E/os new idea/wiping data on mobile

You are thinking only in terms of one particular type of entity compelling. This entity may not have legal authority, nor governmental, and the data destruction penalty may be less than the damage done to the lives of third parties - you may not be thinking of yourself. Think global. And remembering how to do that is easier for those that have such threat profiles and not something you have to use. Also, this, I think, is in general only one potential thing such features could be used for: there are several additional and alternative things a device could be made to do in varying scenarios, given the possibility to have login options - many of them quite positive.

I did think of one really unpleasant scenario that I don’t and probably shouldn’t think about every day, but I edited it out of my post because I was concerned about some of the words I’d have to use to describe it.
So I should instead say that the feature is nice to have, but I would imagine you’re probably not in a good place if you can even expect to need something like that, not necessarily through any fault of your own.

1 Like

For example, you might be selling the phone or handing it down and just want a simple way of not giving away any data along with the phone.

No matter the reason, you do want to ensure that wiping the phone does not occur accidentally!!

If you are concerned about a duress scenario then it’s not as if you will want the phone to prompt for confirmation: Do you really want to wipe all data on the phone? :slight_smile:

Also, for instance, one way would be to have PIN/PW plus one additional number, 0-9. Each number could be assigned an additional function. One could log in with SW locks on all sensors on, another could send location to mum (provided HW lock is not on), a third could open the system without decrypting certain folders or drives, a fourth could start voice recording and a fifth could start video streaming or take a pic to your photographic random Twitter feed. And so on.

1 Like

Do you have a reason for wanting to do that surreptitiously? Otherwise all of that could be achieved by having 10 buttons on your main screen (the screen that is displayed after you unlock).

Where does surreptitiousness sit on the scale between negative and positive? :wink:

That was only one example of the implementation possibilities. With some of those actions it may be a benefit, with some it doesn’t matter that much. In some cases I’d imagine different user situations might alter that equation. Some actions may need to be executed before the GUI and system initialize, so that the actions could not be prevented from happening (say, delete and overwrite x100 drive decryption keys). I don’t think we should set limits on how a user wants to set that up - just make it possible to use more alternatives (such as some that I previously described with “Malform”).

:+1:

I’m not personally a fan of duress codes that wipe data as a security measure for that threat. In some jurisdictions that would be considered evidence tampering and may cause you more grief. In the “rubber hose” threat model it would just cause you a different type of grief.

So I personally won’t be pushing for that kind of spycraft for the L5, but of course you are free to develop it yourself if you want it. Instead, I favor what I’ve described as “user personas” in this article as well as in a few places here in the forum whenever travel spycraft on the Librem 5 comes up.

To summarize, I think the safest approach is one that allows you to fully comply with customs/border agents or other officials, and not one that requires you to lie (you are not as good a liar as they are lie detectors), conceal, or smuggle something. So with user personas, before you travel you back up your home persona and replace it with your “travel persona” or “border persona” that only has the data, accounts, and information you need while traveling. Then if someone compels you to turn over your phone, you can comply without putting anything at risk. Then when you get home (or get through a border checkpoint, or whatever the situation is) you can potentially (depending on your threat) restore a different persona from local or remote storage.

2 Likes

Just to add to this, we don’t have an automated way to swap user personas today, but due to the simplicity of Linux users and the fact that sensitive data and settings tend to live under your home directory, it would be easy to do this manually:

  1. Use the GUI Backup app to backup your home directory somewhere (microSD card, network storage, etc)
  2. Erase the contents of /home/purism completely and reboot.
  3. Start with no personal settings and set up your new travel persona with saved accounts/passwords/files/app settings you need.
  4. Back that up as your travel persona, erase /home/purism again, and restore your original /home/purism persona.
  5. To swap between personas, just erase/restore /home/purism.

If no one beats me to it, this seems like a relatively simple GUI project to script up with yad using deja dup behind the scenes, if I find some time.

2 Likes
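The five-step swap in the post above, as an added example that is not Purism’s tooling and not the yad/Deja Dup script mentioned there: a POSIX shell script that archives a home directory with tar, empties it without removing the directory itself, and restores a chosen archive. The home directory and archive paths are parameters, and the demo at the bottom works in a temporary directory rather than /home/purism; using tar instead of the Backup app is an assumption made so the script runs anywhere. Two details worth seeing in code: `find -mindepth 1 -delete` catches the dotfiles that a shell glob like `rm -rf ~/*` silently skips, and, as noted further down the thread for shred, an ordinary delete on flash storage does not overwrite anything, so this resets a persona but is not a secure wipe.

```shell
#!/bin/sh
# Added example (not Purism's code): swap "user personas" by backing up,
# emptying and restoring a home directory with tar. Paths are parameters;
# the demo at the bottom works in a temporary directory, never /home/purism.
set -eu

# Archive everything under $1 (dotfiles included, because "." is archived
# rather than the glob "*") into the gzip'd tarball $2.
persona_backup() {
    home_dir="$1"; archive="$2"
    tar -czf "$archive" -C "$home_dir" .
}

# Delete everything under $1 but keep the directory itself, so the login
# session still has a home to land in. -mindepth 1 spares the directory,
# and find sees hidden entries that a glob such as "$home_dir"/* skips.
# This is an ordinary delete: on flash storage the blocks are not overwritten.
persona_wipe() {
    home_dir="$1"
    find "$home_dir" -mindepth 1 -delete
}

# Empty $1 and unpack the persona archive $2 into it.
persona_restore() {
    home_dir="$1"; archive="$2"
    persona_wipe "$home_dir"
    tar -xzf "$archive" -C "$home_dir"
}

# Number of entries (files, dirs, dotfiles) below $1; 0 means "first-boot" state.
persona_entry_count() {
    find "$1" -mindepth 1 | wc -l | tr -d ' '
}

# Demonstration on constructed data in a temp dir: build a "home" persona,
# snapshot it, replace it with a "travel" persona, and swap back and forth.
persona_demo() {
    work=$(mktemp -d)
    mkdir -p "$work/home/.config"
    echo "home account token" > "$work/home/.config/accounts"   # constructed sample
    echo "private notes"      > "$work/home/notes.txt"          # constructed sample

    persona_backup "$work/home" "$work/home-persona.tgz"        # step 1
    persona_wipe   "$work/home"                                 # step 2
    echo "hotel and airline only" > "$work/home/travel.txt"     # step 3
    persona_backup "$work/home" "$work/travel-persona.tgz"      # step 4
    persona_restore "$work/home" "$work/home-persona.tgz"       # step 4, original back
    echo "home persona restored: $(persona_entry_count "$work/home") entries"
    persona_restore "$work/home" "$work/travel-persona.tgz"     # step 5
    echo "travel persona active: $(persona_entry_count "$work/home") entries"
    rm -rf "$work"
}

# Run the demo only when asked, so sourcing this file for its functions is safe:
#   PERSONA_DEMO=1 sh persona.sh
if [ "${PERSONA_DEMO:-0}" = "1" ]; then
    persona_demo
fi
```

On a real phone you would call `persona_backup /home/purism /media/card/home-persona.tgz` while logged in as another user or from a console session, since tar will otherwise capture a home directory that applications are still writing to; the archive must also live outside the directory being emptied, or `persona_wipe` deletes the backup along with everything else.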

Does this mean … leave the /home/purism directory itself present but remove all the files from that directory?

I don’t think I’ll be rushing to test this procedure. :rofl:

Fortunately crossing borders is not something that people can really do at the moment anyway.

Yes. You’d erase all the files (including hidden files that start with ‘.’) underneath /home/purism but leave /home/purism intact. I double-checked with others on the team and because all of the settings you set at first boot ultimately get stored there, it should just reset you back to your first boot state (at least in terms of user settings, any system-level apps or packages you installed previously would still be there).

[Edited to add] I should note that this is essentially what I’ve documented in my backup and restore article and perform each time I’ve migrated my settings and files from one Librem 5 phone to another. The main difference is I back up and restore a few additional things, like my openvpn configs from /etc and my user crontab, as well as restore any uninstalled apps (as I assume I’m starting from a blank, new image).

2 Likes

It looks as if shred is installed by default on the Librem 5. Tick. However there isn’t really any foolproof way of erasing content on a solid state device.

With switchable personae, what do you do about, for instance, email/call/chat connectivity and history, and contacts, which are things that would be of definite interest if your phone is being targeted at international borders? (And things you wouldn’t want to be without while traveling.)

All of that would be erased if you switched to a different persona. So you would set up the travel persona only with the contacts you need while traveling (perhaps hotels/restaurants/etc and people you are traveling with, credit card contact numbers and perhaps an emergency contact if you need it).

For example, see here for call history: Sound on Librem5

On the other hand, you can’t erase the copy that the government is storing. :wink:

And I guess you would have to use only web-based email (inconvenient), delete any chats, and not store any passwords on the device.

It is assumed that all of that is buried somewhere in ~purism but you ought to audit that if you are seriously concerned.

It really all depends on your threat. You’d travel with what you were willing to lose. We have a lot of folks that show up in our forum who have given themselves a threat model of an international spy, so those people should be well-acquainted with the idea of compartmentalizing identities and already have all of that set up ahead of time.

For everyone else, the prevalence of free online accounts these days means it’s relatively simple to create travel persona accounts on the various websites you’d need to access. So to take this all the way, you’d set up a travel webmail account somewhere trustworthy and use it for your travel arrangements. That’s a good practice in general anyway as if you start getting spammed on that account you can tear it down and start again.

It’s similar to telling people who want to contact you while traveling the new local # you will get with your prepaid SIM you buy on arrival (if you do that).

Other people may just be concerned with border crossings in their threat model, and not with losing their data once they are traveling within a region. In that case I suppose they could restore a persona from the Internet once they cross the border, then perform the same swap when they cross back.

You adapt the general principles in play to your particular threats.

1 Like

Maybe one of the codes after the PIN code could cause a direct short circuit of the lithium-ion battery. So BOOM! the phone catches on fire. After they put the fire out, all that’s left of your L5 is melted plastic, oozing toxic chemicals, and third-degree burns on the guy who tried to get to your data. So the data isn’t the only thing that’s gone. The whole phone is gone. Then you tell the authorities “Wow, you just can’t trust those Samsung phones. I thought they solved those battery problems years ago”.

3 Likes

For the international spies among us … would another option be to mount something on the uSD card as /home/purism and that way persona equates to uSD card? You swap personas by swapping uSD cards.

So as you leave your house at the start of the mission, you take the specific required passport and the matching uSD card is inserted into the phone.

Downsides that I can see are:
a) if uSD card is borked then phone may become unusable, and
b) it is readily obvious that you have set it up this way (but I tend to think, as a hypothetical, that if “they” are taking that level of interest in you then you are probably stuffed already)

1 Like