By Marcel Gerardino
Recently I came across an article by the New York Times about the increasing pressure from officers at airports demanding that passengers hand over and provide access to their personal devices. The article also offers advice on what to do to safeguard information when facing a digital frisk. This is even more critical in light of recent regulation forbidding devices larger than a smartphone from being brought into flight cabins, meaning passengers will have to register and lose sight of them.
As the article mentions, although citizens are not required by law to provide access and/or reveal credentials to government officials, flat out denying or failing to comply with such demands can make things complicated. The article goes on to suggest several measures that provide a certain degree of deniability and therefore protection of private information, among them using an alternate device, disabling the fingerprint reader, not memorizing passwords (therefore not being able to reveal them), using two-step verification and encrypting the device.
While most of these measures seem valid, their effectiveness in the aforementioned situation is closely tied to the concept of plausible deniability, which refers to the ability to deny existence or knowledge of information, secret codes, passwords or any other element being requested. For example, what sense does it make to carry a device you intend to use if you do not know the passcode? Also, you can most likely expect some blowback by saying your two-step verification device was left at home. Other measures, like backing up to the cloud and completely wiping the device for later restoration, can be effective but inconvenient at the same time. Using encryption, on the other hand, could perhaps offer the best balance between privacy, security and convenience.
Greater degrees of plausible deniability can be achieved by using methods less likely to seem awkward or raise suspicion. Following is a list of useful tips that can help you avoid the hassle should you ever become subject to these procedures:
- Purge and hide: delete all unnecessary files, browsing history, messages and call logs to limit the exposure surface available to the frisker. Next, hide or disable all apps containing sensitive or private information. Android’s Apex Launcher and a number of other launcher applications provide the capability to hide apps and other elements from plain view.
- Plausible-deniability-aware encryption tools: encrypting files or entire logical volumes or partitions can provide great security and privacy in this situation. VeraCrypt (a fork of TrueCrypt), Mac OS FileVault, Windows BitLocker, Android Cryptonite and LUKS are some of the tools that can be used to perform on-the-fly encryption and in some cases hide encrypted data.
- Decoy OS through dual-booting: by tweaking your bootloader, a complete OS installation or kernel image can be hidden. Mac users can leverage boot managers such as rEFInd to specify a default decoy OS and have the real OS loaded upon pressing a shortcut key (e.g. M for Mac OS). A rooted Android device can be made to behave similarly, while iOS devices have a more secure boot sequence which prevents or at least makes this process much more difficult.
Although plausible deniability is a questionable security measure, criticized by many in the industry (most notably Bruce Schneier), in a privacy and airport security context it can provide an additional layer of protection. It is important to note that we are referring to protecting your privacy and the security of your data from falling into the wrong hands. This article is by no means a guide to obstruct justice or avoid law enforcement while committing a crime.