Should police be able to search the contents of your smartphone without a warrant? That's the question that faced the U.S. Supreme Court this week — and the answer could have ripple effects for the Internet industry as a whole. Here's how.
If you're just tuning in, the case has to do with a California man named David Riley, who was pulled over for driving with expired license plates. Police searched through Riley's smartphone without obtaining a search warrant and discovered photos that they say linked Riley to a drive-by shooting. Within minutes, a relatively minor traffic stop had suddenly become very, very serious.
Riley's lawyers argue that cellphones should be protected from that kind of warrantless search. And, broadly, the Supreme Court justices seemed sympathetic during oral arguments Tuesday, acknowledging, for example, that entire photo albums stored on a smartphone are very different from, say, a few pictures in a wallet.
"Most people now do carry their lives on cellphones," said Justice Elena Kagan, "and that will only grow every single year as, you know, young people take over the world."
Among Kagan's concerns was the quantitative difference between the amount of data that can be gleaned from a person's phone compared with the other possessions people carry around with them. Yet there's also a qualitative difference at play: The contents of a wallet is very unlikely to reveal, for instance, a person's entire financial history, whereas a smartphone easily can.
You can see where this is headed. Much of the information we think of as being "on" a phone may instead be stored on a server, retrievable from the cloud. To use the financial history example, there are services such as Mint that pull down all of a user's recent transactions every time the user fires up the app. As Chief Justice John Roberts noted during the arguments, police officers could find that data incredibly useful for identifying potential drug deals or illegal weapons buys. But it's not technically information that's stored in the phone.
Other basic content, such as a person's contacts or notes, are synced to the cloud even if they're also stored locally. Sometimes you don't even have a choice in the matter: Last year, Apple upset customers when the company began forcing some iPhone users to sync their address books through iCloud.
This creates a legal gray area, according to Hanni Fakhoury, a privacy lawyer at the Electronic Frontier Foundation. "So, when you search, are you searching the cloud, or are you not?" Fakhoury asked. "I don't know the answer to that question… If the court wants to future-proof their decision, they should come up with a rule that says you can't search the phone, period."
If police are looking at data retrieved from the cloud, are they effectively performing a search of another company's property — and does that mean they need to issue a formal data request to that company? After all, that's precisely what happens when the authorities want user information from Google or Facebook.
It gets more complicated. Every subpoena and warrant filed to those companies gets logged and reported in their periodic transparency reports. But if a law enforcement officer can perform a warrantless search of a suspect's cell phone anytime the person is detained, the companies would have no record that the information was accessed.
The federal government has come out against searches of cloud-based data. In its brief for a similar case the Supreme Court is also hearing this term, the Justice Department acknowledged that smartphones could be abused to view content stored remotely. Officials even used the word "cloud."
"Using a cell phone to retrieve files beyond those stored on the phone could not be justified as a search incident to arrest," the government wrote.
Whether that view extends to the states is unclear. In theory, everyone from the highway patrol to the sheriff's department could be free to thumb through your Evernote files. It would also be difficult to distinguish between what's stored locally and what's stored remotely in each instance. An officer would have to know how each app or operating system works, and perhaps what a user's settings were at the time.
As more of our lives get shifted to the cloud, we'll need to reconsider the legal standards for how police can access that content. There's a movement afoot to review the Electronic Communications Privacy Act, the law that governs this practice. Riley's case demonstrates that the push on ECPA ought to take into account what can happen during traffic stops. That could be a good thing for law enforcement, too: The nation's finest have enough work to do without also being forced to become on-the-spot engineers.