The ruling follows an appeal by a drug dealer who was arrested after selling Ecstasy tablets to an undercover officer. During arrest the dealer’s cell phone was seized and, following an interview at the station, the arresting officer looked at the phone’s text messages. He uncovered one text seemingly placing an order for drugs and when the dealer saw it, he admitted the crime.
Essentially, the ruling says that searching a cell phone is just like searching any other property the defendant might have at the time, such as clothing or a cigarette package. This is based on precedents set in the 1970s.
In a dissenting comment, Associate Justice Kathryn Werdegar pointed out how absurd this is: “The potential intrusion on informational privacy involved in a police search of a person’s mobile phone, smartphone or handheld computer is unique among searches of an arrestee’s person and effects… Never before has it been possible to carry so much personal or business information in one’s pocket or purse.”
However, from the standpoint of an IT professional it’s merely a reminder that businesses need to both create and enforce policies regarding data storage on personal electronic devices. With the ability to work highly effectively from modern smartphones and tablets–something users of primitive handsets couldn’t do just a few years ago–mobile data security has become a critical issue that can no longer be ignored.
Employees need to be aware that just because data is contained in electronic form on their phone, it is no less confidential and should be treated no less carefully than that on paper. Ideally, this should be written into employment contracts.
From a user’s point of view, there’s an easy solution to the problem if confidential data appears in text messages: Delete them after reading (and empty the trash folder, if necessary). Alas, we’re not used to doing this and mobile phones don’t encourage us to do so, making the procedure clumsy.
From a business perspective, to protect against data leaking out via SMS, it might be simpler to deactivate text messaging if the company is paying for the phone service. This is possible with many carriers. Additionally, some cell phone product lines such as BlackBerry allow the text messaging functionality to be deactivated (look under the Firewall settings).
Alternatively, text message data can be encrypted so that it isn’t immediately available to anybody without the passkey, thus forcing authorities to seek a warrant should they want to view it.
When it comes to SMS messages, Whisper Systems created waves last year with its TextSecure product for Android, which not only encrypts text messages received but also encrypts transmission of text messages if the recipient is also running TextSecure. TextSecure is available from the Android Marketplace, although is currently in beta testing. There are similar programs for other platforms, such as SecureSMS for iPhone.
If it’s imperative that SMS messages are saved–maybe to conform to data retention legislation–users should be encouraged to use PC sync software on office computers to download messages to the hard disk and then delete them from the phone. Some cell phone sync software will even download messages automatically as soon as the phone is plugged into the computer, so a solution could be as simple as providing each worker with a docking station in which they can cradle their cell phone when at their desks. If the docking station has a built-in charger, this will add an imperative to use it.
Keir Thomas has been writing about computing since the last century, and more recently has written several best-selling books. You can learn more about him at http://keirthomas.com and his Twitter feed is @keirthomas.