Got sensitive data? There’s an app for that
Civil liberty advocates are concerned by the increasing power of border officials, with many countries now demanding the search and seizure of travelers’ electronic devices upon entry.
Laws like New Zealand’s Customs and Excise Act, which allows authorities to fine those refusing to hand over their passwords a maximum of NZ$5,000 (approximately $3,400), have incited journalists and activists to look for new ways to protect any sensitive information they’re carrying.
Virtual encrypted disks, such as VeraCrypt, have long been used to hide confidential files, although possession of the software can easily be detected by law enforcement.
This leaves the individual without many options – simply claiming to have forgotten the password to a device is often recommended as the most viable, but this is not without its risks.
“Lying to border people never ends well,” said Ian Goldberg, professor at the University of Waterloo’s Cheriton School of Computer Science, speaking to The Daily Swig about his new data project, Shatter Secrets.
Goldberg famously cracked the cryptography behind the Netscape web browser, leading to the wide adoption of the Secure Sockets Layer (SSL) protocol for safer communication.
“Lying to law enforcement in itself is a crime,” he said. “We absolutely do not want to encourage anyone to do this.”
Shatter Secrets could be a solution. The app aims to protect the traveler by encrypting their password and then splitting it into several places, or ‘shares’. These slices of data are then given to people known by the individual, who reside in the target destination.
“Importantly, you don’t know the password,” Goldberg said. “Once you get through the border, the [only] way to deconstruct the password, and decrypt your data, is to physically visit those people and tap your phones together.”
US Customs and Border Protection searched nearly 15,000 electronic devices in the first half of 2017 – a figure that, the federal agency states, amounts to only 0.008% of those arriving in the country.
But while this figure is small, its significance is possibly highlighted by the minority of people that would rather be refused entry than forcibly give up the data that they are trying to protect.
“Other schemes that try to protect your data when you cross the border pretty much all require lying by omission, or explicitly lying about how the data can be decrypted,” said Goldberg.
“Here [with Shatter Secrets], you’re not trying to hide the fact that you have sensitive data. You can say truthfully that you don’t know the password, and here’s how the system works.”
Open source, open privacy
At this stage, Shatter Secrets remains an open source prototype app for Android that proposes using threshold cryptography in order to implement the distributed decryption system.
“Users are asked to make an account on our server, which effectively acts only as a relay server for transmitting encrypted secrets over TLS,” reads the white paper by Goldberg and his colleague Erinn Atwater, research director of the Canada-based non-profit Open Privacy.
“At registration time, the app generates a public-key encryption keypair and transmits the public key to the server, to be used for end-to-end encryption of encrypted shares being relayed to each designated friend.”
It adds: “Encrypted shares are deleted from the server once they have been retrieved, and the user is informed when all of their friends have retrieved their respective shares and it is ‘safe’ to cross the border.”
Sharing schemes with threshold cryptography have been proposed before, but there have yet to be any feasible real-world applications.
Goldberg and Atwater believe that by focusing on the situation at international borders, the work can be made possible.
“Open Privacy is hoping to raise money in order to turn this into a real app that people can use,” said Goldberg.