Duress PIN limited usefulness

glacier4204

This subject has been discussed before but I am not able to comment on the thread. I have just created an account to say something about this matter, because I find it critically important.

I'll quote a small extract of the post above: "the current feature disables the entire phone. this does not give you any plausible deniability. if you are a journalist with damaging information on a particular nation, it would be obvious to an adversary that you deleted evidence."

GrapheneOS is close to perfectly protecting me and I am extremely thankful for that to the people dedicating time and financial resources to that end.

I am keeping my "regular" apps, most of them relying on Google Play, on my main profile. The more sensitive apps are now in my "Private space", only relying on Accrescent and F-Droid. It's a very simple, yet very effective setup. I only unlock that Private space once a day to check on the status of various things.

The issue arises if, for any reason, I am suddenly forced to hand over the control of my phone. A duress situation indeed. I have two choices at the moment:

hand over the correct PIN/passphrase and take high chances of also being asked for the PIN/passphrase of the "Private space"
hand over the duress PIN/passphrase and risk being found guilty of destroying evidence

We're so close to something that both protects from a duress situation AND preserves plausible deniability.

All it would take is that, instead of deleting the entire phone, it would delete the Private space.

🤞

DeletedUser88

glacier4204 All it would take is that, instead of deleting the entire phone, it would delete the Private space.

then what? You'll provide whoever is coercing you the correct PIN? This will put your device in AFU mode where they have access to literally everything. There is no way (at least a non-complex/robust way) to provide plausible deniability for deleting a profile, a simple scan of your system log after they have access to your phone in AFU will indicate that a Private Space used to exist or that it was just deleted.

The point of the Duress PIN is that you use it if you determine that being found guilty of destroying evidence would cause you less severe consequences than the discovery of this evidence.

DeletedUser76

It's a good idea but such feature should be implemented in a way of removing the evidence that private space existed if you want a perfect plausible deniability. And I'm not sure if this is technically possible...

glacier4204

Thank you @DeletedUser76 and @DeletedUser88 for your answers.

I believe this question should be discussed more. It's as tricky as it is critical for many people using GrapheneOS.

Such feature (one where a duress PIN would only delete a user "Private space" or a complete user profile) would still be very useful even if the plausible deniability would not be optimal. I can think of several situations where such feature would protect me, whereas the full phone deletion would rarely achieve that aim.

Also, an important question is why are we not supposed to delete our data? Generally, it's due to a duty to preserve evidence. But this duty only exists in specific circumstances, such as:

The commencement of a lawsuit, if you are the plaintiff.
Being served with a complaint, if you are the defendant.
Knowledge of a potential claim and the ability to identify relevant evidence, even before formal litigation begins.

I guess my argument is that in most cases, having a duress PIN that only deletes a user "Private space" or a complete user profile, would provide more "real-life" security than the current duress PIN that nukes the phone.

de0u

glacier4204 I can think of several situations where such feature would protect me, whereas the full phone deletion would rarely achieve that aim.

Such as?

glacier4204 Why are we not supposed to delete our data? Generally, it's due to a duty to preserve evidence. But this duty only exists in specific circumstances, such as: [...]

Any such list is dependent on which legal jurisdiction one is in. And in some jurisdictions it doesn't matter much what the law says.

glacier4204 I guess my argument is that in most cases, having a duress PIN that only deletes a user "Private space" or a complete user profile, would provide more "real-life" security than the current duress PIN that nukes the phone.

There are lots of scenarios and lots of jurisdictions. One feature of the current duress implementation is that it is designed to maximize the likelihood that triggering it wipes everything from the device. Plausible-deniability wiping is a much harder problem; it's not clear there are any reliable implementations of that on any Android variant. Honestly it's unclear it would be possible to do it at all without rebooting the devce, which by itself would tend to weaken deniability.

glacier4204

de0u Such as?

I won't be able to elaborate on details specific to myself, my apologies.

I guess I have made this post to express that, for my personal threat model, being able to delete a "Private Space" would be very useful, even if it leaves some trail behind (mostly invisible). Whereas, being able to delete the whole system is not something that would protect me in most situations.

I understand it may be too difficult or impossible to implement to the quality level expected by the GrapheneOS team and community. I am just providing feedback, hopefully that was useful.

lawman

I hope the technical issues can be resolved, as this would be an extremely helpful feature. either

1) delete private space without trace, or
2) my preferred - log into dummy profile without any access/log to other profiles. (with/without deleting other profiles at same time).

thanks