Smartphone snooping by police may wreck evidence, forensics expert says

Technology, not legal niceties, may be one of the strongest reasons police shouldn’t be allowed to search the smartphones of people they’ve stopped or arrested. At least, that’s the view of a technology expert quoted in a recent Forbes story about a case currently before the U.S. Supreme Court.

The court is considering the validity of evidence obtained without a court-issued warrant. Two defendants are challenging their convictions on the grounds that data found on their phones should not have been allowed as evidence at trial.

The legal question is whether the Fourth Amendment to the U.S. Constitution, which bars unreasonable searches, requires police to get court approval before searching a cellphone belonging to someone who’s been arrested.

But the real issue may be technological, not legal or moral, says iOS forensics expert Jonathan Zdziarski. Zdziarski, who trains police to search mobile devices, says the real problem is that police can inadvertently destroy evidence.

“If there are exigent circumstances – such as an active kidnapping or someone’s life in danger – police should go through a phone, but otherwise they risk destroying crucial evidence,” Zdziarski says. “They’ll play with it, go through apps — open Safari and Maps — and they do it wrong and destroy useful evidence. Then they ruin the data.”

The government position is that police need to be allowed to search a phone as quickly as possible to prevent someone from remotely deleting information on it.

Zdziarski says police should disconnect phones from Wi-Fi and other connectivity when they seize a device, unless they turn it off or put it in a “Faraday cage” that blocks signals. He notes that the RCMP has rebuilt a former bank vault as a room-sized Faraday cage where they can examine mobile devices.

However it’s accomplished, the smartphone needs to be ‘frozen’ until a forensics lab can examine it, so that the device is preserved exactly as it was when last used.

“If you’re dealing with online child porn or sex trafficking, the criminal participates in a lot of forums exchanging info and photos,” Zdziarski says. “Hypothetically, if a criminal was doing this with Safari on their phone, you can use a forensics tool to access cookies and a screenshot of their last visit.”

The problem is that if the browser is opened, it automatically refreshes the page so that the last visit shown will be when the police seized the device. And Zdziarski says that if the session cookies have expired, the browser launches the sign-in screen, deleting whatever the user looked at most recently along with the URL.

“The best argument for why the phone shouldn’t be searched when it’s seized is that some cops aren’t smart enough,” says Zdziarski. They may think that removing the SIM card will shut down the phone, not realizing that it can still connect to Wi-Fi in that state. “Most cops are trained to be cops, not forensics experts. They can destroy and corrupt data… Just train them to properly secure the device and then get a warrant before you search it.”

Andrew Brooks
Andrew Brooks is managing editor of IT World Canada. He has been a technology journalist and editor for 20 years, including stints at Technology in Government, Computing Canada and other publications.
