Hong Kong police can now demand phone passwords under new security rules

3 hours ago (gadgetreview.com)

Wow, what a free society! In the UK if you refuse to unlock your device you can be imprisoned indefinitely! In HK it's just one year!

  • In the UK you can be imprisoned for liking a post on Facebook that is considered "hate speech".

  • Why are you misrepresenting UK law?

    Yes, it can be a criminal offence. But the maximum tariff for this under RIPA 2000 is five years. If it’s not about national security or CSAM, it’s two.

    (Incidentally, the USA is a real outlier in this topic)

    • It's five years with no limitations, so when you are due to be released: What's your password? Another five years... It's such a poorly worded law you could literally spend your life in prison for forgetting your password. And it's mostly used against peaceful protesters.

    • Are we damning the UK with faint praise now?

      I'm not even sure how much practical difference there is between 5 and indefinite in practice, 5 years is a long time. I imagine it is pretty life-destroying. Especially for the crime of having something on your phone that you want to keep private.

      > If it’s not about national security or CSAM, it’s two.

      I am sure we all get what you mean, but there is a comic interpretation in vaguely-Soviet style here where if someone hasn't done anything wrong they only get 2 years. I'm going to spend some time this weekend making sure my encryption is plausibly deniable where possible.

  • The police must obtain appropriate permission from a judge to obtain a s.49 RIPA notice.

    Before a judge grants the notice, they must be satisfied that:

    - The key to the protected information is in the possession of the person given notice.

    - Disclosure is necessary in the interest of national security, in preventing or detecting crime or in the interests of the economic wellbeing of the UK.

    - Disclosure is proportionate.

    - If the protected information cannot be obtained by reasonable means.

    • So you're saying it's still at the discretion of a single magistrate?

      I'm sure China could find some judges to rule in the name of national security if it would give everyone warm fuzzies.

      Judicial checks and balances only function when they're independent of the executive and parliament.

Feature request: Make it default behavior on phones that you can have multiple passwords, connected to different profiles. With no way to determine how many profiles a phone has.

I'm sure there's some people here working on mobile operating systems, might be worth considering?

  • Another feature request:

    Allow the device user to create a different (duress) password, which when entered, will immediately wipe the phone without any secondary warnings. The user could then provide that password to the people who seized their device, and be in compliance with all laws, while maintaining information security.

  • "This profile doesn't have anything on it. Give us the password for the real profile."

    Or even worse, you did give them the real password, but because your phone supports the feature and your profile is kind of barren, they don't believe you. Now you are in a very bad lose-lose situation.

    • With LLMs, it should be easier than ever to fake generate text messages, notes, emails, etc.

    • I suppose that you could have the phone listening in real time and generating profiles that are hidden and embarrassing but not illegal.

      So when they ask for the real profile it shows in the next unlock a profile that makes it very clear you have a deeply embarrassing ASMR addiction.

      It could cross reference your local laws to ensure to not spill the beans on something locally illegal.

    • You do use your "fake" profile regularly, just for "sanitized" activities. Check in on official sanctioned news sources, do your "legit" banking and financial stuff, etc.

  • As others have pointed out this would likely not save you in this case, but there are some phones which do support this, and I know people in Brazil that use these features in order to be able to comply when getting mugged without giving away access to your bank etc.

  • Software isn't going to save you in this scenario. If you're worried about local laws violating your privacy then buy a burner and only put data on there that's necessary for your travels.

I wonder what would happen if HK tried to force somebody to unlock their business phone. It's typically a violation of corporate policy to allow a third party to access the encrypted, confidential information on corporate mobile devices.

The poor device user would be faced with a choice of losing their job and being held criminally liable for breaching their company's systems, or going to jail in Hong Kong.

I think everyone's glossing over that this extends to anyone who knows the password. Your sysadmin, your business partner, your spouse. Hong Kong just turned your company's entire key management chain into a legal liability.

It would be nice if phones had a feature where you can define more than one pin, but only one is for your actual phone contents - the other ones lead you to a completely harmless but otherwise indistinguishable looking smartphone interface that contains no or only completely bogus data.

  • Samsung has the secure folder which is similar. You lock away the goods behind a second password and activating that secure folder can be slightly hidden.

  • It would be nice if I didn't get beaten with a hose in a vain attempt to prove that I unlocked the "real" one.

    • I maintain that the series "24" back in the day did us all a great disservice by promoting the value of torture to "save the world".

      I'm hard pressed to find any reason for any citizen to be compelled to share their secrets with the police because the police had "suspicions".

      The 4th and 5th are paramount for a free society.

  • Almost every Chinese Android variant has that. On Oppo it’s called clone system.

Ah, finally catching up to ... The UK, Australia, Ireland, France, the Netherlands, and probably a lot more.

The horrible bastion of despotism that is China-run Hong Kong has now caught up to the rule of law utopias of enlightened thought in the US and UK.

  • >in the US and UK

    ???

    Of all the issues with the US justice system, being compelled to disclose passwords isn't one of them. It is an issue for the UK, though.

    • Funny how it's a horrible misrepresentation slurring the honor of the United Kingdom to exaggerate the penalty of not unlocking your phone for His Majesty's Law Enforcement, but US border cops being allowed to ask foreigners for the same thing upon pain of not being allowed to enter the country (something that no one seems to care about other nations doing?) is totally the same thing.

    • > Of all the issues with the US justice system, being compelled to disclose passwords isn't one of them.

      This is not totally true. It is also a US issue: CBP has been asking for passwords (or to unlock the device) for phones and computers for more than a year now. Last year, multiple people got turned around because they disagreed with US policies and political views that differ from those of the US's current president.

    • > Of all the issues with the US justice system, being compelled to disclose passwords isn't one of them

      Under the present administration I wouldn't be surprised if for example ICE tried the $5 wrench method.

    • Depends, you can get NSL'd to disclose passwords. Good luck running that one up to the Supreme Court. And biometrics aren't as well-protected. Though, yes, in the UK it's a much more routine affair.

    • The above probably meant a point that current democracies are increasingly sliding into the same hole as authoritarian governments. The amount of encroachment by governments and big corporations on personal freedoms and democracy in "democratic" countries is quickly becoming intolerable under a guise of safety and "save the children" mantras.

  • In China it was never a problem for police to detain you for any reason (or no reason), but HK has a different legal system.

No one likes when I say this but it's really past time to stop doing anything interesting on your phone. Delete all your apps, set it as minimally as possible. Leave it home when you go for walks, and power it off when you go driving or to the store, or whatever.

  • I'm starting to believe this is [a] way forward. Or maybe an approach which is on a spectrum between <everything I have is on a phone behind a fingerprint and a four digit pin> and <I don't own a smartphone>.

    Unfortunately, it's pretty common to only have a smartphone as your sole compute device, and increasingly onerous not to own one at all.

    • > Or maybe an approach which is on a spectrum between

      > increasingly onerous not to own one at all.

      Yes, and I think this unfortunately demands a grey area. I'm starting to treat my smartphone more like a work device, and there are a few things I do on it:

      - My work's authenticator app is there.

      - Unfortunately Signal is tied to smartphone usage.

      - Practically speaking, people will expect to be able to send you text messages.

      - It's still useful for taking pictures.

      - My banking app is on there.

      Outside of rare occasions, that's really all I use my phone for. I don't carry it around the house. If I go somewhere with my wife, I don't even bring my phone most of the time. I'm "required" to have it, but in principle it's not even mine. It shouldn't be trusted or enjoyed.

What happens if you just say "I don't know it, only answer calls on it."

  • I'd imagine that's even more suspicious if you can't tell them who does know the password.

These kinds of laws worry me since I have forgotten several old passwords. Being disorganized shouldn't be a criminal offense.

>The US is evil

>China makes you give phone passwords, China makes Apple give user data

>The US wiretaps 1 person

"OMG THIS IS AN OUTRAGE!"

We forget because a Republikan is in charge how good we have it in the west. We forget how bad it is elsewhere.

This shit is why I don't visit China.