Around the turn of the century, the FBI was pursuing a case against a suspect—rumored to be Las Vegas strip-club tycoon Michael Galardi, though documents in the case are still sealed—when it hit upon a novel surveillance strategy.

The suspect owned a luxury car equipped with an OnStar-like system that allowed customers to "phone home" to the manufacturer for roadside assistance. The system included an eavesdropping mode designed to help the police recover the vehicle if it was stolen, but the FBI realized this same anti-theft capability could also be used to spy on the vehicle's owner.

When the bureau asked the manufacturer for help, however, the firm (whose identity is still secret) objected. It said switching on the device's microphone would render its other functions—such as the ability to contact emergency personnel in case of an accident—inoperable. A federal appeals court sided with the company, ruling the company could not be compelled to transform its product into a surveillance device if doing so would interfere with the product's primary functionality.

The specifics of that 2003 ruling seem quaint today. The smartphones most of us now carry in our pockets can easily be turned into surveillance and tracking devices without impairing their primary functions. And that's not the only privacy risk created as we shift to a mobile, cloud-based computing world. The cloud services we use to synchronize data between our devices increase the risk of our private data falling prey to snooping by the government, by private hackers, or by the cloud service provider itself. And we're packing ever more private data onto our mobile devices, which can create big headaches if we leave a cell phone in a taxicab.

What to do about it? In this feature, we'll explore the new privacy threats being created as the world shifts to an increasingly mobile, multi-device computing paradigm. Luckily, there are steps both device makers and lawmakers can take to shore up privacy in the mobile computing age.

Cloudy with a chance of snooping

Law enforcement loves cloud computing. We don't know exactly how much information the government collects from online service providers, but Google alone fields thousands of requests from the US government each year for private customer data. Other providers have been less transparent, but they presumably experience similar request volumes.

A user-visible LED should be hard-wired to every camera, microphone, or GPS sensor on every mobile device.

Shifting data to a remote server makes life easier for mobile users, but it also makes life easier for people who want to access their data with or without permission. Data stored on third-party servers is much more vulnerable to surreptitious snooping not only by the government but also by hackers and the service provider itself.

Google's new privacy policy, which allows Google to more freely swap data among Google products, has attracted criticism from privacy groups such as the Electronic Privacy Information Center. Last year, Dropbox revealed it had accidentally left some of its users' data exposed to casual snooping for a few hours. Sony also had trouble safeguarding the data of PlayStation users.

A FreedomBox future?

What can we do to avoid the privacy problems created by third-party storage? Ars Technica talked to Eben Moglen, a law professor at Columbia University and chairman of the Software Freedom Law Center. He argued the only way for users to truly safeguard their privacy is not to relinquish control of personal information in the first place.

The best approach, Moglen argued, is for "storage and sync service to be provided in a form which deliberately disables computation on that data on the storage provider." Under Moglen's preferred model, services like Amazon's S3 might help users store their data in encrypted form, but computation using unencrypted data would only occur on devices physically under the control of the data's owner.

Moglen is a driving force behind the FreedomBox, a project to build a user-friendly home server that would allow ordinary users to provide many of the computing and communications services currently offered by firms like Google and Facebook.

Moglen acknowledges it's a big technical challenge to make the FreedomBox a reality. Free Web servers, mail servers, content management systems, and other software exist, but they currently require far too much user configuration to provide a plausible alternative to managed services for the average user. Improvements in reliability are also needed. And even federated social networking services like identi.ca have failed to gain significant traction against centralized services like Twitter and Facebook.

But while progress has been relatively slow, Moglen believes his model will prevail eventually. "What we're talking about is what's going to affect the nature of humanity in the long run," he told us. "The important question is can we do it at all. We've never met a problem we can't solve"—given enough time.

Fixing the third-party doctrine

While Moglen and his colleagues work on a user-friendly alternative to the cloud, users are entrusting a growing amount of information to cloud providers. Under a legal principle called the third-party doctrine, this data does not enjoy the same robust Fourth Amendment protections available to data physically controlled by a user. That means that the government may be able to obtain access to your private Facebook posts and even the contents of your Dropbox folder without getting a warrant.

There have been some moves toward extending full Fourth Amendment protections to online services. In 2010, the United States Court of Appeals for the Sixth Circuit held that remotely-stored e-mail is protected by the Fourth Amendment. And in January, Supreme Court Justice Sotomayor called the third-party doctrine "ill-suited to the digital age." In the future, she may convince a majority of her colleagues to embrace the Sixth Circuit's arguments. For now, data stored in the cloud lacks full Fourth Amendment protections in most jurisdictions.

In the meantime, Congress could update federal privacy law to give cloud services stronger statutory protections than the constitutional minimum established by the courts. The last time Congress re-wrote electronic privacy law was in 1986. Obviously, communication technologies have changed dramatically in the last quarter-century. The legal categories Congress established then don't necessarily make much sense today.

My phone, the spy

Lower Merion High School in suburban Philadelphia issued laptops to its 2300 students in the fall of 2009. Freshman Katarina Perich soon noticed the green light next to the camera on her school-issued MacBook was turning on for no apparent reason. "It was just really creepy," she told USA Today.

Perich's concerns were justified. The district eventually admitted it had installed an anti-theft system that included the ability to remotely activate laptop cameras. The system had been activated and thousands of pictures of students' homes were taken and transmitted back to the district's servers. School district officials contend the surveillance was due to a technical glitch, and the authorities ultimately decided not to press charges. A civil lawsuit brought by some students was settled for $610,000.

A growing number of mobile devices have built-in cameras, microphones, and GPS sensors. This means law enforcement agents no longer have to take the risk of physically invading a suspect's property to install a bug or tracking device. They can simply order whichever company is in charge of the target device's software to modify it to enable remote surveillance and tracking. And because most mobile devices do not have hard-wired LED indicators like those on laptop cameras, the owners of these devices are none the wiser.

In repressive regimes, the danger of government spying is already considered severe. Removing batteries from cell phones is a common practice among dissidents. As the Washington Post reported last year, "The practice has become so routine that Western journalists sometimes begin meetings with Chinese dissidents by flashing their batteries—a knowing nod to the surveillance risk."