Device Sanitization
Security vs. Privacy
Digital security and digital privacy are often used to mean the same thing; however, they are different topics. Imagine a home with hardened entry locks, steel barriers on the windows, a high-end alarm system and trained guard dogs. This is a secure house. However, this same house might have several 'smart home' devices that stream personal data to different cloud services all day long. This house is secure, but not private.
Google is very secure but not private. Hacks and data breaches are unheard of at Google; however, Google makes huge profits from personal data harvesting and sales.
Device Security
Deployment Device
Securing your device
Two methods for ensuring device security are:
- Device sanitization: scrub the device of sensitive information
- Device encryption: encrypt sensitive information on the device

| | Device sanitization | Device encryption |
| --- | --- | --- |
| Description | Scrub the device of sensitive information | Encrypt sensitive information on the device |
| When to use | | |
| Advantages | | |
| Disadvantages | | The sensitive information remains on the device and an adversary can attempt coercion to force you to decrypt the device |
Device sanitization
Device sanitization is a thorough search and removal of all information from your device that could present a security threat for you, your team, your organisation or your friends and family.
Slow method
Search and remove sensitive information, such as the following:
- Personal photos and videos
- Team photos and videos
- Photos of organisation assets
- Team group chats
- Maps
- Plans
- Personal documents
- Bank statements
- Cryptocurrency material
- Culturally insensitive material
- Unnecessary apps
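
To double-check a manual pass through this list, the following added example (not part of the original guide) audits a copy of the device's storage on a computer and groups leftover files by the categories above, including hidden thumbnail and trash folders where "deleted" media can linger. The extension and keyword rules, the hidden-folder names and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile
from collections import defaultdict

# Extension/keyword rules are assumptions chosen to mirror the checklist above.
CATEGORIES = {
    "photos and videos": {".jpg", ".jpeg", ".png", ".heic", ".mp4", ".mov"},
    "maps": {".gpx", ".kml", ".kmz"},
    "documents": {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".csv"},
}
KEYWORDS = {
    "bank statements": ("statement", "bank"),
    "cryptocurrency material": ("wallet", "seed", "keystore"),
    "chat exports": ("chat", "whatsapp"),
}
# Hidden caches and trash (assumed names); ".trash" also matches ".trashed-" files.
RESIDUE_MARKERS = (".thumbnails", ".trash")

def classify(rel_path):
    """Return the set of checklist categories a relative path falls under."""
    lower = rel_path.lower()
    name = os.path.basename(lower)
    ext = os.path.splitext(name)[1]
    hits = {cat for cat, exts in CATEGORIES.items() if ext in exts}
    hits |= {cat for cat, words in KEYWORDS.items() if any(w in name for w in words)}
    if any(marker in lower for marker in RESIDUE_MARKERS):
        hits.add("residue of deleted items")
    return hits

def audit(root):
    """Walk root (hidden directories included) and group paths by category."""
    report = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            rel = os.path.relpath(os.path.join(dirpath, fname), root)
            for cat in classify(rel):
                report[cat].append(rel.replace(os.sep, "/"))
    return {cat: sorted(paths) for cat, paths in report.items()}

def build_sample(root):
    """Constructed sample tree standing in for a copy of device storage."""
    for rel in ("DCIM/Camera/IMG_0001.jpg", "DCIM/.thumbnails/1234.jpg",
                "Download/bank_statement_march.pdf", "Download/route.gpx",
                "Documents/wallet-backup.txt", "Music/song.mp3"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for cat, paths in sorted(audit(tmp).items()):
            print(f"{cat}: {paths}")
```

An empty report does not prove the device is clean; it only means none of these rules matched, so treat it as a second look after the manual search.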
Fast method
- Check all important material is backed up
- Factory reset your device
- Only reinstall apps and content that is mission-essential
Apps
Unnecessary apps should be deleted. Not only do they cause delays if an adversary is going through your device, they also drain your battery if they are constantly communicating with a server, which can itself create a security risk.
Device Accounts
Device accounts such as Google, Apple, and Facebook provide convenience by allowing seamless access to all their connected services at a device level. Unfortunately this also helps an adversary the same way. While you may have deleted unnecessary apps, your device account provides easy access to this material.
Material linked to device accounts, which should be deleted, can include:
- Photo and video storage such as Google Photos and Apple iCloud
- Maps history including places visited and searches
- Browser search history
Device encryption
Plausible Deniability
Plausible deniability in security means that you can plausibly deny a request from an authority or adversary and have a somewhat believable reason. For example, if a government official was attempting to force you to unlock an encrypted password manager with a master password, you could 'plausibly deny' that you remember the password. The adversary may not believe you, but there's no denying that it's a plausible excuse: people do forget things. On the other hand, if you use biometrics (fingerprint, retina, face) to unlock an encrypted vault, then it is impossible to deny that you have access to the vault (you cannot deny that you have a face, retina or fingerprint). The official could simply hold the device to your eye, face or finger and unlock the vault. The amount of resources that an adversary will allocate to unlocking your encrypted data will be proportional to the potential value of the information you may have. Most people working in the field are low-value travellers. The amount of effort required to force you to unlock your encrypted data is low.
:::note[Recommendations]
- Delete all apps that are not mission-essential. Apps that have an equivalent website should also be deleted and the website used instead
- Remove device accounts that are not mission-essential such as Google, iCloud and Facebook. If a device account is mission-essential, check your activity history and clear it where possible
- Do not use biometric security on your field device. Instead, use a master password or passphrase that is committed to memory, and can therefore be 'forgotten'.
:::
Device Selection
Consider security implications when selecting devices for field use. See invasive Israeli software harvesting data from Samsung users for an example of supply chain risks.