The first two paragraphs of the article are about a journalist covering war crimes exiting a country and being searched.<p>Fifth amendment distinctions between passwords and fingerprints aren't a solution to the problems in Egypt, China and Turkey as those countries aren't subject to US law.<p>In that situation, from one perspective a duress code that wiped the phone might seem useful - it would establish that there's no point in continuing to torture you for the unlock code, as there's no longer any data to decrypt. But when the thugs saw you'd used the factory reset duress code, wouldn't they throw you in jail anyway?<p>What you want in that situation is to present a plausible alternative story ("as you can see, I was writing a story about the great success of your glorious leader's agricultural productivity reforms") while keeping the war crimes work hidden from accidental or forensic discovery.<p>Of course, it would take work to keep the alternative story plausible - which a journalist working on war crimes might be willing to do, but your average mobile phone user probably wouldn't.<p>[1] <a href="https://cpj.org/imprisoned/2016.php" rel="nofollow">https://cpj.org/imprisoned/2016.php</a>
Any solution that has to maintain plausible deniability must be resistant to automated forensic exploitation suites commonly sold to law enforcement.<p>The pre-boot authentication phase is far harder to attack than an operating system that has already booted, so the only solution I can see is a typical hidden volume setup with two independent operating systems. The capability needs to be baked into both iOS and Android by default.<p>Cloud backup, wipe and restore is also nice, but not necessarily an option for some people depending on the circumstance. On this front, I wish Android would stop sucking. From what I understand of iOS, it's simple and easy to do this with iCloud, and you end up with basically perfect backup restorations.<p>Why it's even acceptable for western border agents to rifle through people's private digital lives is mind boggling. It has zero national security value (there's already a large intelligence apparatus that does this at internet-scale), so the only real reason has to be to catch non-technical people lying about their immigration status. Somehow that justifies violating everyone's rights in the process.
Hi, author here. Really happy (but somewhat surprised) to see this up on HN, and am generally interested in pursuing this as a PhD thesis topic. If anyone has ideas or thoughts on novel systems in this arena I’d be very interested to hear about it!
iPhones require the password(/code) when turned on and (IIRC) under certain other conditions.<p>But I believe this isn't enough considering recent developments. They write:<p><pre><code> It’s important to note that deniability refers to the
ability to deny some plaintext, not the ability to deny
that you’re using a deniable algorithm.
</code></pre>
It's now common for border agents in the US to demand login credentials for social media accounts, and search all electronic devices. I can't think of anything more invasive than someone going through my photos and messages. Yet many people are required to visit the US (or countries only reachable via the US). We need methods to separate data into two parts, one being highly private and completely hidden from someone given access to our devices.<p>And while I would welcome a technical solution, it's important not to discount the power of the law. Such invasions of privacy would be illegal in the EU, and contrary to the cynics, laws are generally respected in the developed world. The current news is making me hopeful that (parts of) the US population are also starting to be sympathetic to some rights of foreigners even when they're applying for the privilege of crossing the border.
> <i>For instance, scanning anything but your right index finger might force a password-only lock. Scanning a pinky (or some other fingerprint / combination of fingerprints) might cause the phone to factory reset, or unlock and trigger deletion a specified portion of user data.</i><p>That's not plausible deniability, it's willful destruction of evidence. It's going to look extremely suspicious when your phone suddenly asks for a second factor or gets factory reset. This will only invite more liberal use of the rubber hose.<p>True plausible deniability is completely different. Your phone should unlock and expose all sorts of insignificant-but-realistic data to make it look like you've been using it all the time. This can't be done convincingly with a hidden O/S unless you use the hidden O/S every day, which is impractical for most people.<p>What we need is software that allows us to mark certain bits of data (files, messages, call history, apps) as "safe to expose" (whitelist mode) or "must hide" (blacklist mode) with little more than a couple of taps/clicks during normal usage. Not just hidden at the application level, but gone from the underlying filesystem as well. Any ideas for an encrypted, possibly layered filesystem with two or more keys that expose different subsets of files, leaving the rest indistinguishable from empty space?
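The layered, multi-key container asked for at the end of this comment, as an added example (it is not code from the article or from any commenter). The design is the one the comment sketches: a fixed-size blob filled with random bytes; a small header of key slots, each of which either holds an encrypted descriptor (offset, length, per-volume data key) under one passphrase or is just random filler; and volumes laid out in the body so that an unused slot or unused region is byte-for-byte indistinguishable from an occupied one. Each passphrase reveals exactly one subset of files and nothing about the other slots. Assumptions, all mine: a toy HMAC-SHA256 counter-mode stream cipher in place of a real cipher, PBKDF2 with a deliberately low iteration count so the demo runs quickly, constructed passphrases and file contents, and no attempt to hide the existence of the container itself (the thread's own point is that the container's presence remains a tell).

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Container layout (constructed for this example, not a real on-disk format)
SLOT_COUNT = 4
SALT_LEN = 16
DESC_LEN = 4 + 4 + 32          # offset, length, per-volume data key
TAG_LEN = 32
SLOT_LEN = SALT_LEN + DESC_LEN + TAG_LEN
HEADER_LEN = SLOT_COUNT * SLOT_LEN
KDF_ITERS = 20_000             # far too low for real use; kept small so the demo is fast


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: HMAC-SHA256 run in counter mode, XORed over the data.
    Stand-in for a real cipher; what matters here is that output without the
    key is indistinguishable from the random filler around it."""
    stream = bytearray()
    for block in range((len(data) + 31) // 32):
        stream += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def derive_keys(passphrase: str, salt: bytes) -> tuple[bytes, bytes]:
    """Slot encryption key and slot MAC key from a passphrase (PBKDF2-HMAC-SHA256)."""
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, KDF_ITERS, dklen=64)
    return km[:32], km[32:]


def create_container(size: int, volumes: list[tuple[str, dict[str, bytes]]]) -> bytes:
    """Build a container of `size` bytes holding one volume per (passphrase, files) pair.
    Every byte not written by a volume or an occupied slot is fresh random data."""
    if len(volumes) > SLOT_COUNT:
        raise ValueError("more volumes than key slots")
    buf = bytearray(secrets.token_bytes(size))
    slots = list(range(SLOT_COUNT))
    secrets.SystemRandom().shuffle(slots)   # slot position says nothing about volume order
    cursor = HEADER_LEN
    for slot, (passphrase, files) in zip(slots, volumes):
        payload = json.dumps({name: data.hex() for name, data in files.items()}).encode()
        data_key = secrets.token_bytes(32)
        body = keystream_xor(data_key, b"vol", payload)
        if cursor + len(body) > size:
            raise ValueError("container too small for these volumes")
        buf[cursor:cursor + len(body)] = body
        # Slot: salt || Enc(offset, length, data_key) || HMAC tag over the ciphertext
        salt = secrets.token_bytes(SALT_LEN)
        enc_key, mac_key = derive_keys(passphrase, salt)
        desc = cursor.to_bytes(4, "big") + len(body).to_bytes(4, "big") + data_key
        enc_desc = keystream_xor(enc_key, b"hdr", desc)
        tag = hmac.new(mac_key, enc_desc, hashlib.sha256).digest()
        start = slot * SLOT_LEN
        buf[start:start + SLOT_LEN] = salt + enc_desc + tag
        cursor += len(body)
    return bytes(buf)


def unlock(container: bytes, passphrase: str) -> Optional[dict[str, bytes]]:
    """Try the passphrase against every slot. The only signal that a slot is real
    is a matching MAC tag under keys derived from that passphrase; a wrong
    passphrase learns nothing about which slots, if any, are occupied."""
    for slot in range(SLOT_COUNT):
        start = slot * SLOT_LEN
        salt = container[start:start + SALT_LEN]
        enc_desc = container[start + SALT_LEN:start + SALT_LEN + DESC_LEN]
        tag = container[start + SALT_LEN + DESC_LEN:start + SLOT_LEN]
        enc_key, mac_key = derive_keys(passphrase, salt)
        expected = hmac.new(mac_key, enc_desc, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            continue
        desc = keystream_xor(enc_key, b"hdr", enc_desc)
        offset = int.from_bytes(desc[:4], "big")
        length = int.from_bytes(desc[4:8], "big")
        data_key = desc[8:]
        payload = keystream_xor(data_key, b"vol", container[offset:offset + length])
        return {name: bytes.fromhex(h) for name, h in json.loads(payload).items()}
    return None


# Constructed sample data: a "safe to expose" set and a "must hide" set.
DECOY_FILES = {"travel_notes.txt": b"Conference schedule and hotel confirmations."}
HIDDEN_FILES = {"sources.txt": b"Contact list for the investigation (sample text)."}


def build_demo_container() -> bytes:
    return create_container(4096, [("decoy-pass", DECOY_FILES), ("hidden-pass", HIDDEN_FILES)])


if __name__ == "__main__":
    c = build_demo_container()
    print(unlock(c, "decoy-pass"))   # only the decoy subset
    print(unlock(c, "hidden-pass"))  # only the hidden subset
    print(unlock(c, "wrong-pass"))   # None; nothing distinguishes used slots from filler
```

The remaining two slots and the tail of the body stay random, so an examiner holding only the decoy passphrase sees one volume plus "free space" and has no way to tell whether a second passphrase exists. The usual hidden-volume caveat applies here too: writes through the decoy view must never be allowed to land on the hidden region, which is why this toy lays volumes out sequentially at creation time rather than growing them later.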
"However, the bad news is that hand-typed passwords are increasingly seen as the way of the past; hardware tokens and biometric sensing are considered to be far more usable, and will likely be employed more and more in the future."<p>Anytime you sacrifice security for convenience or simplicity, you lose. That's why I have no intention of ever using anything other than good ol' alphanumeric passwords that must be entered by hand. Anything that doesn't originate directly from my mind is not really protected at all. If all the government needs to do to grab all my data is take my hand and scan it, or hold my eyeball to a sensor, then it's all pointless.
The worst thing to do, when facing rubber hoses, or legalistic equivalents thereof, is to lie. Especially if you're not a well-trained liar. And especially if there may be independent evidence that would trip you up. The best option is having nothing to hide. When crossing hazardous borders, sensitive stuff should be securely in the cloud. And when coercion is likely, a third party should control access to it.
<i>> Scanning a pinky (or some other fingerprint / combination of fingerprints) might cause the phone to factory reset, or unlock and trigger deletion a specified portion of user data.</i><p>IANAL, but AFAIK there is a strict line between not providing incriminating evidence (legal, protected under 5th Amendment) and destroying evidence (criminal).
Not sure if this was mentioned already but Kali Linux includes a patch for cryptsetup that essentially does this - provide a certain passphrase and it nukes the keyslots, effectively making the data irrecoverable.<p><a href="https://www.kali.org/tutorials/emergency-self-destruction-luks-kali/" rel="nofollow">https://www.kali.org/tutorials/emergency-self-destruction-lu...</a> and tutorial for use at <a href="https://www.kali.org/tutorials/nuke-kali-linux-luks/" rel="nofollow">https://www.kali.org/tutorials/nuke-kali-linux-luks/</a><p>and the patch on GitHub:<p><a href="https://github.com/offensive-security/cryptsetup-nuke-keys" rel="nofollow">https://github.com/offensive-security/cryptsetup-nuke-keys</a>
The takeaway for me: US law enforcement can compel you to provide a fingerprint to unlock your phone, but cannot compel you to provide a password.<p><i>In particular, a recent precedent-setting court case in Minnesota has decided that fingerprints used for access control can be taken from a suspect without violating his fifth amendment rights. The logic of the decision [...] is that fingerprints are tantamount to similar evidence that is taken from suspects in the course of an investigation such as blood samples, handwriting samples, voice recordings, etc., all of which have been deemed by the Supreme Court to not be protected under the Fifth Amendment.</i>
I travel to the US semi-regularly. I never have trouble. Though it's a shame to have to mention it, I was born in the UK and have white skin. My colleague, who was also born in the UK but has darker skin, was detained for half an hour last time we crossed the border.<p>I'm a classic "nothing to hide". But I am seriously considering taking no electronics with me next time I cross the border. Might make work more of a hassle, but I'm sure it's doable.
FTA:<p>> If it isn’t baked-in to the operating system, the fact that the journalist was using some out-of-the-ordinary software itself, which may or may not have undeniable tells, would likely be a red flag and induce liberal use of the rubber hose.<p>This is in fact a thought that I've had about Truecrypt/Veracrypt: given a user, it seems the probability of them having a hidden volume is high. It might be deniable in the cryptographic sense, but it's very highly suggestive.
Android has had user profiles for a while. If you associate different fingerprints or different pin codes with different accounts, you can have your sneaky account with all the war crime photos and the "open" account which is full of dick pics and selfies, as per usual. Almost no new technology required.<p>This all assumes the border guard is simply going to go through texts, pictures and maybe open up a facebook or similar. If forensics get hold of it you're screwed.
I like the idea of using a sequence to unlock the phone, or a specific finger to wipe the phone, and a different finger to load into a "clean" environment. That would be a usable mix of secret knowledge, physical security, and convenience.
I think this article is glossing over an important part of the discussion. Biometric information is good for user <i>identification</i>; it is not good for <i>passwords</i>, and AFAIK this is a widely shared opinion across security professionals. <i>Don't</i> use fingerprints as passwords to protect sensitive data.
This is precisely something Julian Assange was working on with Rubberhose, in the leadup to Wikileaks. <a href="https://en.wikipedia.org/wiki/Rubberhose_(file_system)" rel="nofollow">https://en.wikipedia.org/wiki/Rubberhose_(file_system)</a>
I find it funny how you either concentrate on examples backing up one side of the debate (journalist vs political persecution) or another (pedophile ring), but almost nobody in this debate dares to propose legal and technological solutions that would be reasonable to both of these extreme examples.
It should only be seen as a temporary solution though. The permanent solution would be to reclassify passwords, fingerprints, blood samples etc. as testimony.<p>Making prosecuting the <0.1% easier at the cost of making 99.9%+ vulnerable should always be avoided.