While consulting people on how to secure data, Darren Chaker has seen many ask if smashing a phone or computer will make the data unreadable. While it may make the computer inoperable, data still remains on the hard drive. It is common practice to extract info from hard drives that have been thrown out of winders, put into water, etc. However, when a hard drive is broken and unable to boot in the usual way options are available to create a mirror image of the hard drive and boot it as an external drive from a working computer. In a criminal investigation, police will need a data recovery program to help retrieve your data back if it was merely put in the waste basket and emptied without using a secure overwrite. This is done every day some place so breaking the functionality of the phone/computer means very little to retrieving the data.
Further attempting to destroy data may create more problems for the target of the investigation such as an obstruction charge and can also be used by the prosecutor to show ‘consciousness of guilt’ (i.e. you knew there was something illegal on the device you tried to destroy). However, if the computer, phones included, cannot be accessed due to encryption, it is difficult to prove obstruction if it cannot be shown the data was deleted. Not allowing access to a phone is not obstruction since a person’s right to prevent access to a computer is with the person’s Fourth and Fifth Amendment rights. Invoking a right cannot be used against a defendant. This includes refusing a request by police to ‘look’ at your phone to access it with facial recognition. See court ruling here.
The best thing to do (in my opinion) is encrypt your phone/computer, wipe it on a weekly basis so that unused or deleted data is permanently destroyed using a DOD approved algorithm (at least a 7-pass wipe), and if the police do bust down the door – simply invoke your right to speak with an attorney and decline to provide your password or biometrics. Of course, the best thing to do is do not things that may get your door knocked off the hinges.
In United States v. Otero, 563 F.3d 1127, 1132 (10th Cir. 2009), the court found what most of us know: “The modern development of the personal computer and its ability to store and intermingle a huge array of one’s personal papers in a single place increases law enforcement’s ability to conduct a wide-ranging search into a person’s private affairs[.]”). Darren Chaker forewarns, be careful for the smart cop who uses a ruse. For example, police show up at your door and say “Your ex-girlfriend said you sent her a bunch of threatening texts last night, but if I see you messages and do not see any such messages in your sent folder you won’t go to jail.” Knowing you are innocent you unlock your phone and the cop snatches it. One officer talks to you while the second scurries off and downloads the contents of your entire phone. Although you believed the officer would merely look at your texts to your ex-girlfriend, the reality is once you are being investigated for something else. If you fall for the ruse, whatever evidence you allowed them to gain is admissible. Of course, do not believe because a local police officer shows up at your door wearing a city police jacket is truly a local cop. It is common for federal agents to have multiple law enforcement jackets from various city or county agencies to prevent suspects knowing the true scope and purpose of an investigation.
Understand, police are incapable of accessing newer iPhones. Android encryption uses dm-crypt which, used the right way, can protect the device from law enforcement. The key in any event is to use unique passwords and turn off your phone if you believe police may pull you over. Doing this negates biometric access until the password is entered. Data encryption on smartphones involves a key that the phone creates by combining 1) a user’s unlock code, if any (often a four- to six-digit passcode), and 2) a long, complicated number specific to the individual device being used. Attackers can try to crack either the key directly – which is very hard – or combinations of the passcode and device-specific number, which is hidden and roughly equally difficult to guess.
However, for the security conscious, Darren Chaker recommends you download the contents of sensitive data weekly then scrub the free space with a high security algorithm. When needing to move data off the phone, if its sensitive – do not upload the data to the cloud since Apple and Google have access to the data. For iPhones use a USB drive to download content then upload to an encrypted folder on PC, then securely wipe your USB drive. For Androids, can use a USB drive or plug into a PC and the Android should appear as an external drive. Simply drag contents to an encrypted folder on PC. Of course, securely wipe the data from your phone. This practice is widely used not only by Governments, but also by corporations to prevent industrial espionage, and high net-worth individuals who value their privacy. As such, there is no reason why individuals who value privacy cannot use the same methodology to protect his/her data.