Fifth amendment distinctions between passwords and fingerprints aren't a solution to the problems in Egypt, China and Turkey as those countries aren't subject to US law.
In that situation, from one perspective a duress code that wiped the phone might seem useful - it would establish that there's no point in continuing to torture you for the unlock code, as there's no longer any data to decrypt. But when the thugs saw you'd used the factory reset duress code, wouldn't they throw you in jail anyway?
What you want in that situation is to present a plausible alternative story ("as you can see, I was writing a story about the great success of your glorious leader's agricultural productivity reforms") while keeping the war crimes work hidden from accidental or forensic discovery.
Of course, it would take work to keep the alternative story plausible - which a journalist working on war crimes might be willing to do, but your average mobile phone user probably wouldn't.
What level of quality in the writing is needed? Can some kind of news aggregating algorithm generate plausible stories? Some kind of propaganda bot that writes stories that are favorable to the regime for the purpose of creating a plausible cover?
Do I need to go get more coffee and watch fewer spy movies?
The pre-boot authentication phase is far harder to attack than an operating system that has already booted, so the only solution I can see is a typical hidden volume setup with two independent operating systems. The capability needs to be baked into both iOS and Android by default.
Cloud backup, wipe and restore is also nice, but not necessarily an option for some people depending on the circumstance. On this front, I wish Android would stop sucking. From what I understand of iOS, it's simple and easy to do this with iCloud, and you end up with basically perfect backup restorations.
Why it's even acceptable for western border agents to rifle through people's private digital lives is mind-boggling. It has zero national security value (there's already a large intelligence apparatus that does this at internet scale), so the only real reason has to be to catch non-technical people lying about their immigration status. Somehow that justifies violating everyone's rights in the process.
I'm against it too, but of course it has more than zero national security value.
Unless a terrorist or spy is exceptionally stupid, they're not going to be carrying anything of value on their phone through a border checkpoint.
- TrueCrypt's hidden volumes
- Two OSes on the same phone; you have the innocent one booted up, and the other encrypted.
What are your thoughts on these?
[1] site seems to be dead, but still on archive.org: https://web.archive.org/web/20110709155818/http://iq.org/~pr...
But I believe this isn't enough considering recent developments. They write:
> It’s important to note that deniability refers to the ability to deny some plaintext, not the ability to deny that you’re using a deniable algorithm.
It's now common for border agents in the US to demand login credentials for social media accounts, and search all electronic devices. I can't think of anything more invasive than someone going through my photos and messages. Yet many people are required to visit the US (or countries only reachable via the US). We need methods to separate data into two parts, one being highly private and completely hidden from someone given access to our devices. And while I would welcome a technical solution, it's important not to discount the power of the law. Such invasions of privacy would be illegal in the EU, and contrary to the cynics, laws are generally respected in the developed world. The current news is making me hopeful that (parts of) the US population are also starting to be sympathetic to some rights of foreigners even when they're applying for the privilege of crossing the border.
That way they could maybe get an idea on how unfriendly, impolite, invasive and denigrating it actually is. And then when leaving get the idea that border agents can be helpful and friendly too.
Edit: And oh yes, all communication and paperwork is done in the language of the destination country.
There needs to be a better way to manage user data -- there's no middle ground right now and the UI is awful.
My friends went through an invasive, humiliating search at a Canadian border crossing that also damaged my friend's car, because they matched a description of cigarette smugglers in the 90s. The border/customs people were within their rights to do that.
The frequency of US searches is high now, but you NEVER had rights at any border crossing, and thinking carefully about what you drag across a border is a consideration that you need to think about.
https://github.com/securityfirst/Umbrella_content/blob/maste...
Hope it's useful!
Can you define common?
With regards to passwords, I don't have numbers, but have seen a few dozen reports over the years without actively looking for them, and I know someone personally to whom it happened (he refused and was allowed entry after a few hours). And whatever is currently discussed would probably include it, considering the San Bernardino case they cite as justification involved information shared with strict privacy settings:
https://www.google.de/search?client=safari&rls=en&q=us+askin...
That's not plausible deniability, it's willful destruction of evidence. It's going to look extremely suspicious when your phone suddenly asks for a second factor or gets factory reset. This will only invite more liberal use of the rubber hose.
True plausible deniability is completely different. Your phone should unlock and expose all sorts of insignificant-but-realistic data to make it look like you've been using it all the time. This can't be done convincingly with a hidden O/S unless you use the hidden O/S every day, which is impractical for most people.
What we need is software that allows us to mark certain bits of data (files, messages, call history, apps) as "safe to expose" (whitelist mode) or "must hide" (blacklist mode) with little more than a couple of taps/clicks during normal usage. Not just hidden at the application level, but gone from the underlying filesystem as well. Any ideas for an encrypted, possibly layered filesystem with two or more keys that expose different subsets of files, leaving the rest indistinguishable from empty space?
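An added illustration (not from the thread) of the layered container asked about above: one blob of fixed-size slots, all random-looking, where each key reveals only the slots sealed under it, and every other slot, whether another key's or genuinely empty filler, is indistinguishable from random bytes. To stay standard-library-only it uses HMAC-SHA256 as a counter-mode PRF keystream and as the tag; a real implementation would use an AEAD such as AES-GCM or XChaCha20-Poly1305, and the slot size and key values here are constructed for the demo.

```python
import hashlib
import hmac
import os
import secrets

SLOT = 256                 # payload bytes per slot (short files only, for illustration)
NONCE, TAG = 16, 32
SLOT_LEN = NONCE + 2 + SLOT + TAG   # nonce | enc(len + padded payload) | tag

def _keystream(key, nonce, n):
    # HMAC-SHA256 in counter mode as a PRF keystream (stand-in for a real cipher)
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def _seal(key, data):
    if len(data) > SLOT:
        raise ValueError("file too large for one slot")
    plain = len(data).to_bytes(2, "big") + data + b"\0" * (SLOT - len(data))
    nonce = os.urandom(NONCE)
    body = bytes(p ^ k for p, k in zip(plain, _keystream(key, nonce, len(plain))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def _open(key, slot):
    nonce, body, tag = slot[:NONCE], slot[NONCE:-TAG], slot[-TAG:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        return None   # not ours: random filler or another key's slot; we cannot tell which
    plain = bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))
    n = int.from_bytes(plain[:2], "big")
    return plain[2:2 + n]

def build_container(n_slots, layers):
    """layers: list of (key, [file bytes, ...]). Unused slots stay random filler."""
    slots = [os.urandom(SLOT_LEN) for _ in range(n_slots)]
    free = list(range(n_slots))
    secrets.SystemRandom().shuffle(free)   # no layer occupies a predictable region
    for key, files in layers:
        for f in files:
            slots[free.pop()] = _seal(key, f)
    return b"".join(slots)

def open_container(container, key):
    """Return the files sealed under `key`, in slot order; nothing else is learned."""
    found = []
    for i in range(0, len(container), SLOT_LEN):
        pt = _open(key, container[i:i + SLOT_LEN])
        if pt is not None:
            found.append(pt)
    return found
```

Handing over the "safe to expose" key yields only that layer's files; the holder cannot count how many other layers exist, only how many slots they could not open.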
Anytime you sacrifice security for convenience or simplicity, you lose. That's why I have no intention of ever using anything other than good ol' alphanumeric passwords that must be entered by hand. Anything that doesn't originate directly from my mind is not really protected at all. If all the government needs to do to grab all my data is take my hand and scan it, or hold my eyeball to a sensor, then it's all pointless.
No, you don't. And it's exactly this kind of black and white, all or nothing thinking that has hampered the success of the security community for decades.
Security folks, for obvious reasons, are only ever thinking about user scenarios where active security is needed. Scenes involving rubber hoses, angry cops, jealous spouses, competing corporations, etc. Those scenes matter, but they are a very small fraction of most users' lives.
Users are not stupid. When they reason about security, they think about all of the scenarios in their life. And, for every time they get picked up by the secret police and would be really glad they picked a 14-digit alphanumeric passcode, they know there are a million more times where they wanted to take a picture of that cute thing their kid is doing right now and don't want to spend the time unlocking the phone.
That is a real win in the user's mind. And those many small conveniences and joys are a huge part of the equation of their life.
Well-designed systems give users good security by integrating into their whole life, not just the idealized nefarious circumstances security folks spend all day thinking about. If you make your security too annoying, users will route around it, and now they have no security.
Isn't this a contradiction? Given how the NSA and co have backdoors in the cloud and such, and can order the operators of said cloud service to release information from their users.
If you have sensitive stuff, best not to cross any borders I'd say. Stay away from the US.
There's even an easy local solution: encrypt your data with a friend's public key (sealed box in libsodium parlance). It may be seized and intercepted, but you can't possibly decrypt it.
That's probably the kind of scheme Snowden used when he arranged his inability to decrypt his NSA data even if captured and tortured by some foreign country.
IANAL, but AFAIK there is a strict line between not providing incriminating evidence (legal, protected under 5th Amendment) and destroying evidence (criminal).
Better to disable anyway, but it's an option.
I'd say that depends on how much you pissed persecuting entities off.
(if you are a terrible person without really weird requirements you avoid capturing or destroy the evidence on an ongoing basis, not after you are caught)
https://www.kali.org/tutorials/emergency-self-destruction-lu... and tutorial for use at https://www.kali.org/tutorials/nuke-kali-linux-luks/
and the patch on github;
In particular, a recent precedent-setting court case in Minnesota has decided that fingerprints used for access control can be taken from a suspect without violating his fifth amendment rights. The logic of the decision [...] is that fingerprints are tantamount to similar evidence that is taken from suspects in the course of an investigation such as blood samples, handwriting samples, voice recordings, etc., all of which have been deemed by the Supreme Court to not be protected under the Fifth Amendment.
This may be true for normal law enforcement, but if you're at (or perhaps near) the border, the rules are different.
I'm a classic "nothing to hide". But I am seriously considering taking no electronics with me next time I cross the border. Might make work more of a hassle, but I'm sure it's doable.
Re dog photos, as others have said, falsifying anything is a very bad idea.
> If it isn’t baked-in to the operating system, the fact that the journalist was using some out-of-the-ordinary software itself, which may or may not have undeniable tells, would likely be a red flag and induce liberal use of the rubber hose.
This is in fact a thought that I've had about Truecrypt/Veracrypt: given a user, it seems the probability of them having a hidden volume is high. It might be deniable in the cryptographic sense, but it's very highly suggestive.
This all assumes the border guard is simply going to go through texts, pictures and maybe open up a facebook or similar. If forensics get hold of it you're screwed.
Just need to switch user before you get off the plane.
You have to give the thugs something... or else they'll keep after you until you do. So you have to give them some boring but credible data. Wiping the phone is suspicious.
There needs to be a way to unlock the phone at a moment's notice via either profile. And there shouldn't be an easy way to see if there is another profile on the phone.
It just needs to provide the mechanism with proper sandboxing. You still have to make this alternative look reasonable.
> I don't know how the phone would be able to obscure the contents of a micro-SD card, for example
You wouldn't use something like that for plausible deniability.
Making prosecuting the <0.1% easier at the cost of making 99.9%+ vulnerable should always be avoided.