By Jason Purviance, Chief Information Officer, ModeOne Technologies
People consider their smartphones an extension of themselves: their eyes, ears, and touch. One day, a manufacturer will figure out how to incorporate scent. No wonder individuals maintain a strong privacy interest in their smartphones and personal data.
The right to privacy is a fundamental human right protected by law in many countries. It is the right to be free from unwarranted intrusion, surveillance, and interference into an individual’s personal life. Because the smartphone has become an integral part of our daily lives and contains a wealth of personal information, including browsing history, contacts, messages, and photographs, people believe their privacy rights extend to their cell phones. And the Supreme Court of the US (SCOTUS) agrees. In Carpenter v. United States, the High Court opined that cell phone users have a reasonable expectation of privacy under the Fourth Amendment. But there’s much more to it than that.
People believe they have a privacy interest in controlling their data to protect their personal information from being misused or exploited by others. Although federal law and SCOTUS have not weighed in on those matters, state laws, such as the California Consumer Privacy Act (CCPA), give individuals more control over the personal information businesses collect. In the international arena, Europe’s comprehensive privacy law, known as General Data Protection Regulation (GDPR), requires companies to ask in advance for some permissions to share data and gives individuals rights to access, delete, or control the use of that data.
ModeOne’s truly remote, targeted smartphone collection technology and processes recognize individual privacy interests in their smartphone and generally their right to control their personal data. In fact, the company’s patented SaaS framework for data collection for litigation, compliance, and investigation purposes separates ModeOne from other technology and services providers who collect ALL smartphone data and claim to review only what is relevant to a matter using search parameters and date-range filters. That’s the traditional, but not necessarily better way to collect data from mobile devices. Why not capture only the relevant data required from the smartphone and then review this limited subset of data? ModeOne asked and answered this question.
The Danger of Over-Collecting Smartphone Data
The traditional method of smartphone collection has been to access the phone and take a full image of ALL the data it stores. But attorneys generally don’t need every piece of data stored on a smartphone. They require only what’s relevant to the matter at hand. Targeted collection protects the custodian’s privacy, expedites the “time-to-facts,” and saves time and money.
For example, most matters don’t require pictures of the custodian’s kids playing soccer or their birthday celebration photos. Issues usually don’t involve grocery shopping lists and map coordinates to the nearest steakhouse. They apply to some event within a specific date range, using known data sources and types involving particular participants. ModeOne understood and has addressed these issues.
Consider the burden of collecting all the data from a smartphone and securing it from unauthorized access. Can’t imagine it? Recall Alex Jones’ cell phone leak. Jones’ attorney inadvertently sent the contents of the Infowars founder and far-right conspiracy theorist’s smartphone to opposing counsel for the Sandy Hook parents who sued Jones for defamation over his false “hoax” claims about the 2012 Newtown, Connecticut massacre.
The result did not turn out well for Jones. Juries in Connecticut and Texas awarded $1.487 billion in damages from Jones to a first responder and victims’ families. And the House committee investigating the January 6 Capitol Hill insurrection wanted the details of “intimate messages” between Jones and former Trump political advisor Roger Stone found on the phone, according to the Sandy Hook parents’ lawyer. This is a great example of the danger of over-collecting smartphone data, which is not a worry for users of ModeOne’s SaaS framework for Apple and Android phone collections.
ModeOne’s remote, targeted smartphone collection
ModeOne collects targeted data within the scope of a matter. A client typically provides a forensic technician information about a data custodian’s smartphone and how he/she uses it for business activities. The technician considers this information and the requirements of a matter, defined by counsel, to establish appropriate parameters for the scope of the smartphone collection.
ModeOne’s SaaS solution enables the technician to define the date ranges and data sources relevant to each matter. The ModeOne framework gains remote access to the smartphone only after receiving the custodian’s advance permission, locates the relevant data stored on the phone, and securely transfers it to ModeOne’s cloud storage on Amazon Web Services (AWS), where it is encrypted and stored. The client can then search and review relevant messages in a threaded format like what we experience on our smartphone using ModeOne’s web-based user interface and download selected messages in a format compatible with any eDiscovery review platform.
ModeOne protects custodians’ privacy rights to their smartphone data by accessing and transferring only the data authorized by the client. It provides a collection inventory summary to review the specific details of the data collected including individual file size and number of messages, threads, and photos.
ModeOne’s proven smartphone collection process adheres to the guidelines of privacy frameworks by using only the data required and relevant to a specific matter. It encrypts the data in transit and at rest in the cloud. It uses multiple layers of security to monitor, detect, and defend against possible malicious activity and unauthorized access to data stored. The company also deploys an additional security incident and event monitoring solution.
In summary, ModeOne developed and patented truly remote, targeted smartphone data collection software to protect user privacy and adhere to privacy frameworks. But smartphones are not immune from hacking and data breaches. To ensure maximum privacy protection, business organizations should take the necessary steps to manage application permissions, encrypt data, delete old apps, and require locking of employee phones using biometrics, a PIN, or a passcode.