Imagine you're a human rights activist, pulling up to a border crossing. The on-duty customs agent requests that you hand over your phone and unlock it, without a warrant—an increasingly common practice for US Customs and Border Protection.

Your phone holds sensitive photographs documenting abuses abroad, but the agent can't find them. At most, he might notice that you've deleted some files recently. Once you're back on your way, you immediately call a colleague, who provides you with a special passcode. You then open your phone, enter the code into an app, and the photos you "deleted" have returned to the same cloud-storage folder where you last saw them.

That's the scenario enabled by BurnBox, a new prototype designed by researchers from Cornell University, Cornell Tech, and the University of Illinois Urbana-Champaign, which will be presented at the USENIX Security conference next month. Designed to work on top of existing cloud storage services like Dropbox, BurnBox is a form of what the researchers call "self-revocable encryption," which allows users to temporarily revoke access to some content on their device. While BurnBox is not a commercially available product and is far from foolproof, it's a glimpse at how journalists, dissidents, and others who carry sensitive data might deal with situations like border crossings in the future.

"The basic idea of BurnBox is dealing with what happens when we are forced to give up access to our personal data," says Ian Miers, one of the coauthors of the paper and a postdoc at Cornell Tech. "You're dealing with a setting where not only does someone have access to your files and the key. In this setting, they have your actual computer and they have everything you've done with it."

Just One Piece

BurnBox works essentially by making encrypted files whose keys have been revoked look indistinguishable from deleted ones, at least to a border-crossing agent or similar adversary. In a fully working version, users would need to restart or turn off their device right before they cross, in order to wipe any relevant metadata from its memory. The key used to regain access to the files needs to be stored somewhere else entirely, like at home or with a trusted friend. The technology behind BurnBox theoretically can work on both mobile phones and other devices like laptops.
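To make the principle concrete, here is an added sketch of self-revocable encryption in Python; it is illustrative code written for this article, not the BurnBox prototype or the paper's construction. It assumes a hypothetical `SelfRevocableStore` with per-file keys, an opaque cloud folder, and a key backup that would live off the device (for the demo it sits in the same object), and it uses a toy HMAC-based keystream in place of a real cipher.

```python
import os
import hmac
import hashlib
from typing import Dict, Tuple


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy counter-mode keystream from HMAC-SHA256 (illustration only, not a
    production cipher). XOR is its own inverse, so one function encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        ks = hmac.new(key, nonce + offset.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], ks))
    return bytes(out)


class SelfRevocableStore:
    """Hypothetical device-side key store in front of an untrusted cloud folder.

    cloud:  random label -> ciphertext   (what the cloud provider and an inspector see)
    local:  file name -> (label, key)    (the only link between a name and a ciphertext)
    backup: file name -> (label, key)    (copy meant to be held OFF the device, e.g. by a colleague)
    """

    def __init__(self) -> None:
        self.cloud: Dict[bytes, bytes] = {}
        self.local: Dict[str, Tuple[bytes, bytes]] = {}
        self.backup: Dict[str, Tuple[bytes, bytes]] = {}

    def put(self, name: str, plaintext: bytes) -> None:
        key, label = os.urandom(32), os.urandom(16)   # fresh key and opaque label per file
        self.cloud[label] = keystream_xor(key, label, plaintext)
        self.local[name] = self.backup[name] = (label, key)

    def get(self, name: str) -> bytes:
        label, key = self.local[name]
        return keystream_xor(key, label, self.cloud[label])

    def has_access(self, name: str) -> bool:
        return name in self.local

    def revoke(self, name: str) -> None:
        """Temporarily give up access: drop only the local key; the ciphertext stays put."""
        del self.local[name]

    def delete(self, name: str) -> None:
        """Permanently give up access: drop the key everywhere, leaving unreadable noise in the cloud."""
        del self.local[name]
        del self.backup[name]

    def restore(self, name: str, backup_entry: Tuple[bytes, bytes]) -> None:
        """Regain access using the entry read back from the off-device backup."""
        self.local[name] = backup_entry

    def device_view(self) -> Tuple[list, int]:
        """What inspecting the device plus the cloud folder reveals: names still
        readable locally, and a count of opaque blobs. Revoked and deleted files
        look the same here; OS-level metadata (names, timestamps) is NOT handled."""
        return (sorted(self.local), len(self.cloud))
```

The deliberate gap is the one the article goes on to describe: the store hides which blob was revoked and which was deleted, but it does nothing about metadata the operating system keeps outside it.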

You could also use BurnBox simply to delete files more securely. As the researchers point out, some cloud storage services have experienced problems in the past that prevented them from fully deleting items, and they also may be subject to government surveillance. Last year, for example, Dropbox acknowledged it suffered from a now-fixed bug that prevented some files and folders from being fully deleted from its services for years.

The technology behind BurnBox has a number of limitations, many of which have to do with how operating systems and the applications they run work. Revoking access to a file or deleting it does not, in many circumstances, also remove the associated metadata, like file size, when it was last accessed, and its name. That kind of information can be telling, especially in a high-stakes situation like crossing a border. An incriminating file name or an indication that something was recently deleted could raise the suspicions of a customs agent.

Miers likens the problem to a craft project. "You can clean up the things you actually made, but the glitter gets everywhere, it gets all over the place, and operating systems are not good at cleaning it up," he says.

For BurnBox to work fully as intended, operating systems and applications would likely need to be reimagined with stronger privacy protections. "BurnBox is just one piece of this puzzle of a whole ecosystem of apps," says Nirvan Tyagi, a PhD candidate at Cornell University and the lead author on the paper. "Here is this problem and we have a solution to one part of it."