Security Bits – Forced Smartphone Decryption Breaches 5th Amendment, Apple Fails to Remove Malicious App, Google & MasterCard Sharing Info

Followups

  • Instapaper comes back to the EU at last — www.macobserver.com/…
  • Facebook is refusing to comply with a GDPR data request, so a complaint has been lodged with the Irish Data Protection Commissioner (DPC). The DPC has opened an investigation, but has said the case is likely to get escalated from Ireland to the European Data Protection Board. This will be a really important test case to watch — nakedsecurity.sophos.com/…

Security Medium — 🇺🇸 Forced Smartphone Decryption Breaches 5th Amendment to US Constitution

The US Appeals Court in Indiana (the only level below the US Supreme Court) has ruled that forcing a user to decrypt their encrypted smartphone violates the 5th Amendment to the US Constitution (self-incrimination). IMO the ruling is noteworthy for two reasons.

Firstly, the ruling recognises that a smartphone is effectively an extension of our brain, and that makes it very special indeed:

A modern smartphone, with its central purpose of connecting its owner to the Internet and its ability to store and share incredible amounts of information in ‘the Cloud’ of online storage, is truly as close as modern technology allows us to come to a device that contains all of its owner’s conscious thoughts, and many of his or her unconscious thoughts, as well. So, when the State seeks to compel a person to unlock a smartphone so that it may search the phone without limitations, the privacy implications are enormous and, arguably, unique.

Secondly, the ruling lays down a set of legal tests it recommends courts apply ‘for resolving decryption requests from law enforcement authorities’. The Indiana Lawyer summarised this structure as follows:

  • Requiring the decryption of data should be recognized as data recreation and, thus, strictly limited.
  • Law enforcement will have legitimate need of encrypted data in some instances.
  • Law enforcement requests that are identified as bona fide emergencies should be supported by “a warrant that describes the other imminent crime(s) suspected and the relevant information sought through a warrant.”
  • Law enforcement should be required to seek digital data through third parties in non-emergency situations.
  • Fourth Amendment exceptions and state analogues should be inapplicable or strictly limited in “the search and seizure of digital data stored on devices owned or controlled by that defendant, or from ‘Cloud’ subscriptions that defendant owns or uses.”

Finally, I want to draw attention to the word I bolded in the opening paragraph – encrypted. I’m not a lawyer, but from my reading of the ruling it seems clear it only applies to encrypted phones:

We consider [the plaintiff]’s act of unlocking, and therefore decrypting the contents of her phone, to be testimonial not simply because the passcode is akin to the combination to a wall safe as discussed in Doe. We also consider it testimonial because her act of unlocking, and thereby decrypting, her phone effectively recreates the files sought by the State.

So, if you’re not encrypting your phone yet, here’s yet another reason to do it!

Notable Security Updates

  • Adobe released a critical out-of-band patch for the Creative Cloud desktop app — www.us-cert.gov/…

Notable News

Suggested Reading

Palate Cleansers

1 thought on “Security Bits – Forced Smartphone Decryption Breaches 5th Amendment, Apple Fails to Remove Malicious App, Google & MasterCard Sharing Info”

  1. Anonymous - September 20, 2018

    I saved this post quite a while ago and just got around to reading it. I have to disagree with your last premise about unlocking a phone vs. decrypting said phone. My view is that the very nature of unlocking is essentially the same as giving testimony. Again, the fifth amendment may apply here. Hard to say without seeing more of the legal briefings.
