Who Has Access to Your Smartphone Data?

“Who Has Access to Your Smartphone Data?”
Communications of the ACM, October 2020, Vol. 63 No. 10, Pages 15-17
News
By Keith Kirkpatrick

“There are very few legal limits on what governments can do with even the most personal data once they have it.”

In a world that is defined by the generation and collection of data by technology and communications companies, personal information—including where people go, with whom they associate, what they purchase, and what they read, listen to, and even eat—it is quite a simple task to create a detailed profile of an individual based solely on the data captured in his or her phone.

The right to access and use the cache of personal information stored in each person’s smartphone has become a major question about balancing personal privacy rights against governments’ desire to monitor and retrieve data about its citizens’ activities for law enforcement, public safety, and health issues. While much of the attention over the past several years has focused on demands from law enforcement to access this data to aid in criminal investigations, the COVID-19 pandemic of 2020 has refocused the debate on the government’s right to access location data during health or other public safety emergencies.

Within the U.S., the primary communications privacy law that regulates the disclosure of and access to electronic data held by communication services providers, including wireless carriers, Internet Service Providers (ISPs), social media platforms, and search companies, among others, is the Electronic Communications Privacy Act of 1986 (ECPA) which, along with the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act OF 2001, protects wire, oral, and electronic communications while those communications are being made, are in transit, and when they are stored on computers. As the Act explicitly states, “Some information can be obtained from providers with a subpoena; other information requires a special court order; and still other information requires a search warrant.”

Andrew Crocker, senior staff attorney on the Electronic Frontier Foundation’s civil liberties team, says the ECPA generally “requires the government to use legal process to get data about users,” rather than simply allowing them to request and receive information from service providers.

Similarly, the Fourth Amendment of the U.S. Constitution requires law enforcement agencies to demonstrate probable cause when seeking historical location data from an individual’s phone. This requirement was affirmed via a 2018 Supreme Court decision, in which Chief Justice John Roberts, writing on behalf of the majority, held that police are required to obtain a warrant in ordinary investigations, but could access such information without a warrant in an emergency, such as during a bomb threat, kidnapping, or other exigent circumstance where time is of the essence. However, law enforcement agencies do need to obtain a warrant after the imminent threat has passed, to demonstrate the inquiry was made in good faith.

“It would of course be more efficient to allow law enforcement officials to decide who to surveil on their own, without oversight by a court, but that would risk invasive surveillance at the whim of the government,” says Crocker. “If there is a true emergency that makes getting a warrant impractical, such as an imminent threat to someone’s life, the Fourth Amendment and these laws allow for a brief warrantless search, often requiring the government to come back to a court after the fact.”

Former law enforcement officials agree, noting that there will always be some tension between the desire to protect personal privacy and the clear value of information that can be used to solve crimes or keep the public safe.

“It’s definitely a challenge, and it’s a balance between personal freedom and the ability of law enforcement to do their job, especially during the emergency circumstances that are putting others in harm’s way,” says Daniel Linskey, managing director of the Security Risk Management practice of New York-based risk solutions provider Kroll, and head of the company’s Boston office. Linksey, a former superintendent-in-chief of the Boston Police Dept., notes that in addition to the requirement to get a warrant to obtain information, the business models of Google and other collectors of personal data generally are focused on protecting privacy, rather than making it easy for law enforcement to access such data.