over for not signaling correctly and then get access to your entire life nicely packaged for them?

Ten years ago they didn't have any of these tools that they now claim are indispensable to do their jobs. How did they do their jobs back then?


That's not even the worst part about it. The worst part is that they get to see all of that and then paint the picture they want about you.


Which is why I encrypt my phone. I really, really don't want to be responsible for the police invading the privacy of people I'm in contact with.

Because, a phone isn't just you. It is you and everyone you communicate with.


Exactly, if you are of interest to law enforcement for any reason then everyone on your contact list also becomes of interest to law enforcement.


> Ten years ago they didn't have any of these tools that they now claim are indispensable to do their jobs. How did they do their jobs back then?

To be fair, ten (well, twenty) years ago people did all those things in a way that was much more visible to the police. People would go get film developed at the drug store, people would use pay phones, etc.


I would say nothing has changed in the long run. As new technology has appeared that may make it easier to avoid the interest of law enforcement, so has the technology that law enforcement uses to counter the avoidance.

If you were a part of a criminal enterprise twenty years ago you developed your own film and never used the randomly chosen pay phone more than once.

I would even go as far as to say that their job of collecting usable evidence is much easier today than it was twenty years ago.


This is a case about a drug dealer's mobile phone. Presumably he conducted his business through it. I don't think I need to tell you the vast amount of information stored simply when turning one of these on and having it connect.


Police work /should/ be hard. We don't /want/ it to be trivial for police to poke around in the depths of your personal data, fishing for reasons to think you might have done something wrong in the past.

"my job is difficult" is not sufficient reason to justify what they are asking for.


As the article mentions, there's no real need for these search powers, when the phone can simply be turned off or physically taken out of range of reception to prevent it from being wiped. The feds have yet to prove this is even a real problem.


What about a "dead-man's switch" that wipes if the authorized user doesn't authenticate every 30 minutes or so? If network connectivity is lost for too long? And turning it off risks losing resident data on the latest activities of the phone, encryption keys in memory, etc.

I'm by no means a whole-hearted supporter of DOJ's position on this, but I think their opponents are also exaggerating the availability of other options to collect evidence later.


That dead man's switch sounds like a great way to wipe your phone every time you take a nap.

Regardless, if the hypothetical possibility that some incredibly uncommon dead man's switch exists is justification for this sort of search, then only allow that sort of search if the police have some sort of reasonable suspicion such a switch exists.

It's analogous to how unwarranted home searches are permitted only if an officer reasonably believes there's imminent destruction of evidence - we don't just allow all home searches without warrants because somewhere out there someone might destroy evidence in their house.


Another version of the same thing - encrypt your phone with a large key file stored in memory (like an 8096-bit SSL private key or something). If you don't take some action (logging in, etc) every 30 minutes, the key file is deleted, rendering the data completely inaccessible.

You then have the option of keeping a backup version of the key file somewhere separate, where police aren't going to be able to find it or using a dead man's switch which triggers the destruction of the backup key on a longer timescale (1 day, 1 week).

Of course, encrypting the phone with a password whenever the screen goes off serves essentially the same purpose, the only difference being that using an auto-shredded key file would likely be slightly more convenient for day-to-day use, and that once the key file is shredded, it's impossible for them to compel the login information from you; the best they can do is get the location of the backup key from you, which can itself be booby-trapped to self-destruct (this has the advantage that it's stored on hardware YOU control, whereas a self-destruct password on the phone itself wouldn't do much if they bother to make a backup image before they start trying to decrypt it).


If I were a drug dealer, I think I'd take on pretty onerous risks like that. You could reconfigure the wipe interval and/or drop all sensitive data from RAM and leave it in a safe encrypted state, as the situation requires.

You have good points. Both sides seem to be pushing for the extreme permissiveness or restriction in their respective viewpoints, but the best probably lies in between, as you say.


Drug dealers use burners by the bucketload. They have no need for fancy smartphone encryption.


And when their burner is seized by the police, what protection do they have from all their accomplices being harvested from the contacts list? I guess the numbers can mostly be derived by subpoenaing call records from the phone company, but the names could be useful to police.

I guess really smart and serious dealers are going to use cheap burners AND not save numbers, or at least only with useless (to the police) names.


That sounds very risky to me. I would prefer a second passcode that when entered quietly destroys the cryptographic key.


One reasonable alternative is to use Apple Configurator and set the number of failed attempts before wipe to much lower than the default 10, say 2 failed attempts only.

http://help.apple.com/configurator/mac/1.5/#cadbf9d00f


Why are warrants so bad? How about a public log of every agent and what they searched for and why they searched it.

I believe we would be exposed to the inanity of their methods and means. It is sheer embarrassment that they don't want their actions logged.


Because sometimes a police goof that goes public may hurt the victim more than the police. Many people would note that the police searched your house for child porn but many may fail to notice the police got a bogus address from a paid informer who needed money.

Plus I believe that stuff is often public knowledge, it's just not collected in an easy to use manner I would imagine.

It's not that warrants are bad, it's just that the abuse of warrants and SWAT being used for trivial warrants makes them seem bad.



Do you think the kill switches mentioned in this article are really to help with mobile phone thefts? It's probably more likely the kill switches will be used to turn off phones in areas where people are doing things the government doesn't like. Want to take a photo of that police officer beating your friend? Sorry, kill switch.


I'm completely unsurprised this came up in the context of a drug arrest.


Honestly, I don't feel like the mandated kill switch is going to be an issue for someone who is wanting to be able to wipe their phone in the case of apprehension. The guys out there today already have a means ready, such as rooting and having a wipe program ready.


If you root an android phone then it's trivial for police to bypass the lock screen. There also isn't any time to fiddle with a phone while guns are being pointed at you and police are screaming orders not to move.

