mirror of
https://git.sr.ht/~seirdy/seirdy.one
synced 2024-11-23 12:52:10 +00:00
New note: coercion and Windows Recall
This commit is contained in:
parent
c4a9465f56
commit
82fb39330f
1 changed files with 21 additions and 0 deletions
21
content/notes/coercion-and-windows-recall.md
Normal file
21
content/notes/coercion-and-windows-recall.md
Normal file
|
@ -0,0 +1,21 @@
|
||||||
|
---
|
||||||
|
title: "Coercion and Windows Recall"
|
||||||
|
date: 2024-05-22T04:45:44-04:00
|
||||||
|
replyURI: "https://hachyderm.io/@evacide/112481894385686328"
|
||||||
|
replyTitle: "I’ve got some news for Microsoft about how domestic abuse works."
|
||||||
|
replyType: "SocialMediaPosting"
|
||||||
|
replyAuthor: "evacide"
|
||||||
|
replyAuthorURI: "https://hachyderm.io/@evacide/112481894385686328"
|
||||||
|
---
|
||||||
|
The best ways to improve opsec against coercion are to:
|
||||||
|
|
||||||
|
- Limit what can be taken (reduce what's stored on a device).
|
||||||
|
- Fake what you do have: use duress passwords or secondary devices.
|
||||||
|
- Last resort: use a hardware key that's deliberately easy to lose or break, so there's potentially no key to give up in a rubber-hose attack.
|
||||||
|
|
||||||
|
There's overlap between the three. A duress password temporarily limits what's stored on a device, and losing a decryption key is more or less the same as instantly wiping encrypted data to reduce what you have to offer. All come down to having less data to give when coerced into giving what you have. Operating systems should also obey this principle by storing as little offline data as possible, and providing duress safeguards for what must be stored.
|
||||||
|
|
||||||
|
Windows Recall captures an amount of offline telemetry comparable to parental-control apps [often used to control human trafficking victims](https://www.forbes.com/sites/thomasbrewster/2023/04/06/sex-traffickers-use-parenting-apps-like-life360-to-spy-on-victims/): the data encompass _everything_ potential victims do on their machines, without any duress protections. Presenting such a feature as opt-out seems like it's almost designed to hurt victims.
|
||||||
|
|
||||||
|
The decision-makers behind features like Recall, or invasive child-monitoring spyware, have likely never experienced this type of abuse. Or perhaps they are the abusive party at home.
|
||||||
|
|
Loading…
Reference in a new issue