[liberationtech] Belarus/Ericsson/GSM

Chris Palmer chris at eff.org
Mon Jan 17 19:04:39 PST 2011


Some notes. Some things are re-assertions of what other people have said; I repeat them because there seems to be a fair amount of confusion and I get worried that people will do something dangerous while working under misconceptions.

Yes, you can use some phones on wifi without a SIM card.

Even if you do use a phone on wifi, and/or take the SIM card out, the phone still has a baseband radio with its unique identifiers (IMEI, etc.) and its trackable behavior. And wifi is geolocatable too.

Tor does not operate at the link or similar layers (wired Ethernet, wifi, GSM, CDMA, etc.; I use the term "link layer" loosely and from an internet point of view). Making a Tor-like thing that did probably would not work --- the link layer is inherently local and has an inherently small anonymity set at any one time. On the third hand, make a link-layer Tor and prove me wrong. :)

Tor on a phone lacks the features of Torbutton. A better approach would be to make a customized browser that supports Torbutton-like features. Although this is not easy, you do have powerful generic objects/libraries like WebView/WebKit, and the source code of the Android Browser, to start from.

The smartphone encryption article seems to mainly discuss how it's not supported (Android) or when it is, it is useless (iPhone). (As the article says, iPhone's "encryption" is in fact merely a pretty decent remote wipe feature, not a storage confidentiality mechanism.) Imagine for a second that you had the gold standard of local storage encryption, BitLocker, on your phone. How good is your key protector? Is it an offline brute-forceable PIN or short password? I bet it is. Even if you have a TPM: when your phone is seized or stolen, is it powered on or powered off? I bet it's on, and that the adversary can attack the phone while its filesystem is mounted and available unencrypted. As you can see, storage encryption for easily-lost and always-on devices is not a clear win, even if it were widely available.

If you want your phone to not be an audio/video/location bug and evidence/PII goldmine, take the battery out and/or leave it at home. Jim Youll has the right idea.


-- 
Chris Palmer
Technology Director, Electronic Frontier Foundation
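
Added example, not part of the original message: a sketch for sizing the "key protector" question raised above, showing how the secret's shape bounds offline guessing against seized storage. The PBKDF2 construction, iteration count, salt, PIN, and guess rate are constructed assumptions and do not describe any particular phone.

```python
import hashlib
import hmac
import itertools
import string

ITERATIONS = 100  # constructed, deliberately low so the demo finishes fast

def derive_key(secret: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch the user's secret into a storage key (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, iterations)

def key_check(secret: str, salt: bytes) -> bytes:
    """Value stored next to the ciphertext so a correct key can be recognised."""
    return hmac.new(derive_key(secret, salt), b"key-check", "sha256").digest()

def exhaust(salt: bytes, stored: bytes, alphabet: str, length: int):
    """Try every secret of this shape offline; return (secret, guesses used)."""
    for n, chars in enumerate(itertools.product(alphabet, repeat=length), 1):
        guess = "".join(chars)
        if hmac.compare_digest(key_check(guess, salt), stored):
            return guess, n
    return None, len(alphabet) ** length

def worst_case_seconds(alphabet_size: int, length: int, rate: float) -> float:
    """Time to cover the whole space at `rate` guesses per second."""
    return alphabet_size ** length / rate

if __name__ == "__main__":
    salt = bytes(range(16))            # constructed sample salt
    stored = key_check("7391", salt)   # constructed sample PIN
    print(exhaust(salt, stored, string.digits, 4))
    rate = 10_000.0                    # assumed guesses/second, not measured
    for label, size, length in [("4-digit PIN", 10, 4), ("6-digit PIN", 10, 6),
                                ("8 lowercase letters", 26, 8),
                                ("6 words from a 7776-word list", 7776, 6)]:
        print(f"{label:32s} {worst_case_seconds(size, length, rate):.3g} s")
```

Raising the KDF iteration count only scales every row by the same factor; the size of the secret's space is what separates the rows.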



