UK Police Charge Activist for Refusing to Hand Over Passwords
motherboard.vice.comOne solution is for all other countries' border control started to demand passwords to unlock phone/all social apps for UK citizens, SPECIALLY target UK politicians and government workers.
Love to see any/all the interesting info one can find from the politicians.
Sounds like a good way to fight back. The US is doing this too sometimes. I don't really see a reason to search everyone's phone unless there's a reasonable suspicion and be allowed to watch them as they go through it. Just check if they have a weapon or not. If no weapon, don't see why further searching is needed. I saw another article about them wanting to scan people's papers they take with them. If they keep this stuff up, I think they will destroy the tourism industry and maybe more people will care.
I have sadly seen people commenting on similar articles on HN about how they don't ever plan to visit the US over these searches. Even a NASA engineer got searched.
Plus TSA has been known to steal also. I hope private jets become cheaper some day to avoid all this, well there are jet sharing programs. Drive straight to the runway and take off :) I guess if you have a huge company like Google or Apple, a private jet is basically free with all the write offs. Probably boosts productivity without all the waiting in lines.
I'm a US born citizen and I don't even look forward to flying. I haven't yet in my life but do want to fly and travel more someday. Every single day lately there's aways some news story about some major airline messing with people, or some story is talked about back to back on every news program involving the TSA.
Politicians are exempt. Seriously.
Diplomats are exempt, but a random Member of Parliament is not.
I recently flew to the U.S. - I did consider wiping my iPhone in advance and then restoring it from iCloud backup once safely in the hotel, but in the end just left it at home. It was very nice taking a break too.
Of course, as a fairly unremarkable middle-aged white guy, I didn't get stopped at all.
This makes me wonder what the statistical likelihood of 'getting into trouble' is for 'unremarkable' people entering the US (by flight).
If I'd fly to the US (unlikely), I'd definitely wipe my phone or leave it at home. But since I'm also 'unremarkable', I'm now wondering if perhaps the chance of getting into trouble is ridiculously small for me, and that perhaps I'm in a bit of a bubble of my own going through all this (pointless) trouble to be 'safe'.
Follow up from previous HN submitted article: https://news.ycombinator.com/item?id=14340137
Surprised more app developers are not creating solutions to this kind of thing - e.g. some form of multisig authorisation to access certain files or 2FA that relies on the second factor only being available at times access is genuinely needed.
If the governments claim they have authority to search your phone, then the only solution is not to store things on your phone during those border activities. Any system for denial of access will simply be considered obstruction.
So technical solutions would simply be to have a backup somewhere, with no trace of the backup software on the device itself. Get to where you're going, go to the website, or download the app, or plug it into another computer, and restore your data from the internet via access codes you have memorized. Or simply travel with a device dedicated for travel, and not your personal goings on.
But obviously, technical solutions don't solve the root poison, which is government destruction of rights and social health in the name of "protecting our rights and society from terrorists".
What I don't understand about the "create a backup" approach is that the government could simply ask you to surrender the backup. You shouldn't lie about having one, since that's (probably) a felony!
Also, what's to stop them from asking for your email or other account passwords?
Depending on the jurisdiction, the government agent may not be able to ask for the backup.
I only know US border control considerations and they can only legally ask for access to what you have on you when you cross the border. If you are an American citizen (or permanent resident) you can decline, and they may well seize your device(s) but cannot deny you entrance. If you are a visitor to the US they can legally deny you entry if you do not comply with their vague and ever changing requests.
But in neither scenario could they legally demand access to a backup copy: they can only ask for access to items in your possession while crossing the border, otherwise they would need to get a warrant.
The law appears to be unclear for permanent residents:
https://mobile.nytimes.com/2017/02/14/business/border-enforc...
Use two factor authentication for your email and whatnot and leave the authenticator at home. Use a different email for travel that is only password protected.
I'm not a lawyer, but I very strongly doubt deliberately making yourself unavailable to give the password on demand is going to be perceived by a court as as cute a way around this law as you believe it to be.
There's no technological solutions to things like this, only political ones.
There are no political solutions to things like this either - not that any of us talking about it here have any meaningful hope of accomplishing, anyway. We might as well try whatever technical fixes we can come up with, since it's better than the nothing we'll get if we wait for the politicians to deal with it.
Political/legal solutions are the only ones that will work long term. Tech solutions can be legislated around.
Political/legal solutions also take a generation or more to accomplish. What are we supposed to do in the meantime, just put up with governmental abuse?
Politics can potentially change within one election cycle, legal faster if get our opposition politicians onside.
Let's not be defeatist. Just because something is difficult and may take a long time does not make it impossible.
Don't travel with electronics?
Here's a business/service idea off the top of my head.
As a traveller, just before going through security you wipe your device and "sell" it to a vendor in exchange for a voucher that will allow you to exchange it back when you land and go through the security at your destination. You take the new device, provision it with your cloud data, and go on your visit; when you go back, you go through this process again, in the other direction.
Lots of problems to be solved with that idea, not the least of which is the business model, but it would allow you to travel without any electronics on your person.
I toyed with building an application like this, except that you just carry your device with you. The application basically tarballs your entire environment up, offsites it, and then wipes and factory-resets your device (incidentally I got lost in the rabbit hole of trying to wipe an SSD heh). It's completely clean, you can surrender your device for inspection, give passwords, etc. And then after you're through, you download the application which acts like a dropper, and it explodes your environment and data onto the device again. Docker was really useful here.
But this makes it very obvious you've reset your phone. Which is a red flag - although not technically illegal, so far.
You really want something that looks like an in-use device and gives no hint that you have sensitive files stored anywhere else.
It would have been configurable. The important thing is that your blob of data (e.g. VeraCrypt volume) is offsited and wiped. You could leave your laptop otherwise completely lived-in, just not containing your data anymore. Otherwise, I've worked for companies that gave out loaner phones for overseas travel. A factory-reset phone is much less suspicious than a threadbare "factory-reset" laptop.
On a laptop, it shouldn't be too hard to have a dual-boot system where OS 1 has nothing of interest, and OS 2 is temporarily hidden from the boot loader.
Alternatively keep the main OS on a USB or hard drive, and get that in/out of the country by other means.
There are other options. Generally, carrying obviously visible sensitive files with you in person is not a necessity.
The tech solution might be giving partial keys to someone in another legal jurisdiction.
e.g. I send a partial key to my cousin and grandmother which live in another country. When crossing borders I then logout and cannot log back in without their part of the key. A local judge will not be able to compel someone in another country to cooperate - and my grandmother's local judge will not be able to compel her since the request is being made in another country.
Kind of hokey - but maybe it works?
That only works if you have a grandma in a non-extraditing country
And if you don't mind being held indefinitely for contempt of court.
That's more or less the point of the GGP's suggestion. Contempt is generally brought in cases where you have the ability to comply, but choose not to.
If you do not have even the ability to comply, justifying contempt becomes increasingly difficult.
Are we expecting a government that violates their own rules to not violate their own rules in a different area? Let's see how fast your grandma will give up the password when it is the only way to get you out of lockup at a torture center (using my definition of torture, not any of the horrible biased ones different governments use).
If your mom overseas has the password, you do have the ability to comply. Ask you mom for the password. She gives it to you. You comply.
Here's another example that might make this more clear. Let's say I embezzle a million dollars from my employer, and they sue me to get it back. (Let's just pretend that I avoid criminal charges for simplicity.) When they win and I tell them, "I can't comply, I gave it to my cousin in France to hold on to," what do you think the judge does? I'll tell you what the judge does: https://en.wikipedia.org/wiki/H._Beatty_Chadwick (This only applies to the U.S.. I suppose in the U.K. you would do two years and then be released.)
In the case you linked, the contention was that the judge thought the defendant had access to the money, whereas he said he didn't. If you give the money to another, autonomous, person, and the judge believes that you did, then you should be in the clear. Naturally, you could ask the person for the money, much as you would a bank teller. However, if you had previously instructed the person to ignore such a request, then you would be incapable of retrieving the money. Holding you beyond then would have the goal of using your incarceration to coerce another person, which I'm sure the courts would frown at.
I am not a judge, but if I were, I imagine I would assume you had been insufficiently sincere in your effort to convince your co-conspirator.
Sure. And you will be held in contempt until you facilitate access.
We need security mechanisms that prevent such overreach being possible at all, just like Apple is doing with their hardware.
Jonathan Zidarski (now at Apple) had a really good post on the approaches to handle security checkpoints [1]. It's enlightening and at the same time depressing.
There is a technological solution: plausible deniability. Devices/apps need two passwords: one unlocks your normal and secret files, and the other only unlocks your normal files. Agents asking for your passwords would see evidence of normal use only. Sort of a "can't prove a negative" defense.
The problem is that HN-types want to assert cryptographic power over agents of governments, ie I won't show you my files and you can't make me so I win.
This is a terrible attitude to have. Basically what your suggesting is that the government should be all powerful and then dole out rights to people as it sees fit. This is a completely unacceptable way for a free society to function.
I agree. In addition, if you pull a stunt like that, expect to have the book thrown at you to make an example of you. Part of the reason Ross Ulbricht's sentence was so harsh was to send a message.
Two passwords, one wipes the device the other unlocks.
Which will lead to an Obstruction of Justice charge or similar.
And The Justice of Obstruction is something that only politicians would have...
This is likely to be even more illegal.
You're right but if this kind of security becomes the norm rather than the edge case, it becomes far more acceptable.
The technological solution is to keep have separate devices for traveling internationally that are unlocked.
I guess the challenge is one of UX; if you're hiding features behind specific sign-in patterns (to avoid security services) then you're also hiding them from a proportion of your users