I'd pay for a decoy PIN and profile on my Android phone, and I'm not alone
If I'm forced to unlock my phone one day, I'd like to show a decoy profile instead of my real account.
Aug 15
/
Android Authority
A few days ago, my colleague Calvin shared an interesting fact about GrapheneOS: The custom ROM allows him to set a duress PIN that completely erases the phone when he enters it, including encryption keys and the eSIM partition. It’s a very drastic privacy measure that lets anyone protect their data if they’re being forced to hand over or unlock their phone when they don’t want to do it.
I love that the feature exists for those who think they might need it, even if it’s through a custom ROM, but as many commenters pointed out on Calvin’s article, this is too drastic for most of us. Instead, what several commenters and I would like is more akin to a decoy PIN that opens a sandboxed version of my profile. And I’m not alone. Several of you want exactly that and would even pay for it.
Another option would be to make multiple users on Android accessible from the same PIN unlock screen, and we’d be golden. I’m surprised this feature isn’t yet a part of Android, especially when it could benefit everyone, not just privacy freaks, including families that share a tablet at home.
Another option would be to make multiple users on Android accessible from the same PIN unlock screen, and we’d be golden. I’m surprised this feature isn’t yet a part of Android, especially when it could benefit everyone, not just privacy freaks, including families that share a tablet at home.
A duress PIN is too much; a decoy PIN is a simpler solution
Even though I’m fascinated by the idea of setting up a kill switch on my phone, I think it’s an extreme measure that very few, if any, people will ever need or use. It’s an overkill solution that leaves room for potential forgetfulness and misuse. If you choose a strong PIN, you might forget about it the very moment you need it. If you choose a weak PIN, like 0000 or 1234, you’ll risk someone (a kid, most likely) wiping your phone and data by mistake if they pick up your phone and try to guess your code. Someone suggested choosing a decoy PIN that differs by one number from their primary PIN, but I think that’s even worse. One finger slip and my data is poof, gone. Better never use my phone with oily or sweaty fingers!
What also worries me about duress PINs is that they might trigger violence on the side of the person forcing me to unlock my phone. Who knows what they might do when they realize I erased everything?
A decoy PIN would behave a bit differently. Instead of erasing my phone, it would either unlock a sandboxed version of my profile with all crucial apps (banking, files, photos) hidden, or it would unlock under a different user and keep my primary account and data hidden and encrypted. For the former, Google would need to figure out how to privately and effectively sandbox parts of the OS, which may not be the easiest option. For the latter, it would be on the (very invested and tech literate) user to choose whether they want to do the work to create a separate profile and believable account.
Personally, I imagine setting this up with a relatively unused Google account, and keeping a few apps and bits of data there with no real value. If I’m ever forced to unlock my phone, I could enter this decoy PIN, open a decoy profile, and let them explore that. No reason for them to suspect that I’m hiding something or that I’ve erased data and evidence.
What also worries me about duress PINs is that they might trigger violence on the side of the person forcing me to unlock my phone. Who knows what they might do when they realize I erased everything?
A decoy PIN would behave a bit differently. Instead of erasing my phone, it would either unlock a sandboxed version of my profile with all crucial apps (banking, files, photos) hidden, or it would unlock under a different user and keep my primary account and data hidden and encrypted. For the former, Google would need to figure out how to privately and effectively sandbox parts of the OS, which may not be the easiest option. For the latter, it would be on the (very invested and tech literate) user to choose whether they want to do the work to create a separate profile and believable account.
Personally, I imagine setting this up with a relatively unused Google account, and keeping a few apps and bits of data there with no real value. If I’m ever forced to unlock my phone, I could enter this decoy PIN, open a decoy profile, and let them explore that. No reason for them to suspect that I’m hiding something or that I’ve erased data and evidence.
Look, I know that, technically, in the case of police investigations or targeted assault from violent criminals, no duress PIN or decoy PIN can guarantee that you’ll come out unscathed or that your data won’t be obtained in some other manner. But most of us are normal people who live boring old lives. There’s no logical reason we should be afraid of these situations. What worries me, personally, is more on the scale of petty modern thieves who might demand access to my financial apps. And in those cases, keeping the banking and money apps away under a main profile while the decoy profile houses nothing of the sort seems like a good level of protection to me, without going too far in the cloak-and-dagger mentality.
I liken it a bit to using a duress code on my alarm system. Instead of triggering the sirens around the house, entering this secondary code disarms the system but sends a silent notification to my emergency contacts saying that I was forced to disarm. It’s an invisible security measure and doesn’t stress out the aggressor, which is what I like about it. Some countries even impose this in their alarm system regulations.
I liken it a bit to using a duress code on my alarm system. Instead of triggering the sirens around the house, entering this secondary code disarms the system but sends a silent notification to my emergency contacts saying that I was forced to disarm. It’s an invisible security measure and doesn’t stress out the aggressor, which is what I like about it. Some countries even impose this in their alarm system regulations.
Get in touch
-
admin@inv-network.org
About Us
Inv-Network was created to support those who are tasked with the difficult job of protecting children from online child exploitation. Our goal is to provide community, resources, and training to Law Enforcement, District Attorney's, and Parole & Probation Officers.
Copyright © 2023
SEX OFFENDER MANAGEMENT SYMPOSIUM REFUND POLICY
Our Symposium aims to provide the most beneficial and practical experiences for our students. From providing resources, special guest speakers, and also networking and bonding experiences. All of this is costs for us at Intellect-LE. We do our best to cover the travel costs for our instructors as well as resource give aways for students and all of that is paid prior to the course dates. If we have a large amount of students cancel before class, this incurs a large out of pocket expense for use and we would not be able to sustain our course. When you or your agency registers and pays for class we believe you are attending. We understand that circumstances arise so while we do not refund paid seats, we do offer the following options;
1. Your seat may be transferred to another attendee from your agency at no additional cost.
2. Your seat may be moved to our next available training date, even if it is in another location.
3. You can be granted 1 year's worth of access to our skills center and all the training it contains.
1. Your seat may be transferred to another attendee from your agency at no additional cost.
2. Your seat may be moved to our next available training date, even if it is in another location.
3. You can be granted 1 year's worth of access to our skills center and all the training it contains.
SEX OFFENDER MANAGEMENT SYMPOSIUM REFUND POLICY
Our Symposium aims to provide the most beneficial and practical experiences for our students. From providing resources, special guest speakers, and also networking and bonding experiences. All of this is costs for us at Intellect-LE. We do our best to cover the travel costs for our instructors as well as resource give aways for students and all of that is paid prior to the course dates. If we have a large amount of students cancel before class, this incurs a large out of pocket expense for use and we would not be able to sustain our course. When you or your agency registers and pays for class we believe you are attending. We understand that circumstances arise so while we do not refund paid seats, we do offer the following options;
1. Your seat may be transferred to another attendee from your agency at no additional cost.
2. Your seat may be moved to our next available training date, even if it is in another location.
3. You can be granted 1 year's worth of access to our skills center and all the training it contains.