this post was submitted on 17 Dec 2023
299 points (98.7% liked)

Technology

59440 readers
3172 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
 

Utah Supreme Court says suspects can refuse to hand over phone passwords to the police | Other state Supreme Courts disagree and the case would wind up before the US Supreme Court::undefined

top 46 comments
sorted by: hot top controversial new old
[–] henfredemars@infosec.pub 124 points 11 months ago* (last edited 11 months ago) (3 children)

What happens when I have a passphrase that's a confession to a crime that I was forced to provide?

What if I forgot my passphrase due to the stress and trauma of being associated with a horrible event or merely at the stress of being detained? Am I to be detained indefinitely without due process and without being accused of a crime?

What if the passphrase was set by my wife and I, a personal and private communication that is not in direct association with the crime under investigation?

Would be nice if you could not turn my individual liberties into Swiss cheese. I can barely see the parchment.

[–] Cornpop@lemmy.world 36 points 11 months ago (1 children)
[–] tias@discuss.tchncs.de 1 points 11 months ago

An upvote would have sufficed to communicate as much

[–] sanguine_artichoke@midwest.social 17 points 11 months ago (2 children)

The answer to all of those is they probably beat you with a stick.

[–] TheFriar@lemm.ee 6 points 11 months ago

Popo stick with special bash in’ handle. To give you the right kind of leverage over the prostrate individual’s face.

[–] Crashumbc@lemmy.world 4 points 11 months ago

If you're rich you get off, if you're poor you go to jail for a very long time. In the US at least.

[–] rickdg@lemmy.world 57 points 11 months ago (6 children)

We need some kind of multi-account that loads up according to what password gets used. I wouldn’t be surprised if this is something that already exists in rooted androids.

[–] Scirocco@lemm.ee 17 points 11 months ago (1 children)

I've mulled/wished for this for years. Also useful at borders, where in the past I have actually been asked (required) to unlock phones and laptops. Generally you have no rights whatsoever there.

Those shadow accounts would need to be 'lived in' to pass those border checks. My worst experience was traveling with new, obviously burner devices


border agents were extremely suspicious.

[–] scarilog@lemmy.world 2 points 11 months ago (1 children)

Country borders? If so, what countries?

[–] Scirocco@lemm.ee 1 points 11 months ago (1 children)

Virtually every international border on the planet.

[–] scarilog@lemmy.world 1 points 11 months ago

Well that's just not true I've crossed international borders before and have never had to do this.

[–] Buttons@programming.dev 12 points 11 months ago* (last edited 11 months ago) (1 children)

I forgot what it was called, but someone create an encrypted file system where you could never be certain all files were decrypted. You could enter one password and files A B and C would be revealed and accessible, then you could enter another password and files D E and F would be revealed, and again, another password would reveal file G, etc.

The file system was just a big blob of seemingly random bytes, but when processed with the right password, certain patterns would be revealed, those patterns being the files. This brought with it the possibility that files would be lost, because when writing files with password 1, files encrypted with password 2 might be overwritten. Several copies of each file were stored to protect against this, but you could still lose files.

There are some philosophical / legal issues with such a file system, because you can never prove that you've decrypted all the files. If prosecutors wanted to claim that you had more files on the filesystem, there's no way you could disprove it, because you can never prove that you've decrypted everything. Hopefully people would be considered innocent until proven guilty, but believing the law always works that way is naive.

EDIT: It's called deniable encryption: https://en.wikipedia.org/wiki/Deniable_encryption

[–] uriel238@lemmy.blahaj.zone 2 points 11 months ago

Multi-account encryption has been around since at least the aughts and is readily available for those who are privacy conscious enough to find it out.

Much of the effort is to educate the average Joe that they need to be exactly that privacy conscious.

[–] Classy@sh.itjust.works 11 points 11 months ago (1 children)

I used to have an android launcher years back that did just that thing, actually. It ran different instances of the home page based on what password you entered. You could access other instances when logged in via a 3-finger side drag, but it was able to be disabled. I don't recall what it was called anymore but I had to have been using it back when I had a Galaxy S8 or even older.

[–] Classy@sh.itjust.works 9 points 11 months ago

Somewhat related, the app LockMyPix is a pretty decent media organizer and encrypter for Android, and it allows for multiple distinct vaults to store images and video in. One password for Vault A, another for Vault B, etc

[–] assembly@lemmy.world 9 points 11 months ago

I had something similar on my laptop with encrypted volumes and duress passwords. So my documents folders were all on an encrypted volume and opened by the standard super hard password. The duress password was much easier and contained a skeleton structure to look legit. The idea was that if anyone brute forced the password it would just find the duress folder first and hopefully no one would look further. Seems like overkill but I was traveling to China for business so necessary. I did however use a burner phone as opposed to my real cell.

[–] misanthropy@lemm.ee 8 points 11 months ago (1 children)

No, but there is at least one app out there that lets you set a panic code that will wipe the phone when used

[–] ABCDE@lemmy.world 4 points 11 months ago

There is one which already exists like this, I think it was on the Mozilla phone.

[–] AnonStoleMyPants@sopuli.xyz 3 points 11 months ago (1 children)

I doubt that's how the password is used for. More like they copy all contents of the phone and ask the password to go through encryption. The data is already there, accounts don't matter.

This is also the reason why it's no good to have a dead man's switch or the like, as in a certain password just wipes everything. You'd just get arrested for destroying evidence and they continue from a copy.

[–] Crashumbc@lemmy.world 2 points 11 months ago

Yeah, pretty much any first year police IT is going to make an exact copy of the phone first.

[–] CaptainSpaceman@lemmy.world 33 points 11 months ago (3 children)

5A protections SHOULD cover divulging passwords or being forced to supply biometrics as a password.

Now, if the police/feds can take fingerprints obtained at booking and use a 3d printer to simulate that finger and then use that fake finger to open a lock, then I dont think 5A would protect that. Thats just crafty detective work.

[–] AdamEatsAss@lemmy.world 15 points 11 months ago (1 children)

Yeah biometrics historically haven't been protected by the 5th amendment. I have seen other people argue that not supplying the password if the police obtain a warrant can result in obstruction of justice charges. I like to think it wouldn't. They have the phone and a warrant it's up to them to figure it out, a person doesn't have to point out where they hide things in their home to police.

[–] meco03211@lemmy.world 6 points 11 months ago (1 children)

But if you don't open the safe, they can destroy it to retrieve the contents. They could destroy your phone too in the process.

[–] AdamEatsAss@lemmy.world 6 points 11 months ago

...Exactly. The laws in the USA don't really reflect modern digital technology that well. Many of our legislators don't understand the tech and the government is so divided that getting anything to pass seems impossible.

[–] Phlogiston@lemmy.world 6 points 11 months ago (1 children)

How is your “crafty detective work” really any different than sneaking in through a window even though you don’t have a search warrant?

[–] CaptainSpaceman@lemmy.world 0 points 11 months ago (1 children)

I never said they wouldnt have a warrant, I dont understand the comparison

[–] Phlogiston@lemmy.world 4 points 11 months ago* (last edited 11 months ago) (1 children)

If one had a warrant then you just force the suspect to give over. Just like forcing them to give fingerprints. Isn’t the whole discussion moot if they have a warrant?

So when you offer a path to get into the phone without a warrant it’s just like breaking into a “house” without a warrant. Technically easy - just go through the window or use the fingerprint from booking. It if we agree with due process either is wrong.

[–] Decoy321@lemmy.world 2 points 11 months ago

It is not, because the issue is whether police CAN compel someone to give their password.

From the article:

When [Valdez] was arrested, the police found a cell phone in his pocket and obtained a search warrant for its contents. However they were unable to crack the password and Valdez refused to provide it when asked. The police were never able to search the phone.

Further down, italics added by me to emojis the important bit.

He was convicted in the jury trial, which was reversed by the court of appeals that agreed Valdez had a right under the Fifth Amendment to refuse to provide his passcode, and that the state violated that right when it used his refusal against him at trial.

Lastly, I want to add one important distinction. Fingerprints are physical characteristics, while passwords are personal information. Fingerprints are distinct from passwords in that you have fingerprints, but know a password. You can only get one of them off a dead guy.

[–] Scirocco@lemm.ee 5 points 11 months ago (1 children)

It's pretty well established that any biometric can just be taken from you


facial recognition is super easy and it won't be hard to force your thumb onto the sensor.

This is also the case for things like blood draw for blood alcohol testing.

The only unlock key that's (probably) truly yours is something inside your brain.

[–] CaptainSpaceman@lemmy.world 9 points 11 months ago

Being well established and being valid are two different things.

[–] superduperenigma@lemmy.world 28 points 11 months ago (1 children)

Police: What's your password

Me: i forgor 💀

[–] sloppy_diffuser@sh.itjust.works 15 points 11 months ago (1 children)

Yeah, I thought the magic words were "I don't recall". Seems to work in all those high profile cases, or maybe its just being wealthy.

[–] Crashumbc@lemmy.world 2 points 11 months ago

It's just being wealthy.

Don't think for a second an average person wouldn't sit in jail for years until they have up the password.

[–] irish_link@lemmy.world 10 points 11 months ago (2 children)

For all those who may be wondering "Hey Siri, who's phone is this" will lock it as if you had just booted the phone. This then requires the full pass code and not just a face scan or finger scan.

Unfortunately I don't know the equivalent for Android.

[–] sugar_in_your_tea@sh.itjust.works 7 points 11 months ago

It's pretty simple, you throw it as hard as you can at the ground.

[–] pineapplelover@infosec.pub 3 points 11 months ago

Android has a lockdown button when you hold power button, which is like as if you just rebooted it. Imo though, just shut it down to begin with. Additionally, my sim card is password protected so that's an additional password to get by.

[–] csm10495@sh.itjust.works 9 points 11 months ago

It's odd to me that you can't plead the 5th on giving over your phone.

[–] BrrooklynMan@lemmy.world 8 points 11 months ago (1 children)

You can just set your phone to wipe after X wrong attempts and do that, ending the issue.

[–] seejur@lemmy.world 22 points 11 months ago* (last edited 11 months ago) (1 children)

Until your 5 years old manage to get his hand on your phone unsupervised at least

[–] GamingChairModel@lemmy.world 22 points 11 months ago (1 children)

Every security mechanism is also a potential denial of service vector.

[–] Vqhm@lemmy.world 4 points 11 months ago

Yea. And most of the data is already cloud backed up anyway. Which means you can restore it. Also means it's not really your data either and someone else has access to do what they want with it.

If you're worried about losing access cuz you lost your 2 factor FIDO2 key or One Time Password or whatever you can print off "backup codes" and put them in your lock box.

But if you don't backpack your data locally then whomever you delegated backups to can cut you off at any time for any reason.

Google shut off access to this parents account after he took a photo of his child's genitals for teledoc and sent it to his wife over Google chat: https://www.nytimes.com/2022/08/21/technology/google-surveillance-toddler-photo.html

[–] werefreeatlast@lemmy.world 4 points 11 months ago

Well they can try. As someone already pointed out...I forgot.

[–] 01adrianrdgz@lemmy.world -5 points 11 months ago (2 children)

i hope mexico implements this new law feature!! it can protect privacy but it can be harmful because criminals can keep illegal information...

[–] Octopus1348@lemy.lol 2 points 11 months ago

It's their passwords, not search history or something.

[–] Octopus1348@lemy.lol 1 points 11 months ago

On a second read, is this satire?