Smartphone are marvelous devices but they also collect a great deal of personal information about us. Data stored locally can be encrypted but data that is uploaded to third party servers is at the mercy of the security practices of the service provider. If your mobile phone, for example, uploads precise location information to Google’s servers then Google has that information and can be compelled to provide it to law enforcers:
So investigators tried a new trick: they called Google. In an affidavit filed on February 8th, nearly a year after the initial robbery, the FBI requested location data pulled from Graham’s Samsung Galaxy G5. Investigators had already gone to Graham’s wireless carrier, AT&T, but Google’s data was more precise, potentially placing Graham inside the bank at the time the robbery was taking place. “Based on my training and experience and in consultation with other agents,” an investigator wrote, “I believe it is likely that Google can provide me with GPS data, cell site information and Wi-fi access points for Graham’s phone.”
That data is collected as the result of a little-known feature in Google Maps that builds a comprehensive history of where a user has been — information that’s proved valuable to police and advertisers alike. A Verge investigation found affidavits from two different cases from the last four months in which police have obtained court orders for Google’s location data. (Both are embedded below.) Additional orders may have been filed under seal or through less transparent channels.
This problem isn’t unique to location data on Android devices. Both Android and iOS have the ability to backup data to “the cloud” (Google and Apple’s servers respectively). While the data is encrypted in transport it is not stored in an encrypted format, at least no an encrypted format that prevents Google or Apple from accessing the data, on the servers. As Apple mentioned in the Farook case, had the Federal Bureau of Investigations (FBI) not fucked up by resetting Farook’s iCloud password, it would have been feasible to get the phone to backup to iCloud and then Apple could have provided the FBI with the backed up data. Since the backed up data contains information such as plain text transcripts of text messages the feature effectively bypasses the security offered by iMessage. Android behaves the same way when it backs up data to Google’s servers. Because of this users should be wary of using online backup solutions if they want to keep their data private.
As smartphones continue to proliferate and law enforcers realize how much data the average smartphone actually contains we’re going to see more instances of warrants being used to collect user information stored on third party servers.
Luckily everything you describe here can be fixed as service providers respond to market demand and encrypt cloud data in a way that only the data’s owner can access. But until that happens, thanks for the warning.
Much harder to protect from prying by criminals (government and otherwise) is metadata, but even there technical solutions should be possible, I think, though they may not be on the immediate horizon.