How plausible deniability can protect your data

In an age of draconian surveillance, there are still ways to hide, or at least deny that you have access to, the data on your devices.

3 min read

Hi, I'm Lexie! I write about information security, Bitcoin, and privacy.

An illustration of an ostrich burying its little head in the sand.

Plausible deniability allows individuals to claim they had no involvement in an action taken by others (or, in some cases, themselves).

For example, though you can plausibly state that you do not know the password to a phone that you do not own, it is not plausible for you to deny that you do not know the password to your phone. To get plausible deniability in this instance, you would need to convince the other side that the phone is not yours, or that unlocking it is impossible.

The above example is particularly pertinent in New Zealand, where border agents can compel you to reveal your passwords to let them search the contents of your devices.

Such dangerous and authoritarian laws and practices may violate your Human Rights (Article 12 of the Universal Declaration of Human Rights, for example), but also make it potentially dangerous for journalists, lawyers or doctors to carry out their duties.

While plausible deniability is not a legal concept, it is increasingly becoming more critical in the context of searches, privacy intrusions, and harassment.

How to achieve plausible deniability with your data

Encrypting your data is the first step towards protecting it. All the information on your phone, computer, or external drives should always be encrypted both at rest and in transit.

The presence of encrypted data, however, still proves that you are in possession of the data, even if it is inaccessible, and criminals or governments may force you to hand over encryption keys.

Fortunately, there are still ways to hide, or at least deny that you have access to, the data on your devices.

Add a hidden volume to your device

Hidden volumes are encrypted containers inside other encrypted containers. When the outer layer is decrypted or opened, it should be impossible to tell whether there is a second container inside of it.

Veracrypt, for example, offers a feature that allows you to create hidden volumes defined by two separate passwords. One that is entirely secret and which you never reveal, and another which you admit in cases of distress.

Ideally, you will also fill your outer volume with mundane but plausible data, such as travel pictures. Anybody who obtains your password will only be able to access these pictures, but not know about the existence of the hidden data.

This tactic has its limits of course. If Hidden Volumes were a common occurrence, an extortionist might not be satisfied with your explanation and continue to threaten you unless they get access to the data they expect to find.

Use hidden operating systems

While more complex than hidden volumes, it is feasible to store an entirely hidden second operating system (OS) inside a device.

If you are stopped and asked to open your laptop and show its contents, you would be able to comfortably show a fully functioning computer with dummy files and programs. As long as this appears convincing to those stopping you, any sensitive data will remain hidden on the second OS.

Your plausible deniability also depends on whether there is any evidence pointing to the fact that there may be a hidden volume, but if set up correctly, even advanced forensics wouldn’t be able to generate such proof.

Employ deniable authentication methods

Chat protocols like Off-the-record (OTR) use a feature called deniable authentication that allows you to verify you are talking to the person you think you are talking to, but without making this proof visible to others who are potentially eavesdropping on your conversation.

In contrast, if using encryption protocols like PGP (also called GPG or GnuPG), an observer can easily tell which keys sign a message. This transparency is a feature of PGP, as it allows you to prove you signed a document or file publicly. But in the context of plausible deniability, this is the opposite of what we want..

Use anonymous accounts

No matter if it is social media, chats, online hosting services, or your communications, nothing should be linked to you. Usernames and email accounts must be random, and you should never access them from IPs you use. Take extra care not to reveal yourself with any metadata, too.

Encryption is an excellent first step, but…

Simple encryption will protect your data from snooping and being accessed after losing it. It’s a vital step no matter who you fear may be getting access to your data.

But if you fear you might come into situations where you can be forced to reveal your encryption keys and passwords, you will need plausible deniability.

Hidden volumes, operating systems, deniable authentication, and general online anonymity are all crucial steps needed to protect yourself.

Lexie is the blog's resident tech expert and gets excited about empowerment through technology, space travel, and pancakes with blueberries.