Figuring that I have nothing to hide or steal, I've always chosen convenience over privacy and security. Not anymore.
I plugged my phone into my computer and opened an application called Lantern, a forensics program for investigating iPhones and iPads. Ten minutes later, I'm staring at everything my iPhone knows about me. About 14,000 text messages, 1,350 words in my personal dictionary, 1,450 Facebook contacts, tens of thousands of location pings, every website I've ever visited, what locations I've mapped, my emails going back a month, my photos with geolocation data attached and how many times I checked my email on March 24 or any day for that matter. Want to reconstruct a night? Lantern has a timeline that combines all my communications and photos in one neat interface. While most of it is invisible during normal operations, there is a record of every single thing I've done with this phone, which also happens to form a pretty good record of my life.
Figuring that I've got nothing to hide or steal, I'd always privileged convenience over any privacy and security protocols. Not anymore. Immediately after trying out Lantern, I enabled the iPhone's passcode and set it to erase all data on the phone after 10 failed attempts. This thing remembers more about where I've been and what I've said than I do, and I'm damn sure I don't want it falling into anyone's hands.
* * *
Last week, two separate news items highlighted the importance of what your phone knows. First, the American Civil Liberties Union in Michigan went public with its Freedom of Information Act request for data on how the state police are using a hardware system called Cellebrite UFED. The ACLU suggested that state troopers were using the UFED during routine traffic stops. While the $4,000-8,000 price tag of the systems would suggest it's unlikely that many cops have the systems in their cars, even the possibility of such a practice has got to set Fourth Amendment alarm bells ringing from here to 1791. Here's a word of advice: if a law enforcement official ever asks for your phone, just say no.
In a June 2008 article, Cellebrite bragged that it had sold 3,500 Cellebrite devices in the eleven months the UFED had been on the market. Throw in other common devices from companies like Cellebrite, Paraben, Micro Systemation and Katana Forensics, makers of Lantern, and you can begin to see the scale of mobile phone data extraction that must be occurring across the nation's law enforcement landscape.
I don't say that to suggest that the police are doing anything wrong. Like computers, phones certainly seem like fair game for investigators. They're scrambling like the rest of us to keep up with a rapidly changing mobile technology landscape that's forcing strange ethical choices onto them. Let's say someone was texting while driving, which may be against the law in your state. They might want that evidence, so they extract the data from the phone and when they look at it, lo and behold, there are several time-tagged photos of the person getting high earlier that day. Suddenly, a minor ticket gets turned into a DUI.
We're not sure how the courts are going to decide whether evidence like this is admissible because it's complicated. Doctrines like "plain view" -- that cops can seize evidence without a warrant if they can see it -- require informational friction and human embodiment to make sense. With a searchable stash of a phone's data, what is in plain view? What isn't? It's just so easy to find out more than you asked.
The other big mobile data news last week came out of O'Reilly's Where 2.0 conference, during which two researchers showed in dramatic fashion that the iPhone keeps a location log of where the phone has been, a fact that Apple had declined to tell anyone and that had first been discovered by the same guy who helped Katana Forensics managing director Sean Morrissey create the Lantern software that opened up my phone for inspection.
* * *
Alex Levinson assisted on Lantern from his living room in Rochester, New York. He's still a student at Rochester Institute of Technology*, but he tells me that his room is "basically an information security and forensic laboratory." He ticks off the equipment at his disposal: four MacBooks, a couple other laptops, two desktop boxes running different operating systems, two iPhones, a couple Droids, a Blackberry, all kinds of wireless and networking equipment and terabytes of storage. He may also know Apple's iOS as well as anyone in the world. A mere 48 hours after Apple released the iPhone 4, Levinson had patched Lantern to support the upgrade. He waited in line for ten hours and spent the next two days poking around the file system that sits underneath the ultraslick user experience.