Deniability and Duress

mit.edu

382 points by johnhess 9 years ago · 123 comments

michaelt 9 years ago

The first two paragraphs of the article are about a journalist covering war crimes exiting a country and being searched.

Fifth amendment distinctions between passwords and fingerprints aren't a solution to the problems in Egypt, China and Turkey as those countries aren't subject to US law.

In that situation, from one perspective a duress code that wiped the phone might seem useful - it would establish that there's no point in continuing to torture you for the unlock code, as there's no longer any data to decrypt. But when the thugs saw you'd used the factory reset duress code, wouldn't they throw you in jail anyway?

What you want in that situation is to present a plausible alternative story ("as you can see, I was writing a story about the great success of your glorious leader's agricultural productivity reforms") while keeping the war crimes work hidden from accidental or forensic discovery.

Of course, it would take work to keep the alternative story plausible - which a journalist working on war crimes might be willing to do, but your average mobile phone user probably wouldn't.

[1] https://cpj.org/imprisoned/2016.php

  • joekrill 9 years ago

    I guess ideally a duress code would make it seem as though regular access was given, while silently either wiping sensitive data or keeping it hidden.

    • 77pt77 9 years ago

      The most disseminated example is TrueCrypt's hidden volumes.

      • rattray 9 years ago

        Can you (or others) elaborate here?

        • ianferrel 9 years ago

          Truecrypt is a (now discontinued) encryption program that allowed you to nest encrypted containers within one another in a way that if you provided Password1, it would open Container1, and if you provided Password2, it would open Container2.

          Since the Container's full size was allocated at creation, and the size of the contents cannot be determined without the key, this gave plausible deniability. You could keep your real sensitive information in an encrypted volume, and put something that could plausibly be sensitive but that you didn't really care about someone getting in a nested volume, and when forced by the law/rubber hose to decrypt, provide the password to the volume you don't care about, and there's no way for anyone to prove that you didn't fully decrypt the contents.

          • usefulcat 9 years ago

            Side note: TrueCrypt lives on as VeraCrypt.

          • SilasX 9 years ago

            But isn't it a non-trivial problem to generate plausible fake data?

            • ensignavenger 9 years ago

              You would use a 'fake' container for safe work that you don't mind revealing, while only entering your 'secret' container when, and always when, doing work you want to keep secret. This way, there isn't really any 'fake' data, just different data.

            • kilotaras 9 years ago

              Truecrypt didn't generate fake data, you (the user) did. E.g. put porn on the "show to thugs" partition and "Death star plans" on the "true" encrypted partition.

              • SilasX 9 years ago

                Yeah, I know. My point is that it's hard to generate a plausible alternate dataset for something like that.

                "So, the decrypted hard drive says that you used the computer exactly once to put pornography on the computer and then never use it again ..."

                • jacobush 9 years ago

                  Poop porn? Also, besides keeping that, and starting VLC muted in the background from time to time to keep plausibility, you would use the porn tainted partition for your everyday stuff. Hacker news, etc.

            • smellf 9 years ago

                  echo "Truecrypt test" > /mnt/plausible_deniability_volume/README && history -d $(history | tail -n1 | cut -d' ' -f1)

        • 77pt77 9 years ago

          I've never used it so all I could say you can find in the documentation.

  • mulmen 9 years ago

    Could a cooperative effort to create a plausible body of work help in these situations? A journalist could keep a plausible number of canned stories on their machine and when the duress code is triggered everyone stops using them and more are written to take their place.

    What level of quality in the writing is needed? Can some kind of news aggregating algorithm generate plausible stories? Some kind of propaganda bot that writes stories that are favorable to the regime for the purpose of creating a plausible cover?

    Do I need to go get more coffee and watch fewer spy movies?

    • jacobush 9 years ago

      More coffee and more movies. :) How about some real canned stories but of less devastating effect.

  • wang_li 9 years ago

    In the kind of place where you have to worry about rubber hoses, it seems probable that you'd not want to be carrying a device that has the known purpose of secreting information.

rl3 9 years ago

Any solution that has to maintain plausible deniability must be resistant to automated forensic exploitation suites commonly sold to law enforcement.

The pre-boot authentication phase is far harder to attack than an operating system that has already booted, so the only solution I can see is a typical hidden volume setup with two independent operating systems. The capability needs to be baked into both iOS and Android by default.

Cloud backup, wipe and restore is also nice, but not necessarily an option for some people depending on the circumstance. On this front, I wish Android would stop sucking. From what I understand of iOS, it's simple and easy to do this with iCloud, and you end up with basically perfect backup restorations.

Why it's even acceptable for western border agents to rifle through people's private digital lives is mind boggling. It has zero national security value (there's already a large intelligence apparatus that does this at internet-scale), so the only real reason has to be to catch non-technical people lying about their immigration status. Somehow that justifies violating everyone's rights in the process.

  • monochromatic 9 years ago

    > It has zero national security value

    I'm against it too, but of course it has more than zero national security value.

    • rl3 9 years ago

      How so?

      Unless a terrorist or spy is exceptionally stupid, they're not going to be carrying anything of value on their phone through a border checkpoint.

      • sokoloff 9 years ago

        I wouldn't underestimate the propensity of humans of all sorts to act against their own interests in service of laziness.

        State-sponsored agents are less likely to be lazy and more likely to follow SOPs, but the average person (law abiding or not) is likely to be lazy/sloppy a lot.

      • jacobush 9 years ago

        There are stupid terrorists. However, one could argue the value to national security is negative, because of drag on the economy, resentment, and because these resources could be better spent elsewhere. Like training our own real life spies.

mspecter 9 years ago

Hi, author here. Really happy (but somewhat surprised) to see this up on HN, and am generally interested in pursuing this as a PhD thesis topic. If anyone has ideas or thoughts on novel systems in this arena I’d be very interested to hear about it!

  • rattray 9 years ago

    Two possible (partial?) solutions mentioned on this thread were:

    - TrueCrypt's hidden volumes

    - Two OS's on the same phone; you have the innocent one booted up, and the other encrypted.

    What are your thoughts on these?

  • shabble 9 years ago

    Not novel, but not widely known about is the (original?) Rubberhose File System[1], where you can have a number of deniable partitions, and adversaries shouldn't ever be entirely certain you've given up all of them.

    [1] site seems to be dead, but still on archive.org: https://web.archive.org/web/20110709155818/http://iq.org/~pr...

  • canadaduane 9 years ago

    Is it possible to create a "zip file" format that looks like a normal zip file, but has two passwords and two separate paths to decode to different content?

matt4077 9 years ago

iPhones require the password(/code) when turned on and (IIRC) under certain other conditions.

But I believe this isn't enough considering recent developments. They write:

    It’s important to note that deniability refers to the
    ability to deny some plaintext, not the ability to deny
    that you’re using a deniable algorithm.

It's now common for border agents in the US to demand login credentials for social media accounts, and search all electronic devices. I can't think of anything more invasive than someone going through my photos and messages. Yet many people are required to visit the US (or countries only reachable via the US). We need methods to separate data into two parts, one being highly private and completely hidden from someone given access to our devices.

And while I would welcome a technical solution, it's important not to discount the power of the law. Such invasions of privacy would be illegal in the EU, and contrary to the cynics, laws are generally respected in the developed world. The current news is making me hopeful that (parts of) the US population are also starting to be sympathetic to some rights of foreigners even when they're applying for the privilege of crossing the border.

  • koonsolo 9 years ago

    I wish EU and other non-US countries would offer "US-border treatment" to all US citizens when they enter, and normal border control when they leave.

    That way they could maybe get an idea on how unfriendly, impolite, invasive and denigrating it actually is. And then when leaving get the idea that border agents can be helpful and friendly too.

    Edit: And oh yes, all communication and paperwork is done in the language of the destination country.

    • matt4077 9 years ago

      I feel sympathy for the idea, but it kinda undermines the case against these practices. If we're saying "terrorism" isn't enough of a reason for wide-scale privacy invasion, how could "getting the US to change its policy" ever be enough? Additionally, it's an individual's rights being infringed, almost none of whom have influence on policy beyond voting, and the vast majority of whom, belonging to the subset of Americans traveling to Europe, didn't even vote for Trump.

      • dmichulke 9 years ago

        > didn't even vote for Trump.

        These practices mentioned by GP exist since well before 2017.

        Following your logic, the question would be if they voted for Obama. And, if the vast majority didn't vote for Trump, they probably voted for Obama. So it actually would affect the "right" people.

        (Not that I agree in any way with punishing citizens for what their government does)

  • Spooky23 9 years ago

    It is a clear technical problem. Pre-smartphone, you weren't dragging your whole life around in your pocket.

    There needs to be a better way to manage user data -- there's no middle ground right now and the UI is awful.

    My friends went through an invasive, humiliating search at a Canadian border crossing that also damaged my friend's car, because they matched a description of cigarette smugglers in the 90s. The border/customs people were within their rights to do that.

    The frequency of US searches is high now, but you NEVER had rights at any border crossing, and thinking carefully about what you drag across a border is a consideration that you need to think about.

  • secfirstmd 9 years ago

    On that topic, we've included some guides on crossing borders / going through airports / attending protests and loads of other physical/digital security stuff in Umbrella App. (Learn more or download at https://www.secfirst.org). The specific piece is available on our Github (all our stuff is open source or Creative Commons, so feel free to re-use or please add more!).

    https://github.com/securityfirst/Umbrella_content/blob/maste...

    Hope it's useful!

  • chrisbolt 9 years ago

    > It's now common for border agents in the US to demand login credentials for social media accounts, and search all electronic devises.

    Can you define common?

    • matt4077 9 years ago

      Requesting account names is already common practice: http://www.politico.com/story/2016/12/foreign-travelers-soci.... That does not include passwords, and it's "voluntary". But having filled out US immigration forms a few times (and watched others doing it), the process is quite intimidating and many will be pressured into providing that data. Why else would they? There is no upside to the US gov having that data for me.

      With regards to passwords, I don't have numbers, but have seen a few dozen reports over the years without actively looking for them and knowing someone personally to whom it happened (he refused and was allowed entry after a few hours). And whatever is currently discussed would probably include it, considering the San Bernardino case they cite as justification involved information shared with strict privacy settings:

      https://www.google.de/search?client=safari&rls=en&q=us+askin...

    • microtherion 9 years ago

      The ESTA form asks for social media accounts (though not passwords, and ostensibly providing the accounts is "optional"): https://esta.cbp.dhs.gov/esta/

      • TorKlingberg 9 years ago

        It does indeed. Here is a screen shot: http://imgur.com/a/jreOU

      • Swizec 9 years ago

        Oh wow that wasn't there last time I ESTA'd. Good thing I got that business visa a few years ago.

        Then again, I used my social media and general web presence as partial justification for the current O-1 visa so ... oh well.

        At least they can't find anything by googling my legal name.

        • StavrosK 9 years ago

          Fucking hell, that's the first time I see this too. I might have to reconsider my US trip...

  • pc86 9 years ago

    What countries are only accessible via the US?

    • FabHK 9 years ago

      None (it's not like Lesotho inside South Africa or San Marino inside Italy). I assume he meant destinations where most international flights go via the US, but not sure that's relevant - I'm pretty sure basically all South American countries have direct flights to Europe or Canada, say.

      • matt4077 9 years ago

        It can be prohibitively expensive to find a flight from Europe to the Caribbean or Central America that doesn't involve a stopover in the US.

kijin 9 years ago

> For instance, scanning anything but your right index finger might force a password-only lock. Scanning a pinky (or some other fingerprint / combination of fingerprints) might cause the phone to factory reset, or unlock and trigger deletion a specified portion of user data.

That's not plausible deniability, it's willful destruction of evidence. It's going to look extremely suspicious when your phone suddenly asks for a second factor or gets factory reset. This will only invite more liberal use of the rubber hose.

True plausible deniability is completely different. Your phone should unlock and expose all sorts of insignificant-but-realistic data to make it look like you've been using it all the time. This can't be done convincingly with a hidden O/S unless you use the hidden O/S every day, which is impractical for most people.

What we need is software that allows us to mark certain bits of data (files, messages, call history, apps) as "safe to expose" (whitelist mode) or "must hide" (blacklist mode) with little more than a couple of taps/clicks during normal usage. Not just hidden at the application level, but gone from the underlying filesystem as well. Any ideas for an encrypted, possibly layered filesystem with two or more keys that expose different subsets of files, leaving the rest indistinguishable from empty space?
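To make ianferrel's description of nested containers and kijin's wish for "two or more keys that expose different subsets ... leaving the rest indistinguishable from empty space" concrete, here is an added example in Python. It is my illustration, not code from the thread, the MIT article, TrueCrypt or VeraCrypt: the container layout, the 64-byte header with a plaintext salt and an encrypted magic value, PBKDF2 key derivation and the HMAC-SHA256 counter keystream are all assumptions standing in for the real XTS-AES format. What it shows is the property the thread relies on (the whole container is random-filled at creation, so free space, outer ciphertext and hidden ciphertext look alike, and a wrong password gives no hint that a second header slot is in use) and the classic failure mode: a write to the outer volume does not know the hidden region exists and can destroy it.

```python
import hashlib
import hmac
import os

# Layout constants for the toy container (assumed values, not TrueCrypt's format).
HEADER = 64        # bytes reserved for each volume header
SALT_LEN = 16      # plaintext salt at the start of each header
MAGIC = b"VOL!"    # decrypts to this only under the right password


def derive_key(password: str, salt: bytes) -> bytes:
    """Password -> 32-byte key (PBKDF2 stands in for the real tool's KDF)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def keystream(key: bytes, nbytes: int) -> bytes:
    """Toy counter-mode keystream from HMAC-SHA256; a real tool uses XTS-AES."""
    out = bytearray()
    for ctr in range((nbytes + 31) // 32):
        out += hmac.new(key, ctr.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(out[:nbytes])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def write_header(buf: bytearray, pos: int, password: str, off: int, length: int) -> None:
    """Encrypt (magic, data offset, data length) under the password at buf[pos]."""
    salt = os.urandom(SALT_LEN)
    plain = (MAGIC + off.to_bytes(8, "big") + length.to_bytes(8, "big")).ljust(HEADER - SALT_LEN, b"\0")
    buf[pos:pos + HEADER] = salt + xor(plain, keystream(derive_key(password, salt), len(plain)))


def create_container(size: int, outer_pw: str, hidden_pw: str, hidden_size: int) -> bytearray:
    """The full size is allocated up front and filled with random bytes, so unused
    space, outer ciphertext and hidden ciphertext are indistinguishable."""
    buf = bytearray(os.urandom(size))
    outer_off, outer_len = HEADER, size - 2 * HEADER
    write_header(buf, 0, outer_pw, outer_off, outer_len)                  # outer header: start of file
    hidden_off = size - HEADER - hidden_size                               # hidden data: tail of outer free space
    write_header(buf, size - HEADER, hidden_pw, hidden_off, hidden_size)  # hidden header: end of file
    return buf


def open_volume(buf: bytearray, password: str):
    """Try both header slots; return (data_key, offset, length), or None if the
    password matches neither. A failed open says nothing about a second slot."""
    for pos in (0, len(buf) - HEADER):
        salt = bytes(buf[pos:pos + SALT_LEN])
        key = derive_key(password, salt)
        plain = xor(bytes(buf[pos + SALT_LEN:pos + HEADER]), keystream(key, HEADER - SALT_LEN))
        if plain[:4] == MAGIC:
            data_key = hmac.new(key, b"data", hashlib.sha256).digest()
            return data_key, int.from_bytes(plain[4:12], "big"), int.from_bytes(plain[12:20], "big")
    return None


def write_data(buf: bytearray, password: str, data: bytes) -> None:
    vol = open_volume(buf, password)
    if vol is None:
        raise ValueError("no volume opens with that password")
    data_key, off, length = vol
    if len(data) > length:
        raise ValueError("data exceeds volume size")
    # Hazard: an outer-volume write does not know where the hidden region is and
    # will overwrite it; TrueCrypt needed the hidden password at mount time to avoid this.
    buf[off:off + len(data)] = xor(data, keystream(data_key, len(data)))


def read_data(buf: bytearray, password: str, n: int) -> bytes:
    data_key, off, _ = open_volume(buf, password)
    return xor(bytes(buf[off:off + n]), keystream(data_key, n))


if __name__ == "__main__":
    # Constructed sample: a 4 KiB container with a 1 KiB hidden volume.
    c = create_container(4096, "farm-report", "war-crimes", 1024)
    write_data(c, "farm-report", b"glorious agricultural reforms")
    write_data(c, "war-crimes", b"witness list: ...")
    print(read_data(c, "farm-report", 29))
    print(open_volume(c, "guess"))   # None: wrong password, and no sign of a second volume
```

The only thing an examiner with the outer password learns is the outer volume's offset and length; the bytes beyond the outer data that is actually in use are random either way. The flip side is the last step the test exercises: filling the outer volume past the hidden offset silently corrupts the hidden data, which is why the real tools offer a "protect hidden volume" mount mode.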

turc1656 9 years ago

"However, the bad news is that hand-typed passwords are increasingly seen as the way of the past; hardware tokens and biometric sensing are considered to be far more usable, and will likely be employed more and more in the future."

Anytime you sacrifice security for convenience or simplicity, you lose. That's why I have no intention of ever using anything other than good ol' alphanumeric passwords that must be entered by hand. Anything that doesn't originate directly from my mind is not really protected at all. If all the government needs to do to grab all my data is take my hand and scan it, or hold my eyeball to a sensor, then it's all pointless.

  • munificent 9 years ago

    > Anytime you sacrifice security for convenience or simplicity, you lose.

    No, you don't. And it's exactly this kind of black and white, all or nothing thinking that has hampered the success of the security community for decades.

    Security folks, for obvious reasons, are only ever thinking about user scenarios where active security is needed. Scenes involving rubber hoses, angry cops, jealous spouses, competing corporations, etc. Those scenes matter, but they are a very small fraction of most users' lives.

    Users are not stupid. When they reason about security, they think about all of the scenarios in their life. And, for every time they get picked up by the secret police and would be really glad they picked a 14-digit alphanumeric passcode, they know there are a million more times where they wanted to take a picture of that cute thing their kid is doing right now and don't want to spend the time unlocking the phone.

    That is a real win in the user's mind. And those many small conveniences and joys are a huge part of the equation of their life.

    Well-designed systems give users good security by integrating into their whole life, not just the idealized nefarious circumstances security folks spend all day thinking about. If you make your security too annoying, users will route around it, and now they have no security.

  • Rafert 9 years ago

    Why not both? A password with a U2F security key seems hard to beat.

    • miend 9 years ago

      I use this combo whenever possible, though the number of services yet supporting FIDO/U2F is still a bit disappointing. It's been incredibly convenient to be able to use my bitcoin hardware wallets to double as U2F keys wherever I need them. Given that any device I would use an OTP or text 2FA solution with already requires time to unlock, it's far less convenient on top of being more exploitable.

      • stinkytaco 9 years ago

        Are you using the Ledger as a wallet? Doesn't plugging the device into an untrusted PC worry you at all? Leaving all that aside, the biggest issue for me and U2F is the mobile problem. I have a YubiKey NEO, but U2F does not work over NFC, so I'm still stuck creating application passwords for things.

        • DennisP 9 years ago

          The Ledger is designed to plug into an untrusted PC, that's the whole point. It's running secure hardware and never reveals the private key. It also has a display that tells you how much you're sending and to what address, so you're protected even if you have spyware that attempts to spoof those parameters.

          According to Yubikey, "All YubiKey NEO devices manufactured as of February 10, 2015 supported the current FIDO U2F specification for NFC."

          https://www.yubico.com/products/yubikey-hardware/yubikey-neo...

          Maybe you have an older device? Or, if you have an iPhone, it's Apple that's the problem, since it restricts NFC to Apple's own payment system. With Android, NFC is available to any app.

          • stinkytaco 9 years ago

            You're correct, but the implementation is limited. Chrome supports it, I think via Google Authenticator, but even their Gmail app doesn't support it directly. Nor does Dropbox, which are my primary two use cases. I highly doubt most other apps do either. The Google Authenticator support is a step, but it really needs to move to "enter password, tap token" in any app to really be useful.

    • turc1656 9 years ago

      Even better. My point was only that I will never use something that doesn't require an alphanumeric password. Anything added on top of that like two-factor just sweetens the pot.

mirimir 9 years ago

The worst thing to do, when facing rubber hoses, or legalistic equivalents thereof, is to lie. Especially if you're not a well-trained liar. And especially if there may be independent evidence that would trip you up. The best option is having nothing to hide. When crossing hazardous borders, sensitive stuff should be securely in the cloud. And when coercion is likely, a third party should control access to it.

  • Cthulhu_ 9 years ago

    > securely in the cloud

    isn't this a contradiction? Given how the NSA and co have backdoors in the cloud and such, and can order the operators of said cloud service to release information from their users.

    If you have sensitive stuff, best not to cross any borders I'd say. Stay away from the US.

    • mirimir 9 years ago

      Here's a simple hack. Anonymously lease N inexpensive VPS. Archive your stuff (perhaps a VM) with tar, encrypt with gpg, and use split to get N pieces. Use bbcp to put distinct subsets of pieces on each VPS, such that any M of the N VPS will give your stuff back.
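The "any M of the N VPS will give your stuff back" part of mirimir's hack is the piece most people get wrong, so here is an added example in Python (mine, not mirimir's script) that does the bookkeeping offline. It stands in for `tar | gpg | split` with a constructed byte string and for the N servers with an in-memory dict; the placement rule is an assumption: each piece is copied to N - M + 1 consecutive servers (wrapping round), so at most M - 1 servers can lack any given piece and any M servers together hold all of them.

```python
import hashlib
from itertools import combinations


def split_bytes(blob: bytes, n_pieces: int) -> list:
    """Equivalent of `split` into n near-equal chunks (the last takes the remainder)."""
    chunk = -(-len(blob) // n_pieces)   # ceiling division
    return [blob[i * chunk:(i + 1) * chunk] for i in range(n_pieces)]


def assign_pieces(n_pieces: int, n_servers: int, m: int) -> dict:
    """Map piece index -> set of server ids. Each piece goes to
    copies = n_servers - m + 1 servers, so at most m - 1 servers lack it
    and any m servers together hold every piece."""
    copies = n_servers - m + 1
    return {p: {(p + j) % n_servers for j in range(copies)} for p in range(n_pieces)}


def distribute(blob: bytes, n_pieces: int, n_servers: int, m: int) -> dict:
    """Return {server_id: {piece_index: piece_bytes}}: what each VPS would hold."""
    pieces = split_bytes(blob, n_pieces)
    placement = assign_pieces(n_pieces, n_servers, m)
    store = {s: {} for s in range(n_servers)}
    for p, servers in placement.items():
        for s in servers:
            store[s][p] = pieces[p]
    return store


def recover(store: dict, available: list, n_pieces: int):
    """Reassemble from the servers still reachable; None if any piece is missing."""
    have = {}
    for s in available:
        have.update(store[s])
    if len(have) < n_pieces:
        return None
    return b"".join(have[p] for p in range(n_pieces))


def threshold_holds(n_pieces: int, n_servers: int, m: int) -> bool:
    """Exhaustively confirm that every m-subset of servers can recover."""
    placement = assign_pieces(n_pieces, n_servers, m)
    return all(all(placement[p] & set(c) for p in placement)
               for c in combinations(range(n_servers), m))


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    # Constructed stand-in for the gpg output; in practice this is ciphertext.
    archive = bytes(range(256)) * 8
    store = distribute(archive, n_pieces=5, n_servers=5, m=3)
    print({s: sorted(pcs) for s, pcs in store.items()})        # who holds what
    print(sha256(recover(store, [0, 3, 4], 5)) == sha256(archive))  # True
    print(recover(store, [3, 4], 5))                           # None: two servers are not enough
```

Two things worth being clear about. This is an availability threshold, not a secrecy threshold: a single server holds a large share of the ciphertext, so the scheme only makes sense because the archive was encrypted with gpg first. And because every piece is replicated N - M + 1 times, each server stores roughly (N - M + 1)/N of the archive; lowering M buys tolerance of more lost servers at the cost of more storage on each.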

    • nine_k 9 years ago

      Consider SpiderOak or similar things that encrypt data on the client side and never upload the key.

  • sspiff 9 years ago

    Except that travellers may be (and sometimes are being) asked for login credentials to online accounts.

    • loup-vaillant 9 years ago

      I'm sure we can think of a "double lock" feature, where you allow a friend to lock you out of your account.

      There's even an easy local solution: encrypt your data with a friend's public key (sealed box in libsodium parlance). It may be seized and intercepted, but you can't possibly decrypt it.

      That's probably the kind of scheme Snowden used when he arranged his inability to decrypt his NSA data even if captured and tortured by some foreign country.

      • RcouF1uZ4gsC 9 years ago

        The really bad people are probably at that point going to torture you just to make an example of you to discourage others from doing the same.

        • mirimir 9 years ago

          Yeah, that's the downside of carrying stuff that you can't decrypt. They won't believe you, and won't stop until you decrypt it. Better is not to have anything sensitive with you.

          • pessimizer 9 years ago

            Encrypted volumes look random. There's no way of proving whether or not you have something you can't decrypt. Hence the need to have some innocent volume to decrypt as a tool in the argument to convince an interrogator that you have nothing left to hide.

            • loup-vaillant 9 years ago

              Better yet, fill every hard drive with random junk before formatting and selling them. If everyone has random data in their free space, it won't even look suspicious.

    • mirimir 9 years ago

      I don't mean normal online accounts. I mean something like the WikiLeaks upload site.[0] Once stuff is uploaded, you don't have control, or even access.

      0) http://wlupld3ptjvsgwqw.onion

tomp 9 years ago

> Scanning a pinky (or some other fingerprint / combination of fingerprints) might cause the phone to factory reset, or unlock and trigger deletion a specified portion of user data.

IANAL, but AFAIK there is a strict line between not providing incriminating evidence (legal, protected under 5th Amendment) and destroying evidence (criminal).

  • mysticmarvel 9 years ago

    My iPhone forces password entry after 5 failed attempts at TouchID unlock. If you can quickly thumb the sensor a few times, you can render fingerprint unlock impossible.

    Better to disable anyway, but it's an option.

    • StavrosK 9 years ago

      Exactly this. If they can force you to give them a fingerprint, but not a password, just reset the phone. You haven't destroyed anything, the data is still there, it's just inaccessible without the password.

      • mysticmarvel 9 years ago

        One possible threat here could be access being gained another way (court-order to provide text key), then with the device unlock key known being required to try each finger in sequence to identify if you provided a genuine try to unlock the device. Could be seen as obstruction (IANAL).

  • mynegation 9 years ago

    I immediately thought the same thing upon reading. One thing that comes to mind is: automatically triggered data destruction. If the laptop or the phone detects non-owner access attempts and destroys data on its own, is it destruction of evidence? The owner did not do it, and it was there just to protect from the real bad guys: corporate spies, identity thieves.

    • CJefferson 9 years ago

      The law often uses intention. Could you convince a jury of your peers you didn't do this just to hide your stuff from law enforcement?

      • _archon_ 9 years ago

        The obvious rebuttal is that you did this to hide your stuff from EVERYONE. Criminal mens rea doesn't exist; you're just a citizen who likes his privacy.

      • bzbarsky 9 years ago

        Yes, if it was the default OS behavior. Which is the argument the article makes.

    • throwawayish 9 years ago

      > is it destruction of evidence?

      I'd say that depends on how much you pissed persecuting entities off.

  • mspecter 9 years ago

    The theory is that the cops would be the ones selecting the finger. This would be no different from LE trying to crack a password, and the system permanently locking them out. However, I am also Not A Lawyer.

  • arde 9 years ago

    Besides, it would not be useful to trigger reset or deletion because LEOs could take a backup before the procedure.

  • maxerickson 9 years ago

    If you are a terrible person with really weird requirements you might prefer the charges related to destruction of evidence to the charges related to the evidence itself.

    (if you are a terrible person without really weird requirements you avoid capturing or destroy the evidence on an ongoing basis, not after you are caught)

    • JackFr 9 years ago

      For instance, in New York at least, if you are suspected of DUI and refuse to submit to a breathalyzer test, it is an automatic civil suspension of your driver's license for I believe two years. If you have prior convictions and are looking at jail time and a license suspension, the smart play is to refuse to take the test.

    • pc86 9 years ago

      I don't think being a "terrible person" (whatever the hell that means) has any bearing on whether or not you would want to protect your privacy.

      • maxerickson 9 years ago

        Sure, but someone carrying around evidence of crimes with heavier punishments than destruction of evidence is considering a different scenario than someone simply concerned with their privacy.

        • nicolas_t 9 years ago

          In the case of a journalist covering war crimes, the journalist is not necessarily a "terrible" person. There's a lot of countries where the laws are such that it is not necessarily unethical not to respect them.

          • maxerickson 9 years ago

            Again, sure, I was pointing out an instance where a person might prefer the destruction of evidence charges, not trying to exhaustively list all such situations.

_hnwo 9 years ago

Not sure if this was mentioned already but Kali Linux includes a patch for cryptsetup that essentially does this - provide a certain passphrase and it nukes the keyslots, effectively making the data irrecoverable.

https://www.kali.org/tutorials/emergency-self-destruction-lu... and tutorial for use at https://www.kali.org/tutorials/nuke-kali-linux-luks/

and the patch on github;

https://github.com/offensive-security/cryptsetup-nuke-keys
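What the nuke patch does, and the caveat arde raised further up (an examiner can back up the header before typing anything), are easy to see in a model. The following is an added example in Python, not code from Kali, cryptsetup or the linked patch: a simplified LUKS-style header in which every slot wraps the same master key under its own passphrase, plus a separate nuke verifier. The XOR wrapping, the separate nuke verifier and the constants are assumptions (real LUKS wraps the key with AES after anti-forensic splitting, and the Kali patch marks an ordinary slot as the nuke slot); the behaviour modelled is the one the tutorials describe: the nuke passphrase wipes all key slots instead of unlocking, and a header backup taken beforehand undoes it.

```python
import copy
import hashlib
import hmac
import os

SLOTS = 8        # LUKS1 has eight key slots; same count used here
KEY_LEN = 32     # master key length in bytes (assumed)


def derive(passphrase: str, salt: bytes) -> bytes:
    """Passphrase -> slot key. PBKDF2 as in LUKS1; LUKS2 defaults to Argon2."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 20_000, KEY_LEN)


class ToyLuksHeader:
    """Simplified model of a header with per-slot wrapped master keys and a nuke passphrase."""

    def __init__(self, passphrases, nuke_passphrase: str):
        master = os.urandom(KEY_LEN)
        # Only a digest of the master key is kept, to verify an unwrapped candidate.
        self.master_digest = hashlib.sha256(master).digest()
        self.slots = [None] * SLOTS
        for i, pw in enumerate(passphrases):
            self.add_key(i, pw, master)
        self.nuke_salt = os.urandom(16)
        self.nuke_check = derive(nuke_passphrase, self.nuke_salt)

    def add_key(self, slot: int, passphrase: str, master: bytes) -> None:
        salt = os.urandom(16)
        # One-time XOR wrap with the derived key (real LUKS: AES plus anti-forensic splitting).
        wrapped = bytes(a ^ b for a, b in zip(master, derive(passphrase, salt)))
        self.slots[slot] = (salt, wrapped)

    def unlock(self, passphrase: str):
        """Return the master key, or None. A nuke match wipes every slot instead."""
        if self.nuke_check is not None and hmac.compare_digest(
                derive(passphrase, self.nuke_salt), self.nuke_check):
            self.slots = [None] * SLOTS   # key slots gone: nothing left to brute-force
            self.nuke_check = None        # the nuke slot is wiped along with the rest
            return None
        for entry in self.slots:
            if entry is None:
                continue
            salt, wrapped = entry
            candidate = bytes(a ^ b for a, b in zip(wrapped, derive(passphrase, salt)))
            if hmac.compare_digest(hashlib.sha256(candidate).digest(), self.master_digest):
                return candidate
        return None

    def backup_header(self) -> dict:
        """What `cryptsetup luksHeaderBackup` hands an examiner before they try anything."""
        return {"slots": copy.deepcopy(self.slots),
                "nuke_salt": self.nuke_salt, "nuke_check": self.nuke_check}

    def restore_header(self, backup: dict) -> None:
        self.slots = copy.deepcopy(backup["slots"])
        self.nuke_salt, self.nuke_check = backup["nuke_salt"], backup["nuke_check"]


if __name__ == "__main__":
    # Constructed passphrases for the demonstration.
    hdr = ToyLuksHeader(["correct horse battery", "spare passphrase"], "burn-it-all")
    print(hdr.unlock("correct horse battery") is not None)   # True
    saved = hdr.backup_header()                               # examiner's copy, taken first
    print(hdr.unlock("burn-it-all"))                          # None, and the slots are now empty
    print(hdr.unlock("correct horse battery"))                # None: nuked
    hdr.restore_header(saved)
    print(hdr.unlock("correct horse battery") is not None)   # True: the backup defeats the nuke
```

The last three lines are the whole argument against relying on this at a checkpoint: imaging the header (or the entire disk) is the first step of any forensic procedure, so the nuke only helps against someone who types the passphrase into the live device without a copy. It also does nothing for deniability; the thread's point stands that wiped key slots are conspicuous.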

aorth 9 years ago

The takeaway for me: US law enforcement can compel you to provide a fingerprint to unlock your phone, but cannot compel you to provide a password.

In particular, a recent precedent-setting court case in Minnesota has decided that fingerprints used for access control can be taken from a suspect without violating his fifth amendment rights. The logic of the decision [...] is that fingerprints are tantamount to similar evidence that is taken from suspects in the course of an investigation such as blood samples, handwriting samples, voice recordings, etc., all of which have been deemed by the Supreme Court to not be protected under the Fifth Amendment.

  • kybernetikos 9 years ago

    > US law enforcement can compel you to provide a fingerprint to unlock your phone, but cannot compel you to provide a password.

    This may be true for normal law enforcement, but if you're at (or perhaps near) the border, the rules are different.

    • gcp 9 years ago

      It's been pointed out recently that "near the border" is "100 miles from the border" and the coastline counts as border, so the rules are different for most places in the USA where people actually live.

      • falcolas 9 years ago

        IIRC, the border is also defined as any airport which receives international flights.

        Of course, in practice the border definition isn't actually used in this fashion (that has been made public), but the potential does seem to exist.

  • Shivetya 9 years ago

    so why isn't there a feature for a duress fingerprint? all it does is turn the phone off or force the password required?

afandian 9 years ago

I travel to the US semi-regularly. I never have trouble. Though it's a shame to have to mention it, I was born in the UK and have white skin. My colleague, who was also born in the UK but has darker skin, was detained for half an hour last time we crossed the border.

I'm a classic "nothing to hide". But I am seriously considering taking no electronics with me next time I cross the border. Might make work more of a hassle, but I'm sure it's doable.

  • angry_octet 9 years ago

    You'll be flagged as someone who has something to hide because you had no phone. Just get a travel phone and another set of accounts (email/fb), use them occasionally, take some silly instagram photos of dogs/face swaps/food and you're done.

    • afandian 9 years ago

      Yeah maybe. But I don't do any web, email or social media on my phone anyway (I used to, heavily, but it wasn't a positive thing in my life so I cut it out. That's a separate issue).

      Re dog photos, as others have said, falsifying anything is a very bad idea.

andreareina 9 years ago

FTA:

> If it isn’t baked-in to the operating system, the fact that the journalist was using some out-of-the-ordinary software itself, which may or may not have undeniable tells, would likely be a red flag and induce liberal use of the rubber hose.

This is in fact a thought that I've had about Truecrypt/Veracrypt: given a user, it seems the probability of them having a hidden volume is high. It might be deniable in the cryptographic sense, but it's very highly suggestive.

  • StavrosK 9 years ago

    Yes, that's why everyone should be using it.

    • TeMPOraL 9 years ago

      Or simply it should be shipped by default with your operating system. That way, everyone has it, whether they need it or not, and you can claim you don't know what that is and it must be something that came with your Windows copy.

chillydawg 9 years ago

Android had user profiles for a while. If you associate different fingerprints or different pin codes with different accounts, you can have your sneaky account with all the warcrime photos and the "open" account which is full of dick pics and selfies, as per usual. Almost no new technology required.

This all assumes the border guard is simply going to go through texts, pictures and maybe open up a facebook or similar. If forensics get hold of it you're screwed.

  • Veratyr 9 years ago

    Android still does have user profiles. On Nougat, go to Settings -> Users. You can add profiles and associate a different lock with each (haven't tried fingerprints). Each has different sets of app data and switching between them is kinda obscure if you don't know what to do.

    Just need to switch user before you get off the plane.

    • ansible 9 years ago

      Yes, this is the way to go.

      You have to give the thugs something... or else they'll keep after you until you do. So you have to give them some boring but credible data. Wiping the phone is suspicious.

      There needs to be a way to unlock the phone at a moment's notice via either profile. And there shouldn't be an easy way to see if there is another profile on the phone.

      • angry_octet 9 years ago

        If your phone is Android and FDE is unlocked they can plug it into a device which will rip everything off. It's quite fast. Everything is then searched for keywords, contact phone numbers matched against ones of interest, etc. Best just to have a plain phone and restore from the cloud.

  • afandian 9 years ago

    'had'? My android device has user profiles.
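The requirement raised in the thread above (unlock at a moment's notice via either profile, with no easy way to tell that a second profile exists) can be met with fixed-count keyslots in the style of hidden volumes. The following is an added toy example, not Android's or any product's code: every container always carries SLOT_COUNT slots, used slots wrap a profile key under a PIN-derived key, and unused slots are random bytes, so the container alone does not reveal how many profiles it holds.

```python
"""Toy deniable profile keyslots (constructed example; not Android's design)."""
from __future__ import annotations

import hashlib
import hmac
import os
import random

SLOT_COUNT = 4                       # fixed, regardless of how many profiles exist
SALT_LEN, KEY_LEN, TAG_LEN = 16, 32, 32
SLOT_LEN = SALT_LEN + KEY_LEN + TAG_LEN
KDF_ITERATIONS = 50_000              # demo value; a real device would use a memory-hard KDF
# Caveat: short PINs are brute-forceable offline; on a real phone the PIN must be
# bound to hardware-backed rate limiting or the deniability is worthless.


def _kek(pin: str, salt: bytes) -> bytes:
    """Derive a key-encryption key from the PIN and a per-slot salt."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, KDF_ITERATIONS, KEY_LEN)


def make_container(profiles: dict[str, bytes]) -> bytes:
    """Build the slot table; `profiles` maps each PIN to its 32-byte profile key."""
    if len(profiles) > SLOT_COUNT:
        raise ValueError("too many profiles for the fixed slot count")
    slots = []
    for pin, key in profiles.items():
        salt = os.urandom(SALT_LEN)
        kek = _kek(pin, salt)
        wrapped = bytes(a ^ b for a, b in zip(key, kek))      # key XOR kek
        tag = hmac.new(kek, wrapped, "sha256").digest()       # proves the PIN opened this slot
        slots.append(salt + wrapped + tag)
    while len(slots) < SLOT_COUNT:                            # filler is random, same length
        slots.append(os.urandom(SLOT_LEN))
    random.SystemRandom().shuffle(slots)                      # slot position leaks nothing
    return b"".join(slots)


def unlock(container: bytes, pin: str) -> bytes | None:
    """Return the profile key this PIN opens, or None.

    Every slot is always tried so the timing does not hint which slot matched."""
    found = None
    for i in range(SLOT_COUNT):
        slot = container[i * SLOT_LEN:(i + 1) * SLOT_LEN]
        salt = slot[:SALT_LEN]
        wrapped = slot[SALT_LEN:SALT_LEN + KEY_LEN]
        tag = slot[SALT_LEN + KEY_LEN:]
        kek = _kek(pin, salt)
        if hmac.compare_digest(hmac.new(kek, wrapped, "sha256").digest(), tag):
            found = bytes(a ^ b for a, b in zip(wrapped, kek))
    return found
```

Whichever PIN is entered, the same code path runs and the same number of slots is checked, so the "open" profile and the hidden one are unlocked identically.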

hvidgaard 9 years ago

I like the idea of using a sequence to unlock the phone, or specific finger to wipe the phone, and a different finger to load into a "clean" environment. That would be a usable mix of secret knowledge, physical security, and convenience.

  • timClicks 9 years ago

    A system like that would need to do more than provide a clean slate. It wouldn't be plausible that someone would be using a worn phone without having installed any apps on it. Also, I don't know how the phone would be able to obscure the contents of a micro-SD card, for example.

    • hvidgaard 9 years ago

      > A system like that would need to do more than provide a clean slate

      It just needs to provide the mechanism with proper sandboxing. You still have to make this alternative look reasonable.

      > I don't know how the phone would be able to obscure the contents of a micro-SD card, for example

      You wouldn't use something like that for plausible deniability.

    • kkleindev 9 years ago

      Why shouldn't it have any apps on it? From my understanding, the point is that the crucial subset of user data is not available in that usage mode.

      • dbaupp 9 years ago

        The malicious actor would find it very suspicious (especially if/when these features are in popular platforms and thus widely known), breaking the deniability.

        • hvidgaard 9 years ago

          It's your own responsibility to tailor this "clean" state to your liking and make it look like you use it.

tunesmith 9 years ago

Or for an iPhone a finger that says "Upload my backup to iCloud, turn on password until the backup is done, then wipe my phone."

Waterluvian 9 years ago

Like a fake ATM PIN number that shows only $28 in your account and signals authorities.

forgotpwtomain 9 years ago

I think this article is glossing over an important part of the discussion. Biometric information is good for user identification; it is not good for passwords, and AFAIK this is a widely shared opinion across security professionals. Don't use fingerprints as passwords to protect sensitive data.

davidgerard 9 years ago

This is precisely something Julian Assange was working on with Rubberhose, in the lead-up to Wikileaks. https://en.wikipedia.org/wiki/Rubberhose_(file_system)

aerovistae 9 years ago

This is a really excellent idea that can do nothing but good. I would support this however I could.

amelius 9 years ago

Strange that the article didn't mention steganography, [1].

[1] https://en.wikipedia.org/wiki/Steganography

tudorw 9 years ago

Just from a practical point of view, I like the idea that different fingers could launch into different desktops, a home and work one for example.

golergka 9 years ago

I find it funny how you either concentrate on examples backing up one side of the debate (journalist vs political persecution) or another (pedophile ring), but almost nobody in this debate dares to propose legal and technological solutions that would be reasonable to both of these extreme examples.

meanduck 9 years ago

It should only be seen as a temporary solution though. The permanent solution would be to reclassify passwords, fingerprints, blood samples etc. as testimony.

Making prosecuting the <0.1% easier at the cost of making 99.9%+ vulnerable should always be avoided.

philip142au 9 years ago

Make technology to resist.

tzs 9 years ago

How did journalists deal with this in the pre-digital days, when their notes would have been on paper and their photographs on rolls of film?

1_2__3 9 years ago

Duress codes are so effective that government will never, ever allow them to become widespread.
