21 sats \ 6 replies \ @kepford 1 Jun \ on: GrapheneOS releases long requested Duress Password feature tech
I know many do not see the need for this but people living under oppressive regimes need this option to protect those they communicate with. Obviously one is still at risk in a physical attack scenario but this option really could help others.
I've been thinking about this feature. First off I think it's great, but I'm trying to imagine how it would play out in real life.
- You've been arrested by an oppressive regime. They are demanding you give up your pin because they (rightly) believe you have sensitive material on your phone.
- You deploy duress-pin and your phone is erased.
- Now what?
They are going to know that you disabled / erased phone somehow. Are they now just going to let you go? Do they now torture you?
I have a feeling that a better feature is not a duress-erase-everything password. But a diversion-fake-account password? This way you give them a password and it takes them to an account filled with meaningless cat photos and "be there in 10 mins" messages.
I guess the thing is... unless the phone is erased they would probably take a backup and then it's possible that they will access the real data.
I suppose the gold ring would be to combine these two ideas: Diversion pass takes them to fake account and simultaneously erases all the real data from main profile. In this way you get plausible deniability and erased messages.
reply
This feature had been heavily requested but it won't be added, it adds trust in a feature that wouldn't meet the objective people would want it to have. There will always be traces such a feature is either in use or was configured if they had file system access or other control. The device keeps the OS installed anyways so it can be recovered to a fresh install.
There's some justification here:
It wouldn't be good to assume a regime with power to locate you and kill you would be subverted by a simple trick. We are on many people's radars already as per leaked Cellebrite documentation describing their lack of GrapheneOS extraction capabilities. It wouldn't be far from the tree to assume the big guys describe GrapheneOS features to their customers and partners. A knowledgeable person also wouldn't trust a GrapheneOS user to comply with this feature.
You should never use GrapheneOS features to trick people, and to use the duress PIN that way isn't the way it's designed to be used. You can't really be sure that they will let you go if the trick worked or even if you complied either. If they can kill or torture someone without accountability then there'd be little disadvantage in keeping you or even killing you beyond them cleaning up the blood and guts. Duress is to protect data, not the device owner.