Title: Reflections on GrapheneOS' duress feature
Date: 2024-06-03 14:45

A couple of days ago, [GrapheneOS 2024053100](https://grapheneos.org/releases#2024053100) added an interesting new "duress" feature:

> add support for setting a duress password and PIN for quickly wiping all
> hardware keystore keys including keys used as part of deriving the key
> encryption keys for disk encryption to make all OS data unrecoverable
> followed by wiping eSIMs and then shutting down.
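As an added example (not GrapheneOS code, and a simplified model rather than its actual key hierarchy), here is what "wiping the keystore keys makes the data unrecoverable" means mechanically: the PIN verifiers, the KEK and the wrapped disk key all hang off one hardware-resident key, so zeroizing it cuts every path to the plaintext, even for someone who learns the PIN later. The names (`Device`, `enter_pin`, `read_disk`) and the toy cipher are assumptions of this example.

```python
import hashlib
import hmac
import os

# Simplified model (added example, not GrapheneOS code) of the key hierarchy the
# release note describes: a non-exportable hardware keystore key, a KEK derived
# from it plus the PIN, and a disk encryption key (DEK) wrapped under that KEK.
# Wipe the keystore key and the wrapped DEK, hence the data, is unrecoverable.

def _prf(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()  # KDF stand-in

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))  # toy "encryption", 32-byte blocks

class Device:
    def __init__(self, unlock_pin: str, duress_pin: str, data: bytes) -> None:
        self.hw_key = os.urandom(32)                       # keystore-resident key
        self.esims = ["esim-profile-1", "esim-profile-2"]  # constructed sample
        self.powered_on = True
        # Only verifiers are stored, never the PINs themselves
        self.unlock_tag = _prf(self.hw_key, b"unlock", unlock_pin.encode())
        self.duress_tag = _prf(self.hw_key, b"duress", duress_pin.encode())
        dek = os.urandom(32)
        self.wrapped_dek = _xor(dek, _prf(self.hw_key, b"kek", unlock_pin.encode()))
        self.disk = _xor(data.ljust(32), _prf(dek, b"data"))  # data at rest (<= 32 bytes)

    def _wipe(self) -> None:
        self.hw_key = None        # keystore keys gone: wrapped DEK can never be opened
        self.esims.clear()        # eSIM profiles wiped
        self.powered_on = False   # shutdown

    def enter_pin(self, pin: str) -> str:
        # Duress PIN is checked first; after a wipe every PIN is rejected
        if not self.powered_on or self.hw_key is None:
            return "off"
        if hmac.compare_digest(_prf(self.hw_key, b"duress", pin.encode()), self.duress_tag):
            self._wipe()
            return "wiped"
        if hmac.compare_digest(_prf(self.hw_key, b"unlock", pin.encode()), self.unlock_tag):
            return "unlocked"
        return "denied"

    def read_disk(self, pin: str):
        # Unwrap the DEK and decrypt; impossible once the keystore key is gone
        if self.enter_pin(pin) != "unlocked":
            return None
        dek = _xor(self.wrapped_dek, _prf(self.hw_key, b"kek", pin.encode()))
        return _xor(self.disk, _prf(dek, b"data")).rstrip(b" ")
```

Note that the real implementation also has to make the keystore erasure itself reliable (it is the hardware, not the OS, that must forget the key); this model only shows why erasing that one key is sufficient.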

While this is a neat feature from an implementation point of view,
it's even more interesting from a social one, and thus it
immediately sparked interesting conversations on a small IRC channel
somewhere on the internet.

There are [various bits and pieces](https://duckduckgo.com/?t=ffab&q=not+providing+password+cops&ia=web) of literature about not providing passwords,
like [Catch Me If You Scan: Constitutionality of Compelled Decryption Divides the Courts (2020)](https://crsreports.congress.gov/product/pdf/LSB/LSB10416),
[Police Can’t Demand You Reveal Your Phone Passcode and Then Tell a Jury You Refused](https://www.eff.org/deeplinks/2021/10/police-cant-demand-you-reveal-your-phone-passcode-and-then-tell-jury-you-refused) by the EFF,
… but I haven't found anything about duress erasing.

I've suggested "immediate shutdown" instead of "immediate nuking" as a
middle ground, since it might not be classified as "destruction of evidence".
But in some countries (USA, England, parts of the Commonwealth, …),
while one has the right not to incriminate oneself nor to provide
testimony, some people have been held in [contempt of court](https://en.wikipedia.org/wiki/Contempt_of_court)
for refusing to provide decryption materials. Whereas if you have destroyed the data,
you won't be held in contempt of court for not being able to do the impossible.
Note that claiming you forgot your password is [different](https://www.digitaltrends.com/computing/contempt-of-court-decrypt-password/)
from refusing to give it. It's also *interesting* to note that in the USA,
destruction of evidence is [pretty close](https://en.wikipedia.org/wiki/Tampering_with_evidence) to concealment of evidence,
but one might argue that turning off your phone doesn't really change anything
evidence-wise.

Of course, willful destruction of evidence is usually "frowned upon", but in
practice, so is refusing to talk to the cops, refusing to provide your decryption keys, and
generally not confessing to whatever your charges are, regardless of whether you
did it or not. This raises the question of the respective penalties for those
behaviours: to deter people from nuking their data instead of handing it
over, the penalty for the former needs to be significantly higher than
the one for the latter.

But to avoid breaking the proportionality principle
(throwing people in jail for years for refusing to unlock their phone), it
would be up to the police to prove that the phone that was nuked contained
incriminating material/evidence. If they can't do so, could refusing to
unlock still be "concealing of evidence"? Obtaining the
IMEI/identifier of a given phone isn't hard, so having the cops systematically
check whether a recently-nuked device was used before the arrest/raid/confiscation/…
might make it easier to prove.

But even so, would you stand a better chance just erasing your phone when you
can, and let your lawyer sort out establishing that you didn't know that your
phone was going to be seized and used in a trial? Once you're being asked to
provide the passphrases so it can be used in a trial, it will be much harder to
argue you don't know it's going to be used in a trial.
In the first case, burden of proof is on the prosecutor to establish both means
and motive, while in the second case you are the one on the spot to provide a
motivation for not complying with a court order.

Most people don't have their phones stockpiled with criminal evidence against
them; and if they do, odds are there is plenty of it to be found
elsewhere as well. What they have is a ton of messages, media, pictures, …
from other people, who did not send them with the intention of their being published
by a prosecutor, leaked to the press/internet/…, stored indefinitely in a
[Palantir](https://en.wikipedia.org/wiki/Palantir_Technologies) database, …
Nuking the data is the morally right choice here.

Another interesting use case would be mitigating [planted evidence](https://en.wikipedia.org/wiki/False_evidence),
which is [popular in India](https://duckduckgo.com/?q=planted+evidence+india&t=ffab&ia=web),
as well as in some other countries.

I've mostly thought about the "cops got your phone, ask you to unlock it"
situation, where erasing your phone on the spot will look incredibly dodgy,
but there are so many other ones: domestic violence, mugging,
lazy investigators, surprise seizure but-they-have-three-floors-to-climb-before-reaching-my-room, …
situations where you don't care that the attacker knows you reset the phone, or
where they would *think* you did but would have a really hard time proving it, or where
you might be able to pass it off as "my phone is broken".
A nice example use case would be to have the duress PIN written on a label inside
the phone case, or set it to `1234`, so that if someone steals the phone, odds
are they'll think it's the unlock PIN, and will wipe it.

While I would love to have this kind of conversation with lawyers,
I'm grateful to the lovely people of `#tech` for the chat, especially for the
down-to-earth/practical comments and examples of situations, since I'm clearly
[gauche caviar](https://en.wikipedia.org/wiki/Gauche_caviar), and real cases
are very different from theoretical-ones-from-my-couch.

With all this in mind, [don't talk to the
police](https://www.youtube.com/watch?v=d-7o9xYp7eE), ask your [local activist
chapters](https://infokiosques.net/spip.php?article538) about this topic, or
even better, a friendly neighborhood lawyer. Stay safe.
