justageek

http://www.nytimes.com/2006/11/07/business/07road.html

[...]

anecdotal evidence indicates a growing number of laptops are being randomly and legally scrutinized, and some are even being seized without a reason given by customs agents when travelers return to the United States.

[...]

Last Friday, on behalf of a corporate client, the law firm of Arent Fox filed a Freedom of Information request with the Department of Homeland Security seeking all information related to “searches, forensic searches, temporary or permanent seizures and/or confiscations” of laptops at airports or other border crossings. The law firm also requested information about how many of these searches or seizures have been conducted randomly.

[...]

One e-mail correspondent told me that at Dulles International Airport several months ago as he returned from a business trip to Europe his laptop was seized in what he said he was told was a random search.

“After giving me and my shoes a thorough search, they moved on to my laptop,” he wrote. “On the desktop I had a folder named ‘Blueprints’ which contained, as labeled, blueprints for several potential designs for our company’s expansion in Madrid and Houston.”

He added, “My laptop was initially searched by one person, but he called for backup” when he saw the blueprints. “It seemed they were convinced I was sent to plant bombs in those nonexistent buildings.” He said he hasn’t seen the laptop since.

Eddie Baron, a professor of physics and astronomy at the University of Oklahoma, suggested that a “simple solution to the possible confiscation of a laptop is subterfuge.” He said that all data should be kept on a flash drive “that goes in your checked luggage or is Fedexed back and forth.”

[...]

GUWonder

Encrypted transmission, storage and retrieval of data is going to make DHS's activity in this area even more wasteful over time. And then they'll get more arrogant and start behaving like the Communist Chinese and Taliban Saudis when it comes to international communications.

cpx

can we make them sign a non-disclosure agreement before they inspect the
notebooks?

GUWonder

As a matter of practice, they'll routinely refuse to sign one -- or buy time -- and/or go ahead with their procedures and process regardless; and often enough they'll talk about what was discovered anyway.

MsEverywhere

So what are my options? I was required to encrypt my hard drive on my work laptop PC. If I refuse to give DHS the password, then I guess they can refuse to return the PC to me. I'll make sure that I back up my hard drive before each trip and leave the backup at home. Then I'll let the CEO of my (enormous) company demand my laptop back.

skAAtinsteph

When I would travel for work our laptops (separate travel laptop from in office laptop) had heavy layers on encryption including numerous password layers, some passwords up to 25 mandatory characters long. If you incorrectly entered you password too many times or typed in a "certain" password it would just get rid of all your files for you! We were also told to never save to the laptop anyways but rather to two encrypted memory sticks. Before you leave to fly back home one copy of everyone's memory stick go in a FEDEX envelope and the other one with you.

They can take away your laptop all day long and they won't have any of your data. In foreign countries customs will take your laptop to specifically steal data from you. If you don’t have the proper import / export paperwork filled out for all your software on your computer they can take your laptop as well.

studentff

My main concern/question is could ICE detain the person for refusing to reveal passwords.

My company laptop is required to have a hard drive password (not a BIOS password, but a hard drive password that I understand will prevent anyone who doesn't have the password from accessing the hard drive unless they open up the drive and put the platters on another controller), and all highly confidential data is supposed to be encrypted strongly when stored on the drive. All my sensitive personal data is also strongly encrypted.

All work-related contents of the machine are also backed up daily (as long as I'm somewhere with a network connection), though I would lose some personal photos and such from the trip if they took the machine as such personal files are not part of the automatic backup. So if ICE wants to confiscate/steal the machine, my preference would be to refuse any requests for cooperation and just let them take it. As soon as I get home, IT would give me a new laptop and restore it from the last backup in about 30 minutes. I'm out nothing other than my personal photos. The company would almost certainly be madder at ICE than at me.

But this plan breaks down if ICE can detain me in an attempt to extort the passwords.

skAAtinsteph

That's why there's the "special" password that basically opens the computer up but makes it look like a band new computer with absolutely no data on it!

You know they ought to do that for ATM cards so if you're being robbed you just put in your special PIN and it shows you have a balance of like $10 and that's all it lets you take out! (Of course this is no help to you if you actaully have only $10 in there)

dfyant

What countries do this (eg, where should we be worried about this ?)

bocastephen

How long can you be detained if you refuse to supply a requested password? If you're a visitor, I imagine they can arrange to send you home, but if you're a citizen or permanent resident...surely they cannot detain you indefinately.

Deeg

Not without some legal wrangling, no. The laptop could certainly be detained until the computer forensics guys manage to get into it. And ICE could probably also get a court order compelling you to divulge the password. Some not-quite-on-point court rulings have found a computer password to be similar to fingerprints or a voice exemplar in that it can be compelled over 5th and 6th amendment rights. Should you defy that order, there's always contempt proceedings. But I've never heard of things ever going that far.

(Disclaimer: IANAL, and I'm waaaay too lazy to search for references right now.)

You could make an argument that an alien is not cooperating with the inspection and therefore cannot be properly inspected. That would result in the person being refused admission. But, again, that's purely theoretical. I've never heard of it happening, and given the customer-oriented mindset taking over CBP, I don't see it happening without a darn good reason.

rufflesinc

i suppose if you're really paranoid you could have a dummy login that erases the info upon login (50x wipe of course)

bocastephen

Not to go off topic here, but what customer-oriented mindset? They can still be every bit as hostile and beligerant to citizens, residents and visitors alike as they have been for years now.

Did some new rule come down from HQ in the last 30-60 days?

swampcritter

In the event you are working for a large company with an IT department, then Swampy wonders what all the fuss is about.

Swampy flies because his company requires him to do so. He takes his laptop because the company requires it. The security procedures on the computer have been reviewed and approved by the IT department.

So if DHS were to seize the laptop and broadcast confidential information, Swampy couldn't care less -- its the IT department that will be fired, not Swampy. Its not his job or position to spend one quanta of brainpower worrying about it.

Swampy has worked in companies where he has had to make policies regarding data security (including for his personal machine), and in that case, obviously, it is different matter entirely. However, Swampy has a policy of traveling low tech if he is going to a poorer nation, but that is more out of risk of theft

Swampy would like to know what the magnitude of the problem is, so hopes that there will be a follow up article describing what happened to the FOIA request mentioned in the article.

exerda

Our corporate laptops have multiple layers of encryption. We have also been told by IT and our security folks that if challenged by Customs, to not give the passwords and to immediately contact the security department--particularly since this means they will likely seize the laptop.

As I have not had to travel internationally for the company, it's not been an issue for me yet.