Shatter Secrets app encrypts a phone or laptop and transmits the password abroad to secure the device
Experts at UW have developed a way for journalists, activists to encrypt their devices
WATERLOO — Privacy experts at the University of Waterloo have developed a new way for journalists and activists to encrypt their digital devices to protect any important information they’re carrying before they cross the border.
Shatter Secrets is an app that encrypts the electronic device’s password or fingerprint lock, digitally splits it, then transmits the pieces (or “shares”) to friends or associates at the final destination.
The developers say it makes it virtually impossible for someone to comply with a border guard’s request to unlock the device for inspection.
It was designed for people who may be carrying sensitive material across borders, such as the millions of documents known as the Panama Papers that were leaked in 2015 and have details on hundreds of thousands of offshore financial accounts.
“We made this app with activists and journalists in high-risk situations in mind. It’s not intended for protecting a couple vacation photos,” said Erinn Atwater, a PhD candidate at UW who developed the application with Prof. Ian Goldberg, a faculty member in the Cryptography, Security and Privacy group at the university.
“It’s aimed at people who would rather be detained and make a big international fuss rather than be compelled through torture to give up their password.”
The idea came to Atwater and Goldberg when they started seeing reports of border agents asking for device or social media passwords as part of their routine inspections, primarily in the United States.
In their journal article describing Shatter Secrets, Atwater and Goldberg found that the U.S. Customs and Border Protection agency searched approximately 30,000 consumer electronics devices in 2017 — more than triple the number of searches performed in 2015 — leading to 250 complaints about warrantless searches.
According to the Office of the Privacy Commissioner of Canada, Canadian courts have not yet ruled on whether a border officer can compel a person to turn over their password, or on what grounds. However, a Canadian Border Services Agency policy states that such searches “may be conducted only if there are grounds or indications that evidence of contraventions may be found on the digital device or media.”
If someone refuses to provide their password to Canadian border agents, the device may be held for further inspection. Officers may only examine what is physically stored within a device, including photos, files, downloaded emails and other media.
U.S. border agents, however, have much broader inspection powers that can include requesting passwords to a laptop, tablet or mobile phone without any evidence of wrongdoing.
Atwater said she’s not worried about criminals or terrorists potentially using her system to circumvent law enforcement, since most already have access to similar tools.
“The bad guys already have access to strong encryption,” said Atwater. “They have their own programmers, access to free software and other powerful security tools. We’re bringing this same level of security to the good guys — the journalists and activists that are fighting government corruption.”
Shatter Secrets is free and open-sourced software, and is already in the prototype phase for Android operating systems, although Atwater is discouraging anyone from actually using it to protect sensitive information until they can do a full security audit and ensure it works as intended. She’s launched a nonprofit agency, Open Privacy, to help fund that work.
The system encrypts the password and sends it to any number of people at the final destination through end-to-end encryption, meaning it can’t be intercepted. The device is then locked and cannot be opened until it makes physical contact with the devices that were sent the password.
This so-called near-field communication tap technology is similar to the tap method used for credit or debit cards, and it eliminates the threat of a border agent impersonating a detained individual to request the password shares remotely.
“If it can be (unlocked) remotely, then there’s a chance you can be compelled to (unlock) it remotely,” said Atwater.
Users can also set a minimum threshold of people needed to unlock their device, meaning that if they send the information to 10 people they can set it so only four of them need to tap their devices to retrieve the complete password.
University of Waterloo PhD candidate Erinn Atwater has developed an encryption program called Shatter Secrets that splits your password and sends it to acquaintances abroad, making it impossible for you to unlock your device at the request of a border guard.