
Deniability and Duress - johnhess
http://www.mit.edu/~specter/articles/17/deniability1.html
======
michaelt
The first two paragraphs of the article are about a journalist covering war
crimes exiting a country and being searched.

Fifth amendment distinctions between passwords and fingerprints aren't a
solution to the problems in Egypt, China and Turkey as those countries aren't
subject to US law.

In that situation, from one perspective a duress code that wiped the phone
might seem useful - it would establish that there's no point in continuing to
torture you for the unlock code, as there's no longer any data to decrypt. But
when the thugs saw you'd used the factory reset duress code, wouldn't they
throw you in jail anyway?

What you want in that situation is to present a plausible alternative story
("as you can see, I was writing a story about the great success of your
glorious leader's agricultural productivity reforms") while keeping the war
crimes work hidden from accidental or forensic discovery.

Of course, it would take work to keep the alternative story plausible - which
a journalist working on war crimes might be willing to do, but your average
mobile phone user probably wouldn't.

[1] [https://cpj.org/imprisoned/2016.php](https://cpj.org/imprisoned/2016.php)

~~~
joekrill
I guess ideally a duress code would make it seem as though regular access was
given, while silently either wiping sensitive data or keeping it hidden.
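The verifier side of such a duress code, as an added example for this discussion (not code from the article or from any device vendor): a normal code and a duress code are enrolled under the same salt, checked on the same code path with a constant-time comparison, and both produce the same visible "unlocked" response; only a silent flag differs. The `enroll()`/`verify()`/`device_response()` names, the action labels and the sample codes are assumptions made for the demo.

```python
"""Duress-code verification with one code path for every enrolled secret.

Added example for this discussion; it is not code from the article or from any
device vendor. The enroll()/verify()/device_response() API, the action labels
and the sample codes below are assumptions made for the demo.
"""
import hashlib
import hmac
import os

NORMAL = "normal"   # the everyday unlock code
DURESS = "duress"   # the code entered under coercion
REJECT = "reject"   # no enrolled code matched


def _derive(code: str, salt: bytes) -> bytes:
    # PBKDF2 so the stored verifiers are not bare hashes of short PINs.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 100_000, dklen=32)


def enroll(codes: dict) -> dict:
    """codes maps an action label to its secret; returns the stored record."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "verifiers": {action: _derive(code, salt) for action, code in codes.items()},
    }


def verify(record: dict, candidate: str) -> str:
    """Return NORMAL, DURESS or REJECT.

    Every enrolled verifier is compared with compare_digest and the loop never
    returns early, so the time taken does not reveal which entry matched.
    """
    derived = _derive(candidate, record["salt"])
    result = REJECT
    for action, stored in record["verifiers"].items():
        if hmac.compare_digest(derived, stored):
            result = action
    return result


def device_response(action: str) -> dict:
    """What the person at the screen sees versus what the device does quietly.

    NORMAL and DURESS both unlock with identical UI; DURESS additionally sets a
    flag the device can act on out of sight (a silent alert, for instance).
    Wiping or suddenly demanding a second factor would make the duress entry
    obvious, which is the failure mode raised elsewhere in this thread.
    """
    if action == REJECT:
        return {"unlocked": False, "silent_alert": False}
    return {"unlocked": True, "silent_alert": action == DURESS}


# Constructed sample enrolment (placeholder codes, not anyone's real PIN).
SAMPLE = enroll({NORMAL: "2580", DURESS: "0852"})
```

The point is in `device_response`: whatever the duress action is (alert, restricted profile, something else), the user-visible behaviour must be identical to a normal unlock, otherwise the code itself becomes the tell.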

~~~
77pt77
The most disseminated example is TrueCrypt's hidden volumes.

~~~
rattray
Can you (or others) elaborate here?

~~~
ianferrel
Truecrypt is a (now discontinued) encryption program that allowed you to nest
encrypted containers within one another in a way that if you provided
Password1, it would open Container1, and if you provided Password2, it would
open Container2.

Since the Container's full size was allocated at creation, and the size of the
contents cannot be determined without the key, this gave plausible
deniability. You could keep your _real_ sensitive information in an encrypted
volume, and put something that could plausibly be sensitive but that you
didn't really care about someone getting in a nested volume, and when forced
by the law/rubber hose to decrypt, provide the password to the volume you
don't care about, and there's no way for anyone to prove that you didn't fully
decrypt the contents.

~~~
SilasX
But isn't it a non-trivial problem to generate plausible fake data?

~~~
kilotaras
Truecrypt didn't generate fake data, you (the user) did. E.g. put porn on
"show to thugs" partition and "Death star plans" on "true" encrypted
partition.

~~~
SilasX
Yeah, I know. My point is that it's hard to generate a plausible alternate
dataset for something like that.

"So, the decrypted hard drive says that you used the computer exactly once to
put pornography on the computer and then never used it again ..."

~~~
jacobush
Poop porn? Also, besides keeping that, and starting VLC muted in the
background from time to time to keep plausibility, you would use the porn
tainted partition for your everyday stuff. Hacker news, etc.

------
rl3
Any solution that has to maintain plausible deniability must be resistant to
automated forensic exploitation suites commonly sold to law enforcement.

The pre-boot authentication phase is far harder to attack than an operating
system that has already booted, so the only solution I can see is a typical
hidden volume setup with two independent operating systems. The capability
needs to be baked into both iOS and Android by default.

Cloud backup, wipe and restore is also nice, but not necessarily an option for
some people depending on the circumstance. On this front, I wish Android would
stop sucking. From what I understand of iOS, it's simple and easy to do this
with iCloud, and you end up with basically perfect backup restorations.

Why it's even acceptable for western border agents to rifle through people's
private digital lives is mind boggling. It has zero national security value
(there's already a large intelligence apparatus that does this at
internet-scale), so the only real reason has to be to catch non-technical people lying
about their immigration status. Somehow that justifies violating everyone's
rights in the process.

~~~
monochromatic
> It has zero national security value

I'm against it too, but of course it has more than _zero_ national security
value.

~~~
rl3
How so?

Unless a terrorist or spy is exceptionally stupid, they're not going to be
carrying anything of value on their phone through a border checkpoint.

~~~
sokoloff
I wouldn't underestimate the propensity of humans of all sorts to act against
their own interests in service of laziness.

State-sponsored agents are less likely to be lazy and more likely to follow
SOPs, but the average person (law abiding or not) is likely to be lazy/sloppy
a lot.

------
mspecter
Hi, author here. Really happy (but somewhat surprised) to see this up on HN,
and am generally interested in pursuing this as a PhD thesis topic. If anyone
has ideas or thoughts on novel systems in this arena I’d be very interested to
hear about it!

~~~
shabble
Not novel, but not widely known about is the (original?) Rubberhose File
System[1], where you can have a number of deniable partitions, and adversaries
shouldn't ever be entirely certain you've given up _all_ of them.

[1] site seems to be dead, but still on archive.org:
[https://web.archive.org/web/20110709155818/http://iq.org/~pr...](https://web.archive.org/web/20110709155818/http://iq.org/~proff/rubberhose.org/current/src/doc/maruguide/x32.html)

~~~
pessimizer
Also, proff is Julian Assange.

------
matt4077
iPhones require the password(/code) when turned on and (IIRC) under certain
other conditions.

But I believe this isn't enough considering recent developments. They write:

> It’s important to note that deniability refers to the ability to deny some
> plaintext, not the ability to deny that you’re using a deniable algorithm.

It's now common for border agents in the US to demand login credentials for
social media accounts, and search all electronic devices. I can't think of
anything more invasive than someone going through my photos and messages. Yet
many people are required to visit the US (or countries only reachable via the
US). We need methods to separate data into two parts, one being highly private
and completely hidden from someone given access to our devices.

And while I would welcome a technical solution, it's important not to discount
the power of the law. Such invasions of privacy would be illegal in the EU,
and contrary to the cynics, laws are generally respected in the developed
world. The current news is making me hopeful that (parts of) the US
population are also starting to be sympathetic to some rights of foreigners
even when they're applying for the privilege of crossing the border.

~~~
chrisbolt
> It's now common for border agents in the US to demand login credentials for
> social media accounts, and search all electronic devices.

Can you define common?

~~~
microtherion
The ESTA form asks for social media accounts (though not passwords, and
ostensibly providing the accounts is "optional"):
[https://esta.cbp.dhs.gov/esta/](https://esta.cbp.dhs.gov/esta/)

~~~
Swizec
Oh wow that wasn't there last time I ESTA'd. Good thing I got that business
visa a few years ago.

Then again, I used my social media and general web presence as partial
justification for the current O-1 visa so ... oh well.

At least they can't find anything by googling my legal name.

~~~
StavrosK
Fucking hell, that's the first time I see this too. I might have to reconsider
my US trip...

------
kijin
> _For instance, scanning anything but your right index finger might force a
> password-only lock. Scanning a pinky (or some other fingerprint /
> combination of fingerprints) might cause the phone to factory reset, or
> unlock and trigger deletion of a specified portion of user data._

That's not plausible deniability, it's willful destruction of evidence. It's
going to look extremely suspicious when your phone suddenly asks for a second
factor or gets factory reset. This will only invite more liberal use of the
rubber hose.

True plausible deniability is completely different. Your phone should unlock
and expose all sorts of insignificant-but-realistic data to make it look like
you've been using it all the time. This can't be done convincingly with a
hidden O/S unless you use the hidden O/S every day, which is impractical for
most people.

What we need is software that allows us to mark certain bits of data (files,
messages, call history, apps) as "safe to expose" (whitelist mode) or "must
hide" (blacklist mode) with little more than a couple of taps/clicks during
normal usage. Not just hidden at the application level, but gone from the
underlying filesystem as well. Any ideas for an encrypted, possibly layered
filesystem with two or more keys that expose different subsets of files,
leaving the rest indistinguishable from empty space?
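The layout ianferrel describes above, generalised to the multi-key filesystem kijin asks for, as a small added model that is not TrueCrypt, VeraCrypt or Rubberhose code: a container of fixed-size slots, all initialised with random bytes; each passphrase derives a key that seals one slot, and opening tries every slot and returns whichever one authenticates. A slot that was never used and a slot whose key you do not hold fail in exactly the same way, so the container reveals nothing about how many layers it holds. The slot layout, the HMAC-counter stream cipher and the sample payloads are assumptions chosen to keep the demo to the standard library; a real system would use a proper block-cipher mode such as XTS.

```python
"""Toy multi-key deniable container: several passphrases, each revealing a
different payload, with unused space indistinguishable from used space.

Added example for this thread; not TrueCrypt/VeraCrypt/Rubberhose code. The
slot layout, slot count and the HMAC-based stream cipher are assumptions made
to keep the demo dependency-free.
"""
import hashlib
import hmac
import os
import struct

SALT_LEN = 16
SLOT_LEN = 4096              # fixed-size slots; every slot starts as random bytes
SLOTS = 8                    # capacity; slots without a layer simply stay random
MAC_LEN = 32
HEADER = struct.Struct(">I")  # plaintext length, stored encrypted inside the slot


def _kdf(passphrase: str, salt: bytes) -> bytes:
    # 64 bytes: first half encrypts, second half authenticates.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 50_000, dklen=64)


def _keystream(key: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode, used here as a toy stream cipher.
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hmac.new(key, ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:n])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _seal(key: bytes, payload: bytes) -> bytes:
    """Slot body = Enc(len || payload || random pad) || MAC; always SLOT_LEN bytes."""
    enc_key, mac_key = key[:32], key[32:]
    body_len = SLOT_LEN - MAC_LEN
    if HEADER.size + len(payload) > body_len:
        raise ValueError("payload too large for one slot")
    pad = os.urandom(body_len - HEADER.size - len(payload))
    body = _xor(HEADER.pack(len(payload)) + payload + pad, _keystream(enc_key, body_len))
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def _open_slot(key: bytes, slot: bytes):
    """Return the payload if this key authenticates the slot, else None."""
    enc_key, mac_key = key[:32], key[32:]
    body, tag = slot[:-MAC_LEN], slot[-MAC_LEN:]
    if not hmac.compare_digest(hmac.new(mac_key, body, hashlib.sha256).digest(), tag):
        return None
    plain = _xor(body, _keystream(enc_key, len(body)))
    (n,) = HEADER.unpack_from(plain)
    return plain[HEADER.size:HEADER.size + n]


def create_container(layers: dict) -> bytes:
    """layers maps passphrase -> payload. Each payload is sealed into its own
    slot; the remaining slots are left as random bytes, so the container is the
    same size and looks the same whether it holds one layer or eight."""
    if len(layers) > SLOTS:
        raise ValueError("too many layers")
    salt = os.urandom(SALT_LEN)               # random salt is itself indistinguishable from filler
    slots = [os.urandom(SLOT_LEN) for _ in range(SLOTS)]
    for i, (passphrase, payload) in enumerate(layers.items()):
        slots[i] = _seal(_kdf(passphrase, salt), payload)
    return salt + b"".join(slots)


def open_container(container: bytes, passphrase: str):
    """Return the payload this passphrase unlocks, or None.

    A wrong passphrase and an empty slot fail identically: the MAC does not
    verify. Nothing in the container says which slots are occupied.
    """
    salt, rest = container[:SALT_LEN], container[SALT_LEN:]
    key = _kdf(passphrase, salt)
    for i in range(SLOTS):
        payload = _open_slot(key, rest[i * SLOT_LEN:(i + 1) * SLOT_LEN])
        if payload is not None:
            return payload
    return None
```

Two caveats the crypto does not remove. First, disjoint slots sidestep TrueCrypt's classic hazard, where writing to the outer volume can overwrite the hidden one; a real layered filesystem has to reserve the hidden space without recording that it did so. Second, deniability here covers the plaintext only: the container, the tool that reads it and the timestamps of whatever "cover" data you expose are all still visible, which is the plausibility problem raised earlier in the thread.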

------
turc1656
"However, the bad news is that hand-typed passwords are increasingly seen as
the way of the past; hardware tokens and biometric sensing are considered to
be far more usable, and will likely be employed more and more in the future."

Anytime you sacrifice security for convenience or simplicity, you lose. That's
why I have no intention of ever using anything other than good ol'
alphanumeric passwords that must be entered by hand. Anything that doesn't
originate directly from my mind is not really protected at all. If all the
government needs to do to grab all my data is take my hand and scan it, or
hold my eyeball to a sensor, then it's all pointless.

~~~
Rafert
Why not both? A password with a U2F security key seems hard to beat.

~~~
miend
I use this combo whenever possible, though the number of services yet
supporting FIDO/U2F is still a bit disappointing. It's been incredibly
convenient to be able to use my bitcoin hardware wallets to double as U2F keys
wherever I need them. Given that any device I would use an OTP or text 2FA
solution with already requires time to unlock, it's far less convenient on top
of being more exploitable.

~~~
stinkytaco
Are you using the Ledger as a wallet? Doesn't plugging the device into an
untrusted PC worry you at all? Leaving all that aside, the biggest issue for
me and U2F is the mobile problem. I have a YubiKey NEO, but U2F does not work
over NFC, so I'm still stuck creating application passwords for things.

~~~
DennisP
The Ledger is designed to plug into an untrusted PC, that's the whole point.
It's running secure hardware and never reveals the private key. It also has a
display that tells you how much you're sending and to what address, so you're
protected even if you have spyware that attempts to spoof those parameters.

According to Yubikey, "All YubiKey NEO devices manufactured as of February 10,
2015 supported the current FIDO U2F specification for NFC."

[https://www.yubico.com/products/yubikey-hardware/yubikey-neo...](https://www.yubico.com/products/yubikey-hardware/yubikey-neo/)

Maybe you have an older device? Or, if you have an iPhone, it's Apple that's
the problem, since it restricts NFC to Apple's own payment system. With
Android, NFC is available to any app.

~~~
stinkytaco
You're correct, but the implementation is limited. Chrome supports it, I think
via Google Authenticator, but even their Gmail app doesn't support it
directly. Nor does Dropbox, which are my primary two use cases. I highly doubt
most other apps do either. The Google Authenticator support is a step, but it
really needs to move to "enter password, tap token" in any app to really be
useful.

------
mirimir
The worst thing to do, when facing rubber hoses, or legalistic equivalents
thereof, is to lie. Especially if you're not a well-trained liar. And
especially if there may be independent evidence that would trip you up. The
best option is having nothing to hide. When crossing hazardous borders,
sensitive stuff should be securely in the cloud. And when coercion is likely,
a third party should control access to it.

~~~
Cthulhu_
> securely in the cloud

Isn't this a contradiction? Given how the NSA and co have backdoors in the
cloud and such, and can order the operators of said cloud service to release
information from their users.

If you have sensitive stuff, best not to cross any borders I'd say. Stay away
from the US.

~~~
nine_k
Consider SpiderOak or similar things that encrypt data on the client side and
never upload the key.

~~~
StavrosK
Borg is the best backup software I've found, for what it's worth.

------
tomp
_> Scanning a pinky (or some other fingerprint / combination of fingerprints)
might cause the phone to factory reset, or unlock and trigger deletion of a
specified portion of user data._

IANAL, but AFAIK there is a strict line between not providing incriminating
evidence (legal, protected under 5th Amendment) and destroying evidence
(criminal).

~~~
maxerickson
If you are a terrible person with really weird requirements you might prefer
the charges related to destruction of evidence to the charges related to the
evidence itself.

(if you are a terrible person without really weird requirements you avoid
capturing or destroy the evidence on an ongoing basis, not after you are
caught)

~~~
pc86
I don't think being a "terrible person" (whatever the hell that means) has any
bearing on whether or not you would want to protect your privacy.

~~~
maxerickson
Sure, but someone carrying around evidence of crimes with heavier punishments
than destruction of evidence is considering a different scenario than someone
simply concerned with their privacy.

~~~
nicolas_t
In the case of a journalist covering war crimes, the journalist is not
necessarily a "terrible" person. There's a lot of countries where the laws are
such that it is not necessarily unethical not to respect them.

~~~
maxerickson
Again, sure, I was pointing out an instance where a person might prefer the
destruction of evidence charges, not trying to exhaustively list all such
situations.

------
baconhigh
Not sure if this was mentioned already but Kali Linux includes a patch for
cryptsetup that essentially does this - provide a certain passphrase and it
nukes the keyslots, effectively making the data irrecoverable.

[https://www.kali.org/tutorials/emergency-self-destruction-lu...](https://www.kali.org/tutorials/emergency-self-destruction-luks-kali/)
and tutorial for use at
[https://www.kali.org/tutorials/nuke-kali-linux-luks/](https://www.kali.org/tutorials/nuke-kali-linux-luks/)

and the patch on github;

[https://github.com/offensive-security/cryptsetup-nuke-keys](https://github.com/offensive-security/cryptsetup-nuke-keys)

------
aorth
The takeaway for me: US law enforcement can compel you to provide a
fingerprint to unlock your phone, but cannot compel you to provide a password.

 _In particular, a recent precedent-setting court case in Minnesota has
decided that fingerprints used for access control can be taken from a suspect
without violating his fifth amendment rights. The logic of the decision [...]
is that fingerprints are tantamount to similar evidence that is taken from
suspects in the course of an investigation such as blood samples, handwriting
samples, voice recordings, etc., all of which have been deemed by the Supreme
Court to not be protected under the Fifth Amendment._

~~~
kybernetikos
> US law enforcement can compel you to provide a fingerprint to unlock your
> phone, but cannot compel you to provide a password.

This may be true for normal law enforcement, but if you're at (or perhaps
near) the border, the rules are different.

~~~
gcp
It's been pointed out recently that "near the border" is "100 miles from the
border" and the coastline counts as border, so the rules are different for
most places in the USA where people actually live.

~~~
falcolas
IIRC, the border is also defined as any airport which receives international
flights.

Of course, in practice the border definition isn't actually used in this
fashion (that has been made public), but the potential does seem to exist.

------
afandian
I travel to the US semi-regularly. I never have trouble. Though it's a shame
to have to mention it, I was born in the UK and have white skin. My colleague,
who was also born in the UK but has darker skin, was detained for half an hour
last time we crossed the border.

I'm a classic "nothing to hide". But I am seriously considering taking no
electronics with me next time I cross the border. Might make work more of a
hassle, but I'm sure it's doable.

~~~
angry_octet
You'll be flagged as someone who has something to hide because you had no
phone. Just get a travel phone and another set of accounts (email/fb), use
them occasionally, take some silly instagram photos of dogs/face swaps/food
and you're done.

~~~
afandian
Yeah maybe. But I don't do any web, email or social media on my phone anyway
(I used to, heavily, but it wasn't a positive thing in my life so I cut it
out. That's a separate issue).

Re dog photos, as others have said, falsifying anything is a very bad idea.

~~~
angry_octet
Use real dogs?

~~~
afandian
I hate dogs.

------
andreareina
FTA:

> If it isn’t baked-in to the operating system, the fact that the journalist
> was using some out-of-the-ordinary software itself, which may or may not
> have undeniable tells, would likely be a red flag and induce liberal use of
> the rubber hose.

This is in fact a thought that I've had about Truecrypt/Veracrypt: given a
user, it seems the probability of them having a hidden volume is high. It
might be deniable in the cryptographic sense, but it's very highly suggestive.

~~~
StavrosK
Yes, that's why everyone should be using it.

~~~
TeMPOraL
Or simply it should be shipped by default with your operating system. That
way, _everyone_ has it, whether they need it or not, and you can claim you
don't know what that is and it must be something that came with your Windows
copy.

~~~
StavrosK
Yep, that's another good idea.

------
chillydawg
Android had user profiles for a while. If you associate different fingerprints
or different pin codes with different accounts, you can have your sneaky
account with all the warcrime photos and the "open" account which is full of
dick pics and selfies, as per usual. Almost no new technology required.

This all assumes the border guard is simply going to go through texts,
pictures and maybe open up a facebook or similar. If forensics get hold of it
you're screwed.

~~~
Veratyr
Android still does have user profiles. On Nougat, go to Settings -> Users. You
can add profiles and associate a different lock with each (haven't tried
fingerprints). Each has different sets of app data and switching between them
is kinda obscure if you don't know what to do.

Just need to switch user before you get off the plane.

~~~
ansible
Yes, this is the way to go.

You have to give the thugs something... or else they'll keep after you until
you do. So you have to give them some boring but credible data. Wiping the
phone is suspicious.

There needs to be a way to unlock the phone at a moment's notice via either
profile. And there shouldn't be an easy way to see if there is another profile
on the phone.

~~~
angry_octet
If your phone is android and FDE is unlocked they can plug it in to a device
which will rip everything off. It's quite fast. Everything is then searched
for keywords, contact phone numbers matched against ones of interest, etc.
Best just to have a plain phone and restore from the cloud.

------
hvidgaard
I like the idea of using a sequence to unlock the phone, or specific finger to
wipe the phone, and a different finger to load into a "clean" environment.
That would be a usable mix of secret knowledge, physical security, and
convenience.

~~~
timClicks
A system like that would need to do more than provide a clean slate. It
wouldn't be plausible that someone would be using a worn phone without having
installed any apps on it. Also, I don't know how the phone would be able to
obscure the contents of a micro-SD card, for example.

~~~
kkleindev
Why shouldn't it have any apps on it? From my understanding, the point is that
the crucial subset of user data is not available in that usage mode.

~~~
dbaupp
The malicious actor would find it very suspicious (especially if/when these
features are in popular platforms and thus widely known), breaking the
deniability.

~~~
hvidgaard
It's your own responsibility to tailor this "clean" state to your liking and
make it look like you use it.

------
tunesmith
Or for an iPhone a finger that says "Upload my backup to iCloud, turn on
password until the backup is done, then wipe my phone."

------
Waterluvian
Like a fake ATM PIN number that shows only $28 in your account and signals
authorities.

~~~
throwawayish
Actually does not sound like a bad idea.

~~~
_nedR
The idea isn't new but it never really took off.

[http://www.snopes.com/business/bank/pinalert.asp](http://www.snopes.com/business/bank/pinalert.asp)

[https://en.wikipedia.org/wiki/ATM_SafetyPIN_software](https://en.wikipedia.org/wiki/ATM_SafetyPIN_software)

------
forgotpwtomain
I think this article is glossing over an important part of the discussion.
Biometric Information is good for user _identification_ it is not good for
_passwords_ and AFAIK this is a widely shared-opinion across security
professionals. _Don't_ use fingerprints as passwords to protect sensitive
data.

------
davidgerard
This is precisely something Julian Assange was working on with Rubberhose, in
the leadup to Wikileaks.
[https://en.wikipedia.org/wiki/Rubberhose_(file_system)](https://en.wikipedia.org/wiki/Rubberhose_\(file_system\))

------
aerovistae
This is a really excellent idea that can do nothing but good. I would support
this however I could.

------
amelius
Strange that the article didn't mention steganography, [1].

[1]
[https://en.wikipedia.org/wiki/Steganography](https://en.wikipedia.org/wiki/Steganography)

------
tudorw
Just from a practical point of view, I like the idea that different fingers
could launch into different desktops, a home and work one for example.

------
golergka
I find it funny how you either concentrate on examples backing up one side of
the debate (journalist vs political persecution) or another (pedophile ring),
but almost nobody in this debate dares to propose legal and technological
solutions that would be reasonable to both of these extreme examples.

~~~
BentFranklin
Just make them available to everybody.

------
meanduck
It should only be seen as temporary solution though. The permanent solution
would be to reclassify passwords, fingerprints, blood samples etc. as
testimony.

Making prosecuting the <0.1% easier at the cost of making 99.9%+ vulnerable
should always be avoided.

------
philip142au
Make technology to resist.

------
tzs
How did journalists deal with this in the pre-digital days, when their notes
would have been on paper and their photographs on rolls of film?

------
1_2__3
Duress codes are so effective that government will never, ever allow them to
become widespread.

