As I had previously mentioned in my post from April 29, 2014, I totally expected the Supreme Court to rule that a search warrant would be required to search cell phones. I had also mentioned that SCOTUS should stipulate that, due to the advancements in technology, seizure of volatile data should be available without a warrant. Unfortunately, the hope for this second portion did not happen.
On the subject of remote wiping of cell phones, it is sad to see that the SCOTUS used a source referred to in the opinion that they viewed as "anecdotal examples of remote wiping triggered by an arrest." Perhaps they should have had staffers consult with real practitioners who have seen actual remote wiping happen on real cases. During a recent consultation with a local law enforcement agency in South Florida, I was informed that not only was an iPhone remotely wiped after arrest, but a message of "F the police" was displayed on it as well - how anecdotal is that?
As a solution to the remote wiping threat, SCOTUS mentioned that officers can either power off the device or pull the battery - sure, this works. They also mention the use of Faraday bags to secure mobile devices from the network. Although this may work in some situations, they are not foolproof. In every class I teach regarding mobile forensics, I talk about these Faraday bags and also demonstrate how, depending on a variety of environmental factors, they do not work properly - yes, I carry one with me to every class.
Speaking of anecdotal, I have to point out another part of this opinion which is quite interesting on how it was used. The opinion states:
Remote wiping occurs when a phone, connected to a wireless network, receives a signal that erases stored data. This can happen when a third party sends a remote signal or when a phone is preprogrammed to delete data upon entering or leaving certain geographic areas (so-called “geofencing”)
Hmmm... I have not found many references to this other than an enterprise solution for policy administration on iOS devices. According to the Citrix site I found with reference to this, it states: "Geo-fencing in Device Manager allows you to define a geographic perimeter for an iOS device. You can then perform a selective or full wipe upon the breach of the perimeter you set. The policy also notifies Device Manager and the device user when the device has moved beyond the defined radius of the policy. You have the option of setting a delay before the device is wiped, which can give the user time to return to the allowed GPS location perimeter." Please tell me SCOTUS, just how is an average user that gets arrested going to have this ability?
Again, the search warrant requirement was not a surprise in the least. I fully expected it. However, I wished that the justices would have considered how technology has, and will always be ahead of the law of the land. A forward-thinking decision to enable law enforcement to seize the contents of the device, much like what is done using a mere preservation letter to a cell phone carrier or internet service provider, would have been extraordinary. Unfortunately, we must live with what Chief Justice John Roberts stated in the opinion, "It is true that this decision will have some impact on the ability of law enforcement to combat crime." - what an understatement!
PS... SCOTUS referred to a DRAFT document by NIST instead of the final version which was available to them since last month at http://dx.doi.org/10.6028/NIST.SP.800-101r1.
The full opinion can be downloaded at http://www.supremecourt.gov/opinions/13pdf/13-132_8l9c.pdf

RE: U.S. v. Wurie (13-212) and Riley v. California (13-132)
There are arguments on both sides of the issue of search of a cell phone incident to arrest. In the next 60 days or so, we will finally have a US Supreme Court decision on this issue. The two cases being reviewed are U.S. v. Wurie (13-212) and Riley v. California (13-132). I am not an attorney nor pretend to be one, but my opinion is that absent exigent circumstances, like computers, a search warrant will be required. However, I would be pleased to see the justices define that seizure of volatile data can be done without a warrant. Let me explain...
Technically speaking, there are numerous well-known methods to keep a phone off the network upon seizure. I have talked about these methods in the majority of my training courses. Today, most mobile devices can effectively be isolated from the network to preserve the data on the device. This simple, yet crucial, step in crime scene investigation procedures gives the arresting officer or investigator the time to apply for, and obtain, proper search authority (a search warrant). Although many of these techniques have been known to law enforcement agencies as best practices when dealing with mobile devices, the fact remains that savvy users (suspects or defendants) have been known to remotely wipe their phones before the device data can be acquired, much less searched.
By now, everyone has heard about the different ways to "find your phone" if it is lost or stolen. The average user also has the ability to remotely destroy the data on that device to protect it from prying eyes. Wouldn't you think it is reasonable to believe that someone under investigation (or even arrested), who has the opportunity to destroy incriminating evidence, might do that? In the spirit of preserving evidence, which can be (and is known to have been) remotely wiped prior to police seizing and searching that data, the justices would serve the people, and law enforcement alike, with an acknowledgement of the technical challenges and dynamic nature of data in mobile devices. A forward-thinking court could define that it is reasonable to allow seizure of dynamic and volatile data contained within a cell phone, tablet, etc. (the container) without a warrant. At the same time, they can reiterate the protection of the Fourth Amendment protecting the actual review (search) of that data until the issuance of a properly executed search warrant. I am guessing the court will probably mention the existence of exigent circumstances to search cell phones. This can be easily addressed by simply reiterating that a search by a law enforcement officer without a warrant may take place if exigent circumstances exist.
As the CNN article here states, "the Constitution's Fourth Amendment protects against unreasonable searches and seizures." In addition, it also states "the high court has repeatedly affirmed the government's discretion to conduct warrantless initial pat-downs and searches of people and vehicles -- to ensure officers' safety and prevent destruction of evidence."
With proper training, officers can be instructed how to keep a device off the network. Keeping a device off the network can preserve data until proper search authority is obtained for the search and recovery of cell phone data. However, since technology advances so quickly and due to the dynamic nature of data on mobile devices, I am certainly hoping for a forward-thinking decision by the justices which will not impede current investigative procedures.
Your comments are welcome!
I will be teaching the Cellebrite 5-Day Mobile Device Examiner Course at the North Miami Beach Police Department May 19-23, 2014 (registration link below).
The Cellebrite Certified Mobile Examiners Course is designed for the intermediate and advanced investigator / digital forensic examiner. This 5-day course combines the curriculum from the Cellebrite Certified Logical Operator (CCLO) and the Cellebrite Certified Physical Analyst (CCPA) Courses, providing the participant with intense exposure to Cellebrite UFED, Physical Analyzer software and all of the core competencies associated with examination of mobile devices using Cellebrite's tools and methodology. During the course, two optional written exams and two optional practical skill challenges are administered, and students may earn the Cellebrite Certified Logical Operator Certificate (CCLO) and the Cellebrite Certified Physical Analyst (CCPA), both of which are prerequisites for entering the Cellebrite Certified Mobile Examiner process.