Thursday, March 30, 2017

Crossing the U.S. Border with Electronic Devices


(Source; click to enlarge)

by Gaius Publius

It used to be that when most people crossed the U.S. border, their electronic devices — computers, smartphones, tablets — were not routinely searched. This is no longer the case. As Murtaza Hussain notes at The Intercept, searches are up sharply, from 5,000 in 2015 ... to 5,000 in just last February alone.

It's not just ICE agents whose jobs are "fun" again, it's the men and women at the U.S. Border Protection service too.
Lawsuit Seeks Transparency as Searches of Cellphones and Laptops Skyrocket at Borders

A lawsuit filed today by the Knight First Amendment Institute, a public interest legal organization based at Columbia University, seeks to shed light on invasive searches of laptops and cellphones by Customs and Border Protection officers at U.S. border crossings.

Documents filed in the case note that these searches have risen precipitously over the past two years, from a total of 5,000 searches in 2015 to 25,000 in 2016, and rising to 5,000 in the month of February 2017 alone. Among other questions, the lawsuit seeks to compel the federal government to provide more information about these searches, including how many of those searched have been U.S. citizens, the number of searches by port of entry, and the number of searches by the country of origin of the travelers.
The obvious problem — that pesky Fourth Amendment aside — is, as the author puts it, "the wealth of personal data often held on such devices." Seizure and search of these devices puts that highly personal treasure trove in the hands of the Trump-led, even-more-muscular government and its agents, to do with as they will. (And don't discount the possibility that Trojan horse software could be implanted. Not that our government would do that, mind you — that would be wrong — but still.)

Of course, the border agents can't order you to surrender your devices and unlock codes — not exactly — though intimidation and coercion is in their repertoire. How long, for example, are you willing to put your life on hold while you defy them and they wait you out ... at the airport, with a flight to catch or a job to get to?

Hussain again:
A number of recent cases in the media have revealed instances of U.S. citizens and others being compelled by CBP agents to unlock their devices for search. In some instances, people have claimed to have been physically coerced into complying, including one American citizen who said that CBP agents grabbed him by the neck in order to take his cellphone out of his possession.
With that in mind, I thought I'd offer a few suggestions, as a partial answer to questions I'm seeing more and more, asked by people who have reason to believe they may be on the "outs" with the brave new world in Washington and its agenda.

How to Safeguard Your Data From Searches at the Border

The first set of suggestions comes from the New York Times. Brian Chen, the author of the piece, gives a nice introduction to the problems encountered by those who cross the U.S. border, closing with the admonition, Do not lie about your passwords. That would not only be wrong, it would be punishable.

That said, here are his suggestions. Note that many of them hinge on not crossing the border with your data to begin with — or not crossing the border with your passwords, even in your head. Chen:
Consider a cheap device

The best way to prevent your information from being searched is to travel with a device that never had any of your data in the first place.

It’s a wise idea to invest in a so-called travel device, a cheap smartphone or computer that you use only abroad ... So leave your fancy equipment — along with your photo album, Facebook, Snapchat and Twitter apps — at home.

Which devices to buy? The Wirecutter, the product recommendations site owned by The New York Times, published a guide on budget Android phones, including the $100 Moto G4 Play that comes unlocked so that it can work with foreign SIM cards. For cheap computers, consider a $550 Acer laptop or a $430 Dell Chromebook.
When it comes to phones, you could even forego a local phone and, as an East London friend suggests, buy a cheap smartphone or even a "dumbphone" at your destination. Then load a pay-as-you-go SIM card into it and use it exclusively. You could even abandon it before leaving if you're feeling really bold. (Remember when travelers didn't feel incomplete if they didn't have a phone in their pocket? That could be you.)

If you want it back, I'm sure a friend would be glad to mail it to you after you leave — or you could simply mail it to yourself before you depart.

Three more small pieces of advice before one major one:
Disable fingerprint readers

...[In] the United States, law enforcement agencies have successfully used warrants to compel people to unlock their cellphones with a fingerprint. But because of your right to remain silent, it would be tough (though not impossible) for the federal government to force you to share your passcode. So disabling your fingerprint sensor when traveling is generally a safer move. ...

Encrypt your devices

Whether you are using a burner device or your own, always make sure to lock down the system with encryption, which scrambles your data so it becomes indecipherable without the right key.

Desktop apps like BitLocker or Apple’s FileVault let you encrypt your hard drive, requiring a passphrase to decrypt your files. To avoid surrendering this passphrase, you could jot it down and hand it to a friend and contact that person for the passphrase after crossing the border. [emphasis added]

Back up to the cloud, then wipe before you cross

...[To have access to your data while abroad] back up your data to a cloud service and then wipe, or erase, all the data from your device before arriving at the border, Mr. Zdziarski said. After passing through customs, you could then restore your information from the online backup.
I want to focus on the comment above about your passphrase for a moment. You can't surrender your passphrase (a more complex form of password) if you don't know it. So, when you encrypt your device, use a complex passphrase that you (1) don't memorize, and (2) give to someone not traveling with you.

If You Don't Know Your Passwords, You Can't Surrender Them

Which leads to the final piece of advice, a major one:
Don’t memorize your passwords

The best way to protect your passwords is to not know them. When resisting a data frisk, it is easier to say you didn’t memorize your password as opposed to refusing to provide it to border agents, Mr. Grossman said.

“If you don’t know them it’s hard to compel you to give them over if you don’t know how,” he said. “Even if somebody put a gun to my head, I don’t know it.”

Password management apps like 1Password and LastPass can automatically create strong, lengthy passwords for all your online accounts and keep them stored in a vault that is accessible with one master password.

However, Mr. Grossman said you are better off traveling without your password management software loaded on your devices so that you won’t be asked to hand over the master password to your vault. You could store a copy of the password vault on a cloud service like Dropbox and get access to your vault of passwords when you reach your travel destination, he said.

An alternative to using a password-managing app is to write your passwords down and leave them with someone you trust. After getting through customs, contact that person and ask him or her to read off your passwords.
What's really needed, of course, is for someone who can put her life on hold — and who has a great lawyer prepared to defend her — to challenge these searches and seizures in court. Some lawyers I spoke to don't think they're legal — though note the strong objections to that opinion here.

Suggestions from the CIA

The other suggestions I want to offer come from the CIA. This isn't related to carrying electronic devices per se, but to how to comport yourself during screenings. WikiLeaks has leaked internal documents from the CIA that advise its own agents how to behave when they cross the border. After all, if you're a spy with a cover story, you don't want it blown by some border cop who pulls you out of line for a random secondary check and spots your nervousness.

Those documents are here:

Happy traveling.


Labels: , , , , , ,


At 3:30 PM, Anonymous Anonymous said...

When I still worked, everyone was forbidden from taking company electronics to about 2 in 3 foreign nations. Then it was fear of theft and espionage (cloning of phones, for instance). But it was also suggested that taking your personal stuff across was a bad idea for the same reasons.

And now this.

My next trip across a border, I'll get a crap phone with limited minutes for the trip. I'll copy a small number of contact numbers (family, friends and so on) and that's it. My photos from the trip will be transferred to a thumb drive or something so I don't lose them... and if the motherfuckers want to take the phone when I come back, the motherfuckers can have it.

I can only add that voters asked for this time after time and they now have it. So... well done assholes. Enjoy never having privacy ever again.

At 4:37 PM, Blogger Gaius Publius said...

Amen, Anonymous. When this finally bites the broad public, it will bite hard.


At 12:09 AM, Anonymous Anonymous said...

What border agent, encountering an apparently password-protected device, will believe the device's owner who claims that he/she does not know his/her own password?

And, what border agent, deciding that a particular traveler is to be searched, will believe that the traveler is without such a device?

I'd suggest that eventually one needs to travel without electronic devices AND be prepared to unpack/repack at border entry points.

For an idea of the chances of being searched, the number of international border crossings into the US needs to be known and compared with the reported number of searches (reported, above, at some 60,000 and obviously rising quickly.)

Easily obtained data shows 200 million US international airline passengers in 2016.

Presumably this is some combination of exits and entries. Assuming searches are conducted only on exits, so far, cut the number in half.
(Note, of course, this data does not include entry by motor vehicle.)

So, roughly, the current chances of being searched are on the order of 60K divided by ~100 million. This is 0.06 per cent or 1 search out of 1500-2000 entries.

Of course, we can assume the searches are skewed toward those who are young and of swarthy appearance.

John Puma

PS, anon @ 3:30PM:
Do NOT assume thumb drives will be immune to demands to be searched. Send data to some "cloud" source before travel. Don't even look like you have a secret cloud data stash and, eventually, be prepared to "prove" that you don't have a cloud data stash - even in the absence in your luggage of any device that could access one.

At 12:12 AM, Anonymous Anonymous said...

That is "Assuming searches are conducted only on ENTRIES .... "

At 7:38 AM, Anonymous Anonymous said...

Thanks John. I am aware. But a thumb drive can be hidden pretty easily. Or even mailed home before I board the plane. I'm more worried about cloud hacking than most since I've been hacked already.

At 7:58 AM, Anonymous Anonymous said...

To Anon @ 7:38 AM

I was in NO way endorsing "cloud" data storage but only emphasizing that no hardware should be carried .... and that the situation will get a LOT worse before it gets any better.



Post a Comment

<< Home