It’s easier than ever for police to get your phone data

The government’s ability to access phone data depends on a patchwork of court decisions and laws that predate the technology.

Our lives are on our phones, making them a likely source of evidence if police suspect you’ve committed a crime. And there are myriad ways law enforcement can obtain that data, both externally and from the phone itself.

Companies that specialize in cracking phone passcodes and exploiting vulnerabilities are getting better and better at undermining them. And although Apple has tried especially hard to make its phones impossible to break into, more and more law enforcement agencies are using those tools to gain access to devices, even when someone is accused of relatively petty crimes.

While there are a few good primers online that cover the steps you can take to minimize your phone’s exposure to law enforcement surveillance, there’s no way to completely guarantee your privacy.

When it comes to data that can only be obtained from access to your phone, what law enforcement can actually get varies depending on how you lock it down, where you live, and the jurisdiction of the law enforcement agency that is investigating you (local police versus the FBI, for instance). Here are some of the main ways the government can get information from your phone, including why it’s allowed to and how it would do so.

Law enforcement wants access to third-party data on my phone. What can it get?

Short answer: Whatever it wants (with the right court order).

Long answer: Depending on what law enforcement is looking for, it may not need physical possession of your device at all. A lot of information on your phone is also stored elsewhere. For example, if you back up your iPhone to Apple’s iCloud, the government can get it from Apple. If it needs to see whose DMs you slid into, law enforcement can contact Twitter. As long as they go through the proper and established legal channels to get it, police can get their hands on pretty much anything you’ve stored outside of your device.

You do have some rights here. The Fourth Amendment protects you from illegal search and seizure, and a provision of the Electronic Communications Privacy Act of 1986 (ECPA) dictates what law enforcement must obtain in order to get the information. It might be a subpoena, court order, or warrant, depending on what it’s looking for. (WhatsApp actually does a good job of explaining this in its FAQ.) A section of the ECPA, known as the Stored Communications Act, says that service providers must have those orders before they can give the requested information to law enforcement.

But, assuming the government has the right paperwork, your information is very obtainable.

“Basically, anything that a provider has that it can decode, law enforcement is getting it,” Jennifer Granick, surveillance and cybersecurity counsel for the ACLU’s speech, privacy, and technology project, told Recode.

Note that this only covers service providers. If law enforcement wants to get WhatsApp messages you exchanged with a friend from your friend’s phone, it doesn’t need a warrant as long as your friend is willing to hand over the information.

“You don’t have a Fourth Amendment interest in messages that have been received by someone else,” Andrew Crocker, a senior staff attorney for the Electronic Frontier Foundation, told Recode.

If your friend refuses to willingly hand over what the police want, they can still get it — they just have to get a warrant first.

Law enforcement wants access to personal data on my phone. Can they do that?

Short answer: If your phone is protected by a passcode or biometric unlocking features, there’s a chance police can’t gain access to your personal data. But that’s not guaranteed.

Long answer: In addition to data hosted by a third party, there’s a lot of information that can only be gained from access to your phone. For example, the data in iCloud backups is only as recent as the last time you uploaded it, and it only includes what you choose to give it — assuming you back up your phone at all. Encrypted messaging services like WhatsApp don’t store messages on their servers or keep track of who is sending them to whom, so the only way for police to access them is through the sender’s or the receiver’s device. And as we’ve explained above, the government can get WhatsApp messages from the person you’re communicating with, but only if it knows who it is in the first place.

So how exactly would someone other than you — police, for instance — get access to that data? If your phone doesn’t have a password or law enforcement is able to access it using specialized passcode cracking tools like Cellebrite or GrayKey — and they have the necessary search warrant to do so — then it’s all theirs. A recent report from the technology and justice advocacy group Upturn showed that law enforcement use of these phone-cracking tools is more prevalent than previously known, and there is little oversight governing how and when those tools may be used, or what information they’re limited to accessing. But if your phone is locked with a passcode and law enforcement can’t hack into it, the Fifth Amendment may be your friend.

Essentially, the Fifth Amendment says you can’t be compelled to give self-incriminating testimony. (This amendment is perhaps known best to you as that dramatic moment on Law & Order when the person on the stand says, “I plead the Fifth.”) Testimony, in this case, is defined as revealing the contents of your own mind. Therefore, civil rights advocates say, the government can’t force you to tell them your phone’s password.

Most courts seem to agree with this, but that’s not always enough. There is what is known as the foregone conclusion exception. That is, a defendant’s testimony is not self-incriminating if it reveals something the government already knew, and the government can prove that prior knowledge. In this case, the defendant’s testimony is a foregone conclusion — a predictable outcome.

So, for phone passwords, the government can and does argue that revealing the password only shows that the phone belongs to the defendant. If the government has enough proof to establish the phone’s ownership, that’s a foregone conclusion that the defendant would also know its password. Some courts have interpreted this to require the government also to show it has knowledge of the specific pieces of evidence it expects to find on the device.

This exception comes from a 1976 US Supreme Court ruling. In Fisher v. United States, someone being investigated for tax fraud gave documents prepared by his accountant to his lawyer. The IRS wanted those documents; the defendant said that producing them would be self-incriminating and therefore was protected by the Fifth Amendment. The Supreme Court sided with the IRS, ruling that since the existence and location of the tax documents was a “foregone conclusion,” the act of producing them didn’t tell the government anything it didn’t already know.

Obviously, a 44-year-old decision over tax papers doesn’t take into account how information can be stored today, nor how much.

“The EFF’s position is that the foregone conclusion exception is very narrow and should never apply in these passcode cases,” Crocker said.

But without further guidance from the Supreme Court, it’s largely been left up to interpretation by lower courts, with state courts considering their state constitution’s provisions as well as the federal. The result, Crocker says, is “a total patchwork of [decisions from] state Supreme Courts and federal courts.”

For example, in 2019, Massachusetts’s highest court forced a defendant to reveal his phone’s passcode while Pennsylvania’s highest court ruled that a defendant could not be compelled to unlock his computer. Indiana’s and New Jersey’s highest courts are both considering compelled passcode disclosure cases. On the federal side, the Third Circuit Court of Appeals ruled that a defendant could be compelled to unlock multiple password-protected devices, even though the defendant claimed he couldn’t remember his passwords. The 11th Circuit Court of Appeals, on the other hand, ruled the other way in a different case.

“It’s very much in flux,” Crocker said. “Eventually, the US Supreme Court could get involved and resolve this.”

There are other ways to protect your phone. Some phones can use fingerprints, facial recognition, and iris scanners to unlock instead of passwords. Law enforcement is allowed to use people’s bodies as evidence against them, for instance by compelling them to participate in suspect lineups or provide their DNA. So if the police can take your fingerprints, can’t they use them to unlock your phone? Again, courts are all over the map on this.

“The issue with biometrics is, is it testimonial?” Granick said. “The courts have not entirely decided that, but there have been a couple courts recently that said biometrics is basically the modern technological equivalent of your passcode.”

Crocker says courts should consider that the evidence police can get from your fingerprint is much more restricted and known than what they can get when your fingerprint unlocks a phone. So far, though, he says, courts have been more likely to rule that the Fifth Amendment does not apply to biometrics than they are that it applies to passcodes.

Yet another factor to consider here is that, while it’s impossible for police to read your mind and get your passcode, they can hold a phone up to your face or press your finger on it to bypass the biometric lock. And while your lawyer can (and should) argue that any evidence found this way was illegally obtained and should be suppressed, there’s no guarantee they’ll win.

“It’s fair to say that invoking one’s rights not to turn over evidence is stronger than trying to have the evidence suppressed after the fact,” Crocker said.

So, all things considered, if you’re worried about law enforcement getting access to your phone, your safest bet is to just use a passcode.

Sadly, I have died. Law enforcement wants to unlock my phone, but they can’t get my password due to my aforementioned death. What happens now?

Short answer: Your Fourth and Fifth Amendment rights generally end when you do. But other parties have rights, too, and those might be enough to keep the government out of your phone.

Long answer: This isn’t about your Fourth or Fifth Amendment rights anymore; for the most part, you lost those when you died. (That said, law enforcement might have to get the right paperwork if they were looking for evidence against someone else on your phone — after all, their Fourth Amendment rights are still intact.) If law enforcement can’t get into your device on its own, it may well be the phone’s manufacturer’s rights that come into question.

Attorney General Bill Barr has made no secret of his disdain for Apple over its refusal to grant law enforcement access to locked and encrypted devices. In May, he called for a “legislative solution” that would force tech companies to cooperate with his demands.

Barr also claimed in January that the only way the FBI could access dead suspected terrorist Mohammed Saeed Alshamrani’s iPhones is if Apple unlocked them. The agency has made this argument before. In 2016, the United States tried to use the All Writs Act, which dates back to 1789, to force Apple to create a “back door” that would give the FBI access to the San Bernardino shooter’s locked phone. Apple refused, saying the government could not force it to create “a crippled and insecure product” that it would not have built otherwise. So far, there’s been no legal resolution: In both cases, the FBI was able to access the phone through other means before a court could rule on it.

You may have noticed by now that, while many of the cases concerning phones and passcodes are recent — some are even still making their way through the legal system — the cases cited to make legal arguments are decades or even centuries old. The wheels of justice turn slowly, and judges are often forced to use decisions about access to pieces of paper to inform their rulings about access to devices that hold tremendous amounts of personal information: who we talk to, when, and about what; where we were yesterday, last month, or three years ago; what we spent money on or got money for; our calendars, photos, emails, and contacts. These devices hold tens or even hundreds of gigabytes of data on almost everything about us.

You may not be able to control what law enforcement can get from someone else or what they do with your phone once you’re dead. But, with so much uncertainty surrounding what the government can force you to do with it when you’re alive, it’s a good idea to check out your legal options before handing over that passcode.

Open Sourced is made possible by Omidyar Network. All Open Sourced content is editorially independent and produced by our journalists.


via Vox – Recode
