Abusive electronics searches at the border
Not that I approve of all hacking activity (esp. not "black-hat" variety), but it seems that CBP is intercepting & copying laptop hard drives at the border, apparently in response to other federal agencies that can't get warrants for legitimate searches:
|
It's my understanding (IANAL) that before formally entering the US (i.e. before passing *through* customs) that you have no rights. After all, you aren't in the US yet...
Nowadays folks who are concerned about their data, for whatever reason, can keep it "in the cloud" and access it via internet and wipe it from their hard drives before crossing borders. Google "cloud data backup" for lots of references. Sure, there can be security issues there, also, but it's generally out of the reach of customs. I've heard of some companies *requiring* their employees who carry laptops to wipe their disks and carry no copies of information. Kevin |
Bitlocker and/or PGP. Screw 'em.
|
Originally Posted by MikeMpls
(Post 15209127)
Not that I approve of all hacking activity (esp. not "black-hat" variety), but it seems that CBP is intercepting & copying laptop hard drives at the border, apparently in response to other federal agencies that can't get warrants for legitimate searches:
http://www.cbp.gov/linkhandler/cgov/.../elec_mbsa.pdf http://www.cbp.gov/xp/cgov/travel/ad...op_inspect.xml |
This is so wrong...downright evil. Welcome to the USSR.
|
I only travel with a disposable 150$ netbook, solid state 16g drive and it's always wiped virgin. Whatever I need while I'm travelling I can access remotely on my home network and if there's a document I must carry, it's encrypted, stegged and hidden in my phone's micro SD card.
hehehehe I really do have nothing to hide which makes them look even closer lmao |
Originally Posted by q209
(Post 15209331)
It's my understanding (IANAL) that before formally entering the US (i.e. before passing *through* customs) that you have no rights. After all, you aren't in the US yet...
|
Welcome to the USSA. Please submit all documents physical and electronic for copy and search.
The next booth is for searches of your person and property. Then you will give a testament of your travels with explanation for your activities. Pray we do not deem them "unamerican." I've only traveled internationally once in the last year but when I did my laptop drive was fully encrypted with a long, random key the only copy of which I gave to a trusted person who was instructed to call with it the evening after passing through customs. Recall that there are regulations against "interfering" with the screening process. One could then (and the government undoubtedly will at some point) interpret refusing to decrypt your computer for them as "interfering." So, if you want to avoid breaking federal regulations I would suggest not just encrypting your device but literally being unable to decrypt it at customs. If you want to use your laptop en route then create a separate partition. One encrypted to a key you don't have and the other a fresh install of things you don't mind having searched. Whatever you do, remember to always be vigilant in the United Soviets States of America. Uncle Sam is watching and listening to your phone calls and reading your emails and tracking your cellphone and car all without warrants and that's just what they admit to.... |
Those of us who spent half our lives in the Cold War where we were told over and over that we had to FIGHT to keep the commies from taking our freedom just are crazy how after the USSR collapsed, our fellow Americans are doing the job they were supposedly bent on. Which means the trillions spent on intimidating Russia and China were totally wasted.
|
Thank you truecrypt, hardware biometrics, and 10+ character alpha-numeric non-English misspelled passwords, with multiple duress passwords.
Not that it matters with the TSA BS going on right now. |
Originally Posted by Firebug4
(Post 15210216)
FYI
http://www.cbp.gov/linkhandler/cgov/.../elec_mbsa.pdf http://www.cbp.gov/xp/cgov/travel/ad...op_inspect.xml
Abuse means looking at computers not because a Customs violation is suspected, but because Uncle Sam wants a look see for other reasons. Our government appears to be using this exception as a way around the warrant requirement. |
Could you just ship it back and pick it up at FedEx or UPS?
|
Originally Posted by KwintSommer
(Post 15210844)
Welcome to the USSA. Please submit all documents physical and electronic for copy and search.
The next booth is for searches of your person and property. Then you will give a testament of your travels with explanation for your activities. Pray we do not deem them "unamerican." I've only traveled internationally once in the last year but when I did my laptop drive was fully encrypted with a long, random key the only copy of which I gave to a trusted person who was instructed to call with it the evening after passing through customs. Recall that there are regulations against "interfering" with the screening process. One could then (and the government undoubtedly will at some point) interpret refusing to decrypt your computer for them as "interfering." So, if you want to avoid breaking federal regulations I would suggest not just encrypting your device but literally being unable to decrypt it at customs. If you want to use your laptop en route then create a separate partition. One encrypted to a key you don't have and the other a fresh install of things you don't mind having searched. Whatever you do, remember to always be vigilant in the United Soviets States of America. Uncle Sam is watching and listening to your phone calls and reading your emails and tracking your cellphone and car all without warrants and that's just what they admit to.... |
so your friend COULD be compelled to reveal the key. |
Originally Posted by polonius
(Post 15212018)
This is actually not that good of an idea. The fifth amendment would protect you from being forced to disclose the key, but it would not protect your friend -- the protection is only against SELF incrimination, so your friend COULD be compelled to reveal the key.
|
Originally Posted by scraidin
(Post 15210313)
I only travel with a disposable 150$ netbook, solid state 16g drive and it's always wiped virgin. Whatever I need while I'm travelling I can access remotely on my home network and if there's a document I must carry, it's encrypted, stegged and hidden in my phone's micro SD card.
hehehehe I really do have nothing to hide which makes them look even closer lmao
For people who are (admittedly) so smart (such as the person in his article), these people must not want privacy, as there's tons of ways to do this now (remote-desktop, etc). There are statements to be made, and you darn well know that if it's really important it's not on them, and chances are they left a message on the laptop. Not saying if this is right or wrong (that's a completely different reply), yet one of the first rules of "hacking" is... work with the environment you're given, and identify how to work within it. |
Originally Posted by woodg
(Post 15212136)
What if the "friend" was a foreign citizen living outside the USA?
Originally Posted by sbagdon
(Post 15212847)
In general, this is old news, I haven't traveled with a laptop for 2 years, when traveling internationally, and I wipe my phone of all personal data before departing (it'll resync the next time I plug in back home).
For people who are (admittedly) so smart (such as the person in his article), these people must not want privacy, as there's tons of ways to do this now (remote-desktop, etc). There are statements to be made, and you darn well know that if it's really important it's not on them, and chances are they left a message on the laptop. Not saying if this is right or wrong (that's a completely different reply), yet one of the first rules of "hacking" is... work with the environment you're given, and identify how to work within it.
True, but as the article notes, once a CBP agent has taken your laptop out of your sight, you have no idea what has been done to it -- they could have installed keystroke logger or even malicious software. Whether they actually have or not is irrelevant, the fact is, once they do that, you need a new laptop -- it's not right. |
Originally Posted by polonius
(Post 15213082)
OK, but why not just do the simple -- memorise the key, and refuse to hand it over. They cannot compel you to.
Originally Posted by polonius
(Post 15213100)
True, but as the article notes, once a CBP agent has taken your laptop out of your sight, you have no idea what has been done to it -- they could have installed keystroke logger or even malicious software. Whether they actually have or not is irrelevant, the fact is, once they do that, you need a new laptop -- it's not right.
|
A few points here:
As to "rights" before entering the US, the proper way of looking at it is that the Constitution limits what the government can do. There's nothing restricting that limitation to only people who are physically in the US. However, the courts have long ruled that the government has a sufficiently-compelling interest in preventing contraband from entering that searches are permitted at the border which would otherwise require cause elsewhere. One way to look at this is that the 4th Amendment doesn't prevent all searches, only "unreasonable" ones and the courts have ruled that the definition of "unreasonable" is different at the border. But the 4th Amendment (and all others) still apply. As to encryption keys, you're much better off having it yourself than giving it to a friend. The courts have ruled that it's a 5th Amendment violation to be forced to reveal an encryption key (technically, revealing the key itself is not, but revealing that you know it is and there's no way to reveal the key without revealing that you know it) in the US (but you can in the UK). However, there's nothing preventing your friend from being compelled to reveal the key. Others have previously suggested here that you should give the only copy of your key to your attorney because attorney-client privilege then likely protects the key. I also agree that it's likely there'll be laws and/or court decisions that limit the government's power to do this in the not-too-distant future. |
Originally Posted by sbagdon
(Post 15213483)
There's a case in the UK about someone being sent to prison for about a year, for not surrendering their 50-bit key. It's out there somewhere in google.
Part of this discussion is legal/illegal, part is right/wrong, part is how to deal with the environment. It's probably legal, it's probably wrong, and it's definitely dealable with. You deal with the situation, while trying to change the situation.
Someone needs to wake the CBP/DHS up and tell them 'Hey there is this amazing thing out there called the interwebz and even more amazing is this E-lectronic Mail. They both enable people to send and store things away from their computers!' |
Originally Posted by Flahusky
(Post 15213777)
The 50 character key is here: Teen jailed for refusing to disclose PW
Someone needs to wake the CBP/DHS up and tell them 'Hey there is this amazing thing out there called the interwebz and even more amazing is this E-lectronic Mail. They both enable people to send and store things away from their computers!' FB
Originally Posted by Ari
(Post 15211700)
The courts are going to review your agency's [ab]use of the border search exception for searches of laptops and is going to put severe restrictions on it and the next 5 years. (Ari's prediction).
Abuse means looking at computers not because a Customs violation is suspected, but because Uncle Sam wants a look see for other reasons. Our government appears to be using this exception as a way around the warrant requirement.
In response to your second paragraph, In those 13 years I have looked at quite a few laptops, cell phones, and cameras etc. I have only, in those 13 years, seen one laptop actually detained. My experience is not that the devices are being looked at for other agencies but for the purposes of locating Immigration and Customs violations. The most common things that are being looked for are evidence of employment in the United States. This most often takes the form of computerized invoices, work orders, business correspondence etc. This is no different than when we would find the paper counterparts in briefcases before computers were so prevalent. The other thing that is looked for most often is child porn. That was the circumstances that surrounded the laptop detention that I witnessed. It was also the case that the judge in Vermont ruled that the subject did not have to give up his password. I am not saying that what you describe doesn't happen. I am saying that I don't believe that it happens with the regularity that is implied. I just haven't seen it and I have worked at ports of significant size both land and air that handle a large amount of traffic and have never encountered it. FB |
Originally Posted by Firebug4
(Post 15215804)
In response to your first paragraph, that may very well be the case. The policy is not a new one though at all. It has been updated at least a couple of times in the past 13 years that I have been exposed to it.
Originally Posted by Firebug4
(Post 15215804)
In response to your second paragraph, In those 13 years I have looked at quite a few laptops, cell phones, and cameras etc. I have only, in those 13 years, seen one laptop actually detained. My experience is not that the devices are being looked at for other agencies but for the purposes of locating Immigration and Customs violations.
Originally Posted by Firebug4
(Post 15215804)
The most common things that are being looked for are evidence of employment in the United States. This most often takes the form of computerized invoices, work orders, business correspondence etc.
Originally Posted by Firebug4
(Post 15215804)
This is no different than when we would find the paper counterparts in briefcases before computers were so prevalent.
Originally Posted by Firebug4
(Post 15215804)
The other thing that is looked for most often is child porn. That was the circumstances that surrounded the laptop detention that I witnessed. It was also the case that the judge in Vermont ruled that the subject did not have to give up his password.
Originally Posted by Firebug4
(Post 15215804)
I am not saying that what you describe doesn't happen. I am saying that I don't believe that it happens with the regularity that is implied. I just haven't seen it and I have worked at ports of significant size both land and air that handle a large amount of traffic and have never encountered it.
|
Originally Posted by Ari
(Post 15217194)
That is the theory behind the laptop search, but it is not entirely the same in the case that people carry their whole lives on their laptops. It would be like rolling several personal file cabinets through customs every time one travels as opposed to just carrying a briefcase of papers. It is different.
But nearly all the material in a laptop is not related to the travel that is being completed and hence is out of bounds of that legitimate interest. The pre-laptop analog of looking at every file in a laptop would be that whenever a person crossed the border, the government would look at every piece of paper in his home and place of work. Clearly, that's not permissible. So why is a laptop search? |
Originally Posted by RichardKenner
(Post 15221247)
But nearly all the material in a laptop is not related to the travel that is being completed and hence is out of bounds of that legitimate interest. The pre-laptop analog of looking at every file in a laptop would be that whenever a person crossed the border, the government would look at every piece of paper in his home and place of work. Clearly, that's not permissible. So why is a laptop search?
|
Originally Posted by RichardKenner
(Post 15221247)
Another way of saying that is paper is bulky and people don't normally carry more than they have an immediate need for. So, before the laptop era, it was reasonable to assume that almost all papers in somebody's possession when they cross a border relate to the trip they're completing and thus examining those papers is part of the legitimate government interest in protecting borders.
But nearly all the material in a laptop is not related to the travel that is being completed and hence is out of bounds of that legitimate interest. The pre-laptop analog of looking at every file in a laptop would be that whenever a person crossed the border, the government would look at every piece of paper in his home and place of work. Clearly, that's not permissible. So why is a laptop search? |
Originally Posted by yyzvoyageur
(Post 15221597)
If a person has child pornography on his laptop or has documents on his laptop related to his illegal employment in the country or of his involvement in people smuggling, the only way to find those files is to examine the laptop in its entirety. All of the games, recipe files, family photographs, and all of the other legal stuff on the computer would be of no interest to the government, but it still may be given a cursory glance as part of the search for the illegal stuff. It's the same with a person's suitcase. The examining officer would be looking for the illegal (or dutiable or prohibited or regulated) things. Searching through one's dirty underwear and feminine hygiene products may seem personal, but those items are being looked at merely as a by-product of the search for the bad stuff.
Originally Posted by polonius
(Post 15221635)
Even then, the border search exemption does not extend to READING documents a traveller is carrying with them. Yes, of course, they can go through a briefcase, open a file folder, shuffle through a stack of documents to verify there isn't some contraband or dutiable goods secreted inside. But they cannot decide, "oooh, this looks interesting, let's have a closer look at this draft patent application, or these notes from an interview with a dissident or whistle-blower, or this MoU on a planned merger, let me take a few minutes and have a read through this before I call my broker". That's true whether you are talking about a hard or a soft copy.
|
Originally Posted by yyzvoyageur
(Post 15221597)
If a person has child pornography on his laptop or has documents on his laptop related to his illegal employment in the country or of his involvement in people smuggling, the only way to find those files is to examine the laptop in its entirety. All of the games, recipe files, family photographs, and all of the other legal stuff on the computer would be of no interest to the government, but it still may be given a cursory glance as part of the search for the illegal stuff. It's the same with a person's suitcase. The examining officer would be looking for the illegal (or dutiable or prohibited or regulated) things. Searching through one's dirty underwear and feminine hygiene products may seem personal, but those items are being looked at merely as a by-product of the search for the bad stuff.
No one is saying the method isn't effective, but do you see why many people consider it an invasion of privacy different than just searching through papers? |
Originally Posted by RichardKenner
(Post 15221703)
Here's a situation where the documents in a suitcase had immigration consequences. Somebody was coming into the US and was claiming to be a tourist. However, in their suitcase was a bunch of cookbooks. CBP correctly determined that this person was instead coming to work in somebody's home because a tourist wouldn't be carrying that. But if those cookbooks had instead been on their computer, it would not be suspicious because why delete cookbooks from your computer when you travel? That's yet another example of the fundamental difference.
|
Originally Posted by Flahusky
(Post 15213777)
The 50 character key is here: Teen jailed for refusing to disclose PW
Someone needs to wake the CBP/DHS up and tell them 'Hey there is this amazing thing out there called the interwebz and even more amazing is this E-lectronic Mail. They both enable people to send and store things away from their computers!'
How hard is it to say "I forgot the 50-character password..." ????? Heck, I can't even recall what my ATM card PIN# is and that's only 4 numbers! :) (probably because I have the PIN# tattooed under my armpit for security) |
Seems to me the solution is to create a data partition, back up an image of it before traveling, format the data partition, travel, return, restore the data partition at home. If you take anything in that partition on your trip, make it only absolutely needed on the trip. Makes good sense anyway in case you lose the laptop.
|
Originally Posted by Ari
(Post 15211700)
Abuse means looking at computers not because a Customs violation is suspected, but because Uncle Sam wants a look see for other reasons. Our government appears to be using this exception as a way around the warrant requirement.
|
Originally Posted by Scubatooth
(Post 15211603)
Thank you truecrypt, hardware biometrics, and 10+ character alpha-numeric non-English misspelled passwords, with multiple duress passwords.
Not that it matters with the TSA BS going on right now. |
Originally Posted by PTravel
(Post 15227714)
Please tell me more about "duress passwords." How do those work?
|
Originally Posted by FlyingGambler
(Post 15229004)
I don't know how it works on a computer, but my bank offers a similar "duress" PIN#. Let's say my ATM card's normal PIN# is 1234, the duress PIN# is 4321. If someone holds a gun to my head and demands that I give them the PIN#, I can just give 4321 and the ATM card. With the 4321 code, it will allow the robber to draw around $300 in US dollars and the receipt will show "account overdrawn" after that. (so the robber/kidnapper can't continue to draw money from it) Not sure if US banks offer this type of ATM card?
|
Originally Posted by FlyingGambler
(Post 15229004)
I don't know how it works on a computer, but my bank offers a similar "duress" PIN#. Let's say my ATM card's normal PIN# is 1234, the duress PIN# is 4321. If someone holds a gun to my head and demands that I give them the PIN#, I can just give 4321 and the ATM card. With the 4321 code, it will allow the robber to draw around $300 in US dollars and the receipt will show "account overdrawn" after that. (so the robber/kidnapper can't continue to draw money from it) Not sure if US banks offer this type of ATM card?
|
Originally Posted by PTravel
(Post 15229233)
Thanks, but I'm specifically interested in my computer, as I travel with it internationally often. In Windows, only one password is allowed for. Is there software available that supplies the duress function?
TrueCrypt's bootloader will be the first thing you see when you turn on your computer, before Windows even starts. One password takes you to your normal Windows partition, the other takes you to your duress partition, which of course contains nothing you care about. To the person who has compelled you to give them your password, it's impossible to tell that they're looking at your duress partition. |
Originally Posted by PTravel
(Post 15227714)
Please tell me more about "duress passwords." How do those work?
Originally Posted by yyzvoyageur
(Post 15229372)
I thought that reverse PIN thing was an urban myth.
|
Originally Posted by LuvAirFrance
(Post 15223026)
Seems to me the solution is to create a data partition, back up an image of it before traveling, format the data partition, travel, return, restore the data partition at home. If you take anything in that partition on your trip, make it only absolutely needed on the trip. Makes good sense anyway in case you lose the laptop.
Originally Posted by PTravel
(Post 15227714)
Please tell me more about "duress passwords." How do those work?
Originally Posted by sbagdon
(Post 15229670)
I'm guessing it's one way of setting a password that if you enter it, it'll wipe the computer (or at least the important data) in the background, and look like it's doing normal work in the foreground.
IronKey thumb drives do a hardware data destruction if the wrong password is entered a set number of times. I've had one for a building access code pin, it'll disarm the alarm, yet alert to entry-by-duress. |
Originally Posted by PTravel
(Post 15227714)
Please tell me more about "duress passwords." How do those work?
Is a good link to how it works, alternative program would be PGP, but I like truecrypt. My system (as well as external drives) I go beyond passwords and use biometrics as well as my laptop has a fingerprint scanner to unlock things. In cases of being forced to give up a password under duress I will use the duress password and duress finger to unlock. With that it won't show my real data but more or less look like a fresh install of XP with no real data they can look all they want but they're not going to find anything and cracking truecrypt is not likely even if they put it on a supercomputer running anti-encryption tools. The other method I can do is with a USB key/dongle but I don't use that so much anymore because it's getting harder and harder to find dongles as they can be easily damaged. |
Truecrypt FDE
I use Truecrypt full-disk encryption on a disposable laptop which is imaged before I travel. I take a prepaid cellphone that has a factory firmware erase and a fresh SIM card when I travel.
Just give me receipts for what you take .. and have fun with AES256 (and I know how to generate key entropy .. it's not the dog's name you morons). Just don't make me stand there for 4 hours arguing about it. NO, YOU CAN'T HAVE THE PASSWORD. Don't travel with anything you aren't prepared to lose. |