We need “Protest Mode” on phones


Yes, it’s all very depressing, and yet somewhat uplifting at the same time, that so many people have the courage to resist what is going on at the moment. This happens a lot around the world; recall that the “Arab Spring” was not so long ago, and this is but the most painfully close-to-home incarnation of it in the Western World.

The very real risks of protesting under these kinds of regimes are many, as surveillance-states definitely do:

  • Track (pre-emptively if possible) your movements, mobile calls, SMS and data usage. GCHQ, NSA and their sister agencies in other countries have software and hardware that does this, even in “benign” and “free” countries. In many cases this is off-the-shelf equipment purchased from private companies who have been offering e.g. GSM mobile network spying equipment for many years. They even write specific software for pre-empted events and have testing dry-runs before it happens.
  • Confiscate mobile devices and either try to compel you to unlock them or unlock them using tools (remember the whole Apple vs. FBI spat last year)
  • Scrutinize your social accounts, profiles, postings, photos, videos and messages. They can do this anyway via their intelligence agencies because most (all?) of these social networks are not sufficiently secure by their very nature, but it is much easier for law enforcement officials to just compel you to reveal your account IDs on the spot, by blocking you from doing something else, like going about your legal business, and threatening you with detention, lawful or otherwise.

Through these actions they can intimidate you, your friends and your family and discourage civil protest, as well as track down and tenuously connect you to others at protests. You can bet all the flavour-of-our-times “machine learning” will be put to good use by the State, pulling faces out of photos and matching them to tagged Facebook photos eventually.

Think about photogrammetry too, where many photographs from a scene are auto-assembled into a 3D scene. Confiscate and unlock 100 devices from a protest and put them all together to create a VR scene of the protests and pick out the people you want to persecute.

This is why I wish we had some kind of “Protest Mode” on iOS and Android phones. Given that many devices now can be unlocked with fingerprints, we have gained security and convenience but arguably weakened our ability to prevent the State cracking open our devices, to reveal the photos and videos just taken and people you’ve communicated with. All they have to do is coerce you to put your finger on the home button. That could be done in many different ways.

My vision of a “Protest Mode” is along these lines:

  • During device setup, you are asked to choose 5 people from your contacts to use as “advocates”. The contact details of these are stored one-way encrypted in the cloud (so they can be verified using 2FA), and the advocates are invited to accept the requests, with a public key exchange mechanism set up and credentials for their account in the cloud service stored in the participants’ secure “keychains”, to be unlocked only with fingerprint/reliable biometric (no PIN/password unlocks). The names and contact details of these advocates are not stored on the device at all.
  • Some users at a protest location explicitly put their phone in Protest Mode, as they might Do Not Disturb (DND) mode. This turns on a Bluetooth beacon with a category/type that indicates “A device is in protest mode” but without any unique identifying data. The beacon ID needs to be randomized frequently so people cannot be traced between (or within) protests.
  • Other devices in the area scan for this beacon type all the time (they are scanning for beacon IDs already if Bluetooth is on). If they detect a “Protest Mode” beacon, they buzz and ask the owner of the device “Would you like to turn on Protest Mode?”. This makes the process of being “data safe” in a protest a semi-automatic viral thing based on your location.
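
A sketch of the beacon rotation and scanner prompt described in the list above, added here as an illustration and not part of the original post. The type marker, ID length and rotation period are hypothetical, since the post defines no wire format.

```python
import secrets

# Hypothetical values for illustration; the post defines no wire format.
PROTEST_TYPE = b"\x50\x4d"   # fixed category marker shared by every device
ID_LEN = 16                  # random bytes drawn per rotation
ROTATE_SECONDS = 120         # assumed rotation period


class ProtestBeacon:
    """Advertises 'a device is in protest mode' with a throwaway random ID."""

    def __init__(self):
        self._id = None
        self._expires = 0.0

    def payload(self, now):
        # Draw a fresh ID from the CSPRNG once the current one expires.
        # Nothing is derived from a device key, serial number or MAC address,
        # so successive IDs cannot be linked to each other or to the handset.
        if self._id is None or now >= self._expires:
            self._id = secrets.token_bytes(ID_LEN)
            self._expires = now + ROTATE_SECONDS
        return PROTEST_TYPE + self._id


def is_protest_beacon(adv):
    """Scanner side: match on the category only; the ID is never stored."""
    return len(adv) == len(PROTEST_TYPE) + ID_LEN and adv.startswith(PROTEST_TYPE)


def should_prompt(advertisements, already_in_protest_mode):
    """Decide whether to ask the owner 'Would you like to turn on Protest Mode?'."""
    if already_in_protest_mode:
        return False
    return any(is_protest_beacon(a) for a in advertisements)
```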

When Protest Mode is engaged, the device would change its behaviour:

  1. You cannot make any normal calls or send/receive messages, and access to all contact details and apps is prevented (essentially you’re in Emergency Calls Only mode). All notification display is disabled. This sounds counter-intuitive, but otherwise you can be compelled to unlock your device with your fingerprint and incriminate everybody you’ve been in contact with.
  2. You can only call or message emergency services and advocates and legal assistance, with numbers already present in the device and displayed with a large menu on the home screen e.g. “Get Medical help”, “Get Legal help”, “Contact Press”. Your GPS location is automatically sent to these services when you contact them, with a confirmation from you. It could allow calling/secure messaging (hello, iMessage!) if you have memorized the contact’s number, but keeps no history of the calls or message transcripts on the device or in the cloud.
  3. All photos and videos are temporarily stored strongly encrypted on the device using keys that only the user’s advocates have access to, and if network is available they are streamed immediately to a secure cloud account and then deleted from the device when upload completes. Videos are automatically split into small chunks (e.g. 5 seconds) so that an interrupted upload does not mean that no content makes it up.
  4. Here’s the killer feature: you can’t exit “Protest Mode” in any way on your own device without: a) being in the same physical location as one of your advocates; b) both of you authenticating simultaneously on your devices with strong biometric, e.g. fingerprint; and c) GPS being enabled and both of you being at one of your homes.
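
The exit rule in item 4, written out as a policy check. This is an added example, not code from the original post; the `Attestation` record, the distance and time thresholds and the `homes` list of (lat, lon) pairs are all hypothetical.

```python
import math
from dataclasses import dataclass

# Hypothetical thresholds; the post gives no numbers.
MAX_PAIR_DISTANCE_M = 25.0   # "same physical location"
HOME_RADIUS_M = 75.0         # "at one of your homes"
MAX_AUTH_SKEW_S = 30.0       # "simultaneously"


@dataclass
class Attestation:
    """What one device reports when its owner asks to leave Protest Mode."""
    lat: float
    lon: float
    gps_enabled: bool
    biometric_ok: bool   # strong biometric check succeeded
    auth_time: float     # seconds since epoch


def distance_m(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance in metres."""
    r = 6371000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def may_exit(user, advocate, homes):
    """Return (allowed, reason); conditions a), b) and c) must all hold."""
    if not (user.gps_enabled and advocate.gps_enabled):
        return False, "gps disabled"
    if not (user.biometric_ok and advocate.biometric_ok):
        return False, "biometric missing"
    if abs(user.auth_time - advocate.auth_time) > MAX_AUTH_SKEW_S:
        return False, "not simultaneous"
    if distance_m(user.lat, user.lon, advocate.lat, advocate.lon) > MAX_PAIR_DISTANCE_M:
        return False, "advocate not present"
    for h_lat, h_lon in homes:
        if (distance_m(user.lat, user.lon, h_lat, h_lon) <= HOME_RADIUS_M
                and distance_m(advocate.lat, advocate.lon, h_lat, h_lon) <= HOME_RADIUS_M):
            return True, "ok"
    return False, "not at a registered home"
```

The positions here are self-reported by each device, so a real implementation would need the operating system to vouch for the GPS and biometric results rather than trust the values an app supplies.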

Yes it all sounds like a royal pain in the arse, but not having this right now means that people are incredibly vulnerable to intimidation and incrimination by association, and this undoubtedly dissuades many from protesting at all in the first place.

Of course, the problem here is that this all needs to be implemented at the operating system level. I don’t really expect Apple to do anything like this, but it should be very possible with Android or custom Android builds. Of course, in that case you have the apparent problem that you don’t know if your device is already compromised by an intelligence agency, like, you know… Trump’s own device.

It may be possible to get close to this with current devices by essentially wiping and re-configuring a device to have no personal information on it, with a “direct to cloud” secure photo & video upload app, no other apps or social accounts installed, and a Contacts list containing only relevant helpful agencies. This could probably be done by having a “clean protest backup” of your device prepared and restoring it just when needed before going to a protest… but it is a bit onerous, and that will therefore prevent most casual conscientious protestors from doing it.

The Author

Marc Palmer is a consultant and software engineer specialising in Apple platforms. He currently works on the iOS team of Concepts sketching app, as well as his own apps like video subtitle app Captionista. He created the Flint open source framework. He can also do a pretty good job of designing app products. Don't ask him to draw anything, because that's really embarrassing.