1. 5
  1. 10

    While running on the treadmill, I received a text from my wife. My phone wouldn’t let me unlock it to reply. “ERROR! EXCESSIVE HEART RATE DETECTED!” it said. “YOU ARE BEING TORTURED!”

    My son got a text from his crush the other day, asking him out to the movies. He interrupted the conversation he was having with me and stared at his phone incredulously: she’d never really acknowledged him before. I saw him fidget with his phone, trying to unlock it. He grew increasingly frustrated with the device. “Dad, please! It won’t let me!” he said as he handed me the device. Its screen read, “ERROR! EXCESSIVE HEART RATE DETECTED! YOU ARE BEING TORTURED!”

    It was midnight on a Saturday when I received a text from our head of DevOps telling us that the server farm hosting our web services had gone completely down. I needed to jump on a call now to deal with the issue, every minute would cost us millions. My phone refused. “ERROR! INCREASED STRESS LEVELS DETECTED IN FACIAL RECOGNITION! YOU ARE BEING TORTURED!”

    I was lucky to be conscious after the drunk driver slammed into our car. My wife and son were not so lucky: both were unconscious and losing a lot of blood. My legs were broken and I was in immense pain. I needed to call emergency services, but instead my phone screen read, “ERROR! CORTISOL LEVELS CRITICAL! EXCESSIVE HEART RATE DETECTED! INCREASED STRESS LEVELS DETECTED IN FACIAL RECOGNITION! YOU ARE DEFINITELY BEING TORTURED!”

    This is a poorly-thought-out article.

    1. 1

      To be fair on the last one, most phones allow emergency calling when locked. But assuming that no one is going to be using their phone for general tasks while stressed or injured is ridiculous.

    2. 9

      What about a little checkbox that says “I am not being tortured in exchange for access”? Put it in the Terms of Service, simple as.

      1. 8

        “Please select all squares containing your captors. If there are none, click skip.”

      2. 7

        The article’s premise is silly. It’s only offering prevention for a narrow (and unlikely) form of the “torture” case – when you’re literally in the midst of it. Even the “futuristic” case is based on cortisol levels.

        But you could:

        • merely be shown the torture device that will be used on you
        • be tortured, allowed to calm down, threatened with continued torture
        • be threatened with having your family/friends tortured

        And so on.

        1. 7

          “More realistic approaches”:

          Touch ID with heart rate measurement

          What about when you’re paged in the middle of the night and need access? Your heart rate is probably going to be higher than normal because of the stress.

          Face ID with a crazy machine learning model

          Same here.

          Panic button

          Apple has that already.

          1. 2

            Also there’s medication to control heart rate. Coffee is enough to increase it, I guarantee you there’s stuff that has a side effect of “slows it down”

          2. 5

            A technical solution to a very human problem.

            Sometimes “more tech” is not enough of an answer.

            1. 5

              The point of “rubber hose cryptography” is “cryptography is a small part of your overall security, work to improve the whole system”, but many people take it to mean “we need to make rubber hose-proof cryptography!”

              I once went to a cryptoparty. The organizers were talking about securing against tempest radiation. I asked how many of them could run a mile. Zero.

              1. 1

                The best trick to torture proof your crypto is to never get tortured. Good points.

            2. 3

              Coercion can take many forms.

              “If you don’t unlock your phone, we will kill your loved ones. Unlock it, and they live.”

              1. 3

                If the mechanisms by which the “under-skin microcomputer” detects stress are known, your kidnappers may be able administer drugs to alter your heartbeat and hormone levels to appear “normal” to the sensor. Even if the drugs don’t work very well, you’ve essentially switched being tortured for being given a potentially unsafe cocktail of drugs (while possibly still being tortured).

                1. 3

                  If they can bypass the torture they will. If they’re after your device, the pain is just a means to access it. If you provide a way that makes it possible to coax access out of the system without torturing you, they won’t torture you (well, unless that’s also on the todo list or they genuinely like administering pain). Coincidentally, if you just unlock the device, you also wouldn’t be tortured. Now, whether you’d make it out of it alive at all, that’s also a good question, but I think I’m already deep enough in speculation.

                2. 2

                  I believe a problem this doesn’t address is that you could also just be tortured, and then left into a steady state until your body indicators become normal. Then your torturer could just ask you to unlock whatever needs to be unlocked, threatening you of torturing you again if you don’t.

                  Basically, I think the assumption of “body indicators = normal” => “willingly unlocking device” is not so right

                  1. 2

                    Looking forward to the dystopian future where I can’t use my phone in any kind of stressful situation.

                    “The authorities are coming and I need to send out my info and then delete it right now” counts as a stressful situation.

                    1. 1

                      Is zhe a new abbreviation for he/she/it? I assumed from context but might be good to clarify.

                      And what about the model that TrueCrypt had, where you could have multiple passwords for a single volume, and you could give up a decoy password that still encrypts it, but not the content you’re hiding (and there is no way to find out if it was the correct password or if others exist).

                      Passwords are probably better than biometric things because they can be used directly to derive keys rather than needing some kind of secure enclave to hold the decryption keys and only giving them up with the approximate right biometric measurement.

                      1. 2

                        zhe is a gender-neutral pronoun. As an aside, “it” should never, ever be used especially with regard to gender-queer people as it’s dehumanizing. Thanks for asking :)

                        1. 3

                          Well, regardless of their perception of their own gender, I don’t think I’d ever call anyone it unless it’s my cat. In which case, it doesn’t really care, as long as there’s food on the table and it gets to sleep.

                          Since we’re technology people, maybe we should invent a <pronoun type="neutral"> tag for HTML and then people can choose whatever pronoun their browser should display? I’d probably go with they in an informal context and an explicit he/she in a formal context because most people would understand that.

                          1. 3

                            What’s wrong with “they”?

                            1. 2

                              In my mind, nothing, but people are allowed their preferences and being kind means making an effort to comply with them.