IME an easy defeat for Touch ID, on the iPhone 5S at least, is to lick your fingers. Your phone will fail to unlock, and if you do it five times, your phone disables Touch ID for you.
Another trick is to simply turn off the phone. Touch ID is always initially disabled at boot.
I wish Apple would add a “duress finger” feature though.
The idea is that the phone would wipe itself/lock you out/whatever when you use a particular finger, rather than unlocking. So if made under duress to unlock the phone with your fingerprint, you use the previously-chosen “duress finger” rather than the normal one.
One of the most unexpected aspects of the emerging global surveillance regime is how trivially easy it is to opt out of.
All you have to do is leave your phone at home.
The over reliance on consumer technology and social platforms by end users is unfortunate but expected. Seeing how law enforcement has become so lazy as to piggyback all of their investigatory efforts on top of it is truly stupefying...
Leaving your tracking device at home will eventually be a criminal offense, if it's even possible to do without ripping it out of the vital organ it's implanted in.
I think OP is pointing our reliance on technology. This contrasts to say soviet era surveillance or in fiction like 1984 in which escaping from the surveillance is not easy.
What makes you say they piggyback all their efforts on our reliance on consumer tech? It's low-hanging fruit that probably yields results reliably, but that doesn't mean LE is helpless if you don't have a phone.
Is my meaning hard to understand through the sound?
Should I elaborately qualify everything I say and such?
Even someone subject to an unfair amount of police scrutiny can estimate whether the activities they plan to engage in at a given time are higher or lower on whatever attention catching scale.
Obviously there should be two modes of operation for the personal device both enabled biometrically. Pinky for police-mode, thumb for internationalmanofmystery-mode... or just don't keep shit the cops want on your phone.
I love being a Norwegian but damn, occasionally the government does some really dumb stuff. Like this. This is just like when they introduced the Data Retention Directive and whadda ya know, it's against human rights and now it's put on ice. I hope it'll happen with this directive.
Android (stock at least, but likely other flavours too) allows you to have multiple users on a device. Swipe down from the top a couple of times, then press the little blue User icon and set up a different user with a pass code for things you want to remain private. You could happily unlock your phone for the default user without giving up any private data.
It's not a method of securing anything as it's just obscurity, but very few people would know about it or bother to look. It's very useful for having 'work stuff' and 'personal stuff' on one device.
I like the idea of dual booting with vanilla Android and CopperHeadOS. CopperheadOS could also have TrueCryptesque steg volumes. This would allow one to divide their testing and more sensitive data in different profiles. More importantly, you could turn off your phone and it would defaultly boot into the vanilla Android volume (especially good for customs/boarder crossing/TSA).
Let me know if you want to help me prototype this :)
A prototype exists from 2013 https://www.ccsl.carleton.ca/~askillen/mobiflage/ but if something like this became popular they would just find ways to discover the 'hidden' partition and force you to open it anyway, or make flashing consumer devices illegal or something.
i don't really think they would, at least for a long time; these pushes only come when the measures they address have become trivially easy or default practice. most jihadis have no particular tech expertise, but anyone can install telegram (for example). doing some fringe deep nerd shit like dual booting with a steg volume on your phone will probably never be popular enough to warrant legal reaction, barring specific high-profile instances popping up in the news.
Undercover police and police lying is most a US phenomenon... It doesn't make much sense..
Yes, undercover police is used in other countries, but there are many restrictions and limitations. The US however is pretty big on what other countries consider entrapment - especially, in fictional TV series :)
Is lying to police a felony in Norway? I think it's not generally a crime in most of the west, though not a right that would override other statutes either.
That's why all phones should have a decoy feature so that when asked to produce a password, you just give them the decoy pass, and it unlocks a clean profile with no way for them to find anything personal, and or incriminating.
My phone has a guest code. I think phones should just have profiles that are complex enough to where nobody could know if it's your main one or not. However, apparently someone somewhere holds a patent to this sort of thing and thus...
One example I found off Google, though I've heard of others:
How many times can we effectively cry "The SOPA is coming!" before protest fatigue sets in? When the wolves are attempted into law over and again, something has to give and I'm not sure that corporate-congressional interest will be the first to blink.
Don't use a thumbprint scanner. Set a PIN. They can force you to put your thumb in the screen but they cannot force you to remember a PIN. OK their may be able to put you in prison for not handing over the PIN, but at least that is your decision. On some phones you can set a PIN that destroys everything....
The argument that "we're allowed to force you to unlock your phone with your fingerprint, because we could physically force you to do it anyway" makes me think that the governments will eventually not give citizens a pass when they have a PIN number or passphrase either, once they develop the technology to read our thoughts. And the reason is the same: because they could physically force you to reveal it.
That's such a shitty way of thinking about laws. Should men be allowed to beat women just because they are physically stronger, too? No, we've simply decided as a society that just because you can do something with physical force, doesn't mean you should be able to do it, and that it's illegal to do it.
And this is why I think forcing you to unlock your phone with your fingerprint, just because in theory the policemen can hold you down and force your finger on the phone, is also an immoral law and an immoral way of thinking.
I don't know about Norwegian law, but in the US the fingerprint compelling doesn't have anything to other do with "we are physically capable of forcing you to do this". Rather, there's existing precedent that allows them to requisition your fingerprint, because historically it was only used for identification. The PIN has no such precedent. (Maybe it even falls underneath 5th amendment?)
Again sorry, dunno what the parallel is in Norway/EU
I couldn't read the article because there were giant Facebook, Twitter, etc logos overlayed on all the text in pure black.
> The PIN has no such precedent. (Maybe it even falls underneath 5th amendment?)
Not likely. I don't think the Supreme Court has decided this sort of case yet, but some lower courts have held that a suspect can be compelled to unlock a phone. The logic is that it's equivalent to compelling a suspect to unlock a safe.
As I recall, PINs are like safe combinations. You cannot be compelled to reveal those (with a 'foregone conclusion' exception). This is because the code is 'testimony' in the sense that you are testifying you know the combination.
Fingerprints are like keys. They are physical things. You can be compelled to produce a key. Similarly you can be compelled to produce your finger.
I'm pretty sure that precedent says you can be compelled to unlock a safe with a combination lock. You don't have to reveal the combination but you can be forced to unlock the safe. Protection from self incrimination doesn't include refusal to turn over evidence.
Not inside the USA (but if you are at the border you can be refused entry in a tit-for-tat fashion - you might count that as compelling). The EFF FAQ has a lot more details.
What phones actually do that though? I wonder what happens if you tell a police officer you may hold data that they may not hold the security clearance to see through though? Those are legitimate cases, what happens then? Weird.
Edit: I guess my case makes more sense as a question of what happens in the US in such a case, but the former question is a general one.
Use the wrong finger. Try it quickly 5 times and it locks, forcing the passcode. If they hold the correct finger down, twist the tip of the finger and try to roll it.
Even better, train a non obvious finger for your passcode. After the last application of your thumb/index finger fails and forces the passcode, turn to them, shrug your shoulders and say I don't know why it didn't work.
Despite the downvotes, your concern is legitimate. Refusal to comply with a legal order is typically a crime of its own.
I'm sure someone will say that they'd just lie about which finger they set up. And sure, you can do that. But if you do it in sworn testimony, it's perjury.
It's definitely a gray area. But there is a huge difference between a court order requiring you to comply with unlocking your phone and a cop demanding to access your phone at a traffic stop.
Zion the latter case, did you comply or not? Did you use the wrong finger or not? Did you intentionally resist or did the sensor fail to work properly/efficiently?
Those are extremely difficult things to prove layer in court.
Norway infamously has some of the nicest of prisons though. I heard a story where the prison guards forgot to lock the jail sells in a prison and the inmates got out and made sandwiches for the night guards.
Or just don't use the biometric unlock features. I don't have anything on my phone I need to hide from the police, but turning on fingerprint login was a complete "nope" to me, because obviously I can be forced to put my finger on the sensor. Not to mention the general spoofability of fingerprint readers. Refusing to make civil rights abuse easier seems like a civic responsibility to me, so biometric security is not something I'm going to use. Bad incentives.
This is about unlocking electronic equipment (phones) based on biometrics and not pin/passwords. I suppose the logic behind it is that the police are already allowed to do similar things. They can use physical force to restrain for instance. They can search one's possessions.
Or consider fingerprinting. What would happen if one were to refuse getting fingerprinted and made trouble? Are police allowed to use force in that case?
The only reason police organizations are making it about biometrics is because they have an easier time getting that then getting laws changed to compel pin/password unlocking.
But make no mistake, this is all about getting unfettered access to everything bit of data they can without a warrant. They saw an easy opening to circumvent existing laws and they jumped for it.
Can you have it require both a fingerprint and password? Perhaps, requiring a different password for each finger? That is why you need open-source, so that you can program it by yourself.
Or to do like I, don't have cell phone. You can write notes on paper, even in code if you need to I suppose. Confuse thieves (including police, which count as thieves too in this case) by writing very confusing stuff.
I haven't seen one that does both for the homescreen lock.
But you'd always want the biometric verification last, since it provides a powerful clue about who can authenticate all the other layers of security on a mobile device.
I see a lot of people in this thread pulling the trigger of this "being an invasion of privacy".
While this is true, I can't help but to feel that the Hacker News crowd tends of see only one side of this issue.
They are not asking smartphone companies to introduce backdoors in their products. They are just trying to make sure that police has the right resources to be able to solve investigations.
To be honest, this sounds reasonable to some extent. When someone gets questioned by the police, you expect the person to tell the truth. If the police gets a hint that your smartphone might have significant evidence of some sort of crime, isn't it reasonable to comply with the request?
It's not like they are asking to access it remotely from anywhere at anytime.
> They are just trying to make sure that police has the right resources to be able to solve investigations.
Which the police can and have been able to do with a search warrant. Courts in various parts of the world have spoken here: the smartphone is unlike other personal effects, in that it may provide access to a historically unprecedented vault of personal information about its owner. The space for police abuse here is vast, and using courts as a check against police power is a common solution.
I think it is acceptable to wait for a search warrant to search someone's house, whatever that person was doing there, chances are that there will be traces of it even if the person tried to destroy evidence (blood residues, fingerprints, smells, etc).
But for a smartphone, I think it works a little bit differently. Any evidence that you might have on your smartphone can be quickly destroyed without leaving any traces. Even if a search warrant takes 5 minutes to be issued, by the time it arrives to the police it will be completely pointless, since you were able to press delete on all your photos during those 5 minutes.
So, what, if you find out you have a warrant, you'll immediately destroy any evidence you have ? Why not, y'know, destroy it in the first place, before any warrant is issued ?
I don't understand the point you're trying to make.
If you're worried about someone destroying evidence, you need to detain them and confiscate their phone. Until then, you have no idea where the evidence is, and it could be destroyed at anytime no matter where it is.
>When someone gets questioned by the police, you expect the person to tell the truth.
Police should not expect anything.
Even if you tell the truth, police could still build a story so that it will make you guilty of something. Not because police are evil, but because investigation is not easy, so any interaction with the police is a great danger for any person, especially the honest ones since they are often more naive and less equipped to deal with the police.
> To be honest, this sounds reasonable to some extent.
Some - many, most? - of the people they will be questioning are completely innocent of a crime.
Imagine you are an innocent bystander in some political event and a group of policemen are holding you down while one of them tears your eyelids open with his fingers and forces your phone against your eye.
Does that sound reasonable to you?
And who gets to make this decision, some policeman, on the spot, in a busy crowd, on a bad day when he's been dealing with rioters? For any reason he likes?
This is just opening up a new avenue for police brutality and physical intimidation of minorities.
Look at stop and search in the US and how it is used (specifically, who it is used against), and it is far less invasive than this.
I think policemen should be standing up to oppose this and require the use of a court warrant, as is the current standard. I wonder how many will.
Meanwhile to search my house you need a search warrant. I'd feel more violated in my privacy by someone snooping through my phone or computer than by someone searching my house. With a search warrant this would be a different discussion.
> When someone gets questioned by the police, you expect the person to tell the truth. If the police gets a hint that your smartphone might have significant evidence of some sort of crime, isn't it reasonable to comply with the request?
A person does not have to testify against oneself. This principle stands in the USA and Finland for sure (that I know of), I'd expect it to stand in Norway as well.
Well, if you saw something happening and you tell the police that you didn't see anything happening, isn't that obstruction of justice?
We could apply the same thing to your smartphone: if you were taking pictures of some view and you happened to catch something on camera which you didn't reveal to the police, wouldn't that be obstruction of justice as well?
Those are quite different, as it is very easy to take a picture without seeing it, or take a picture and not notice something in it. You'd have to intentionally fail to reveal information.
And for that to carry any weight, the police should have to show that you had that information in the first place. If they knew you were filming a crime and you said you saw nothing, that should not be obstruction. It's just suspicious. It should be grounds for a warrant, which could be used to establish that you had captured the evidence and lied. Then it's obstruction.
As a third party witness it is different, at least in Norway.
> In general, anyone is required to appear before the courts and give testimony, except dictated otherwise by the law
Nonetheless:
> §123: A witness may refuse to answer questions leading to self-incrimination either for the witness itself, or for anyone related to the witness as described by §122
> If the police gets a hint that your smartphone might have significant evidence of some sort of crime, isn't it reasonable to comply with the request?
In the US you don't have to talk to the police, and you never should talk to the police. Remember, they aren't necessarily trying to find the perpetrator, they are trying to convict someone, and that's not necessarily the same thing.
If they can establish you had the means, motive and opportunity, why look for anyone else. Your device can put you close enough to a crime scene that you become the convenient person to convict.
The problem is that as this stands, they can force almost anyone. They need probable cause to search my home, but not to unlock my phone. And I'd rather have them look through my clothes and possessions than all my mail and private conversations...
If you consider your smartphone external memory, only accessible through your brain via encryption keys stored therein, then this is compelled speech and potentially self-incrimination. Without a warrant, without a lawyer.
Even in a America, despite what we see in the news, many Americans are quite nice and decent people that want to help.
If the police is investigating a crime in your neighborhood and asks you if you heard anything, or saw anyone suspicious. Was the neighbors door open when you came home last night? what time was that? Would you refuse to answer?
Do you not want the burglar or murderer to be caught?
I know the police in the US is too confrontational, you need to fix that so that people can talk to the police.
Another trick is to simply turn off the phone. Touch ID is always initially disabled at boot.
I wish Apple would add a “duress finger” feature though.