In my country, the police can force people to unlock their phones, and it’s happening pretty frequently on the street. When you get pulled over for a traffic violation or just a random ID check, the police often check the photos, the chats, sometimes social media, and what apps are installed (they said they were looking for illegal gambling apps and activities, but who knows what they are actually looking for).
That is my main concern, and I found out that Chinese phones like Xiaomi, Huawei, OnePlus, and Oppo have features called “Second Space”, “Privacy Space”, or other similar names depending on the brand, but they all do the same thing: the phone will launch one or the other of the “spaces” (user profiles) from the lock screen, based SOLELY on the PIN or fingerprint used for authentication on the lock screen.
For example:
I turn on the phone screen by pressing the button; now it’s showing a lock screen.
If I enter 1234 or use my left thumb fingerprint, it will unlock user profile A.
If I enter 5678 or use my right thumb fingerprint, it will unlock user profile B.
There’s no need to switch to or select a user profile before entering the PIN or fingerprint. So it looks just like you’re unlocking your phone normally without revealing the other profiles.
My solution is to set up a dummy profile that I can let the police check freely without knowing that I have another profile. I don’t want them to go through my chats and photos.
What’s your opinion on my solution? I’m aware that GrapheneOS also has user profiles but it’s not possible to open another profile on a whim without manually switching to it. I wish I could do that on GrapheneOS.
My question is what are the drawbacks of using phones like Xiaomi, Huawei, OnePlus, and Oppo in terms of privacy compared to GrapheneOS?
Note: English is not my first language, I’m sorry if there’s something unclear in my post, please ask me to clarify things if there’s anything unclear.
The question is: What exactly are you looking for? Privacy from Law Enforcement (LE) on casual stop and searches, that is, casual Plausible Deniability (PD)? Strong Anti-Forensics (AF), and/or General Privacy (GP)?
If you are strictly looking at casual PD towards LE on the streets, then the Chinese phones could be a mitigation. However, without knowing your jurisdiction, you should consider it poor PD. You should also consider, and take into account, that LE may be aware of the SecondSpace/PrivateSpace on these Chinese phones.
In your jurisdiction, is LE known for seizing devices if they suspect you are hiding something? If so, then you should consider GOS, as it has much better AF and GP.
Such is not really a feasible mitigation for OP. LE would be able to see OP unlocking the phone and then enter PrivateSpace. The benefit of these Chinese phones is that they allow one to enter the space from the lock screen.
I have a similar situation to deal with. Chinese private space implementations do work, but if an enforcer was properly instructed beforehand, then they can and they will find out that that particular functionality is active (for example, some manufacturers leave a special shortcut in the notifications section for quick access to the main space, etc.). It’s a consumer solution in the end, so it is pretty basic. These implementations work for protection against basic criminals to a certain degree, in the heat of the moment so to speak, but it’s a joke for an experienced government man. IMO your best bet is a second phone with GrapheneOS for any sensitive activity in WiFi-only mode, permanently residing at your home.
I mainly look for privacy from Law Enforcement on casual stop and searches.
Another thing I care about is that I want to prevent the government apps on my phone from snooping on me. There are apps I need to install to manage tax and personal legal paperwork. I heard that GrapheneOS is ideal for that: since GrapheneOS user profiles are reliably isolated from each other, I can install all the government apps in a separate user profile. And I can also control the permissions. Regarding this, I have a question: What data can an app track or collect from the phone or from other apps on the phone running regular Android?
I also care about privacy in general, especially privacy from mass surveillance, so I use end-to-end encryption whenever possible. For example, I use Signal since I’m worried that the government might be able to view my chats on popular platforms like Facebook or Instagram. I use Notesnook instead of Apple Notes or iCloud because I’ve read that my country has a law that requires iCloud’s user data to be stored on a domestic server, which makes me suspect that the government can freely access it. I use a custom DNS resolver, DoH, and sometimes a VPN to make it harder for the ISP to snoop on me.
So I’d like to know more about what privacy I would lose by using a Chinese phone instead of a Pixel with GrapheneOS, so I can make an informed decision about whether the trade-off is worth it.
Fortunately no, they only seize devices when a person is detained; casual stop and searches normally don’t lead to seizure of devices.
Thank you for the heads up. I don’t have much information about this at the moment.
This. It doesn’t really help at any angle, whether one is trying to present a properly set private space or a main space. It is always obvious what a person is trying to do. Not to forget that in some places there are mandatory government issued apps (sometimes even pre-installed) that collect enough information for identification. So they already know what apps a person of interest is using. That’s why I think that physical separation is the only viable option. Personally, I don’t like taking chances.
Get two phones.
First, a Huawei or any other one.
Second, a Google Pixel 7a or newer with GOS.
If the LE pulls you over, you show them your innocent Huawei phone. The GOS phone is hidden somewhere.
As long as they do not suspect that you have a second phone somewhere, you are good. If they search for the second phone, you are pretty much f*cked.
So make sure that the innocent phone looks convincing, and make sure to hide the GOS phone where they will not find it easily.
In a place where LE pulls people over a lot and looks through their phones, something like this would look interesting enough to be worse than one phone with two profiles. It would also likely lead to the nicer of the two phones disappearing into a cop’s pocket, depending on the level of corruption.
How?
You should not turn the Huawei into a dumbphone that you do not use. You should still use the Huawei as your main phone, but offload sensitive tasks to the GOS phone.
If they pull you over, hand over the Huawei phone that you actually use and keep the GOS phone hidden (in your underpants or somewhere they do not want to look).
Plausible deniability such as this is actually one of the most requested features on the GrapheneOS forums. There are new threads about it all the time. To summarize, so far the devs have shut down the idea for various reasons. The central one is that they can’t currently implement it in a way that could stand up to an actually competent adversary, such as the NSA or the various other intelligence agencies, due to a lack of proper hardware support.
Their answer so far has been the Duress PIN feature instead, which is pretty much the opposite of plausible deniability.
Then there’s the other reason of their general development philosophy of wanting to avoid “badness enumeration” in favor of simple & straightforward solutions. If the adversaries have been told what to look for (signs of a profile, perhaps) then it’d be just a race of whack-a-mole, a race they (currently as far as I can tell) have no interest in taking part in. Only one mistake in such a race could lead to catastrophic consequences for the users of such faulty plausible deniability.
And finally, there’s the reason of possibly putting users in danger. Let’s say you are a user of an OS that has implemented plausible deniability. Let’s also say you do NOT use that plausible deniability. Let’s also say that the adversaries know you use that specific OS. Now when you’re stopped, even when you give up your password to your one & only profile, the adversaries can still think that you are using plausible deniability, even when you are not. And now, you might be in deep trouble for not revealing your “second password” to that hidden profile of yours (which does not exist, but the adversaries think so because you’re using an OS that implements such functionality), and every denial is only taken as proof that you’re simply in need of more “convincing.”
I believe that if the GrapheneOS devs want to implement such a feature, which I’m sure they’ve at the very least looked into given its prominence on the GOS forum, they won’t do it unless they can do it in a way that meets their standards for reliability & security.
Thank you for the measured reply. The GrapheneOS response is well taken in this scenario. I hadn’t thought through all the potential headaches a user could face.
I wonder if using GrapheneOS in the first place already introduces you to this type of scrutiny though. If you’re stopped by customs or border patrol agents of a certain country, and they see you have GrapheneOS, I’m sure it already puts you on an elevated threat level. This is due to things like the duress PIN. We have already seen people be arrested in the US for using this feature (Atlanta activist charged with wiping phone before CBP search).
If you’re getting pulled over and using your GOS phone for directions or answering a message, do you have time to stuff it in your pants? When frisked, that’s a HUGE red flag that is easily found.
Police in places where they have extraordinary powers to stop people and search their phones mean that, on a long enough timeline, they’ll feel like tossing the car and searching their person looking for something of value. Another phone is worse to find than OP’s idea of having a not-obvious profile. IMO, the not-obvious profile is more easily hidden from non-tech-savvy cops who just need to look and say “looks fine, meh” and let OP move along.
You could get plausible deniability to an extent by not loading the sensitive data onto your phone, right?
Just memorize the passphrase and store it on a website. Only you know the website and only you know the password and it’s not on your device.
Disappearing messages as well. I wonder the extent to which the SimpleX hidden chats are deniable. The way it works is you hide the chat with a password that you enter into a regular search bar and only after searching that does the chat come up.
I imagine not to the extent that GOS considers, because there’s no plausible deniability on SSDs, which is the main problem.