Photo by WeissenbachPR. CC BY NC 2.0

Article by Harlo Holmes - FPF

Chief Information Security Officer and Director of Digital Security

So, you’ve been arrested covering an event. You’re taken to the police station, you’re booked, and your phone is confiscated. When you’re let out, after a few hours or even a few days, your phone is handed back to you in a plastic baggie; the SIM card and SD card taped to the back. Someone has definitely gone through your digital belongings.

What does it mean?

Your digital belongings — phone, SIM, SD card data could have been copied and gone through.

Your phone may have been turned on, apps and browsers opened. The cops might have access to any accounts your phone was logged into, this means they may have read personal communication, noted your personal accounts including email addresses, social media account names to follow, sent messages or made posts using your log in.

The SIM card contains very little information in modern smartphones, but still holds your phone number and other numbers that uniquely identify it, sometimes printed on the card. Police may track the location of individuals through the location of their mobile phone and SIM card, and your unique phone and SIM combination may now be used to locate you.

The SD card contains photos and other media; could contain chat logs, and other user-generated content. Not only can this data be used to build a profile on you, but can be used to map social connections between people you frequently communicate with, and they can unjustly become "persons of interest" to investigators. Such tactics can also be used, sometimes under the flimsiest of pretexts, to justify warrants for escalated surveillance on you in the near future.

What are your rights?

Depending on the circumstances of your arrest and the method of seizure of your mobile device, you are subject to a certain set of rights, laws, or protections. First off, know that in the U.S., it is your right to decline the warrantless search of your mobile phone. If you are arrested or taken into police custody, you should verbally state that you do not consent to a search of your devices. A law enforcement agency is only permitted to conduct a warrantless search of your device if a compelling case for an emergency can be made.

If you find that you are the victim of an unlawful search by police officials, you have various avenues for recourse.

If the authorities are using evidence obtained through an unlawful search of your mobile device against you in a criminal proceeding, you can move for that data to be suppressed under the Fourth Amendment right to freedom from incidental seizures.

If information gleaned from the warrantless and/or non-consensual search of your mobile device is not used against you in a criminal proceeding, you have the right to sue the law enforcement agency or city for damages under Section 1983 of Title 42 of the U.S. Code.

Were you arrested for recording or photographing the police? As a participant in a public event, you have the right to photograph and take video of law enforcement officers, but often documentation is taken, destroyed, or obstructed by law enforcement. If you are arrested for reporting on an event as either a credentialed or non-credentialed journalist, you may be allowed enhanced protections or alternative avenues of legal recourse. Professional journalists — as well as bloggers and livestreamers — have the right to document police activity at protests and demonstrations without undue state interference under the First Amendment right to freedom of the press.

What can you do?

As the old saying goes, an ounce of prevention is worth a pound of cure. Follow these simple steps to keep your phone secure, your social media accounts safe, and your property out of reach from prying eyes, for the next time. In addition to these tips here, have a look at EFF’s excellent guide for protesters; it has great tips for how you can protect yourself next time you go out there!

1. Encrypt your phone. Having an encrypted phone means that most data in that phone will not be readable to anyone when your phone is powered down. Even if a copy is made of your phone data, it won't be readable without your unlock code. This requires using a PIN or passphrase to unlock your device, which might seem like a lot of work at first; but it's worth it, and you will get used to it.
2. Lock your phone. Change your settings so your phone locks immediately after a short period of time, say 30 seconds, and immediately after you press the power button. While this doesn't encrypt your phone by itself (it's always unencrypted while it's on, especially on Android), it will prevent anyone from accessing and using your apps.
3. Prevent your text messaging apps from showing the full text of a message while the phone is locked. No one should be able to read your communications with friends, or two-factor auth codes, without opening the app first.
4. Lock your SIM card. Set a PIN to control access to your SIM data and cellular network use. A SIM card may still be unlocked by your carrier, but locking it with your own PIN protects it from being used in someone else’s device, unless they know that PIN. Note that when you first start this process, you will first need to enter the default passcode that is etched into your SIM card before you can enter your desired passcode. You might not know what that default passcode is, and risk locking your SIM card after 3 incorrect attempts. So, before you start to set up a SIM card lock, do a quick search online for the default PIN for your carrier. For example, Verizon’s default PIN is 1111.
5. Protect your mobile service account. Take the time to properly lock-down the account you have with your mobile carrier. Some people think of it as an afterthought, but it's alarmingly easy for anyone to take over your phone number, SIM card, and eventually, all mobile communications if such accounts aren't secured. Visit your provider's website to create a strong passphrase and/and back-up PIN for your account. Then call your provider and have a representative put a "security notice" on your account, saying something to the effect of "No one can make any changes to my account unless they give you the passphrase/PIN first."
6. Keep a list of all the accounts that are important to you. Having a list of accounts that need to have their passwords reset, or get logged out from all devices, in the event of compromise will save you time and worry.
7. Burst the cloud! Frequently delete your browsing history from your web browsing apps via their settings. If you're a Google services user, prune (or better yet, pause) your "Web and App Activity". iPhone users should prevent messaging apps from syncing data to iCloud. We know it might seem scary, but unlinking your phone and mac computers from iCloud is the best way to protect your data from anyone knocking on Apple’s door for your data. Journalists, activists, and concerned citizens usually want to sync photos and videos to the cloud as soon as they take them, and that's OK! However, consider using another cloud-based service that gives you more control over how, when, and where you sync your data — something better than iCloud.

If you find yourself in a situation where you’re very sure your device has been compromised, the first thing you’ll want to do is to preserve evidence.

1. Preserve your old SIM and SD card somewhere safe.
2. Audit your account activity. From another, trusted computer, check your Google, Facebook, Dropbox (and other) account activity logs for activity that someone else might have generated while your phone was taken from you. Document any new IP addresses, locations, and devices by taking screenshots.
3. Be on the lookout for strange activity in social media. Investigators have been known to try infiltrating your and your friends' networks with fake profiles, catphishing, and other weird tricks. Get in the habit of taking documentation and screenshots of anything that looks strange to you.

Next, it’s time to regain control of your accounts and data. Follow these steps to restore your personal data and social media accounts.

1. Sign out of all important accounts. Any place you’re logged in will have session cookies set somewhere, and an adversary could potentially resume your session if they've copied these cookies from your device. By logging out, you signal to the service that the session has ended.
2. Refresh your device. At this point, you should either factory reset your phone, or get a completely new one. While it's unrealistic for most people to buy a brand new phone unexpectedly, it's also worth noting that the IMEI number cannot be changed, even if you wipe the device and start from a fresh slate.
3. Change the passwords for services you use. On another, trusted computer, reset each account with brand-new, complex passphrases. Additionally, if you enabled two-factor authentication on a particular service, that will also have to be reset. Instructions depend on the service, but nearly all services offering two-factor authentication will also provide a way to reset these codes.
4. Get a new SIM. Your old SIM will be logged, and might have had extra metadata pushed onto it while it was out of your possession. Get a new SIM card from your carrier by simply walking into the store. Remember, it’s your right to bring your old phone number with you, and it should be handled easily at the store. Be sure to bring two pieces of proper identification (driver's license, passport, social security card, etc.) because retailers require this proof of identity for customers' security.
5. Get a new SD card. Purchase a new one, or use another one you already have (other than the one taken from you!) You cannot trust the old one since it's left your possession...

Phone recommendations

An iPhone is a great phone, if you can afford one. Recent iPhones are encrypted by default, which is hugely beneficial for security. If you are an iPhone user, beware of what you sync to iCloud, and consider only syncing directly to your computer, rather than letting the phone sync automatically to the cloud.

Android is trickier, because there are so many hardware manufacturers on the market, and each manufacturer will implement Google’s open source Android operating system in different ways. Ideally, you should invest in a phone that implements Android the way Google intended (sometimes referred to as Android One phones). The Pixel line is the best Google has to offer; it receives the latest software updates as soon as Google pushes them live, but it can be very expensive. Nokia has a less expensive lineup of Android One certified phones that also receive timely updates. Motorola’s Motorola One line provides some great options as well. Whatever you choose, be sure to buy a phone that supports encryption, and allows for granular permissions for applications. Some phones do not implement these features properly, or at all, which will put you at risk. If you’re comfortable doing so, you can still go to a brick-and-mortar store, like Best Buy, where you can play with the phones on display.

For encryption, go to Settings -> Security and make sure there’s an option to turn on encryption. That way, you know that whatever phone you buy has those capabilities in advance.

Who can I turn to?

When these things happen, it’s important to know who’s got your back. Finding legal representation that understands your situation, and understands technology, is key. You and your legal team might also require assistance from digital forensics experts, or talk to digital security trainers who can help you navigate this tricky situation. Finally, self-care is hugely important. This work is extremely stressful; talking to the right people might help you recapture your courage, prevent you from doing harm to yourself and others, and help you get through the trauma.

Legal Resources

• Your local affiliate for the ACLU: https://www.aclu.org/about/affiliates?redirect=affiliates
• National Lawyers Guild: https://www.nlg.org/
• Law for Black Lives (via Center for Constitutional Rights): http://www.law4blacklives.org/

Resources for the press

• Reporters Committee for Freedom of the Press legal defense hotline: https://www.rcfp.org/legal-hotline/
• Student Press Law Center legal hotline: https://splc.org/legalrequest/

Digital Forensics

• Citizen Lab: https://citizenlab.ca/about/
• Privacy International https://privacyinternational.org/

Digital/Operational Security Training

• Electronic Frontier Foundation: https://eff.org/
• Freedom of the Press Foundation: https://freedom.press
• Access Now: https://accessnow.org
• CryptoParty network: https://cryptoparty.in/
• Safe + Secure (geared toward filmmakers): https://safeandsecure.film/

Mental Health Resources

• Dart Center: https://dartcenter.org/resources
• CPJ has trauma support and preparedness resources: https://cpj.org/emergency-response/resource-center/
• PEN's online harassment field manual: https://onlineharassmentfieldmanual.pen.org/