Cyrus Stoller home about consulting

The need for plausible deniability

While 4096-bit keys can protect sensitive information from brute force attacks, they’re easily circumvented if you’re put in a situation like the US-born NASA scientist, who was pressured to divulge sensitive information to customs agents. Until recently, my security concerns have been primarily about black-hat activities, but current events have shown that our government should be treated as an adversary in the threat model.

Sadly, it’s naive to expect government to play by the rules (e.g. waiting for search warrants). A president willing to push legal boundaries and arguably neglect his oath to preserve, protect, and defend the constitution can use the tools of government to subvert democracy by routing out perceived opposition. This intimidation undermines our sense of safety in our beliefs and sabotages freedom of expression.

The achilles heal of encryption is that adversaries typically know whether or not they have been given the right key. For example, if you provide the wrong password, the system will likely reject your login attempt, so your interrogator will know that you have not provided truthful information. This is particularly important when under duress. So to be effective, privacy tools need to support both sound encryption and plausible deniability.

One idea to address this is for users to have two types of passwords: one for genuine use, and one for duress.

One of the big downsides to biometric passwords is that you cannot hide them, and that you can be forced to place your thumb on a fingerprint scanner. So when possible, stay away from these types of passwords. But, because it’s hard to remember so many passwords, people often turn to password managers to store your passwords to other services. Unfortunately, this leaves you particularly vulnerable if that password gets compromised.

With the solution that I’m proposing, you’d have two sets of passwords. The first is the type that you’d use when trying to access your passwords for everyday use. But, the second would be a separate accepted password that would appear to login to a genuine account but would be full of dummy accounts and passwords. Depending on your level of paranoia, these could be real accounts that you use from time to time, but that have minimal sensitive information.

In practice, this could mean if you’re the victim of a mugging, you’d be able to provide an actual bank account, but one with a smaller balance to help minimize your losses.

Similarly, I want medical professionals and attorneys to have duress passwords to protect the privileged information of their patients and clients if they’re put under duress.

Additionally, journalists traveling to countries with oppressive governments may be asked for login credentials to their email and social media accounts to check that they aren’t dissident sympathesizers and that they aren’t associating with rebel forces. It’d be great to be able to comply with their request, while concealing the stories they’re writing. In addition to using tools like Tails or Qubes, journalists would ideally be able to login to their phones and computers to show that there’s nothing of interest.


With increased fear-mongering by politicians, we need to continue building tools that address the needs of law-abiding users, who are the overwhelming majority. Unfortunately, there will always be bad actors. But, this is not an excuse for the government to create loopholes in our privacy technologies, which potentially allow authorities to catch them, while leaving everyone else as collateral damage. This is an unreasonably high price to pay.

We cannot abandon our legal tradition of protecting the rights of the innocent, even when that means accepting that some guilty people will walk free. If we’re not careful, we’ll quickly allow the powerful to revert to the dark ages of “guilty until proven innocent,” which run antithetical to our conception of freedom and democracy.

Category Idea