There’s No App For That: Smartphone Data Privacy and Law Enforcement Searches

Smartphones have become repositories for vast amounts of personal information.  As their functionality grows, users store more and more of their details in their smartphone, from friends’ phone numbers, diary entries, photos, and messages, to shopping lists, bank details, and travel plans.  At the same time, phone manufacturers and app designers silently gather data on users’ movements, browsing habits and passwords.  The resulting bounty of data is extremely convenient for users, but also makes smartphones attractive targets for corporate marketers and law enforcement alike.


Regulating data collection

Many cell phone apps collect personal data from owners, unbeknownst to the user.  Some app manufacturers store the data, or even release it to advertisers.  This has attracted the attention of lawmakers.

On February 1, the Federal Trade Commission released a staff report containing recommendations for smartphone manufacturers, app designers and advertisers regarding the collection and use of personal information.  Describing the data collection potential of smartphones as “unprecedented”, the FTC issued these recommendations in response to widespread concern among users regarding the expansive and sometimes opaque data collection by their smartphones and third-party app producers.  The report recommends that apps seek express consent before accessing “sensitive” data, like geolocation information, and that greater transparency be programmed in, so that users know and can easily determine what information is being collected and when it is being transmitted to a third party.  It also suggests that smartphones offer users a “do not track” feature.  The report is not binding, but its suggestions are considered likely to be highly persuasive to the big players in the cell phone market like Google and Apple.

Companies risk running afoul of the FTC if they access users’ personal information in a misleading fashion.  Last week, the FTC settled an action against the makers of a social networking app, “Path”, which it alleged had misled users about the data it would gain access to.  In particular, Path had accessed users’ phone contacts, regardless of whether they had expressly requested this.  This left consumers with “no meaningful choice” about what information would be collected.  Ars Technica later reported that other social networking app developers are engaging in similar activities.  The incident attracted the attention of the House Energy & Commerce Committee, which sought responses from various app makers regarding their approach to user privacy.

In 2011, New Jersey prosecutors considered criminal charges against app developers over similar activity (transmission of user information to third parties without consent).  App makers, including the makers of the internet radio app, Pandora, reported receiving grand jury subpoenas in relation to potential charges under the Computer Fraud and Abuse Act, also used to prosecute hackers and, notoriously, Aaron Swartz (Swartz’s prosecution for downloading the JSTOR database of academic articles without authorization attracted criticism, and led to complaints that the Act is too broad).  Such charges frame the app makers’ access to user data as a form of unauthorized access to a computer, thus falling within the terms of the CFAA.


Cellphone searches incident to arrest

When police place an individual under arrest, they are permitted to conduct a full search of the individual’s person, without a warrant, to look for weapons and preserve evidence.  This search authority includes the ability to search within “containers” the person is carrying, such as a cigarette packet inside a pocket (U.S. v. Robinson).

The so-called “search incident to arrest” doctrine has been relied upon by police to justify searching an arrestee’s cellphone.  These searches are not uncommon — according to Adam Gershowitz, by 2010 over 40 courts nationwide had been asked to assess the constitutionality of cell phone searches incident to arrest.  The argument for lawfulness relies on an analogy to physical containers.  Prior to the cellphone era, courts held that a pager could be searched by police upon its owner’s arrest, as it was no different from a purse or address book, which could also be lawfully searched (U.S. v. Chan, 830 F. Supp. 531 (N.D. Cal., 1993) and the cases which followed it).

The Supreme Court has not ruled on whether a warrantless cell phone search can be justified under the search incident to arrest doctrine.  But reviews of the caselaw conducted by Junichi Semitsu and Adam Gershowitz conclude that the majority of courts having considered the question found that warrantless searches of cell phones could be upheld on this basis.  For example, in U.S. v. Finley, the Fifth Circuit held that a search of Finley’s cellphone following his arrest for selling drugs to a police officer was justifiable on the basis of the container cases.

But there is division within the judiciary on this point, with a minority of courts rejecting the container analogy.  The Ohio Supreme Court concluded that warrantless cellphone searches could not be analogized to container searches, because cell phones contain intangible data, not physical objects, and do so on a scale which is incomparable to a physical container (State v. Smith).  A District Court judge in California also rejected the analogy, finding that a cellphone contained such a large amount of evidence that it was conceptually closer to a large container which was within the arrestee’s control, but not on their person (U.S. v. Park).

Further, if the police interaction with a suspect does not result in an arrest, a cellphone search is unlikely to be permissible.  In United States v. Zavala, the Fifth Circuit held that a pat-down search conducted during a Terry stop (also known as a “stop and frisk”) did not include the right to search the suspect’s cell phone.  Officers performing a Terry stop are only permitted to engage in a protective search for weapons or contraband, and not a search for evidence such as is contained on a cellphone.

Locking a cellphone using a passcode appears unlikely to put it beyond the reach of law enforcement personnel.  Gershowitz concludes that there is no legal impediment to police seeking to gain access to a passcode-protected phone by guessing or cracking the passcode, provided this is reasonably contemporaneous with arrest.  And from a practical standpoint, officers may have the technical capacity before long to gain access to phone data without knowing the passcode at all.  As the ACLU argued in 2011, it appears that some state police have purchased “forensic cellphone analyzers”, which enable extraction of a range of data (photos, text messages, contacts, and more), even if the phone passcode is not known.


Cellphones in vehicles

A further question arises regarding the lawfulness of police searching cellphones left in vehicles.  According to Supreme Court caselaw, if police have probable cause to search a vehicle, they are lawfully able to look inside containers within the vehicle for the object of their search (California v. Acevedo), even if that container belongs to someone other than the owner of the vehicle (Wyoming v. Houghton).  However, if the object of the search is a physical thing (e.g., drugs or weapons), this could not justify searching a cellphone.

In certain circumstances, the search incident to arrest doctrine, discussed above, can also be relied upon to allow police to search the vehicle occupied by the arrestee at the time of their arrest.  In Arizona v. Gant, decided in 2009, the Supreme Court held that police may conduct a search of the vehicle’s passenger compartment if the suspect is unsecured and could reach into the vehicle to grab something.  Alternatively, if the suspect has been secured (most commonly, using handcuffs), a search of the vehicle is permissible if it is reasonable to believe it contains evidence relevant to the crime which led to the arrest.  Junichi Semitsu argued in 2012 that, in the majority of post-Gant cellphone searches which have been challenged and upheld, the state relied on the Gant rule.

The Court of Appeals for the Fifth Circuit also held in Zavala that the accused’s consent to search his vehicle did not include consent to search his cellphone, which had been removed from him when he was stopped and placed on the roof of the vehicle.  It was not objectively reasonable for the officer to conclude that the consent granted extended to the cellphone.


Where law enforcement searches and data privacy coincide

If the weight of authority comes to be the settled law, there are many circumstances in which law enforcement may lawfully search a smartphone without a warrant.  And thanks to the under-regulated and often opaque data collection practices of smartphone companies, what they find in their search may be more expansive than many users realise.

Further, as Junichi Semitsu explains, certain smartphone apps do more than just reveal the contents of the device to the user.  Some, like the Facebook app, also allow the user to access content stored on a server, with no signal to the user regarding which form of content is being observed.  This greatly expands the information to which police can gain access through a warrantless search (information which they would otherwise require a subpoena to obtain).  But, as Semitsu discusses, this distinction has not persuaded courts that the analogy with a “container” is inapt.

Along with apps collecting and storing more data, there are user-driven transformations to information storage taking place.  As the use of cloud storage expands, smartphone users are increasingly using apps like Evernote, Dropbox and Instapaper, along with OS-integrated facilities like iCloud, to synchronize information across multiple devices.  This means that in addition to having the user’s smartphone data at their fingertips, law enforcement personnel may have access to data from the user’s other devices as well.

The expansion of cloud computing has caused the Senate Judiciary Committee to reconsider the scope of the Electronic Communications Privacy Act of 1986 (which regulates law enforcement access to electronic records stored by third parties); perhaps the time has come for reconsideration of warrantless smartphone searches on the same grounds.  Far from being mere “containers,” these devices encapsulate more information than the search-incident-to-arrest doctrine could ever have envisaged.

