The recent federal raid on the home of Washington Post reporter Hannah Natanson isn’t merely an attack by the Trump administration on the free press. It’s also a warning to anyone with a smartphone.
Included in the search and seizure warrant for the raid on Natanson’s home is a section titled “Biometric Unlock,” which explicitly authorized law enforcement personnel to obtain Natanson’s phone and both hold the device in front of her face and to forcibly use her fingers to unlock it. In other words, a judge gave the FBI permission to attempt to bypass biometrics: the convenient shortcuts that let you unlock your phone by scanning your fingerprint or face.-
It is not clear if Natanson used biometric authentication on her devices, or if the law enforcement personnel attempted to use her face or fingers to unlock her devices. Natanson and the Washington Post did not respond to multiple requests for comment. The FBI declined to comment.
People, if you are taken into custody and are forced to unlock the phone and you wipe the phone instead, you are living in a fantasy world if you think you can’t get in trouble for that.
Maybe that’s worth it but let’s not kid ourselves that there wouldn’t be consequences.
Remember plausible deniability is a social concept not a legal one. It might of helped you get out of being grounded but it won’t save you from jail time.
Use GrapheneOS so you can “unlock” your phone and enter the wipe code instead.
Even better, set it to 1234567890 or 00000000 or similar easy to guess pin, and change it to the length of your actual pin, now if someone tries to bruteforce your phone it will instantly wipe and you can make a case that it was the law enforcement who destroyed any “evidence” by their own actions if in comes up In court.
This sounds like a convenient way to have all your locally saved photos wiped by your kid
Always back up anything you don’t want to loose.
How should I protect the backups? Same story?
Your backups aren’t nearly as likely to be subject to an immediate civil forfiture as a phone is. Cops don’t need a judicial warrent to take your phone, but they do need one to search your home legally, and if you do your offsite backups in another country, they would need the cooperation of the local authorities of that country. Strong encryption can provide a relatively safe barrier for offsite backups.
Also, it’s possible to have some things that may only exist on your phone and not your server/backup system(easy biometric unlock for a password manager, or encrypted chat logs, to name a few examples).
These practices and tips are not for everyday people but for high targets and work devices
Actually, these tips are for every day people (just not people whose kids can get to their phones). High targets get their ram frozen with liquid nitrogen, their PSU spliced into a battery pack, and the entire system-state backed up for retries.
Don’t they make a copy of the phone before they go about trying to unlock it?
This kind of security is only going to work against a careless or incompetent atta-- oh. I see…
That requires USB connection to even be possible with a locked phone.
Yes, and you can disable usb completely on graphene.
Not for state sponsored campaigns. They’ll cut the damn chips from your phone and send signals directly to the individual pins if they have to. They’ll freeze your ram into super cold state to make it nonvolatile. They’ll do some crazy shit, man.
Holy Christ, what are you guys doing on your phones to fuel this much paranoia? I have a constitutional right to privacy and i dont want my information/data (the very essence that makes me me) harvested and sold – for those reasons im opposed to most searches and i’ve never used biometrics. But the need to nuke my phone because a cop got it is so far from a necessity that I cant think of what im doing that I would need it.
Other than literally everything I think and feel you mean? I think it’s perfectly reasonable to not want to allow police or especially federal agents into my own head. My note taking apps, my password manager which links to all of my online accounts, and my entire web browsing and search history are all linked through my phone. Also signal and discord and lemmy, and on and on…
I use biometrics to access some of the apps on my phone. But my home screen requires a password to unlock.
Good advice, thanks.
hold the device in front of her face and to forcibly use her fingers to unlock it. In other words, a judge gave the FBI permission to attempt to bypass biometrics
This isn’t bypassing biometrics. This is using biometrics as intended. Bypassing implies this was an unexpected side effect when every security researcher ever has warned that biometrics is intrinsically vulnerable and a terrible password substitute for this exact reason.
Or at the very least; turn your phone entirely off (shutdown) whenever you expect or encounter police contact.
Biometrics only work when the device is already running. Mobile devices are in their most locked down/secure state when ‘at rest’, ie shutdown.
In android; there is also a ‘lockdown’ mode you can quickly activate from the power off screen, that disables Biometrics until next unlock with a pin/pattern, but doesn’t fully shutdown so you can still quickly access things like the camera. This has to be explicitly enabled in settings first and will not offer much protection from various lockscreen bypass software available to law enforcement.
In android; there is also a ‘lockdown’ mode you can quickly activate from the power off screen, that disables Biometrics until next unlock with a pin/pattern, but doesn’t fully shutdown so you can still quickly access things like the camera. This has to be explicitly enabled in settings first and will not offer much protection from various lockscreen bypass software available to law enforcement.
2 things. Unless I accidentally enabled this setting, it’s on by default. And what do you mean by lockscreen bypass software. What would be the point of lockdown if its not effective against law enforcement trying to brute force your privacy?
it’s on by default
It may well be on by default now. I just know I had to enable it the last time I looked at this.
what do you mean by lockscreen bypass software
Tools such as those provided by Cellebrite and similar.
Lockdown mode is mainly to disable biometrics, to prevent someone on the street forcibly using them to unlock your device. It’s not going to stop an entire agency with more sophisticated tools.
Also, don’t take your phone to protests. ACAB.
Wear clothing that can’t identify you. Hide tattoos and anything that might make you stand out. Get clothes from a free giveaway place, without cameras. Walk a bit differently if you need to.
Cover your face and cover surveillance cameras, or break them, or hack them (do the latter two only if you know what you’re doing).
Wear a body cam. Get bear and pepper spray. Pigs can fucking get it.
I’ve been debating buying a burner phone for protests, leaving my main phone elsewhere, and only powering on the burner when it’s needed. Probably the only way to bring a phone to a protest.
You can also buy faraday bags, if you want a phone available but not online. But it’s still there physically so burner would still be a good choice.
Just test it first. I got a faraday bag of Amazon and it didn’t work.
100%. I tested mine with calls and making sure the wifi and Bluetooth didn’t go through.
In android; there is also a ‘lockdown’ mode you can quickly activate from the power off screen, that disables Biometrics until next unlock with a pin/pattern
On iOS, with a locked device, quickly press the lock button five times to do the same, it should bring up the power off/SOS screen, which you can dismiss.
This can also be done by holding down both power and volume up buttons for a few seconds.
TIL thanks!!!
What if you take your dick and use that on the fingerprint scanner, do you think the cops would make you whip it out
Probably, although they probably can’t force you to reveal it’s your dick that unlocks the phone.
What if I compromise and reveal that it’s a dick that unlocks it, but not whose?
then they’d probably punch you in the dick
Jesus fucking christ.
I don’t use my phone for anything other than directions, phone calls, and texting my wife. Partially because I’m not going to carry around something with tons of shit that can be used against me.
This is fucking insane.
It does not matter. The phone still uses you, no matter how much you use it.
For directions you can use a separate GPS navigation tool. Phone and text calls -> just get a dumb phone.
Just know that SMS and regular phone services are inherently insecure and to not use them for any conversations you wouldn’t want broadcasted to the whole world.
Fair point, what’s then the safest?
I don’t think there’s necessarily a safest, thats a moving target and everyone’s threat level is different. There’s a number of open source E2EE encrypted messaging apps though and lots of resources comparing their pros and cons. I can try to find you a link a bit later when I have more time if you’d like.
Sure, I’m always open to it. And even if it has no use for me, all the more use for other queers and demsocs :3
I’m not sure what demsoc means, but I’ve found these sites to be helpful.
https://www.privacyguides.org/en/real-time-communication/ https://eylenburg.github.io/im_comparison.htm
Simplex is probably the safest.
But I would say signal is very safe while being more convenient.
On iPhone say “Hey Siri, who’s phone is this?” to disable biometric unlock temporarily.
On Android press the power and volume up buttons to open the power off screen, then press “lock down”.
On the iPhone you can also press both the upper left and right button. It will enable that you can only log in with a password, even if you have Face ID/Touch ID.
You can also establish that if there are too many false attempts to log in, the phone will delete all data. I could imagine that if you kept most phone data on the phone itself, rather than in the cloud, this can be useful. E.g. insert the password wrongly multiple times.
And if you’re feeling really concerned, you can make a Faraday cage (preventing it from sending data altogether). Wrap a plastic bag around, then aluminium foil tightly without gaps, then plastic… repeat three times.
Alternatively, put it in a microwave. Or a stainless trash can with a tight lid, lining the inside with (optional: cardboard first, then…) plastic wrap, maybe more foil. Phone also foiled.
I only use a 10-digit pin number I’m guaranteed to never forget. I type it in every time. But, I don’t spend much time on my phone, sometimes I even forget it when I leave the house.
I prefer grapheneos’s numeric pin+fingerprint or alphanumeric password. Plus I get to brag that I have MFA on my phone login (even if you can use only the password).
Don’t forget the duress password and the protections in BFU state! :)
I only enable duress password when I may need it. With my luck I’ll wipe my phone putting it in my pocket.
That’s a great idea but let’s not forget that this administration and it’s poorly-trained attack dogs might try and justify the password hammer
That’s why something like the duress password exists for GrapheneOS - just keep a backup of the important stuff at a separate location away from your pockets.
*an encrypted backup
@Truscape@lemmy.blahaj.zone
or second factor PIN
iOS biometrics is on the phone on an encrypted chip, and Face ID does not work if your eyes are closed… also if you press power 5 times it disable the face id unlock.
Face ID does not work if your eyes are closed
And then they hit you with a five dollar wrench until you open them. Not good opsec.
They could do the same and ask for your password
GrapheneOS duress password says hello.
Yeah they’re kinda missing the point of the $5 wrench example there
