A judge gave the FBI permission to attempt to bypass biometrics

(theintercept.com)

119 points | by qingcharles 16 hours ago

101 comments

  • digiown 15 hours ago

    GrapheneOS has a nice feature where you can use both the fingerprint and a short passcode to avoid having to type out your longer/more valuable password all the time. Seems like a good solution to the problem.

    Also, iirc iphones have this feature where if you appear to be under duress, it will refuse to unlock and disable face id. Is this true?

    • 1shooner 15 hours ago

      Graphene also has a kind of workaround to add fingerprint duress:

      >GrapheneOS improves the security of the fingerprint unlock feature by only permitting 5 total attempts rather than implementing a 30 second delay between every 5 failed attempts with a total of 20 attempts. This doesn't just reduce the number of potential attempts but also makes it easy to disable fingerprint unlock by intentionally failing to unlock 5 times with a different finger.

      • burningChrome 13 hours ago

        The first phone I used with Graphene was a Pixel 4XL. It didn't come with a fingerprint sensor. If I remember correctly, the longest lockout period was still really short, like 5 mins or something. It was rather annoying to constantly have to put in your unlock code when you wanted to use or check something on the phone.

        Loved Graphene, and the Pixel worked flawlessly, but man, that unlock thing drove me nuts more than a few times.

      • digiown 15 hours ago

        > a different finger

        Though with all the devices GrapheneOS supports, there are only two fingers you can plausibly use with the device: the thumb, usually on your dominant hand. It is quite awkward to be using anything else.

        • j45 14 hours ago

          There used to be an Android app that allowed you to unlock the phone directly to a different app with different finger(print)s.

          All this biometric talk in the world and it’s rarely made convenient for the user like this.

          It was likely almost as fast as a physical keyboard smartphone for instant entry into an app.

      • raverbashing 14 hours ago

        Yes, very nice

        Cut to my phone failing to recognize the fingerprint whenever it feels like or maybe because the humidity is 0.5% from the ideal value

        sigh

      • throw1771 15 hours ago

        [dead]

    • chasd00 14 hours ago

      > Also, iirc iphones have this feature where if you appear to be under duress, it will refuse to unlock and disable face id. Is this true?

      heh it would suck to be beaten with a wrench to unlock your phone and, finally, to make it stop you relent but then the phone is like "nope, sorry. if you're gonna be dumb you gotta be tough".

      • iamnothere 14 hours ago

        If you’re worried about wrench attacks then you’re already in a situation where encryption won’t help you. They may beat you anyway if they don’t find what they’re looking for on the phone, or they may just kill you for being a nuisance to power.

      • dylan604 14 hours ago

        What if they only did body blows so there was no bloody nose or black eyes? Does FaceID notice if your eyelids have been taped open?

        • koolba 13 hours ago

          Or they beat your loved ones in front of you. No physical damage or misremembering passwords due to blunt force trauma to the noggin.

          • dylan604 11 hours ago

            That's a lot of witnesses though

    • mikestew 14 hours ago

      > Also, iirc iphones have this feature where if you appear to be under duress, it will refuse to unlock and disable face id. Is this true?

      Sort of: if you hold the buttons on both sides of the phone for about three seconds, it will bring up the Power Off/SOS screen. You do not need to interact with that screen, just display it. Easy-peasy, you can do it with the phone in your pocket. Once that screen is displayed, it requires a passcode to unlock the phone. The courts have determined that the passcode is protected by the 5th Amendment, but biometrics are not.

      https://arstechnica.com/tech-policy/2023/12/suspects-can-ref...

      • toomuchtodo 14 hours ago

        It would be useful imho if an option was available for the phone to automatically enter this mode if separated for more than X seconds from a paired watch or airtag, or with sufficient vibration/acceleration (throw or stomp it). Similar adversarial defense as the phone rebooting after three days [1]. Perhaps part of Advanced Data Protection.

        Not legal advice. Having a trusted contact remotely wipe the device is also a potential option with appropriate iCloud creds and a message passed [2], assuming the device is not powered down or kept in a physical location blocking internet/cellular channels.

        [1] New Apple security feature reboots iPhones after 3 days, researchers confirm - https://news.ycombinator.com/item?id=42143265 - November 2024 (215 comments)

        [2] Erase a device in Find Devices on iCloud.com - https://support.apple.com/guide/icloud/erase-a-device-mmfc0e...

        • digiown 10 hours ago

          GrapheneOS by default autoreboots after 18 hours. You can reduce it much further, to as little as 10 minutes. This deletes the keys from memory and prevents a whole range of AFU attacks that sometimes happen.

        • mikestew 13 hours ago

          Given that my Apple Watch throws alerts when I leave a device behind (“mikestew’s iPhone was left behind at $PLACE”), it would be just one more step to flip that “no biometrics” bit. I’m assuming that those APIs are not available to 3rd party devs, so I can’t write my own.

    • mcherm 15 hours ago

      Nice solution! Google, can we get that on Android by default to reach the masses? Apple... you too: you built a reputation for protecting privacy.

      • drnick1 15 hours ago

        If you want privacy, Google and Apple are not the answer. And Apple's claims about privacy are mostly unverifiable and should not be trusted.

        • ranger_danger 14 hours ago

          I don't think any rational discussion about privacy can be had without first describing exactly what your definition of "privacy" is in this specific context, AND you must define a threat model. Otherwise we can't know if the vendor is even relevant to what they care about.

        • EA-3167 15 hours ago

          Privacy from what? From a determined government and court system? Nothing is going to keep you private from that. From your peers and family? Apple and Google keep you private in that regard. As for the world of privacy in between those extremes: it depends.

          • bornfreddy 14 hours ago

            From advertisers? From power-grabbing BigTech?

          • fragmede 15 hours ago

            > From a determined government and court system? Nothing is going to keep you private from that

            While there's always https://xkcd.com/538/ there are not currently quantum computers that can factor 4k RSA keys, so the court can order whatever it wants, unless they have a way past that (which may involve variations of xkcd 538), they ain't getting shit out of a properly configured digital safe. (construction of said safe is left as an exercise to the reader.)

            • raw_anon_1111 12 hours ago

              Or they can just let you rot in jail for contempt charges

            • digiown 15 hours ago

              xkcd 538 can be defeated by a duress wipe feature like the one GrapheneOS has. Your life might be in jeopardy, but the data will be safe.

            • EA-3167 14 hours ago

              Most of us (reporters included) aren't protecting anything with their life, not just because of a survival instinct, but because what we're protecting isn't actually worth that much.

              For the relative handful who are custodians of that sort of data, history suggests a smaller minority than they'd like to admit have a readily achievable breaking point. The true believers who are left then are a minority that's hardly impossible to track and subvert through attacks that don't involve decryption on a device.

              The point of that XKCD wasn't to be THE SINGULAR EXAMPLE, it's sort of a Zen Koan for people who only think in terms of technical risks and solutions.

      • digiown 15 hours ago

        It's not quite settled whether the FBI is able to demand you to decrypt data for now. If this becomes widespread enough, they might try to get SCOTUS to decide this, which may or may not end privacy once and for all.

        • fragmede 15 hours ago

          I thought it was. I thought passcodes can't be demanded but biometrics could.

    • drnick1 15 hours ago

      This. Reporters should NOT be using a phone that isn't running GrapheneOS.

      The duress password feature is also useful. Entering it will completely wipe the phone and reset it to factory.

      • digiown 15 hours ago

        Obviously it will work. But it's fairly likely this will get you arrested for destroying evidence.

        • __MatrixMan__ 15 hours ago

          A better strategy would be to configure multiple profiles and when they ask you to unlock your phone you use the pin that unlocks the boring one.

          We just need a UX which makes it impossible to know how many profiles a phone has configured. Not some kind of sneaky hidden mode that you can be labeled a terrorist for having enabled, just that's how it works--you have to know a profile exists in order to log into it.

          Of course it's not going to stand up to forensic scrutiny, but that's not what the feature is about anyhow.

          • digiown 15 hours ago

            For an organization, a better strategy is to never store anything of value on the phone, and have a remote server in a safe place. The phone acts as a thin client to access the server. The key in turn is easy to hide in a plausibly-deniable way or simply memorized. The server can also revoke the key, rendering it useless even if it is revealed at a later date.

            This is famously used by Uber to protect their systems from the French police, for instance.

            https://en.wikipedia.org/wiki/Uber_Files#Kill_switch

    • raw_anon_1111 12 hours ago

      How does that protect you from rubber hose decryption like in this case? You get beat enough, you’ll unlock your phone

    • j45 14 hours ago

      Biometrics should never ever be a username+password. At most a username.

    • kgwxd 13 hours ago

      without exception, biometrics should be in-addition-to a password, never the only method. just because it's constantly sold as a convenience alternative, doesn't make it right.

  • jp191919 15 hours ago

    Anyone in journalism should know not to be using biometrics. I use it, but know how to quickly disable it. If using fingerprint, you can always offer up the wrong digit; a few fails should make it fall back to PIN.

    • craftkiller 13 hours ago

      So all an adversary/the police need to do is watch you unlock your phone once to know which finger to use? Trivial considering how often we unlock our phones and how many cameras exist.

  • badc0ffee 15 hours ago

    Something that could come in handy: You can put iPhones into passcode mode by holding down a volume button + the lock button (the poweroff/emergency mode sequence), and then cancelling.

    • rimunroe 15 hours ago

      My understanding is that this and similar techniques don't get you back into the before first unlock (BFU) state. To do that as far as I know you have to shut down the device. Otherwise--even if locked--your phone will be in the after first unlock (AFU) state. I believe that in the AFU state considerably more of the system is decrypted and accessible than in the much more limited BFU state.

      Maybe someone with more knowledge can chime in here.

    • sturges 15 hours ago

      Five presses of the power button works too.

      • doubletwoyou 15 hours ago

        just tested it and it seems to be a bit finicky

        if i dont click those 5 presses fast enough it instead opens apple cash or whatever it’s called

        i’m assuming that in a stressful situation it’d be much more consistent to hold down power and volume rather than clicking quickly

      • aftbit 15 hours ago

        5 clicks on power button is auto-911 on my Graphene/Android device

    • michaelmior 15 hours ago

      For Android, you can hold down the power button and press the Lockdown option that appears. (I think this may need to be enabled in settings.)

      • ranger_danger 15 hours ago

        Probably a much better idea to just go ahead and hit shutdown if you're on that screen anyway, since many phones are more susceptible to gear like Greykey or Cellebrite if they have ever been unlocked since the last power-on.

    • Aaargh20318 14 hours ago

      I wish phones supported continuous re-authentication. Like an in-screen fingerprint reader that authenticates every single touch (even better if you could also use it to assign different actions to different fingers), or to have FaceID immediately lock the phone if someone other than the owner is using it.

    • gurjeet 15 hours ago

      On iPhone SE (and I'm guessing any iPhones with a home button) just a long-press of the power button is sufficient to trigger the passcode input.

  • 1vuio0pswjnm7 13 hours ago

    I have always thought biometrics on phones is just another way so-called "tech" companies perform data collection ultimately to be used for commercial purposes or any purposes deemed appropriate by the companies or their business partners

    The companies are secretive so who knows what they are up to that we don't know about. What we do know is that these companies do not tell the whole truth when explaining their publicly visible conduct, including their data collection practices

    For example, a so-called "tech" company might claim they need a user's phone number for "security" purposes while the data actually serves other purposes for the company that the user might find objectionable if they knew about them (This actually happened)

    The mobile phone has become a computer that the user cannot truly control. Companies can remotely install and run code on these computers at any time for any reason.^1 If the user stores data on the phone, the company tries to get the user to sync it to the company's computers

    If there are promises, e.g., about "privacy", made by the companies, then these promises are unlikely to be enforceable. It's rather difficult if not impossible to verify such promises are kept, or to discover they have been breached. Unfortunately, when the promises are broken then there is no adequate remedy. It's too late

    1. This unfettered access can be blocked but there's been a culture that has emerged around actively doing the opposite. That the so-called "tech" companies are the primary beneficiaries is surely a fortuitous coincidence

    • Nevermark 13 hours ago

      The only secure data is secure data.

      Anything else is insecure in principle, and getting less and less secure in practice, as acquisition, collation, sharing, and leveraging unpermissioned information use becomes cheaper, easier, and more profitable by the day.

      Cryptography provides a long menu of ways entities can exchange information and interact, without sharing information that is not functionally relevant.

      Making those capabilities the basis for digital inter-entity trade is the only way we will get real privacy and avoid the massive predatory surveillance-manipulation-for-hire economy from continuing to metastasize. With AI driving the value and opportunity of its leverage against us ever upward.

      Strict laws might have been a practical solution a couple decades ago when information based services began hyperscaling the surveillance-manipulation economy. It wouldn't be a bad thing now. But those laws seem unlikely, so the technical solution is the only path forward.

      I don't think people really absorb how much of the value of the economy is parasitically skimmed off by the 2-sided centralized S-M business model. From consumers and ad buyers/producers. The colossal revenues of Google and Facebook to start. And how effectively that is incentivizing and funding continued growth in addictive, manipulative and dominant (through pervasiveness) "personalized" content, that will make things much worse.

    • ajross 7 hours ago

      > biometrics on phones is just another way so-called "tech" companies perform data collection ultimately to be used for commercial purposes

      No, sorry, that's just silly. Routine biometrics have made personal devices near-unhackable and almost un-stealable. They have turned automated password attacks into a historical memory. They are a huge boon to consumers. Yuge, even.

      Can they be abused? Yeah, sure. I guess everything can. But to cynically claim they have no value, or negative value, is just detached from reality.

  • neonate 15 hours ago

    How is this different, legally speaking, from forcing someone to reveal their password? or at least to type it in?

    • qingcharles 15 hours ago

      The constitution has been interpreted to allow the police to force your finger onto an inkpad for fingerprints. That decision was extended to allow the police to force your finger onto a biometric reader.

      The 5th Amendment has been (so far) interpreted to only limit things that require conscious thought, such as remembering a password and speaking it or typing it.

      • intrasight 14 hours ago

        What you know (a password) is protected whereas what you have (a finger or an eyeball) is not.

    • rimunroe 15 hours ago

      I don't know about that exactly, but my understanding was that this is similar in justification to compelling a person to be fingerprinted or give a DNA sample. To me there does seem to be a fairly major difference between forcing someone to disclose information held in their mind and forcing them to provide a biometric. The former seems equivalent to compelling testimony against oneself. I have a hard time seeing the latter as compelling testimony against oneself, especially if giving fingerprints or DNA isn't.

      • whaleofatw2022 14 hours ago

        Part of it is that compelling information can be problematic, in that other circumstances can happen where the information may not easily be obtainable.

        Extreme example, imagine a stroke or head injury causing memory loss.

        OTOH DNA/Face/Fingerprints, usually can't be 'forgotten'.

    • atestu 15 hours ago

      IANAL but I think legally speaking that would be forcing speech. Biometrics are not speech.

    • ziml77 14 hours ago

      It shouldn't be different. But law enforcement wants access and everyone who could rein them in seems to also want them to have access. Honestly it's surprising at this point they haven't argued that people can be compelled to give up their password using whatever means necessary.

    • nine_zeros 15 hours ago

      [dead]

  • hollow-moe 14 hours ago

    Could you get charged with destroying evidence if you provided the duress password wiping the device when asked for a password? You technically followed orders and didn't even touch the device.

    • nerdsniper 14 hours ago

      Yes, that would be "spoliation of evidence" and probably "obstruction of justice". Also, I believe duress passwords are only a "thing" on GrapheneOS, not iOS or stock Android.

      • cyberax 14 hours ago

        Nope. It's not your duty as an accused to care about evidence in a criminal case.

        And unlike a witness, you can legally lie and mislead officers.

        • Ms-J 4 hours ago

          This.

          If what you are being charged with carries a larger penalty than simple perjury or destruction of evidence, it makes complete sense to do techniques such as this. Perjury is one of the harder and least prosecuted charges in the USA.

          An example from people that I know who have gone through the corrupt courts more than once said the feedback from the last case was the prosecutor felt like a fish flopping outside of water.

          The court stands no chance when someone uses techniques that require the government agencies to use their secret programs and tactics. They will rather drop and lose the case. Most of the time they are also extremely incompetent when it comes to technology and have to hire many outside consultants, which gives you more chances to fight. An easy win for the citizen.

        • 15155 13 hours ago
        • refurb 14 hours ago

          You may not think it’s your duty but the courts do and will happily lock you up for it.

    • yxuc77 14 hours ago

      You can get charged with and convicted of anything, even wrongfully. Welcome to life in the human realm.

  • fortranfiend 14 hours ago

    Don't use biometrics; a PIN has been shown to have more 5th amendment protections. Have your phone automatically reboot at a regular time every day. When your phone reboots a lot of the exploits that can get into your phone are locked out because they rely on reading the active memory.

  • 15155 13 hours ago

    Face ID doesn't work with eyes closed, the warrant wasn't clear whether or not A Clockwork Orange-style setup would be allowed.

  • robotburrito 15 hours ago

    These phones need a kill expression or finger. If you touch a sensor with your left pinky or wink at the camera it nukes the phone.

    • smashed 15 hours ago

      That would be destruction of evidence.

      A solution that can seem like plausible deniability could be interesting.

      • ranger_danger 15 hours ago

        Unless one has been ordered to preserve evidence already for a pending court case... proving that someone knew said information was valuable as evidence, and willfully destroyed it knowing so, might be extremely difficult.

    • qingcharles 10 hours ago

      People say this on every thread where this comes up.

      If the phone is in your pocket and somebody puts a gun to your head and tells you not to move, you are not pressing anything on your phone.

    • NoImmatureAdHom 15 hours ago

      Perhaps a lawyer can chime in here.

      My impression is deliberately doing this would be illegal. It would have to be convincingly deniable somehow.

      Is there a way to do that?

      • rolph 15 hours ago

        if something made them decide to force a particular finger into a sensor, what happens next is a result of their own actions.

        • NoImmatureAdHom 14 hours ago

          Maybe, maybe not. I'm sure there's some legal mechanism for punishing you for setting a boobytrap.

          You'd also have to rely on this unnamed other to force that particular finger, rather than the others...

          • rolph 12 hours ago

            brer rabbit: "no brer fox dont throw me in the briar patch!"

            suspect: "no you cant force me to put my pinky there", attempts to make pinky inaccessible.

            other: "we will charge you with obstruction if you resist placing the pinky"

            Re: https://en.wikipedia.org/wiki/Br%27er_Rabbit

      • ranger_danger 15 hours ago

        There are very specific rules for proving destruction of evidence. For a criminal case the burden of proof in the US at least is "beyond a reasonable doubt", so someone would likely have to prove that you knowingly destroyed valuable evidence before you'd get in big trouble. And if you haven't already been served with something saying you need to preserve evidence, they might not have any claim to information they had no idea existed beforehand, especially if you don't talk.

        • 1123581321 15 hours ago

          Believe this is bad legal advice. They would only need to prove you destroyed information with intent to impede an investigation/case. They would not need to prove something convicting or weighing was destroyed.

          • happyopossum 14 hours ago

            What you seem to be referring to would be obstruction, whereas the entire parent thread was specifically discussing destruction of evidence. Fair to point out that there are other offenses that could be charged, but misleading to imply it’s the same thing.

            • 1123581321 14 hours ago

              No, I am referring to destruction of evidence. It is (very generally) a subset of legal obstruction.

          • whaleofatw2022 14 hours ago

            I wonder what the threshold is?

            E.g. if one had a "dead man's switch" phone that required a passkey every x minutes, and each time you did so it set the next threshold...

          • ranger_danger 14 hours ago

            > They would only need to prove you destroyed information with intent to impede an investigation/case

            Which requires them to prove they know that device likely contains relevant information. Just being party to a court case doesn't mean you're forbidden from deleting anything ever again... like I said there are very specific rules for evidence, and one cannot begin to claim something relevant is destroyed if you can't even show that you had any idea what might have been destroyed in the first place.

            • 1123581321 13 hours ago

              It mostly hinges on your intent, i.e. what they can argue is your understanding of the information you destroyed, not theirs. It unfortunately can be far-reaching, including into the past.

              You're right that in normal circumstances you can routinely delete records for data hygiene, to save money, as part of a phone repair, and so on, unless you've been court ordered otherwise.

              • ranger_danger 10 hours ago

                You're also assuming they even think something may have been destroyed in the first place. A wiped/clean device is not necessarily indicative of anything. For a criminal case they still have to prove beyond a reasonable doubt that they believed the device had something they wanted on it (and now it doesn't), with evidence to back that up... not just "well it COULD have had something". That might fly a bit farther in civil cases but not criminal.

                And remember that without a court case alleging something in the first place, they wouldn't even have access to the device to know 1. it existed and 2. it might have had something useful on it. If I had two devices in my house and they're both clean, you can't just say "oh we think one of them had some evidence that was destroyed"... you need some kind of proof that it at least likely contained something relevant in the past before you can even begin to presume it might have been destroyed.

                • 1123581321 10 hours ago

                  Nope--they don't need to prove they believed the device had something they wanted. That's just the motivation for them to go after you for inconveniencing them.

                  Same for your second paragraph: "oh we think one of them had some evidence..." - that's not how it works! It's your intent to destroy evidence that is the crime, not whether you destroyed evidence. They do not need to prove you destroyed evidence or even likely storage of evidence to get you convicted.

                  This is the main thing you're saying that is bad legal advice.

                  For your other point, yes, if they can't tell anything happened, or it seems like an accident, then you're probably going to get away with it. This happens a lot. I think that's a different topic. Original topic was: if you wink at your phone or use a weird finger (or some other visible gesture) and now your phone's wiped, could you get in legal trouble for that sequence of events.

                  • ranger_danger 3 hours ago

                    > It's your intent to destroy evidence that is the crime, not whether you destroyed evidence.

                    Accidentally destroying evidence can still carry a serious penalty, but yes the intent is generally the most important. But absent intent, it can still help the prosecution to know the device had something useful to them on it.

  • Ms-J 6 hours ago

    This is a reason to always use passwords instead of biometrics (fingers, face, palm, etc). A corrupt court cannot force a password to be revealed by the citizen.

    Never speak with or offer any assistance to the police or government. It will come back to hurt you.

  • guelo 15 hours ago

    I've been genuinely depressed about how fast the country is descending into strong man rule while half the country cheers it on. Which I think is their point, they want their political opponents to suffer at all costs.

    • gtowey 14 hours ago

      "political opponents to suffer at all costs" is just the smokescreen to cover up the real goals which is "oligarchs steal everything."

  • ChrisArchitect 15 hours ago

    Orig title was fine: Washington Post Raid Is a Frightening Reminder: Turn Off Your Phone's Biometrics

    • qingcharles 10 hours ago

      That's the title I gave it when I submitted it, I thought you or dang changed it o_O

  • NoImmatureAdHom 15 hours ago
  • UltraSane 13 hours ago

    Samsung phones have the Secure Folder where you can use a different, more secure password. If you have the data encrypted it is very secure as the actual encryption key is stored in a secure element.

  • buckle8017 14 hours ago

    Can the author even read?

    > The warrant included a few stipulations limiting law enforcement personnel. Investigators were not authorized to ask Natanson details about what kind of biometric authentication she may have used on her devices.

    The warrant said they couldn't demand she do those things, not that they couldn't ask.

    Makes me question the rest of the reporting.

    • duskwuff 14 hours ago

      Functionally there's very little distinction - a question asked by a law enforcement officer during a search and seizure will inevitably be understood as a demand, no matter how it's worded. (And doubly so when it's in the context of e.g. choosing which of the person's fingers to grab and press to their phone.) I'm surprised that the warrant even acknowledged the possibility of a "voluntary" disclosure.

    • majorchord 14 hours ago

      > Can the author even read?

      Why do you think it's appropriate to talk to people like this?

  • throw1771 15 hours ago

    [dead]

  • rolph 15 hours ago

    dont just turn it off, physically disable it so the hardware aspect is unusable.