#RSAC: Know the Changing Laws on Device Security

Legal precedents are beginning to be set around warrantless searches and giving up device access.

Speaking in a session at RSA Conference 2019 on exploring what you need to know about the cybersecurity landscape and cyber-cases, Richard Aldrich, cybersecurity policy and compliance analyst, highlighted several cases where privacy elements were potentially violated. 

In the case of the USA vs. Touset, where a person was tracked via a payment app and a Yahoo account, and was arrested as child abuse images were found, Aldrich said that this involved a forensic search which would usually require “reasonable suspicion.” 

Aldrich said that although it was not at issue in this case, where a cellphone is locked, the 2018 border inspection manual says a person “can be forced to give up their passphrase,” and while this has not come up in court, the police case says this raises a Fifth Amendment issue.

In the case of a fingerprint reader, Aldrich asked if this was a Fourth Amendment violation, and concluded that a “fingerprint is no expectation of privacy.”

As for facial identification, Aldrich said that there is little legal precedent for this, and asked whether it is legal if a police officer holds a phone to a person’s face and that unlocks it. “Most jurisdictions say that there is no expectation of what your face looks like in public.”

He recommended that companies update corporate IT policies for employees who cross borders, as employees could be forced to give up their passphrase when requested to do so; if they refuse, they may be denied entry.

Aldrich went on to highlight other cases, such as the Carpenter vs. USA case from 2017 where police requested GDS location data for users for 127 days, with no search warrant. “Is a warrantless search a violation of the fourth amendment? The sixth circuit said it wasn’t a violation.”

Also presenting was Dr Adriana Sanford, professor of cybersecurity law at Pepperdine University, who said that “global risk and financial impact on your industry varies.” She highlighted the GDPR and the Right to be Forgotten, and noted that national laws vary. For example, New Zealand and Canada say you must surrender passwords.

Concluding, Aldrich said that businesses should review their organization’s policy on transporting electronic files across borders, and in the next three months “identify personal information your company holds on individuals that could subject you to a class action if lost or stolen” and review cloud and service provider contracts.

Sanford recommended not relying on your general counsel, knowing the laws in countries, and discussing the complexities and repercussions with senior management.