Sunday, April 24, 2016

Mobile Device Privacy Battle in the US - Forgetting is Easy - Deleting is Hard

There are a variety of possible technical solutions to resolve US law enforcement's fear that criminals and terrorists are "going dark", that is, that encryption is closing off its access to mobile devices. The question isn't what is technically possible, or even what is legally feasible; it is whether we want to live in a country where these solutions are enshrined in law.

As US citizens, we have long accepted that, with a warrant signed by a judge who has been shown sufficient evidence, law enforcement can search our homes or any other space and anything within them. If there is a safe in your home, law enforcement has the right to break into it with a warrant. US law enforcement is currently trying to extend this line of reasoning to our mobile devices as though a phone were the same sort of container. Missing from this reasoning is the fact that mobile devices contain far more information about us than our homes do. How often do we do spring cleaning on our mobile devices? If we run out of space on our phones, we can buy more space or shuttle data to on-line services that remain accessible from our devices. If we run out of space in our homes, that is a much harder problem to solve, and we are under constant pressure to dispose of the traces of our lives. Mobile devices bring all of our data together in one place and commonly reach all of our history, too. Phone manufacturers and mobile service providers offer tools or services to move all of your data from your old device to your new one. It makes sense: it encourages customers to buy more. These capabilities keep an unprecedented amount of history accessible from, if not stored directly on, our mobile devices.

If I want to know what I was doing in 2007, I search my Gmail. If I want to know what I was doing in 2001, I search my previous webmail provider. Law enforcement may be able to get separate warrants to search both of those service providers. A single warrant for my mobile device, by contrast, gives them a passport to all of my data, no matter which medium or service stores it. At some point, many years ago, I ran out of the physical space and time needed to keep and manage even a small portion of these data in my home.

Arguably, my home PC would give a searcher access to these same data sources. The difference is that my home PC doesn't go places with me, logging everything as I go. My mobile device is my GPS, storing every place I look up driving directions to or run a map-based search for, which route I took, when, and whether I deviated from it. I'll often search for businesses using a mobile map app to constrain the results to those nearby or to get more quickly to a place's phone number, menu, etc. Those data are accessible to the map service provider, but they are also accessible on or through my mobile device, together with everything else.

My mobile device is also my primary camera. By default, it time-stamps and geolocates every photo I take with it. Certain apps scan these photos for faces, conveniently making who I was with, when, and where accessible from a simple app. Again, these photos may be backed up or shared via on-line services, but all of the originals, at full resolution and with full metadata, are on the phone, and it would be far more police work to get warrants for every service I could possibly use to share and back up photos.

There are also logs that the device manufacturer or service provider keep on the device indicating which tower I was near at what times, filling in the gaps between map searches and photos with a continuous log of where I was, potentially going back several years. Which apps I use, when, and what for are logged, too, not only web search history and cookies. Mobile devices tend to store more passwords to my on-line services as well. Typing a complex password on a PC is far easier than on a tiny touchscreen, so it's more likely that I'll check that "remember me" box and less likely that services will even ask. I use a variety of apps and services to make voice calls, send messages, take notes, manage my calendar, and remind myself of things. Regardless of whether these data are stored in on-line services, they are of little value unless they are with me when I need them. Therefore, the best place to access them from is my mobile device. The single place from which all of those logs, calls, messages, notes, meetings, and reminders can be reached is my mobile device.
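To make the photo point concrete, here is an added example, not part of the original post: a minimal JPEG is constructed in code with an Exif block carrying a DateTime tag and a GPS sub-IFD, a small parser pulls the timestamp and a decimal latitude/longitude back out of it, and a strip routine shows what "deleting" the metadata from a shared copy looks like. The camera timestamp and coordinates are made-up sample values; the tag numbers and TIFF/Exif layout follow the Exif specification.

```python
"""Added example: read (and strip) the timestamp and GPS fix an Exif-tagged JPEG carries.
The JPEG built below is constructed sample data, not a real photo."""
import struct

TAG_DATETIME = 0x0132          # IFD0 DateTime, ASCII "YYYY:MM:DD HH:MM:SS"
TAG_GPS_IFD = 0x8825           # IFD0 pointer to the GPS sub-IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004
TYPE_ASCII, TYPE_SHORT, TYPE_LONG, TYPE_RATIONAL = 2, 3, 4, 5
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8}


def build_sample_jpeg(datetime_str, lat_dms, lat_ref, lon_dms, lon_ref):
    """SOI + one APP1/Exif segment (little-endian TIFF) + EOI. No image data: this
    only models the metadata a phone camera writes next to the pixels."""
    dt = datetime_str.encode("ascii") + b"\0"           # Exif DateTime is 20 bytes incl. NUL
    ifd0_off = 8                                        # IFD0 follows the 8-byte TIFF header
    dt_off = ifd0_off + 2 + 2 * 12 + 4                  # after IFD0: count, 2 entries, next link
    gps_off = dt_off + len(dt)
    lat_off = gps_off + 2 + 4 * 12 + 4                  # after GPS IFD: count, 4 entries, link
    lon_off = lat_off + 3 * 8                           # three 8-byte RATIONALs

    def entry(tag, typ, count, value):                  # 12-byte IFD entry, 4-byte value/offset
        return struct.pack("<HHI", tag, typ, count) + value.ljust(4, b"\0")

    def rationals(dms):
        return b"".join(struct.pack("<II", num, den) for num, den in dms)

    ifd0 = struct.pack("<H", 2)
    ifd0 += entry(TAG_DATETIME, TYPE_ASCII, len(dt), struct.pack("<I", dt_off))
    ifd0 += entry(TAG_GPS_IFD, TYPE_LONG, 1, struct.pack("<I", gps_off))
    ifd0 += struct.pack("<I", 0)                        # no next IFD
    gps = struct.pack("<H", 4)
    gps += entry(GPS_LAT_REF, TYPE_ASCII, 2, lat_ref.encode("ascii") + b"\0")
    gps += entry(GPS_LAT, TYPE_RATIONAL, 3, struct.pack("<I", lat_off))
    gps += entry(GPS_LON_REF, TYPE_ASCII, 2, lon_ref.encode("ascii") + b"\0")
    gps += entry(GPS_LON, TYPE_RATIONAL, 3, struct.pack("<I", lon_off))
    gps += struct.pack("<I", 0)
    tiff = (b"II*\0" + struct.pack("<I", ifd0_off) + ifd0 + dt + gps
            + rationals(lat_dms) + rationals(lon_dms))
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8" + b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def _segments(jpeg):
    """Yield (marker, start, end) for each marker segment up to the scan data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker == 0xD9:                              # EOI: nothing more to read
            break
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield marker, pos, pos + 2 + length
        if marker == 0xDA:                              # SOS: entropy-coded data follows
            break
        pos += 2 + length


def _read_ifd(tiff, bo, off):
    """Decode one IFD into {tag: value}. Malformed or unknown entries are skipped."""
    count = struct.unpack(bo + "H", tiff[off:off + 2])[0]
    out = {}
    for i in range(count):
        e = off + 2 + 12 * i
        tag, typ, n = struct.unpack(bo + "HHI", tiff[e:e + 8])
        size = TYPE_SIZES.get(typ)
        if size is None:
            continue
        total = size * n
        if total <= 4:                                  # value stored inline in the entry
            data = tiff[e + 8:e + 8 + total]
        else:                                           # value field is an offset into the TIFF
            doff = struct.unpack(bo + "I", tiff[e + 8:e + 12])[0]
            data = tiff[doff:doff + total]
        if len(data) != total:
            continue                                    # truncated: don't trust it
        if typ == TYPE_ASCII:
            out[tag] = data.rstrip(b"\0").decode("ascii", "replace")
        elif typ == TYPE_RATIONAL:
            out[tag] = list(struct.iter_unpack(bo + "II", data))
        elif typ == TYPE_LONG:
            out[tag] = struct.unpack(bo + "%dI" % n, data)
        elif typ == TYPE_SHORT:
            out[tag] = struct.unpack(bo + "%dH" % n, data)
        else:
            out[tag] = data
    return out


def _dms_to_decimal(dms, ref):
    deg, minute, sec = (num / den for num, den in dms)
    value = deg + minute / 60 + sec / 3600
    return -value if ref in ("S", "W") else value


def parse_exif(jpeg):
    """Return {'datetime': str, 'lat': float, 'lon': float} for whatever the Exif block carries."""
    for marker, start, end in _segments(jpeg):
        if marker != 0xE1 or jpeg[start + 4:start + 10] != b"Exif\0\0":
            continue
        tiff = jpeg[start + 10:end]
        bo = "<" if tiff[:2] == b"II" else ">"          # "II" little-endian, "MM" big-endian
        ifd0 = _read_ifd(tiff, bo, struct.unpack(bo + "I", tiff[4:8])[0])
        out = {}
        if TAG_DATETIME in ifd0:
            out["datetime"] = ifd0[TAG_DATETIME]
        if TAG_GPS_IFD in ifd0:
            gps = _read_ifd(tiff, bo, ifd0[TAG_GPS_IFD][0])
            if GPS_LAT in gps and GPS_LON in gps:
                out["lat"] = _dms_to_decimal(gps[GPS_LAT], gps.get(GPS_LAT_REF, "N"))
                out["lon"] = _dms_to_decimal(gps[GPS_LON], gps.get(GPS_LON_REF, "E"))
        return out
    return {}


def strip_exif(jpeg):
    """Drop every APP1/Exif segment: the shared copy forgets, the original on the phone does not."""
    out, tail = bytearray(jpeg[:2]), 2
    for marker, start, end in _segments(jpeg):
        if not (marker == 0xE1 and jpeg[start + 4:start + 10] == b"Exif\0\0"):
            out += jpeg[start:end]
        tail = end
    out += jpeg[tail:]                                  # scan data and EOI, untouched
    return bytes(out)


# Constructed sample: 37 46' 29.640" N, 122 25' 9.840" W, taken the morning this was written.
SAMPLE = build_sample_jpeg("2016:04:24 10:15:30",
                           ((37, 1), (46, 1), (29640, 1000)), "N",
                           ((122, 1), (25, 1), (9840, 1000)), "W")

if __name__ == "__main__":
    print(parse_exif(SAMPLE))
    print(parse_exif(strip_exif(SAMPLE)))
```

Run it and the first line shows the date, time and decimal coordinates recovered from nothing but the file bytes; the second shows the stripped copy yields nothing. Stripping is what a sharing service may do on your behalf, which is exactly why the original on the device, not the shared copy, is the one worth a warrant.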

No other location, device, service, or data source holds as much information about me, my identity, my thoughts, my beliefs, my history of actions, meetings, locations, and communications as my mobile device. It stores things I have long since forgotten, which makes access to it more personal than direct access to my own memory. Giving someone access to this device gives them unrestricted access to all of it, unfiltered, unbiased by my sense of what is important and what I can afford to forget. Forgetting is easy. Deleting is hard. Therefore, access to my mobile device is far more invasive than access to my home and should be subject to far greater protections, even against those with the noblest of intentions.