Practical Travel Safety Issues - Travelers turning to subterfuge to avoid having laptops examined, seized by DHS




justageek
Nov 7, 06, 12:10 am
http://www.nytimes.com/2006/11/07/business/07road.html

[...]

anecdotal evidence indicates a growing number of laptops are being randomly and legally scrutinized, and some are even being seized without a reason given by customs agents when travelers return to the United States.

[...]

Last Friday, on behalf of a corporate client, the law firm of Arent Fox filed a Freedom of Information request with the Department of Homeland Security seeking all information related to “searches, forensic searches, temporary or permanent seizures and/or confiscations” of laptops at airports or other border crossings. The law firm also requested information about how many of these searches or seizures have been conducted randomly.

[...]

One e-mail correspondent told me that at Dulles International Airport several months ago as he returned from a business trip to Europe his laptop was seized in what he said he was told was a random search.

“After giving me and my shoes a thorough search, they moved on to my laptop,” he wrote. “On the desktop I had a folder named ‘Blueprints’ which contained, as labeled, blueprints for several potential designs for our company’s expansion in Madrid and Houston.”

He added, “My laptop was initially searched by one person, but he called for backup” when he saw the blueprints. “It seemed they were convinced I was sent to plant bombs in those nonexistent buildings.” He said he hasn’t seen the laptop since.

Eddie Baron, a professor of physics and astronomy at the University of Oklahoma, suggested that a “simple solution to the possible confiscation of a laptop is subterfuge.” He said that all data should be kept on a flash drive “that goes in your checked luggage or is Fedexed back and forth.”

[...]


GUWonder
Nov 7, 06, 8:50 am
Encrypted transmission, storage and retrieval of data is going to make DHS's activity in this area even more wasteful over time. And then they'll get more arrogant and start behaving like the Communist Chinese and Taliban Saudis when it comes to international communications.

cpx
Nov 7, 06, 8:56 am
Encrypted transmission, storage and retrieval of data is going to make DHS's activity in this area even more wasteful over time. And then they'll get more arrogant and start behaving like the Communist Chinese and Taliban Saudis when it comes to international communications.

Can we make them sign a non-disclosure agreement before they inspect the notebooks?


GUWonder
Nov 7, 06, 9:03 am
As a matter of practice, they'll routinely refuse to sign one -- or buy time -- and/or go ahead with their procedures and process regardless; and often enough they'll talk about what was discovered anyway.

MsEverywhere
Nov 7, 06, 9:09 am
So what are my options? I was required to encrypt my hard drive on my work laptop PC. If I refuse to give DHS the password, then I guess they can refuse to return the PC to me. I'll make sure that I back up my hard drive before each trip and leave the backup at home. Then I'll let the CEO of my (enormous) company demand my laptop back.

skAAtinsteph
Nov 7, 06, 9:13 am
When I would travel for work our laptops (separate travel laptop from in office laptop) had heavy layers of encryption including numerous password layers, some passwords up to 25 mandatory characters long. If you incorrectly entered your password too many times or typed in a "certain" password it would just get rid of all your files for you! We were also told to never save to the laptop anyways but rather to two encrypted memory sticks. Before you leave to fly back home one copy of everyone's memory stick goes in a FEDEX envelope and the other one with you.

They can take away your laptop all day long and they won't have any of your data. In foreign countries customs will take your laptop to specifically steal data from you. If you don’t have the proper import / export paperwork filled out for all your software on your computer they can take your laptop as well.

studentff
Nov 7, 06, 9:39 am
My main concern/question is could ICE detain the person for refusing to reveal passwords.

My company laptop is required to have a hard drive password (not a BIOS password, but a hard drive password that I understand will prevent anyone who doesn't have the password from accessing the hard drive unless they open up the drive and put the platters on another controller), and all highly confidential data is supposed to be encrypted strongly when stored on the drive. All my sensitive personal data is also strongly encrypted.

All work-related contents of the machine are also backed up daily (as long as I'm somewhere with a network connection), though I would lose some personal photos and such from the trip if they took the machine as such personal files are not part of the automatic backup. So if ICE wants to confiscate/steal the machine, my preference would be to refuse any requests for cooperation and just let them take it. As soon as I get home, IT would give me a new laptop and restore it from the last backup in about 30 minutes. I'm out nothing other than my personal photos. The company would almost certainly be madder at ICE than at me.

But this plan breaks down if ICE can detain me in an attempt to extort the passwords.

skAAtinsteph
Nov 7, 06, 9:43 am
That's why there's the "special" password that basically opens the computer up but makes it look like a brand new computer with absolutely no data on it!

You know they ought to do that for ATM cards so if you're being robbed you just put in your special PIN and it shows you have a balance of like $10 and that's all it lets you take out! (Of course this is no help to you if you actually have only $10 in there)

dfyant
Nov 7, 06, 9:46 am
They can take away your laptop all day long and they won't have any of your data. In foreign countries customs will take your laptop to specifically steal data from you. If you don’t have the proper import / export paperwork filled out for all your software on your computer they can take your laptop as well.

What countries do this (eg, where should we be worried about this ?)

bocastephen
Nov 7, 06, 9:51 am
How long can you be detained if you refuse to supply a requested password? If you're a visitor, I imagine they can arrange to send you home, but if you're a citizen or permanent resident...surely they cannot detain you indefinitely.

Deeg
Nov 7, 06, 10:11 am
My main concern/question is could ICE detain the person for refusing to reveal passwords.

Not without some legal wrangling, no. The laptop could certainly be detained until the computer forensics guys manage to get into it. And ICE could probably also get a court order compelling you to divulge the password. Some not-quite-on-point court rulings have found a computer password to be similar to fingerprints or a voice exemplar in that it can be compelled over 5th and 6th amendment rights. Should you defy that order, there's always contempt proceedings. But I've never heard of things ever going that far.

(Disclaimer: IANAL, and I'm waaaay too lazy to search for references right now.)

If you're a visitor, I imagine they can arrange to send you home

You could make an argument that an alien is not cooperating with the inspection and therefore cannot be properly inspected. That would result in the person being refused admission. But, again, that's purely theoretical. I've never heard of it happening, and given the customer-oriented mindset taking over CBP, I don't see it happening without a darn good reason.

rufflesinc
Nov 7, 06, 10:16 am
I suppose if you're really paranoid you could have a dummy login that erases the info upon login (50x wipe of course)

bocastephen
Nov 7, 06, 11:08 am
...given the customer-oriented mindset taking over CBP, I don't see it happening without a darn good reason.

Not to go off topic here, but what customer-oriented mindset? They can still be every bit as hostile and belligerent to citizens, residents and visitors alike as they have been for years now.

Did some new rule come down from HQ in the last 30-60 days?

swampcritter
Nov 7, 06, 11:29 am
In the event you are working for a large company with an IT department, then Swampy wonders what all the fuss is about.

Swampy flies because his company requires him to do so. He takes his laptop because the company requires it. The security procedures on the computer have been reviewed and approved by the IT department.

So if DHS were to seize the laptop and broadcast confidential information, Swampy couldn't care less -- it's the IT department that will be fired, not Swampy. It's not his job or position to spend one quantum of brainpower worrying about it.

Swampy has worked in companies where he has had to make policies regarding data security (including for his personal machine), and in that case, obviously, it is a different matter entirely. However, Swampy has a policy of traveling low tech if he is going to a poorer nation, but that is more out of risk of theft.

Swampy would like to know what the magnitude of the problem is, so hopes that there will be a follow up article describing what happened to the FOIA request mentioned in the article.

exerda
Nov 7, 06, 12:01 pm
Our corporate laptops have multiple layers of encryption. We have also been told by IT and our security folks that if challenged by Customs, to not give the passwords and to immediately contact the security department--particularly since this means they will likely seize the laptop.

As I have not had to travel internationally for the company, it's not been an issue for me yet.

Global_Hi_Flyer
Nov 7, 06, 12:22 pm
Did some new rule come down from HQ in the last 30-60 days?

I wonder if this is part of it:

http://www.washingtonpost.com/wp-dyn/content/article/2005/09/19/AR2005091901570.html

Part, not all, of it.

bocastephen
Nov 7, 06, 12:46 pm
I wonder if this is part of it:

http://www.washingtonpost.com/wp-dyn/content/article/2005/09/19/AR2005091901570.html

Part, not all, of it.

I'm glad to see that someone in the government has concluded that arresting pornographers is going to keep me safer than arresting terrorists :rolleyes: Of course arresting purveyors of medicinal marijuana needs to come before pornographers or terrorists. We need to keep our priorities straight. Think of the children.

Outside of legally banned material (child porn), I doubt the DHS has the legal right to determine if hard core porn found on a laptop is a violation that should result in the arrest of the person or confiscation of their laptop.

Unless of course, the Bush Administration flushed the 1st Amendment down the toilet after making sure the 4th Amendment didn't leave any residue in the bowl on its way down the pipe.

Global_Hi_Flyer
Nov 7, 06, 12:49 pm
I'm glad to see that someone in the government has concluded that arresting pornographers is going to keep me safer than arresting terrorists :rolleyes: Of course arresting purveyors of medicinal marijuana needs to come before pornographers or terrorists. We need to keep our priorities straight. Think of the children.

Outside of legally banned material (child porn), I doubt the DHS has the legal right to determine if hard core porn found on a laptop is a violation that should result in the arrest of the person or confiscation of their laptop.

Unless of course, the Bush Administration flushed the 1st Amendment down the toilet after making sure the 4th Amendment didn't leave any residue in the bowl on its way down the pipe.

Might just be one of those fine ideas that CBP got from the UK:

IT journalist Kenneth Neil Cukier found his laptop the target of a Customs and Excise swoop when he stepped off the Eurostar shuttle from Paris at London's Waterloo station last Friday.
http://news.bbc.co.uk/1/hi/sci/tech/150465.stm

exerda
Nov 7, 06, 12:55 pm
Outside of legally banned material (child porn), I doubt the DHS has the legal right to determine if hard core porn found on a laptop is a violation that should result in the arrest of the person or confiscation of their laptop.

Unless of course, the Bush Administration flushed the 1st Amendment down the toilet after making sure the 4th Amendment didn't leave any residue in the bowl on its way down the pipe.

The Bush Administration has been pushing using existing obscenity laws to go after hard-core (but non-child) porn at the Federal level. Given that they claim that these are obscene materials, I bet CBP would see them as illegal and treat them accordingly.

FliesWay2Much
Nov 7, 06, 1:00 pm
There are a couple of issues in play and represent the situation where technology has outpaced our ability to keep up with it in our legal system. The overlaying aspect is that customs seizes laptops because they can. Giving them the benefit of the doubt for a minute, there are some longstanding customs laws they can enforce through examination of laptops such as:

ITAR export violations: If you have ITAR-controlled information (or other information that either State or Commerce says you can't export without a license) on your laptop, even if it has nothing at all to do with the topic of your overseas business meeting, it's an export violation subject to civil and criminal penalties. There are standard CYA provisions, such as Empowered Official letters, that you're supposed to know about and take advantage of before you leave the US.

The computer hardware and software itself: Sometimes, even the technology in the laptop or the installed software itself is export-controlled!

Piracy and counterfeit laws: Bootleg software and DVDs -- you know the drill

Kiddie porn: Self-explanatory

The average customs guy isn't qualified to look for all this stuff. Even if he knew computer forensics, he probably wouldn't have a clue what he was looking at unless the files contained words like "nuclear" "missile" "warhead" "Kiddie....." So, if you're the lucky one chosen at random or for a reason, your laptop goes off to the "shop" with no statute of limitation if, when, or how you get it back.

FYI, customs inspectors have no special privileges when it comes to proprietary or trade secret information. (I don't know why anyone would want to export the family jewels anyway.) Even if you can't get them to sign a non-disclosure agreement, they are still obligated to protect this information. Customs officers are subject to the same restrictions and penalties as anyone else in government.

There is a higher chance of theft or tampering when you carry a laptop overseas -- either ordinary theft or corporate espionage. This is the main reason why I have never taken a laptop overseas. This threat alone should deter most people from taking a laptop overseas unless you absolutely have to.

A lot of companies and government agencies have "fly-away" laptops with nothing stored on them. You take a memory stick with only that information you need for the trip. This is a sound practice. If you take your regular work laptop with you, EVERYTHING you have stored on it is fair game for customs or for theft -- all the other projects you're working on, the pictures of your family, all sorts of private emails and personal information, contacts lists, etc. Companies and government agencies with an overseas presence often have loaner laptops you can use while you're overseas. This is also a great idea.

For the overwhelming number of overseas travel situations, it simply isn't worth it to carry your own machine in & out of the US.

Just my two cents...

Deeg
Nov 7, 06, 1:51 pm
Not to go off topic here, but what customer-oriented mindset? They can still be every bit as hostile and belligerent to citizens, residents and visitors alike as they have been for years now.

Did some new rule come down from HQ in the last 30-60 days?

Sorry...I should have been more precise in my language. About a year or two ago, CBP management undertook a huge push to retrain all of the employees to be happy, friendly, and get people through faster. Of course, most of the everyday employees felt it to be a load of crap and thus nothing has really changed. But the positive result of it all is that managers are indeed feeling the pressure of negative publicity and public complaints. So while the inspector might not care about your complaints, his/her supervisors and managers certainly will. Make sense?

Outside of legally banned material (child porn), I doubt the DHS has the legal right to determine if hard core porn found on a laptop is a violation that should result in the arrest of the person or confiscation of their laptop.

CBP only cares about "immoral" pictures on your laptop. For all intents and purposes, that can be defined as child porn and bestiality. In some circuits, hardcore bondage and the like may be included, but that comes down to community standards and I've never heard of an inspector willing to go to that much trouble.

skAAtinsteph
Nov 7, 06, 2:02 pm
What countries do this (eg, where should we be worried about this ?)

We were particularly worried and had lost a couple in the UK.

I completely agree with everything FliesWay2Much said in the earlier post. ITAR info was a big part of it for us so we utilized what was referred to earlier as the fly away laptops.

We were told if they wanted to take it let them and try to get out of there asap. If in the US - call the 24 IT line ASAP - if out of the US - call the cell number given to us for our Embassy Rep.

Spiff
Nov 7, 06, 2:11 pm
Too bad there's no black ice that will send 50kV into a snooper's body. :D

(or is there?) ;)

jonesing
Nov 7, 06, 5:41 pm
That's why there's the "special" password that basically opens the computer up but makes it look like a brand new computer with absolutely no data on it!

You know they ought to do that for ATM cards so if you're being robbed you just put in your special PIN and it shows you have a balance of like $10 and that's all it lets you take out! (Of course this is no help to you if you actually have only $10 in there)

TrueCrypt (http://www.truecrypt.org/docs/?s=plausible-deniability)
Hidden Volume
It may happen that you are forced by somebody to reveal the password to an encrypted volume. There are many situations where you cannot refuse to reveal the password (for example, when the adversary uses violence). Using a so-called hidden volume allows you to solve such situations in a diplomatic manner without revealing the password to your volume.

The principle is that a TrueCrypt volume is created within another TrueCrypt volume (within the free space on the volume). Even when the outer volume is mounted, it is impossible to prove whether there is a hidden volume within it or not, because free space on any TrueCrypt volume is always filled with random data when the volume is created and no part of the (dismounted) hidden volume can be distinguished from random data.

As for the ATM card, I was at an agency that had just such a "panic" feature with the access control badges. If someone is threatening you to gain access, you can swipe your badge and enter the "Panic PIN" which is your actual PIN + 1 added to the last digit (9 --> 0). You will still be granted entry but a silent alarm is also transmitted to the armed security response team.


A lot of companies and government agencies have "fly-away" laptops with nothing stored on them. You take a memory stick with only that information you need for the trip. This is a sound practice. If you take your regular work laptop with you, EVERYTHING you have stored on it is fair game for customs or for theft -- all the other projects you're working on, the pictures of your family, all sorts of private emails and personal information, contacts lists, etc. Companies and government agencies with an overseas presence often have loaner laptops you can use while you're overseas. This is also a great idea.

Yeah we have those. Just loaded with the usual office, engineering and scientific applications...no data. You get to data via beefed up VPN portals and encrypted flash drives.

Loren Pechtel
Nov 8, 06, 2:39 pm
As for the ATM card, I was at an agency that had just such a "panic" feature with the access control badges. If someone is threatening you to gain access, you can swipe your badge and enter the "Panic PIN" which is your actual PIN + 1 added to the last digit (9 --> 0). You will still be granted entry but a silent alarm is also transmitted to the armed security response team.

That doesn't sound like a very good idea. With a one-digit difference I would expect a decent number of typo alarms when the digits are right next to each other. While I like the basic concept I think the emergency number should be more different--say, reverse your PIN.
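
An added example, not part of any post in this thread: it measures how often each of the two duress-PIN derivations discussed above (last digit + 1, and the reversed PIN) can be triggered by a single entry slip. The 4-digit PIN length, the phone-style keypad layout and the two slip models are assumptions made for the illustration.

```python
"""Added example: compare two duress-PIN derivations discussed in the thread.

Assumptions (not from the thread): 4-digit PINs, a phone-style 3x4 keypad,
and two slip models: pressing a key next to the intended one, and swapping
two neighbouring digits.
"""
from itertools import product

# Phone-style keypad layout (assumed); None marks the blank corners.
KEYPAD = [
    ["1", "2", "3"],
    ["4", "5", "6"],
    ["7", "8", "9"],
    [None, "0", None],
]


def build_adjacency(layout):
    """Map each key to the keys directly above, below, left and right of it."""
    adjacent = {}
    for r, row in enumerate(layout):
        for c, key in enumerate(row):
            if key is None:
                continue
            near = set()
            for dr, dc in ((-1, 0), (1, 0), (0, -1), (0, 1)):
                rr, cc = r + dr, c + dc
                if 0 <= rr < len(layout) and 0 <= cc < len(layout[rr]):
                    if layout[rr][cc] is not None:
                        near.add(layout[rr][cc])
            adjacent[key] = near
    return adjacent


ADJACENT = build_adjacency(KEYPAD)


def duress_plus_one(pin):
    """Scheme from the badge system: last digit + 1, with 9 wrapping to 0."""
    return pin[:-1] + str((int(pin[-1]) + 1) % 10)


def duress_reversed(pin):
    """Alternative proposed in the reply: the PIN entered backwards."""
    return pin[::-1]


def adjacent_key_slips(pin):
    """All entries that differ from pin by one neighbouring-key press."""
    slips = set()
    for i, digit in enumerate(pin):
        for wrong in ADJACENT[digit]:
            slips.add(pin[:i] + wrong + pin[i + 1:])
    return slips


def transposition_slips(pin):
    """All entries made by swapping two neighbouring digits of pin."""
    slips = set()
    for i in range(len(pin) - 1):
        swapped = pin[:i] + pin[i + 1] + pin[i] + pin[i + 2:]
        if swapped != pin:
            slips.add(swapped)
    return slips


def survey(scheme, length=4):
    """Count, over every PIN of the given length, how the scheme can misfire."""
    result = {"total": 0, "unusable": 0, "key_slip_alarm": 0, "swap_alarm": 0}
    for digits in product("0123456789", repeat=length):
        pin = "".join(digits)
        duress = scheme(pin)
        result["total"] += 1
        if duress == pin:
            # Duress code is indistinguishable from the real PIN.
            result["unusable"] += 1
            continue
        if duress in adjacent_key_slips(pin):
            result["key_slip_alarm"] += 1
        if duress in transposition_slips(pin):
            result["swap_alarm"] += 1
    return result


if __name__ == "__main__":
    for name, scheme in (("last digit + 1", duress_plus_one),
                         ("reversed PIN", duress_reversed)):
        print(name, survey(scheme))
```

Under these assumptions, 6,000 of the 10,000 PINs have a "+1" duress code that one neighbouring-key slip on the last digit produces. The reversed PIN is never one key slip away, but it is unusable for the 100 palindromic PINs and is reachable by swapping the two middle digits for 900 others.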

Doppy
Nov 8, 06, 5:15 pm
What countries do this
Plenty.

TierFlyer
Nov 8, 06, 5:20 pm
Oh, please, let me translate for you: "anecdotal evidence" means "I heard a rumor."

In the years since 911 I've seen two, count 'em, two laptops turned on at security. No idea why, mind you, but still.

Now, does customs and immigration ask people to turn their laptop on? Seems very likely.

I expect to see this canard on snopes anytime.

Doppy
Nov 8, 06, 6:09 pm
Oh, please, let me translate for you: "anecdotal evidence" means "I heard a rumor."
Well, we'll see what the FOIA requests come back with.

flyingpharmd
Nov 8, 06, 7:34 pm
My employer just sent out a directive this morning that company laptops were not to be taken out of the country of origin. That is fine with me! I hate lugging the damned thing around! It will be nice not to have that anchor dangling from my shoulder as I fight with my rollaboard. :)

DebbieS
Nov 8, 06, 7:55 pm
If they have the legal authority to inspect the contents of
my laptop computer, can they strap me to a polygraph
machine and start asking questions? How about my diary? :)

If I use a computer in a foreign hotel to access my VPN
at home, can the government intercept and decrypt the
information being transmitted/received? Technically,
the data is crossing the border... Wait, don't they already
use this logic to monitor international calls between someone
in the US and someone in a foreign country?

DebbieS
Nov 8, 06, 8:09 pm
Our corporate laptops have multiple layers of encryption. We have also been told by IT and our security folks that if challenged by Customs, to not give the passwords and to immediately contact the security department--particularly since this means they will likely seize the laptop.

As I have not had to travel internationally for the company, it's not been an issue for me yet.



If you refuse to provide the password, ask the customs agents nicely if you can get the suntan lotion out of your checked luggage and carry it with you. You'll need it in Guantanamo Bay...

Calling from the customs area is a no-no...

Your corporate security department probably won't hear
about this... neither will we.... :)

DebbieS
Nov 8, 06, 8:15 pm
That's why there's the "special" password that basically opens the computer up but makes it look like a brand new computer with absolutely no data on it!

You know they ought to do that for ATM cards so if you're being robbed you just put in your special PIN and it shows you have a balance of like $10 and that's all it lets you take out! (Of course this is no help to you if you actually have only $10 in there)

My home security system has this function. There's the
regular PIN to disarm the system. Then there's another
PIN for distress situations. For example, if I come home
and someone points a gun to my head, I'll enter the
distress PIN. It will disarm the system normally, without
alarming the robber/intruder standing next to me. However,
the security monitoring company will immediately receive
the abduction/distress alert and send police.

Definitely a good idea for ATM cards as well. Of course,
I only keep around $300 in that account. These days, I
don't have much use for cash. :) I even use mileage-
earning credit cards for $1 hot dogs. Last week the post
office even let me pay for a 39-cent stamp with credit card.

GeoGirl
Nov 9, 06, 6:35 am
Well, this just made my decision for me. I was planning to take a laptop to Paris at the end of the month. This is a trip for pleasure and we were planning to have our pet sitter check in via e-mail so we could make sure our kitties are safe and healthy while we're away. Based on this thread, I think I'll leave the laptop at home and use the business center at the hotel or hope to find a cyber-cafe. Too much important stuff on my laptop to lose it for ANY reason.

This is just wrong, people. It's just wrong.

GG

goaliemn
Nov 9, 06, 7:13 am
This was partially why I went with a BlackBerry. Most of the time I was using my laptop to check email. Now, I just use my phone :)

GeoGirl
Nov 9, 06, 9:12 am
This was partially why I went with a BlackBerry. Most of the time I was using my laptop to check email. Now, I just use my phone :)
Does that work in Europe? I have a Sidekick II for a phone and was wondering about that.

GG

cpx
Nov 9, 06, 9:15 am
Does that work in Europe? I have a Sidekick II for a phone and was wondering about that.

GG

Check with your provider. Several of them offer international plans.
They also have international unlimited plans.

goaliemn
Nov 9, 06, 9:43 am
Check with your provider. Several of them offer international plans.
They also have international unlimited plans.
I have T-Mobile with an international plan. It works fine. Sidekicks are unique. They may not work off T-Mobile, however, T-Mobile covers most of Europe. My BlackBerry is more universal, as most carriers support them, so roaming off T-Mobile hasn't been an issue.

iCorpRoadie
Nov 9, 06, 9:45 am
Wow, this is now just out of control. Do they not want us to fly with ANY luggage or carry-on luggage? Us poor biz travelers that need their laptops, phones, blueberries, treo's, etc. I want a computer for a brain then I don't need to carry anything.

*hits side of head* DIAL TSA HQ.....

*tap left foot big toe* EMAIL Kip@TSA.GOV

*hit forehead on WMD* REBOOT

vassilipan
Nov 9, 06, 12:30 pm
Wow, this is now just out of control. Do they not want us to fly with ANY luggage or carry-on luggage? Us poor biz travelers that need their laptops, phones, blueberries, treo's, etc.
We can ship our equipment to the work site. That way, our laptops go unscreened into the cargo hold alongside the SEMTEX, C4, TNT, etc. :p

cpx
Nov 9, 06, 1:31 pm
I have T-Mobile with an international plan. It works fine. Sidekicks are unique. They may not work off T-Mobile, however, T-Mobile covers most of Europe. My BlackBerry is more universal, as most carriers support them, so roaming off T-Mobile hasn't been an issue.


If you have tri/quad band instrument, you should be fine.

850/900/1800/1900 MHz

850/1900 for US and 900/1800 for the rest of the planet.

TierFlyer
Nov 9, 06, 1:44 pm
Well, we'll see what the FOIA requests come back with.
Dollar to your favorite charity for every piece of evidence that comes back. :-)

GeoGirl
Nov 9, 06, 1:47 pm
Update: I checked with T-Mobile and indeed, my Sidekick II will work in Europe. They turned on International Roaming and for a mere 99 cents/minute, I can check on my cats and father back home while I'm in Paris, and can also surf the web. However, with the ability to make phone calls for a reasonable rate, I won't really have to worry much about that. If I NEED to e-mail anyone, I'll use a cyber-cafe.

Thank God most of my business is web-based and even if I have to travel, I won't have to do much laptop work. Don't know if that will be true in the future, but for now, at least I don't HAVE to take the laptop with me. :rolleyes:

GG

TierFlyer
Nov 9, 06, 2:09 pm
Let's see, there is something like a $4.50/person fee to get on a plane, and in November the TSA expects (http://www.faa.gov/airports_airtraffic/airports/pfc/monthly_reports/media/stats.pdf) to collect $221M. That's around 49M passengers.

Figure 25% of them are carrying laptops: 12.25M laptops.

"Evidence" of a half dozen or so being examined over some period a LOT more than a month. Call it a dozen to make the math easy.

0.0001% likelihood of having a laptop issue. Per month.

I would worry more about losing my laptop.

[Disclaimer: my company's old VC's asked me never to do math in public, so YMMV.]

GUWonder
Nov 9, 06, 2:56 pm
Let's see, there is something like a $4.50/person fee to get on a plane, and in November the TSA expects (http://www.faa.gov/airports_airtraffic/airports/pfc/monthly_reports/media/stats.pdf) to collect $221M. That's around 49M passengers.

Figure 25% of them are carrying laptops: 12.25M laptops.

"Evidence" of a half dozen or so being examined over some period a LOT more than a month. Call it a dozen to make the math easy.

0.0001% likelihood of having a laptop issue. Per month.

I would worry more about losing my laptop.

[Disclaimer: my company's old VC's asked me never to do math in public, so YMMV.]

I don't know which airport you are flying into the US, but the ones I'm flying into certainly have less than 25% of passengers travelling with a laptop. There is the coach cabin. ;)

Doppy
Nov 9, 06, 3:06 pm
Dollar to your favorite charity for every piece of evidence that comes back. :-)
Why the smiley face? Is government secrecy a good thing?

TierFlyer
Nov 9, 06, 3:11 pm
I don't know which airport you are flying into the US, but the ones I'm flying into certainly have less than 25% of passengers travelling with a laptop. There is the coach cabin. ;)
Ok, so make it 10x more likely and you have a 0.001% chance of having a laptop problem per month. Max. So for every thousand flights you might expect to have a problem.

GUWonder
Nov 9, 06, 3:11 pm
Ok, so make it 10x more likely and you have a 0.001% chance of having a laptop problem per month. Max. So for every thousand flights you might expect to have a problem.

Then my time is coming soon. :eek:

TierFlyer
Nov 9, 06, 3:12 pm
Why the smiley face? Is government secrecy a good thing?
No, but think about it for a minute. Someone has to be keeping records, across several hundred airports. And then the person getting the FOIA has to figure out who that is. Then they have to scrub the numbers to CYA.

Likelihood seems low.

GUWonder
Nov 9, 06, 3:31 pm
No, but think about it for a minute. Someone has to be keeping records, across several hundred airports. And then the person getting the FOIA has to figure out who that is. Then they have to scrub the numbers to CYA.

Likelihood seems low.

I don't know if the DHS numbers are accurate or not, but they certainly used to supply data about people searched at customs and provide consolidated reports. But with the latest government nonsense (i.e., the non-disclosure, we're-not-accountable tone set from the top in the Executive Branch), who knows now.

Doppy
Nov 9, 06, 6:01 pm
No, but think about it for a minute. Someone has to be keeping records, across several hundred airports. And then the person getting the FOIA has to figure out who that is. Then they have to scrub the numbers to CYA.

Likelihood seems low.
Well they certainly have to keep records of what they're seizing, even if they don't keep records of inspections. If they can't keep track of the taking of people's property, then we have an even bigger problem on our hands.

flyzabit
Nov 10, 06, 10:48 pm
In the wake of the VA laptop data and Personally Identifiable Information (PII) incident, the federal Office of Management and Budget (OMB) has issued a memorandum requiring (in part) encryption of mobile data with PII on it, as well as 2-factor authentication with encryption for remote access to PII, along with 2 other points.
See http://www.whitehouse.gov/omb/memoranda/fy2006/m06-16.pdf
(List by fiscal year ... remove file name from URL.)

This is in essence from the White House / Executive Branch when you see OMB, who was originally tasked with computer security (OMB Circular A-130, esp. Appendix III, which led to the NIST Special Publications 800 series -- SP 800-xxx, [see http://csrc.nist.gov, especially SP 800-37 and SP 800-53 as focal points]. NIST (part of Dept. of Commerce) is now driving federal IT security compliance -- which is finally being taken seriously by the OIGs and DCAA auditors, et al). This all rolls up into FISMA (E-Government Act of 2002) for the non-military and DIACAP for the military/DoD sectors, with offshoot Certification and Accreditation Programs (xxxCAP; NISPOM) for federal / DoD contracts.

Other compliance efforts in the government and industry sectors are also driving more IT security, such as HIPAA, NERC-CIP (electricity sector), various privacy and incident reporting laws, etc. Sarbanes-Oxley is more focused on fraud and validity of data, and not just security.

MikeMpls
Nov 11, 06, 1:14 am
Please translate that last response into plain English for those of us who don't speak bureaucratese?

cpx
Nov 11, 06, 5:04 am
Please translate that last response into plain English for those of us who don't speak bureaucratese?


I can understand most of it.. but I think I missed the point too. :confused:

Xyzzy
Nov 11, 06, 8:14 am
I can understand most of it.. but I think I missed the point too. :confused:

From what I can tell it means that the government is also worried about people stealing data from or perusing the data on laptops and that it has recently strengthened its guidelines regarding encrypting/securing said data.

The problem here is that this thread is about the government doing the stealing or perusing!

ralfp
Nov 11, 06, 1:36 pm
i suppose if you're really paranoid you could have a dummy login that erases the info upon login (50x wipe of course)

Now that would probably get you in real trouble. You go from refusing to help to actively interfering with their search. Anyways, the wipe would take a LONG time to do. IANAL.

flyzabit
Nov 11, 06, 2:04 pm
In the wake of the VA laptop data and Personally Identifiable Information (PII) incident, ...OMB memo M-06-16:
See http://www.whitehouse.gov/omb/memoranda/fy2006/m06-16.pdf .

From what I can tell it means that the government is also worried about people stealing data from or perusing the data on laptops and that it has recently strengthened its guidelines regarding encrypting/securing said data.

True, xyzzy, as per the title and first posts in this thread. OK, here is your translation, since folks were talking about how their companies or agency require encrypted hard disks, different laptops when traveling abroad, mailing data home, export encryption laws, etc. in the first few posts. All very true, and are best practices for IT security (my job) for travel, especially internationally. I, too, am concerned about the abuse of power in the TSA or Customs (ICE) of DHS on the home front, less so if they simply want a device turned on, but more so if they peruse, make copies, keep data, or confiscate a device/laptop.

The NYTimes article quoted in the first post told of the Exec. Dir of the Corporate Travel Executives writing a letter to "officials at the Department of Homeland Security. She asked to know what the specific policies were. “Are copies made of the information?” she asked. “What safeguards do you have in place? Is the information destroyed? Is the downloaded and/or mirrored information stored somewhere and if yes, for how long? Who has access to it?” " As DHS is a federal agency, all the fed regs for computer security in FISMA (Federal Information Security Management Act of 2002) and the NIST standards I mentioned come into play. If you identify your laptop (or flash drive or smart phone) as having "PII" or sensitive data, they are to responsibly protect it under those, and other applicable federal laws.

I was going to quote from the OMB memo on this latest new Fed requirement, but I hate quoting Fed docs. You can read the first page of the link above for the new Fed push to secure laptops/smart phones/flash drives/floppies by encryption (and perhaps tape backups to offsite storage), as well as remote access, "forced timeouts", and logging of sensitive database access. The good news is that our Fed contracts have actually gotten OIG pressure to comply with it!!!
Now here is the "corker", which has us rolling on the floor, laughing out loud until we shed 3+ oz of tears...:
"Most departments and agencies have these measures already in place..."
...Nonsense. The OMB wanted this done by all Fed agencies within 45 days (August 7, 2006 by my calculation). Again, no way...

The power game by the TSA is another issue. One could say that due to either proprietary information, data on "critical infrastructure" that needs to be protected by you (a buzzword to DHS, whether civilian, contractor or Fed), or the level of clearance required, you are not able to show them information present on the computer without proof of their level of clearance specific to your information and specific authorization from -your- superior...then hold your ground. Access may not be granted by your employer without an approved "need to know" (another buzzword) and written clearance. Ask them if they have authority to violate a direct order from -their- superior...blah, blah....neither do you. It's not your decision, of course :-D. Gee whiz, you'd love to help, but (national) security takes priority.

In a stare-down, you could claim that to do otherwise, your access will be logged by timestamp (true: login) with logs regularly reviewed, and that you have a duty to report their access to this "sensitive information" to the Inspector General (fed, over their department) or Audit department (commercial/contractor), with full information on them, with possible consequences. (Use caution if you mumble/fudge something about this becoming a permanent government/legal record, accessible to background checks, blah, blah. Best to shake your head and look grim, get out pen and paper, and ask how to verify their clearance level.)

You, of course, are dealing with a power game, with this bully trying to show you his/her "power" by manipulation. If you can convince them that their cooperation with you to continue to "protect" your data is a good fight in the war on terror (and of course that is why they are there, isn't it...), and you are both on the same side with the need for him/her to support that protection, then you may defuse the power confrontation. "Honey attracts more flies than vinegar."

Xyzzy
Nov 11, 06, 2:27 pm
In a stare-down, you could claim that to do otherwise, your access will be logged by timestamp (true: login) with logs regularly reviewed, and that you have a duty to report their access to this "sensitive information" to the Inspector General (fed, over their department) or Audit department (commercial/contractor), with full information on them, with possible consequences. (Use caution if you mumble/fudge something about this becoming a permanent government/legal record, accessible to background checks, blah, blah. Best to shake your head and look grim, get out pen and paper, and ask how to verify their clearance level.)

You, of course, are dealing with a power game, with this bully trying to show you his/her "power" by manipulation. If you can convince them that their cooperation with you to continue to "protect" your data is a good fight in the war on terror (and of course that is why they are there, isn't it...), and you are both on the same side with the need for him/her to support that protection, then you may defuse the power confrontation. "Honey attracts more flies than vinegar."

If you were at a BICE checkpoint they would tell you that you had two choices 1) (if you're lucky) go back to where you came from or 2) let them examine your data. The more you complained the less likely they would be to let you choose option #2, as you clearly were trying to hide something. I would imagine most other checkpoint drones would behave the same way.

flyzabit
Nov 11, 06, 3:28 pm
If you were at a BICE checkpoint they would tell you that you had two choices 1) (if you're lucky) go back to where you came from or 2) let them examine your data. The more you complained the less likely they would be to let you choose option #2, as you clearly were trying to hide something. I would imagine most other checkpoint drones would behave the same way.

If you are going to allow them to look, which probably emboldens them to ask this of more people, the idea of innocuously-named directories is good (NYTimes). It is also possible to name a Windows directory with something as simple as a comma or underscore, and make it look empty. Even a few layers of this above will stop most casual manual searchers. A Linux/UNIX trick is to name a file or directory with a period or two periods, as if it were part of the directory structure itself.

To hide a Windows directory or file: From the directory, the Tools, Folder Options, View tab is by default set to "Do not show hidden files and folders." One can make a folder or file "hidden" by right-clicking it, Properties, and checking the "hidden" box.
-----------------

Bart of the TSA (same Bart as in this forum), by the way, had some insight on this back in 2004, at the TSA-screeners site forum: http://tsa-screeners.com/start/index.php?name=PNphpBB2&file=viewtopic&t=455&highlight=laptops+privacy in two posts:
"No TSA checkpoint requires passengers to turn their computers on as part of the screening process. ..." and
"(If I recall correctly, we haven't required laptops to be turned on---at least at my airport----since early 2002, but I may be mistaken.) ... The author of the article implies that this is TSA current policy. It is not; hasn't been for over two years.... Could be that an overzealous TSA screener went the extra step and had the author power up his computer (I find that very hard to believe; there is nothing in our procedures that even hints at turning on laptop computers). "

Another screener also affirmed this: "No TSA checkpoint requires passengers to turn their computers on as part of the screening process."
Other posters had to disagree, of course...

kanebear
Nov 11, 06, 8:24 pm
Years and years of flying and countless border crossings... I've never once been asked anything about my laptop at any stage in the journey by an official. This includes an incident at LHR that resulted in my getting a 45 minute interview and having EVERY ITEM in my luggage inspected. They never so much as opened the laptop.

GUWonder
Nov 12, 06, 11:05 am
Years and years of flying and countless border crossings... I've never once been asked anything about my laptop at any stage in the journey by an official. This includes an incident at LHR that resulted in my getting a 45 minute interview and having EVERY ITEM in my luggage inspected. They never so much as opened the laptop.

Going along TierFlyer's line, your time is getting closer too. :eek: Just need to get to 1000 international arrivals into the US by plane. :D

I'm curious how much more this happens at US airport customs checks than at US land-border crossings customs checks as a percentage of persons arriving into the country.

cpx
Nov 12, 06, 11:13 am
Years and years of flying and countless border crossings... I've never once been asked anything about my laptop at any stage in the journey by an official. This includes an incident at LHR that resulted in my getting a 45 minute interview and having EVERY ITEM in my luggage inspected. They never so much as opened the laptop.


I've never been questioned about my notebook computer either, but it does happen.


