If you are stopped or arrested by a law enforcer there’s a possibility, one that increases every day, that they will demand to see the contents of your phone, which was the topic of yesterday’s meeting.
Interactions with law enforcers is a complex topic because it involves both legal and technical aspects. None of us at CryptoPartyMN are lawyers but the information we presented regarding the legal aspects of law enforcement interactions was primarily sourced from the Electronic Frontier Foundation (EFF) and they have a team of lawyers. We encourage everybody to read through the EFF’s Know Your Rights series to gain a better understanding of the legal aspects of law enforcement interactions. But there is one thing that we wish to emphasize above all else: Never consent to a search of your phone.
Phone searches will usually start as polite requests. The officer will ask, “Do you mind if I take a look at your phone?” If you say yes, you have legally consented to a search of your phone. Therefore, If an officer asks you if they can search through your phone, tell them, “I do not consent to a search of my person or property.” That language is unambiguous and to the point. It’s possible that the officer will become persistent and even try to strong arm you into consenting. Don’t give into the pressure. Just continue stating that you do not consent to a search. If the officer claims to have a warrant, demand to see it and, if they actually have one, make sure that they only search the locations specifically listed on the warrant. It’s also wise, especially if you participate in protests or other forms of activities that carry a higher than average chance of interacting with law enforcers, to have a lawyer at hand that you can call. Lawyers know how to talk to the police without incriminating you so let them do the talking.
After getting that out of the way, we discussed the technical aspects involved in interacting with law enforcers. Most modern smartphones have the ability to encrypt the contents of the device (usually referred to ask full-disk encryptioin). Since the release of iOS 8, iPhones setup with either a password of PIN have encrypted the contents of the device. Android has included support for full-disk encryption since 5.0, although support for the feature may vary from vendor to vendor.
Although both iOS and Android take measures to increase the complexity of your password, when encrypting the contents of your device you should utilize a strong password, not a PIN. Modern iOS devices and many Android devices attempt to make utilizing a strong password easier but including fingerprint readers. When the fingerprint reader is enabled you are able to avoid typing in your password every time you want to unlock the device. However, using a fingerprint reader carries additional legal risks. Namely, courts have been mostly unanimous in ruling that law enforcers can force you to provide your fingerprint to unlock your phone. The courts are far less unanimous about whether law enforcers can force you to provide your password to unlock your phone.
On iOS devices you can deauthorize the fingerprint reader by rebooting the phone. Once the fingerprint reader is deauthorized you must enter your password to reauthorize it. You can reboot an iPhone 6S or older iPhone by holding the power and home buttons simultaneously for a few seconds. With the introduction of the solid-state home button on the iPhone 7 Apple had to change the buttons. You can reboot an iPhone 7 by holding down the power and volume down buttons simultaneously for a few seconds. If you’ve enabled the fingerprint reader on your phone, you should reboot the phone before interacting with a law enforcer so they cannot force you to unlock your phone. The behavior of the fingerprint reader and the procedure for rebooting an Android device can vary. You will have to look that information up for your specific device.
In addition to performing manual searches, some law enforcement departments have begun issuing devices capable of cloning the contents of cell phones to their officers. These devices generally connect to the USB/30-pin/Lightning port on the phone and copy all of the stored contents including the call log, contact list, and text messages. Methods to defend against these devices vary. Oftentimes these devices will use exploits to bypass your password. Therefore, the first step in defending against these devices is to ensure that you are running the latest version of your phone’s operating system. New releases of iOS and Android contain fixes for known exploits, including many of the exploits used by cellphone cloners. If you’re using an iOS device, there is a way to lock the device’s 30-pin/Lightning port to a single computer. If you set your phone up in this manner, it will refuse to communicate with any device, besides the computer your configured it to communicate with, via its 30-pin/Lightning connector. Barring an exploit capable of bypassing this feature (once again, ensure your phone’s operating system is up to date), locking your phone’s 30-pin/Lightning port will prevent cellphone cloners from pulling data from your phone.
A category of mobile devices that is gaining traction as of late is wearables. Wearable devices such as the Apple Watch and Android Wear devices can display information stored on your phone, which makes them an attractive target for law enforcers. If you’re using an Apple Watch, you should setup a password and enable wrist detection. This will lock the watch if it is removed from your wrist, which means you can make it inaccessible to law enforcers by simply removing it. Once again, the procedure for Android Wear devices may vary and you will have to look up the security features of your specific device.
This guide (as well as yesterday’s discussion) is meant to serve as a primer for interacting with law enforcers, it isn’t a complete guide. Following the information presented here will provide you a decent amount of protection from snoopy law enforcers but you are encourage to continue your education in this matter. This guide it won’t provide any help if an officer threatens you with physical harm if you refuse to unlock your phone. Such a scenario falls outside of the realm of regular device security and enters the realm of physical self-defense and is therefore outside the scope of this guide. Furthermore, this guide is specific to physical interactions with law enforcers. It is possible for law enforcers to access your data in other ways. For example, law enforcers can often access your data that is stored on third-party services after an interaction or without any prior interaction.