I've been thinking about this feature. First off I think its great, but I'm trying to imagine how it would play out in real life.
  1. You've been arrested by oppressive regime. They are demanding you give up your pin because they (rightly) believe you have sensitive material on your phone.
  2. You deploy duress-pin and your phone is erased.
  3. Now what?
They are going to know that you disabled / erased phone somehow. Are they now just going to let you go? Do they now torture you?
I have a feeling that a better feature is not a duress-erase-everything password. But a diversion-fake-account password? This way you give them a password and it takes them to an account filled with meaningless cat photos and "be there in 10 mins" messages.
I guess the thing is...unless the phone is erased they would probably take a backup and then its possible that they will access the real data.
I suppose the gold ring would be to combine these two ideas: Diversion pass takes them to fake account and simultaneously erases all the real data from main profile. In this way you get plausible deniability and erased messages.
11 sats \ 0 replies \ @anon 2 Jun
Now what?
You've bravely sacrificed yourself to protect the data on your phone. Sometimes that's worth it.
reply
111 sats \ 1 reply \ @final OP 1 Jun
This feature had been heavily requested but it won't be added, it adds trust in a feature that wouldn't meet the objective people would want it to have. There will always be traces such a feature is either in use or was configured if they had file system access or other control. The device keeps the OS installed anyways so it can be recovered to a fresh install.
There's some justification here:
It wouldn't be good to assume a regime with power to locate you and kill you would be subverted by a simple trick. We are on many peoples' radars already as per leaked Cellebrite documentation describing their lack of GrapheneOS extraction capabilities. It wouldn't be far from the tree to assume the big guys describe GrapheneOS features to their customers and partners. A knowledgeable person also wouldn't trust a GrapheneOS user to comply with this feature.
You should never use GrapheneOS features to trick people, and to use the duress PIN that way isn't the way it's designed to be used. You can't really be sure that they will let you go if the trick worked or even if you complied either. If they can kill or torture someone without accountability then there'd be little disadvantage in keeping you or even killing you beyond them cleaning up the blood and guts. Duress is to protect data, not the device owner.
reply
13 sats \ 0 replies \ @freetx 2 Jun
Many thanks for the explanation.
reply
10 sats \ 1 reply \ @kepford 1 Jun
That's a good scenario and I think you are correct. My thought was more along the lines of wiping the phone before they ask for a pin.
Like I said, I don't think this feature protects the user more than those that are yet to be connected to them.
reply
13 sats \ 0 replies \ @freetx 1 Jun
My thought was more along the lines of wiping the phone before they ask for a pin.
ahhh...yeah good point.
reply