Gaius Publius: Crossing the U.S. Border with Electronic Devices

Yves here. I assume another option is to wipe your hard disk, although that supposedly makes the device police very unhappy. But if you smile and say it was a company laptop and it’s your employer’s policy because they have confidential client information, they might be less hostile since you’d be depicting it as not your decision.

By Gaius Publius, a professional writer living on the West Coast of the United States and frequent contributor to DownWithTyranny, digby, Truthout, and Naked Capitalism. Follow him on Twitter @Gaius_Publius, Tumblr and Facebook. GP article archive here. Originally published at DownWithTyranny.

It used to be that when most people crossed the U.S. border, their electronic devices — computers, smartphones, tablets — were not routinely searched. This is no longer the case. As Murtaza Hussain notes at The Intercept, searches are up sharply, from 5,000 in 2015 … to 5,000 in just last February alone.

It’s not just ICE agents whose jobs are “fun” again, it’s the men and women at the U.S. Border Protection service too.

Lawsuit Seeks Transparency as Searches of Cellphones and Laptops Skyrocket at Borders

A lawsuit filed today by the Knight First Amendment Institute, a public interest legal organization based at Columbia University, seeks to shed light on invasive searches of laptops and cellphones by Customs and Border Protection officers at U.S. border crossings.

Documents filed in the case note that these searches have risen precipitously over the past two years, from a total of 5,000 searches in 2015 to 25,000 in 2016, and rising to 5,000 in the month of February 2017 alone. Among other questions, the lawsuit seeks to compel the federal government to provide more information about these searches, including how many of those searched have been U.S. citizens, the number of searches by port of entry, and the number of searches by the country of origin of the travelers.

The obvious problem — that pesky Fourth Amendment aside — is, as the author puts it, “the wealth of personal data often held on such devices.” Seizure and search of these devices puts that highly personal treasure trove in the hands of the Trump-led, even-more-muscular government and its agents, to do with as they will. (And don’t discount the possibility that Trojan horse software could be implanted. Not that our government would do that, mind you — that would be wrong — but still.)

Of course, the border agents can’t order you to surrender your devices and unlock codes — not exactly — though intimidation and coercion are in their repertoire. How long, for example, are you willing to put your life on hold while you defy them and they wait you out … at the airport, with a flight to catch or a job to get to?

Hussain again:

A number of recent cases in the media have revealed instances of U.S. citizens and others being compelled by CBP agents to unlock their devices for search. In some instances, people have claimed to have been physically coerced into complying, including one American citizen who said that CBP agents grabbed him by the neck in order to take his cellphone out of his possession.

With that in mind, I thought I’d offer a few suggestions, as a partial answer to questions I’m seeing more and more, asked by people who have reason to believe they may be on the “outs” with the brave new world in Washington and its agenda.

How to Safeguard Your Data From Searches at the Border

The first set of suggestions comes from the New York Times. Brian Chen, the author of the piece, gives a nice introduction to the problems encountered by those who cross the U.S. border, closing with the admonition, Do not lie about your passwords. That would not only be wrong, it would be punishable.

That said, here are his suggestions. Note that many of them hinge on not crossing the border with your data to begin with — or not crossing the border with your passwords, even in your head. Chen:

Consider a cheap device

The best way to prevent your information from being searched is to travel with a device that never had any of your data in the first place.

It’s a wise idea to invest in a so-called travel device, a cheap smartphone or computer that you use only abroad … So leave your fancy equipment — along with your photo album, Facebook, Snapchat and Twitter apps — at home.

Which devices to buy? The Wirecutter, the product recommendations site owned by The New York Times, published a guide on budget Android phones, including the $100 Moto G4 Play that comes unlocked so that it can work with foreign SIM cards. For cheap computers, consider a $550 Acer laptop or a $430 Dell Chromebook.

When it comes to phones, you could even forego a local phone and, as an East London friend suggests, buy a cheap smartphone or even a “dumbphone” at your destination. Then load a pay-as-you-go SIM card into it and use it exclusively. You could even abandon it before leaving if you’re feeling really bold. (Remember when travelers didn’t feel incomplete if they didn’t have a phone in their pocket? That could be you.)

If you want it back, I’m sure a friend would be glad to mail it to you after you leave — or you could simply mail it to yourself before you depart.

Three more small pieces of advice before one major one:

Disable fingerprint readers

…[In] the United States, law enforcement agencies have successfully used warrants to compel people to unlock their cellphones with a fingerprint. But because of your right to remain silent, it would be tough (though not impossible) for the federal government to force you to share your passcode. So disabling your fingerprint sensor when traveling is generally a safer move. …

Encrypt your devices

Whether you are using a burner device or your own, always make sure to lock down the system with encryption, which scrambles your data so it becomes indecipherable without the right key.

Desktop apps like BitLocker or Apple’s FileVault let you encrypt your hard drive, requiring a passphrase to decrypt your files. To avoid surrendering this passphrase, you could jot it down and hand it to a friend and contact that person for the passphrase after crossing the border. [emphasis added]

Back up to the cloud, then wipe before you cross

…[To have access to your data while abroad] back up your data to a cloud service and then wipe, or erase, all the data from your device before arriving at the border, Mr. Zdziarski said. After passing through customs, you could then restore your information from the online backup.

I want to focus on the comment above about your passphrase for a moment. You can’t surrender your passphrase (a more complex form of password) if you don’t know it. So, when you encrypt your device, use a complex passphrase that you (1) don’t memorize, and (2) give to someone not traveling with you.

If You Don’t Know Your Passwords, You Can’t Surrender Them

Which leads to the final piece of advice, a major one:

Don’t memorize your passwords

The best way to protect your passwords is to not know them. When resisting a data frisk, it is easier to say you didn’t memorize your password as opposed to refusing to provide it to border agents, Mr. Grossman said.

“If you don’t know them it’s hard to compel you to give them over if you don’t know how,” he said. “Even if somebody put a gun to my head, I don’t know it.”

Password management apps like 1Password and LastPass can automatically create strong, lengthy passwords for all your online accounts and keep them stored in a vault that is accessible with one master password.

However, Mr. Grossman said you are better off traveling without your password management software loaded on your devices so that you won’t be asked to hand over the master password to your vault. You could store a copy of the password vault on a cloud service like Dropbox and get access to your vault of passwords when you reach your travel destination, he said.

An alternative to using a password-managing app is to write your passwords down and leave them with someone you trust. After getting through customs, contact that person and ask him or her to read off your passwords.

What’s really needed, of course, is for someone who can put her life on hold — and who has a great lawyer prepared to defend her — to challenge these searches and seizures in court. Some lawyers I spoke to don’t think they’re legal — though note the strong objections to that opinion here.

Suggestions from the CIA

The other suggestions I want to offer come from the CIA. This isn’t related to carrying electronic devices per se, but to how to comport yourself during screenings. WikiLeaks has leaked internal documents from the CIA that advise its own agents how to behave when they cross the border. After all, if you’re a spy with a cover story, you don’t want it blown by some border cop who pulls you out of line for a random secondary check and spots your nervousness.

Those documents are here:

Happy traveling.


71 comments

  1. nowhere

    There are cases where “not remembering” your decryption password allows the state to hold you indefinitely.

    It seems the best options are the cheap devices, or backing up to a local drive that doesn’t travel with you, from which you restore when you are home (if you are not into cloud backups).

    1. Yves Smith Post author

      Not if you are a US citizen. You cannot be denied entry, but as a wag put it, “your stuff can be”. Longest case a lawyer who deals in this knew of anyone being delayed was 36 hours, and he was Muslim, natch.

      If you are foreign, they can’t hold you for all that long either. They send you back.

      1. nowhere

        The case I was thinking of wasn’t specifically at a border crossing, but I don’t think it would take much to expand this legal line of reasoning to include citizens at border crossings.

        Ars Technica – Man jailed indefinitely for refusing to decrypt hard drives loses appeal

        In deciding against Rawls, the court of appeals found that the constitutional rights against being compelled to testify against oneself were not being breached. That’s because the appeals court, like the police, agreed that the presence of child porn on his drives was a “foregone conclusion.” The Fifth Amendment, at its most basic level, protects suspects from being forced to disclose incriminating evidence. In this instance, however, the authorities said they already know there’s child porn on the drives, so Rawls’ constitutional rights aren’t compromised.

        It would be terrible if a child porn case ended up being the bellwether for this type of forced decryption, or rot in jail scenarios.

        1. reslez

          The authorities already know he’s guilty, therefore he has no rights? Well that was wonderfully clarifying.

          1. nowhere

            Precrime is just around the corner! But don’t worry, unless you are thinking illegal thoughts.

            1. craazyboy

              I heard somewhere* that Chris Christie has admitted to getting funny feelings in his nether regions when looking at pictures of pizza.

              So we must assume powerful people do take these things seriously and are taking action to protect us from these urges.

              * That could be fake news. It’s so hard to keep track.

          2. Harris

            “Foregone Conclusion” means something different in legalese.

            I believe it means that he has admitted that he owns the hard drive or the state has strong evidence that can show that he does own it.

            /not a lawyer

            1. nowhere

              Even if he owns it, the issue is being forced to provide a password (which is more strongly protected than biometric measures) that may give the State incriminating evidence. It’s like the State saying “we know you are guilty of something, we don’t have the evidence, and until you turn over the incriminating evidence you can sit in jail.”

              The files, however, were not on the Mac Pro, but instead had been stored on the encrypted external hard drives. Accordingly, the files themselves could not be accessed.

              How do they reach a foregone conclusion if they don’t have particular evidence that the specific data is on the drive?

              What if the method they used to check the hashes is flawed?

  2. Spooky McCloud

    “Back up to the cloud, then wipe before you cross”

    Yes, and use Tor too!

    Spooky McCloud

    Central Registry of Briars

  3. fajensen

    My advice is don’t bring anything. Think USSR, only with many more goons and guns and fewer “blyats” given about their use.

    Keep your files, applications and work-related things at home on a server, using Citrix, VMWare, X-Server, VNC, etc. whatever your business supports. Always access through a non-US based VPN service.

    I use pencil & paper a lot anyway, I can’t think properly in front of a computer. I mostly use the computer to clean up my notes and scribbles.

    A used Lenovo Laptop, Core i5, 6 GB of ram, with two years of warranty on it from the used hardware pusher, is about 300 EUR (Swap the HDD it comes with with a new SSD device, about 80 EUR, and it will make the computer blazingly fast).

    On the new HDD do a clean install of something really simple, a Linux Distro, perhaps. It only needs to access the applications running on the server at home and show pictures of them. Don’t bother to encrypt anything at all, lame password is OK too. Since there is now literally nothing on the device that is not also on the internet already, we simply have nothing to hide.

    Once you get there, use the VPN service to access whatever computer services you actually work with.

    If customs takes your device out of sight, then it is probably infected when it returns. One must assume that they would use something persistent. It will not be safe to just reformat the HDD and reinstall. The slightly immoral person will sell the device on eBay, or forget it in the taxi, it will give “them” something to track.

      1. oh

        Doesn’t take much but if you open up your port to two way access, you may find yourself hacked even with a firewall.

      2. fajensen

        Quite a lot of reading and tedious computer work!

        It may be worth paying a techie to set it up too. I used to build datacenters and I am already a bit “rusty”, since I switched back to working with electrical engineering about 5 years ago.

        One at least needs a router that can handle incoming VPN connections, probably also a firewall/switch with VLAN support too so one can split the networks in a Demilitarized Zone (DMZ), where the network-facing things live, an internal network for the secure things, one network where the “Internet of Crap Things” connect to, maybe even a guest network too, to stop the IoT-Crap from attacking the guests.

        Management, something like CFEngine so that one does not have to always log into lots of “computers” to update and install things. And a small server for hosting the Management (or a slice of a server in the form of a virtual machine on top of the free hypervisors KVM, Xen, or VirtualBox) …. Xen is probably what I would use for my home.

        Xen Hypervisor used to be good, KVM seems to be rising with Docker, but the management is command-line mostly. VirtualBox is Oracle so there is a shafting waiting to happen eventually. Or one can pay for VMWare, the small licenses are OK, the larger ones Obscene.

        In this setup, if the management server or the server hardware bricks, then one cannot login and use the management system to fix it with, usually there is an “Intelligent Lights Out” (ILO) service for that on the server hardware – this service is something that should be well protected.

        The basic hardware for a simple home network setup with VLAN and VPN support would be about USD 1000.

        The application server can be as expensive as one wants – however it is wise to consider the electric bill. The “beginners”, “pizza-box”, “HP Proliant dl380” (I think) are ludicrously powerful computers already in the standard configuration (noisy too, sucks kW’s at full load).

        Something much smaller, like the “Dell PowerEdge T20” or “Fujitsu Primergy TX1310 M1” is probably better for the home server.

        I now prefer Dell (very cheap, OK systems) or Fujitsu (the Toyota of IT, reasonable price, very reliable, even the cheap end) rather than the HP’s because HP, those swine, have started limiting functionality such as BIOS updates to people with HP service agreements, which sucks to pay, especially on a 300 USD micro-server!

        I’ll see if I can dig up a CISCO or OpenWRT How-To for the network part.

        1. nowhere

          Just a quick personal note: Xen poses a pretty large learning curve to get configured correctly. OTOH, VMware provides their esxi server for free and runs pretty much out of the box.

          I run pfSense as my router/firewall/intrusion detection platform, and I’ve been pretty happy with its performance over the past year.

        2. craazyboy

          hmm. Makes one think, for someone that doesn’t intend to recoup this investment in time, learning and effort by getting a full time job in IT, that it may be worth the risk to just get a cloud service.

          1. fajensen

            Yep! That makes sense too.

            It is always the prospects that are the most dangerous – we don’t worry about getting whacked by the Yakuza or such, while dangerous people, they are not even operating in the same stratosphere as us.

            Prospects, however, are someone we may meet. They are always virtue-signaling how “gangsta” they are in the hope of the made people noticing. That is something we need to worry about.

            TLA, DHS … are prospects too. They all want to be the equals of the big players like NSA or CIA, and are really keen to show off their attitude.

            While keeping things in the cloud will not keep the NSA & Co away, probably nothing will if they really want our data, but it will thwart the more immediate threat from the intelligence service wannabe in the airport.

      3. David Henderson

        I am a software developer. I have a Linux server running at home used as a backup for various laptops.

        The server is an ancient Mac Pro running Debian Linux release Jessie.
        It’s used mostly as a git server (git is a configuration management program) for software development.

        The various laptops are totally encrypted and backed up daily, mostly because they could be lost or stolen or dropped at any moment. The home server is my long term record of my activities.

        I treat my laptop(s) as totally volatile and disposable. When a laptop dies, I won’t lose more than a day’s worth of work.

        Why do I do this? Murphy’s Law (whatever can go wrong, will). Murphy is alive and well and is determined to get me.

        I have yet to cross a border using this configuration of data storage. I’m not sure what I would do, but services like Spideroak provide inspiration. Spideroak encrypts data without remembering the encryption key. Because I’m Linux based, tarsnap is another cloud service with similar functionality.

        My main motivation is to protect against Murphy with a home server. For redundancy it helps to have a cloud server. As an afterthought, a cloud server protects against Big Brother and his snooping.

        1. bob

          Gotta ask, you seem technically capable. More technically capable than 99% of people, probably.

          Could you build a server that can withstand an attack by the US nat sec state?

          If you can’t do that, how are less technically capable people supposed to do it?

          1. nowhere

            Given the ability of China to deeply penetrate US state secrets, I’d have to say that the number of people/entities that could withstand a sophisticated, focused state-level attack probably approaches 0%.

            The main goal is to be too much of a bother to spend resources, and to remain below the general level of interest to demand additional resources.

            1. bob

              If you follow that line of thinking, you quickly end up in the veal pen.

              “Use Tor to surf safe!”

              Tor was set up by US intel, and they are still the largest donors and users. You went from a giant pool to a much smaller pool, sharing it with much bigger fish.

              “encrypt!”

              First you have to find an OS that you control. Good luck. If you’re playing with that stuff, you stick out like a sore thumb, and are, once again, jumping into a very small pool dominated by intel/spooks.

              “VPN”

              You’re sending your “encrypted” data “overseas”, in order to protect it? I can’t imagine a better way to make yourself, and your traffic, completely and legally owned. They already admit they check international stuff, and have claimed for some time that they don’t need any sort of permission to do this, let alone any sort of legal paper. What stops intel from setting up these honeypots? In what court of law can, or would you want to, file suit against the VPN provider for turning over your data?

              First up, there’s the problem of admitting it’s “your”… isn’t what you got the VPN for right, to remain anonymous?

            2. JTMcPhee

              Let’s recall the ability of Israel’s do-badders to “deeply penetrate US state secrets,” let us never forget… And, indeed, to “hack” US elections and the whole American political apparatus, to suit the preferences of people who very clearly are “not our friends…” and who refer amongst themselves to the US as “Uncle Sucker…”

              $5 billion a year, plus another $38 billion, plus wars and conflicts started and maintained to in significant measure, have the US and “Nato” and the UN dancing clumsily to the Likudniks’ minor-key tune…

  4. Anon

    > Yves here. I assume another option is to wipe your hard disk, although that supposedly makes the device police very unhappy. But if you smile and say it was a company laptop and it’s your employer’s policy because they have confidential client information, they might be less hostile since you’d be depicting it as not your decision.

    Of course, you should only consider saying this if it’s actually true. Lying to a federal agent is a felony.

    1. Yves Smith Post author

      In my case it would be true and I suspect anyone with an accommodating boss could get him to declare that if they used a device for company business overseas, they’d need to wipe it before returning. In fact, if you alerted said boss to the issue, they’d probably be glad that you volunteered to go through that hassle. You’d just have to take the “company laptop” out if you were using a personal device.

      1. Anon

        I agree with that, but I’d be most comfortable if the boss would implement a written policy to that effect and applies it to all employees. That way you’d have written evidence to back up your statement to the border agents.

    2. reslez

      Yes, I don’t see any reason to come up with a story that doesn’t even work for personal devices. Just wipe your phone. What are they going to say? “You don’t have enough phone numbers in here, clearly you’re hiding something”? “Oh, ok, I guess you should lock me away.”

      What they’re doing is exploiting the gray area at the border to hoover up your confidential personal papers and effects. For them to complain about you avoiding their wiggle room would be pretty nakedly Big Brother of them, which is a much easier case to fight. This is no different than choosing not to bring your entire desk of paperwork with you when you travel, or mailing a box of documents to your hotel so you don’t have to fly with it. I guess that’s gonna be illegal too, so I better give a copy of my house key to the Border Patrol.

      1. Yves Smith Post author

        Sorry, you need to think in terms of a laptop. This is way more complicated than a phone.

        I only have a dumb phone and never carry it across borders because I pretty much never have time to get a local SIM card, I’m scheduled too tight. If I really need a phone, I’ll ante up for a rental at the airport. Although there might be merit in taking a dumb phone just to prove one is a tech Luddite.

  5. AbateMagicThinking but Not money

    Ditch electronic memory devices. Get yourself some brain hacking-gear/substance and develop photographic memory.

    …or just rely on the chaos caused by the paranoia of the current zeitgeist to disable the institutions of information.

    And anyway, do you really think you’re going to be able to travel to foreign parts for much longer?

    Anybody shorting the International airline corporations?

  6. Jos Oskam

    As a European I am fascinated by the institutional paranoia enveloping the United States. Evil Russkies are everywhere, hacking everything and the kitchen sink. Terrorists and criminals are crossing the borders with alarming regularity, using social media and cloud services to plan and store the details of their evil deeds. But thank God for those armies of federal agents, going through all your personal details, throwing you in jail or generally making your life miserable if you do not instantly supply them with at least all your passwords and access codes, or your physical equipment.

    Has everybody gone out of their collective minds?

    Do people really believe that terrorists or other evildoers will enter the United States with their laptop, tablet or phone conveniently filled with all the details of their criminal organisations, financial ties or intricate plans for causing mayhem, death and destruction, for federal agents to peruse? Or just having published a graphical description on their personal Facebook account and ditto some grisly images on Snapchat or Instagram? Or, if a device with seemingly sensitive information is indeed discovered, that this will not be filled with disinformation carefully set up by somebody making good use of the paranoia of all these laptop-peekers?

    Gimme a break.

    The real danger is not terrorists or criminals, but officials with room-temperature IQ that get away with fascist harassment of millions of innocent travelers, while the really terrifying people slip through the net because they are too smart to be caught by these rude and heavy-handed measures.

    “Fiddling while Rome burns” seems like an apt description.

    1. cnchal

      > The real danger is not terrorists or criminals, but officials with room-temperature IQ that get away with fascist harassment . . .

      The real danger are the terrorists and criminals. Officials with room temperature IQ’s are dangerous in that a skilled terrorist or criminal can get past them, so I am certain there are not very many like that.

      Imagine yourself in that jawb.

      From the Wikileaks: CIA Assessment on Surviving Secondary Screening

      With the exception of Israel’s Ben Gurion airport and a few others, immigration inspectors conducting primary screenings generally lack the time and tools to conduct in-depth examination of travelers’ bona fides. EU norms stipulate that passport checks take no longer than 20 seconds per traveler. Dutch Royal Military Police (KMAR) officers at Schiphol Airport in Amsterdam are under instruction to spend no more than 10 seconds evaluating each passport although few officers achieve this speed, according to July 2009 liaison reporting. (S//OC/NF)

      Everyone should read that CIA report. It’s a great tourist’s guide to getting through customs with the least hassle.

    2. JacobiteInTraining

      “…Has everybody gone out of their collective minds?…”

      As an American, I am fascinated as well. I would only take issue with your characterization of ‘officials with room-temperature IQs’ – because the officials in charge of this are in no way stupid…they know *precisely* what they are doing…it’s what they have lived for the last 20 or 30 years and are happy as pigs in mud to finally establish their police state to protect the graft, corruption, and rackets that enrich them.

      On the positive side: an increasing number of people are waking up every day…awaking that is to the sad knowledge that their federal government has become infested with sociopaths, goons, authoritarians, stasi-wannabes, and other assorted detritus, who don’t even bother to hide it anymore.

      But not enough people to make much of a difference…yet. They may be awake but they are not yet clear on the remedy. They still hold out hope that their ‘Red team’ or their ‘Blue Team’ will carry a ball over some mythic goal line and save the day.

      On the negative side – was it George Carlin that said “…Think of how stupid the average person is, and realize half of them are stupider than that…”?

      If voting no longer changes the system to the benefit of the 99%, then what?

      Perhaps the answer to 1984 is 1776.

    3. fajensen

      Has everybody gone out of their collective minds?
      Pretty Much.

      As a European (Danish), I am shocked and appalled that “we” first went to Afghanistan and Iraq. Then, having learned nothing, we went once again and provided free air support for Jihadists in Libya, then, after the catastrophic failure of that “regime-change” was well established and documented to be a disaster, “our” media pushed really hard for even more of the same in Syria. This time we were only saved by The Moderate Jihadists posting their atrocities too liberally on all SoMe-channels.

      Then, having pissed off all these people by bombing and regime changing them, then removing their barrier of entry like with the Libya cluster-fuck, it turns out that everyone in the EU has absolutely no clue how to deal with the fallout in the form of an invasion of immigrants, some of which are surely terrorists, more are just dead-enders with zero prospects and of course some are real refugees but no one is prepared to deal with them. Basically, everyone just lets them roam around freely, paperless and “living off the land”. Total insanity!

      I believe there is a quantum connection between “mind” and “universe”. Perhaps, right now we are moving through a region of reality where the quantum-based processes running our brains are severely weakened, possibly this weakening will go on right until our minds cease to function.

      The 0.1% are informed about this and are determined on having one last orgy of bloody carnage, looting and fraud before they go out (and if we donate, they bet nobody will remember).

      It’s the only rational explanation for their leadership behavior.

      * The once respectable newspaper politiken.dk is today mostly a channel for neo-liberal agitprop, and opinion pieces, one assumes are sourced from a secret server run by a CIA subsidiary.

    4. flora

      “Has everybody gone out of their collective minds?”

      no.

      This is implementing the Total Information Awareness program – defunded by Congress in 2003 because it was too intrusive – by other means, one piece at a time.

      “The Information Awareness Office (IAO) was established by the Defense Advanced Research Projects Agency (DARPA) in January 2002 to bring together several DARPA projects focused on applying surveillance and information technology to track and monitor terrorists and other asymmetric threats to U.S. national security by achieving “Total Information Awareness” (TIA).[4][5][6]

      “This was achieved by creating enormous computer databases to gather and store the personal information of everyone in the United States, including personal e-mails, social networks, credit card records, phone calls, medical records, and numerous other sources, without any requirement for a search warrant.[7] This information was then analyzed to look for suspicious activities, connections between individuals, and “threats”.[8] Additionally, the program included funding for biometric surveillance technologies that could identify and track individuals using surveillance cameras, and other methods.[8]

      “Following public criticism that the development and deployment of this technology could potentially lead to a mass surveillance system, the IAO was defunded by Congress in 2003. However, several IAO projects continued to be funded and merely run under different names, as revealed by Edward Snowden during the course of the 2013 mass surveillance disclosures.”

      https://en.wikipedia.org/wiki/Information_Awareness_Office

    5. Fastball

      You are witnessing a stereotype. Some people really are as paranoid as you say. But most others know this for what it is … which is mostly the establishment coopted media. Of course, some people really ARE as paranoid as this. That’s what makes it a stereotype.

  7. Anon

    For personal devices, a Chromebook “powerwashed” and configured on border crossing day to log in to an alternate, unused Google account that’s bereft of personal files, along with a cheap smartphone that’s been similarly wiped and depersonalized (using the same decoy account if it’s an Android), will raise the least suspicion and avoid risking exposure of any data you need on both sides of the border. Use a simple, easy to remember password for speeding through inspection.

    For company gear: follow your employer’s instructions _to the letter_ (get it in writing) and never use them for anything but strictly business purposes. That means not even e-mailing, texting or Skyping family using those devices (which you should avoid even when home because of the likelihood your employer engages in intrusive surveillance of company owned devices as a risk avoidance measure).

    Oh, and welcome to what it felt like to cross the Iron Curtain in the 1980’s. Who won the Cold War, Mr. Reagan?

  8. marieann

    I’m an immigrant. We came here to Canada in 1967 from Scotland, we have family in the US. We have been crossing the land border for 50 years, and are very familiar with the US customs officers.
    After 9/11…it all went to hell, border guards treated everyone like criminals and, if possible, it’s getting worse. To the point where if we didn’t have family we would no longer go over. I hear that refrain from many Canadians.
    We don’t have electronic devices nor even a cell phone and we fear being pulled over and what will happen when we fail to produce one.
    We have always said that the border guards behave like bullies, they make up the rules as they go along and depending what mood they are in. We realise we have no recourse and most advice to crossing is keep your mouth shut and expect the worst.
    I have heard thousands of horror stories….the one that sticks out is the family heading to Florida. They were pulled in for secondary inspection. Their little dog was left in the car in its carrier. The customs agents opened the carrier to search it and the little dog got out and was lost….never to be recovered.
    Sorry eh!

  9. oho

    buy a backup computer to take across the border from goodwill/ebay. Decent ones under $100 unless you’re in Mac-world or need very high-end specs.

    Or run important things on a “virtual machine” on your primary machine—and backup + wipe the virtual machine file when needed.

    1. oho

      FYI—“wiping” your computer hard drive leaves tell-tale traces that it was wiped, i.e. your hard drive is noticeably randomized.

      And of course “people with nothing to hide wouldn’t wipe their drives”. (sarcasm)
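The comment above says a random-overwrite wipe is visible on the drive. As an added example (not part of the original thread), this sketch measures per-block byte entropy to show how a forensic triage tool could tell a uniformly random disk from one in ordinary use; the block size, the threshold and the sample images are assumptions constructed for illustration.

```python
import math
import random
from collections import Counter

BLOCK = 4096        # assumed scan granularity in bytes
RANDOM_BITS = 7.9   # assumed threshold in bits per byte (maximum is 8.0)

def shannon_entropy(block: bytes) -> float:
    """Entropy of the byte distribution in one block, in bits per byte."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def classify_block(block: bytes) -> str:
    """Label a block as a constant fill, random-looking, or structured data."""
    if len(set(block)) == 1:
        return "fill"  # e.g. all 0x00 after a zero wipe or on unused space
    return "random" if shannon_entropy(block) > RANDOM_BITS else "structured"

def profile(image: bytes) -> dict:
    """Fraction of blocks in each class across the whole image."""
    if not image:
        raise ValueError("empty image")
    counts = Counter(classify_block(image[i:i + BLOCK])
                     for i in range(0, len(image), BLOCK))
    total = sum(counts.values())
    return {k: counts.get(k, 0) / total for k in ("fill", "random", "structured")}

def verdict(image: bytes) -> str:
    """Coarse triage label for the image."""
    p = profile(image)
    if p["random"] >= 0.95:
        # Random overwrite and full-disk encryption both land here;
        # entropy alone cannot tell them apart.
        return "uniform-random"
    if p["fill"] >= 0.95:
        return "uniform-fill"  # zero wipe or a never-used drive
    return "mixed"             # ordinary in-use filesystem

def constructed_samples() -> dict:
    """Small constructed images standing in for real disks."""
    rng = random.Random(2017)  # fixed seed so the example is repeatable
    rand = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    line = b"2017-03-28 meeting notes: budget review, travel plan, contacts\n"
    text = (line * 100)[:BLOCK]
    return {
        # 40 blocks of text, 20 unused blocks, 4 blocks of compressed-looking data
        "in_use": text * 40 + bytes(BLOCK * 20) + rand(BLOCK * 4),
        "random_wipe": rand(BLOCK * 64),
        "zero_wipe": bytes(BLOCK * 64),
    }

if __name__ == "__main__":
    for name, image in constructed_samples().items():
        print(f"{name:12s} {verdict(image):15s} {profile(image)}")
```
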

    2. oho

      i’d recommend a cheap expendable backup computer for other reasons too

      —-as i’m more confident of my skills at avoiding getting my laptop bag stolen in Anytown USA than Paris or on a train in Italy—lots of organized petty crime in Europe. just sayin.

    3. Mark P.

      ‘buy a backup computer to take across the border from goodwill/ebay.’

      Yep. You can buy perfectly decent refurbished laptops that’ll last for years for well under $200 — I have a half-dozen of them at this point — unless you want 17 inch screens like the HP Pavilion series and those cost about $320 refurbed.

  10. Anonymoe Joe

    As additional reading on the topic, the Electronic Frontier Foundation has a 50-page “Whitepaper” report with 117 footnotes, dated 08 March 2017, as an online article and as a downloadable PDF, entitled “Digital Privacy at the U.S. Border: Protecting the Data On Your Devices and In the Cloud”. There is a three-page executive summary of the three report sections, which are
    PART 1: DIGITAL PRIVACY GUIDE FOR TRAVELERS
    PART 2: CONSTITUTIONAL RIGHTS, GOVERNMENT POLICIES, AND PRIVACY AT THE BORDER
    PART 3: THE TECHNOLOGY OF PRIVACY PROTECTION

    1. bob

      The EFF is hopelessly conflicted. Google is their largest “donor”. Put more accurately, the EFF is a marketing arm of google, burnishing the brand, while google works with the ISP’s to remove any privacy you might have-

      For those who keep asking, the Google FCC letter in which they supported ISPs in exposing your browsing history.

      https://ecfsapi.fcc.gov/file/100319291940/2016-10-03%20Google%20Letter%20(WC%2016-106).pdf

      https://twitter.com/matthewstoller/status/847579430041997312

      “Yes, Google supports letting ISPs get access to all your data. #DontDoEvil”

  11. My Password is Go_Fuck_Yourself

    For the next hero who goes to the mat at the border, the police state’s weakness is not its Soviet-style US municipal law, which permits anything, including torture, but the ICCPR, in particular, Article 17. Suspicionless searches at the border are arbitrary, unnecessary, disproportionate, and demonstrably discriminatory in application. The interpretive principles governing treaty party compliance are here:

    http://hrlibrary.umn.edu/gencomm/hrcom16.htm

    When you cross the border a US-trained attorney will likely knuckle under, leaving you in the lurch. You need support from an NGO that has consultative status with treaty and charter bodies. Even the apple-polishers of the ACLU do this now.

    Forget US courts. US judges are picked and bought or blackmailed to reflexively permit state privacy interference. They’re also operant-conditioned to reflexively deny the supreme-law status of privacy rights with little slogans that they’re taught in law school. You have to go over the government’s head to the HRC, the Human Rights Council, and the IACHR, which can demand an explanation for US bad faith in breach of the peremptory norm pacta sunt servanda. Your surest vindication is US national disgrace in the world’s most public forum.

    1. oh

      I’d like to see them download data from that dumb phone or plant a virus into it. Of course the finest of ICE wouldn’t recognize a dumb phone even if it bit’em in the ass!

      It’s all for show anyway. They got people excited about this issue when they’re picking your pocket somewhere else.

  12. John Parks

    I keep a LOT of files of different reference materials for work on 3T “Passport” but nothing that would be of any interest to anyone outside my minuscule field. Do these storage devices have any possibility of having any trojans/viruses planted on them?

    My thought was to just take the storage device into Canada when visiting relatives but if that is a bad idea I would like to know about it, untechie that I am. I suppose I should probably get a backup to my backup and erase everything on anything that is touched by border investigators.

      1. John Parks

        OH! Thank you. I am fortunate that I can upload all my literature to our server that I can access through FTP but it is just not as convenient.

        My phone is so dumb that I don’t worry about it. My wife calls it Smoke Signals 2.0

    1. fajensen

      Yup. See, http://spritesmods.com/?art=hddhack – a HDD firmware update that creates an account on a server using the HDD if a special line is written to a log file or something.

      Very neat work. The TLA’s can certainly do the same thing and make an easy toolkit that anyone can use at the border inspection.

  13. lyle

    This discussion is interesting in the light of the ban on electronic devices larger than a cell phone on flights to the US and UK from specific airports. If the terrorists have demonstrated an ability to make electronic devices into bombs then the issue of carrying electronic devices becomes more complex. On cell phones I might go a step further and suggest a dumb cell phone, and don’t populate the contact list. Further consider the number of cases where laptops got stolen and they contained information about people that have happened. All an argument for companies to require only remote terminal access to their infrastructure.
    But let’s step back a second: what happens with an address/date book at the border? Is it searched, albeit with time limits given to immigration there would have to be some suspicion to spend an hour or two searching it.

  14. JustAnObserver

    Sadly, depressingly, the only real solution is: Don’t cross a US border unless:

    1. For work or academic reasons. Minimize this by using the web as much as possible for such interactions e.g. WebEx.

    2. To visit family and friends (*). Even then if you/they can afford it they should come to you.

    This implies, of course, no tourism so that trip to SXSW will just have to go on hold this year, and the next, …

    (*) Even here only the closest friends apply.

    1. Yves Smith Post author

      This is incorrect in that it treats confiscation for further inspection as equivalent to permanent loss. Rather discredits the piece. They do send the devices back after taking them for further inspection, although it can take quite a while.

      The article is tantamount to “Submit, you have no choice” and I don’t accept that.

      Another option not discussed for those who carry laptops is removing the hard disk and sending it back separately or just tossing it if you did a backup right before you left the US (which you should do anyhow) and then copied it back to another HD. But that is a hassle too.

      1. bob

        He’s a bit of a wildcard. The gruqq sometimes gives good advice, but then also gives horrible advice/opinions in other instances.

        His level of understanding may be higher than 99% of people out there, I don’t question that. I question his motives, and recommendations.

  15. George Phillies

    The basic issue is that the chief threat to the survival of the United States is its own national (in)security agencies. It’s not obvious that the problem can be fixed.

  16. bob

    Rule of thumb-

    As soon as you use any “tech”, you’re already under surveillance. You’re up against state level actors with unlimited resources, some already deployed into the tech you are using.

    If you are that worried about “the gov” getting it, don’t get it anywhere near any “tech”.

    I can’t think of any situation where tips like this are of any use. I applaud the effort of the author, but it’s all marketing and vaporware. Security, personal security of “tech”, doesn’t exist.

    You’re just going to end up making more trouble for yourself, without helping the security of your person, or data.

    1. H. Alexander Ivey

      If I may refine that argument a bit:

      First, I would say any “tech” really means any digital information. And digital information is inherently less easy to secure than analogue information. From what I can see, there are only two ways to secure digital information (in this case, to keep your private information, private). One, the digital information is stored on a device (computer, laptop, tablet, smart phone) that is not connected to any network of any kind. Then it is accessible only to those who can physically access the device. Two, if the information is on a private device (your personal computer, laptop, tablet, etc.) you password protect or lock either the software that accesses the information (like having a password on your computer or tablet) or encrypting the information itself and using a password to access the data.

      If the information is on a public device or a device that you don’t own (as is the case for social media or email), then that information should not be thought of as private, accessible only to you and those you allow. It isn’t. That data is open to any and all actors, not just you. And so you shouldn’t think that social media information or email information, for example, is securable by you.

      So that’s it. Digital information that you can truly control, is on a device that you fully control. And if it is not on a device that you control, don’t consider the information secure at all.

      So I think the argument really is what digital information should be stored where. The individual will have to choose. For me, on a recent trip to the States, I chose to leave my laptop with private information in my office (didn’t bring it with me), in effect, leaving my digital information off line. But I brought my tablet with me, since I don’t have information on my tablet that I wish to remain private. And as for social media information and passwords? Well, I’m an old fuddy, my social media footprint is almost zero. So no big deal there. But as for my email account – there I am vulnerable. So while I ‘delete’ my email from the gmail & hotmail servers, I’m not so naive as to think that information is truly gone. Messrs Gates and Clapper can access my email still, I’m sure.

      1. bob

        ” Digital information that you can truly control, is on a device that you fully control.”

        Name one. Just one. I don’t think it exists. There’s lots written about this hypothetical device, but no real world example of it.

        And even if it fits your test case when it’s invented, there’s nothing that limits the pace of attacks into the future. History tells us that someone will find a window, if they can’t come through the front, or back.

        IMO, in all these lectures about data security, from google for example, they always emphasize the back and side doors. The intel state doesn’t have to go through the side door when they can show up at the front door with cash, and get much better results. They just have to stand in line with the rest of the people trying to buy your data from google.

        18 layers for encryption defeated by one well placed snitch, subpoena, or bribe.

  17. Rhondda

    Good God. How have we come to this?
    I despair for our nation. They have us by the throat and we do nothing.

  18. jfleni

    Use a cheapie smartphone =$60. On return, take out and discard all sim cards and visible batteries; leave in taxi or airport seat. Police/spies will get it eventually. Good luck to them.

    To really mess with their tiny minds, visit BUCK-NAKED friendship society (or similar); leave photos on phone.

  19. mark ó dochartaigh

    I’m just an RN and until they come for us gays (which may not be that long) I have nothing to hide. Of course I understand the horrific implications of an authoritarian state which will do anything to maintain total control over everyone not in the elite. It appears to me that this fight can never be truly won on an asymmetrical technological battlefield. The authoritarian state controls not only the legislatures and courts that make the rules and the agencies that enforce the rules; but also either develops the technology that enables skirting of the rules or can hack into the systems of those who would design technology to skirt the rules. It seems to me that this battle can only be won politically, and we are just about out of time for a political solution.

    1. RMO

      “I have nothing to hide” If someone in the security apparatus wants to get you (or use you), I’m sure that won’t cause them too much difficulty.

      I’m crossing the border for this year’s solar eclipse. I’m leaving my laptop and Android phone at home for the trip.

      1. Mark Ó Dochartaigh

        Certainly true. When I was growing up in Texas, I heard over and over “If the police want to, they can find grounds to arrest anyone at anytime”. The authoritarian type personality usually thinks that this is a good thing. Of course just because a person is not in a persecuted class at the moment is no excuse for that person not to fight for “liberty and justice for all” at all times.

  20. jk47

    i have hipaa protected information on my laptop. it is illegal for me to reveal it except with either 1. the explicit written permission of several thousand individuals, or 2. a court order.

    any thoughts on how this would play out?

    1. flora

      Consider physically segregating sensitive information like hipaa, VA, Soc. Security records, anything that could be used for identity theft or other sensitive information. In general, do not put such data on a laptop. If you need these files for home or mobile work download the data onto a fast, strongly encrypted, USB thumb drive (flash drive). Too many laptops are stolen.

      I’m not recommending this brand necessarily. Just putting up this link as examples of the kind of encrypted thumb drives available.
      http://www.kingston.com/us/usb/encrypted_security

      1. jk47

        i use true crypt for the folders with the confidential info, and have a newer laptop as backup which uses whole-drive encryption.

        my question was more about the legal issues. if i were stopped and told to unencrypt my folders/drive i MUST refuse under the hipaa law, barring a court order.

        i’ve considered using an encrypted thumb drive, and went so far as to buy a kingston. however, i’m more worried about losing the usb drive than having my laptop stolen. i’ve been using a laptop for work since 1992 and have yet to lose one.

  21. ewmayer

    All of the oh-so-clever schemes described for protecting your stuff from the government 4th-amendment disregarders would seem to have major flaws which the border Nazis could easily work around:

    [1] Back your stuff up to the cloud: If they can force you to give your device password, why would they not be able to do same for your cloud password? Clearly, you are shifting data to the cloud in order to evade a [*cough*] legal border search, so you’ve just given them even more reason to be suspicious of you. That’s not to mention various clouds having their own data protection issues.

    [2] Encrypt your stuff and have a trusted friend define the passphrase: So when the border Nazis ask you who has the passphrase and refuse to let you go until you contact that person to get it, what do you do?

    I’m afraid the only genuine recourse against this tyranny is to rise up against it en masse and abolish it. But as long as most people fall for the “we are doing this to keep you safe” BS, they will continue to elect governments which engage in ever-more-Orwellian versions of this Stasi-style Ausspionierung.
