People vs. Diaz Fails to Consider Enterprise Data on Mobile Devices

Mark Rasch, Director of Cybersecurity and Privacy Consulting, CSC

On October 10, California Governor Jerry Brown vetoed a proposed law, SB 914, which would have required the police to obtain a warrant to search the cell phones, laptops or tablet computers of individuals who are arrested or detained by the police and thereby reversed a California Supreme Court decision in People v. Diaz 51 Cal. 4th 84; 244 P.3d 501; 119 Cal. Rptr. 3d 105; 2011; Cal. LEXIS 1 (Cal. Sup. Ct., Jan. 3, 2011).  Under the Diaz decision, the court ruled that the police interests in both protecting themselves from physical harm and preventing the destruction of evidence entitles them to seize and then search the entire contents of any device found on or near the person of a detainee. But what happens when these personal devices have corporate information on them?

Enterprise mobility and the idea of bringing your own device (BYOD) to work are on the rise within enterprises today. Couple this with the advent of new cloud technologies adopted specifically for portable mobile devices, and you have a situation where, ultimately, police may search more than your purse or pockets on a routine traffic stop. They may search — without a warrant — the contents of all of your employees computers at home and in the office, and everywhere on the Internet that your mobile device has stored data — including what is stored on an enterprise cloud.

The rationale behind the searches is what is called a “search incident to a lawful arrest.”  When police detain someone, they are entitled to search both that person and items near that person for self-protection (look for weapons) or to prevent the destruction of evidence (gambling records on “flash” paper).  What the court failed to consider in the Diaz case is the nature of a modern cell phone and other electronic devices, from iPhones and iPads to thumb drives, laptops, and “cloud devices.” Unlike something similar to an alphanumeric pager, modern devices that people keep on their person reveal a tremendous amount about their owners and often it is highly likely that it will reveal a lot about the organization that they work for — all of which could be evidentiary in nature — for good and for bad. Moreover, cloud-enabled or enterprise devices may simply act as portals to even greater volumes of information, and may store passwords to enterprise services that may be located in a remote location.

Now we do not suggest that police should be denied access to this treasure trove.  Rather, they should not be permitted access to it automatically by virtue of the fact that someone had the device with them at the time they were detained.  A warrant, probable cause, or some showing of an immediate need to search without such a warrant should be required.

This is particularly true when you consider the fact that, as The Washington Post recently reported, there are more than 150 minor offenses for which police can and are instructed to arrest you for in just Washington D.C. If your car has expired tags you can be arrested; and your cell phone, laptop, iPad or other things can be seized and searched. Other “arrestable” offenses include things like not having your dog on a leash and climbing a street light. In many states, the police may simply approach anyone, ask them to produce identification documents, their full true name, address, date of birth, and where they are going and what they are doing; and if they fail to adequately provide this information they can be arrested and then searched. In 1996, the U.S. Supreme Court held that a person can be detained even if the detention was a “pretext” to conduct an otherwise unlawful search (arresting people in D.C. for not using a turn signal because they wanted to search the car), and in 2001 the U.S. Supreme Court held that a mother could be arrested (and her car searched) for not wearing a seat belt – an offense which carried only a minor fine. The message here then is that if the police WANT to search your phone, laptop, iPad or cloud device, they can probably find an excuse.

It is difficult to see how an iPhone could be confused for a weapon, and certainly the police would be entitled to examine the device under the “search incident” rational to ensure that it is, in fact, just a phone.  As the dissenting Judge pointed out in Diaz, “there is apparently no app that will turn an iPhone or any other mobile phone into an effective weapon for use against an arresting officer.” Modern cell phones contain too much information to be the subject of routine warrantless searches, especially when the justification is that they might be a weapon. On a personal level it is obvious what these devices contain — contacts, photos, text messages, etc — but as a mobile extension of an employee’s office they can reveal product roadmaps, sensitive corporate materials, and large quantities of proprietary and confidential information.

But this is only the tip of the iceberg.  As storage capacity of mobile devices increases, they are capable of holding every document, note, video and communication of an employee. If company data is on or accessible on a device held by someone who is detained, all that data can be examined by the cops. There appears to be no limit to the scope of the “examination” conducted by the police; having lawfully seized the device, there is no reason that they could not “mirror” or image the device and its contents, and then share the contents of that device with anyone they choose.

More distressing is what happens as storage and processing are moved from the mobile device to the cloud. The smart-phone will become a portal to cloud computing, cloud processing, and cloud analysis. The device will store a userID and password that will connect automatically and seamlessly to a server in a remote location, which can contain virtually everything. Under the “search incident to the lawful arrest” doctrine, law enforcement officials may assert a right not only to search the device without a warrant or cause, but to search everything on the cloud accessible by the device. Indeed, they may not be able to make such a distinction. The arrestee’s “grabbable reach” extends from his or her pockets into the cloud.

Courts need to understand that computers are not mere storage devices.  Just because I can search your briefcase at the airport does not imply that I should be permitted to mirror the contents of your hard drive, or log into your cloud server. The volume and nature of the device reveal things that need to be protected from prying eyes. Certainly there can be evidence of crimes — even serious crimes — on such devices and in that case, the best course of action is for the police to obtain a proper warrant to search them. But the need to prevent guns, knives and bombs from being used simply does not apply to bits and bytes.

About these ads
This entry was posted in Business/IT Co-evolution, Cyber Security, Cybersecurity, Privacy and tagged , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s