Forced by Police to reveal the pin/password to GrapheneOS

gosets

This is a great conversation. I would like to throw in a possibility. If it were possible to implement a per profile duress pin it could be an interesting tool. Assume the duress pin unlocks the default profile while silently deleting a profile on the phone. I dont know the feasibility or development effort necessary to accomplish this. I am sure it is not trivial.

I think the power of a feature could be extended if the auto reboot timer is set to a relatively short time frame.
(Bonus points if the duress pin could auto set the reboot timer or maybe set a process where by each reboot changes the timeout setting to the next shortest interval .
I fully recognize this modification of the auto reboot would likely be very difficult, if not impossible implement.)

But a per profile duress pin that unlocks the device and loads the default profile while silently deleting a secondary profile could possibly ease some users concerns about data disclosure during visual investigation.

Consider the following scenario. A gos user relies on the default profile for most activity. This user creates a secondary profile where they house data/contacts/images they feel are sensitive and want to minimize the risk of disclosure. The criteria for sensitive is "would the disclosure of this material cause me or others harm such that its disclosure is more detrimental than recognition of my effort to delete it"

This feature and organization of data would empower the user to make the calculation about which outcome is more detrimental for them in their current circumstances. Specifically when confronted by an adversary they can provide the default pin or the profile duress pin, or nothing at all. This would extend the current logic behind the duress pin. Currently the duress pin offers users a similar choice without the ability to try to end a confrontation by a perceived less than sophisticated technical actor. The difference is the user gets to assess their adversary when confronted and judge whether or not providing immediate access to default profile is preferable to wiping the phone. It allows the gos user to take a path they may feel is the best chance of ending the confrontation while simuelteanousluly deleting their most sensitive data in a way that is not manifestly evident at the time the phone is being visually examined.

The adversary in my scenario is sophisticated enough to be familiar with gos and how profiles work but not have immediate access to a forensic tool kit.

Further buttressing this calculation could be that forensic efforts at data recovery could be hampered by a auto reboot every 10 min.

Whats at play is the users ability to build a defensive strategy that is flexible and responsive to the user's judgements of the adversary demanding disclosure. I imagine users of GOS have already thought through some of the scenarios they may encounter as part of their adoption of the paltform. To reiterate, I understand it may not be possible to implement these features.

Jack_kang

This is indeed a very difficult problem. Is it possible to implement a duress password that specifies a configuration file, and once the duress password is unlocked, the configuration file and all the data in it are permanently deleted.

krysor

GrapheneOS How about a duress pin that would wipe a (hidden) private space and or a specific or several secondary profiles but leave the main profile untouched? Is it viable? Would it leave traces on low level?

userofgos

krysor ow about a duress pin that would wipe a (hidden) private space and or a specific or several secondary profiles but leave the main profile untouched? Is it viable? Would it leave traces on low level?

Not a new idea, this has already been suggested more than half a dozen times

DeletedUser499

krysor
How about a duress pin to delete pointless threads, driven by bored users wanting to be James Bond.
GrapheneOS is not magic.. Face to face with an adversary armed etc.. and suspicious items on your phone, its game over, no matter how many profiles hidden or not you have, and in that second of blind panic looking down the barrel of a firearm, which duress pin do you use to delete which profile and can you think clearly enough to be sure.
Pins for this profile pins for secret profiles, its just rubbish. Keep compromising data off your phone is the simplest and best approach.

DeletedUser495

Please stop asking for niche features that would likely cost significant development time and not benefit all, likely only those few trying to dodge the law.

krysor

DeletedUser495 You think it's likely it will be used for bad and I think it will likely be used for good, who's right?

I read the whole thread including the links and came up with an idea that to my simplistic thinking wouldn't require excessive development effort but instead make use of the already existing solutions. That's why I also asked whether it'd make sense at all.

In the end it's up to @GrapheneOS S and their developers to scrutinize the idea. While it's likely not good for some low level reasons, the forum should be the place where the ideas are discussed by merit rather than personal preference or prejudice.

krysor

userofgos I was not aware. Haven't seen it mentioned in the discussion nor the links

Blastoidea

userofgos
This.

A bad idea does not become a good idea, no matter how many times it is repeated.

userofgos

krysor Search site:discuss.grapheneos.org "duress" and you will find these threads:

userofgos

krysor Haven't seen it mentioned in the discussion nor the links

Did you read the OP and comment #33? https://discuss.grapheneos.org/d/24583-forced-by-police-to-reveal-the-pinpassword-to-grapheneos/33

krysor

userofgos Thanks. After reading the topics listed I've realized even implementing a secondary duress password which would wipe profiles or spaces wouldn't change that these profiles and or spaces are still visible on low level. Thus, the solution would only work for low level adversaries. I stand corrected. I'll make sure to search properly next time before proposing something.

While on the topic, would this idea make any sense in case one day the android would be able to completely hide the existence of other profiles and or spaces?

userofgos

krysor You're welcome :)

krysor While on the topic, would this idea make any sense in case one day the android would be able to completely hide the existence of other profiles and or spaces?

I'm not agaisnt the idea entirely, so long as the feature is designed and implemented securely and privately. But what are the implications if this feature was to exist?

krysor

userofgos I imagine the people who need this future, would use it for either good or bad.

From the practical side I'm just thinking out loud. I imagine proper adversaries would obviously be aware of it and would try to prevent the user from either unlocking the device not to risk a potential data loss or they would monitor the device in a sophisticated way when user unlocks it in order to observe a potential wiping.

I guess a plausible deniality is a factor.

Given that the development resources are limited, it will be a question of how many users would actually benefit from it, likely in a low level adversaries scenarios against how many users would benefit from the alternative features possibly covering more common use cases.

userofgos

krysor I guess a plausible deniability is a factor.

This is exactly the issue

JollyRancher

The (probably) easiest to implement and legally safest way to actually implement a duress feature is to extend the auto reboot feature so that the next time the phone is turned on after a user set period of time without a successful logon the phone automatically wipes.

You want this to be a known feature. So law enforcement grabs your phone and, ideally, before they can get a court order to provide the password it has already bricked itself in a manner that you had zero ability to prevent.

Yes, if you use this feature you may well accidentally wipe your device but if law enforcement is a serious concern for your threat model then that may well be a risk you are willing to take.

Blastoidea

DeletedUser499
Absolutely this.

As I said above, keep shit that will lead to broken bones off your phone.

They hurt a lot, and take a long time to heal.

hicks

I'm not judging anybody here, but if you have things on your phone, and you want to make sure no body will get access it in case they get their hand on it just treat it for 3min in microwave. I'm sure they can brute force it for very long time and they'll get nothing.

Cheers Mate.
H.

DeletedUser495

hicks is this your personal experience? There are ways to protect your data and still keep your device. Why not just be reasonable and keep out of trouble? Happiness is a choice, not a result.

tumbord

Im entirely confused as to the sentiment of paricipants of this thread model. Is it law enforcement agents of dictatorial regimes persecuting you that one has to be afraid of or just super paranoid pricks?

« Previous Page Next Page »