[ISN] Clarity Sought on Electronics Searches

From: InfoSec News (alerts@private)
Date: Thu Feb 07 2008 - 23:40:02 PST


http://www.washingtonpost.com/wp-dyn/content/article/2008/02/06/AR2008020604763.html

By Ellen Nakashima
Washington Post Staff Writer
February 7, 2008

Nabila Mango, a therapist and a U.S. citizen who has lived in the 
country since 1965, had just flown in from Jordan last December when, 
she said, she was detained at customs and her cellphone was taken from 
her purse. Her daughter, waiting outside San Francisco International 
Airport, tried repeatedly to call her during the hour and a half she was 
questioned. But after her phone was returned, Mango saw that records of 
her daughter's calls had been erased.

A few months earlier in the same airport, a tech engineer returning from 
a business trip to London objected when a federal agent asked him to 
type his password into his laptop computer. "This laptop doesn't belong 
to me," he remembers protesting. "It belongs to my company." Eventually, 
he agreed to log on and stood by as the officer copied the Web sites he 
had visited, said the engineer, a U.S. citizen who spoke on the 
condition of anonymity for fear of calling attention to himself.

Maria Udy, a marketing executive with a global travel management firm in 
Bethesda, said her company laptop was seized by a federal agent as she 
was flying from Dulles International Airport to London in December 2006. 
Udy, a British citizen, said the agent told her he had "a security 
concern" with her. "I was basically given the option of handing over my 
laptop or not getting on that flight," she said.

The seizure of electronics at U.S. borders has prompted protests from 
travelers who say they now weigh the risk of traveling with sensitive or 
personal information on their laptops, cameras or cellphones. In some 
cases, companies have altered their policies to require employees to 
safeguard corporate secrets by clearing laptop hard drives before 
international travel.

Today, the Electronic Frontier Foundation and Asian Law Caucus, two 
civil liberties groups in San Francisco, plan to file a lawsuit to force 
the government to disclose its policies on border searches, including 
which rules govern the seizing and copying of the contents of electronic 
devices. They also want to know the boundaries for asking travelers 
about their political views, religious practices and other activities 
potentially protected by the First Amendment. The question of whether 
border agents have a right to search electronic devices at all without 
suspicion of a crime is already under review in the federal courts.

The lawsuit was inspired by two dozen cases, 15 of which involved 
searches of cellphones, laptops, MP3 players and other electronics. 
Almost all involved travelers of Muslim, Middle Eastern or South Asian 
background, many of whom, including Mango and the tech engineer, said 
they are concerned they were singled out because of racial or religious 
profiling.

A U.S. Customs and Border Protection spokeswoman, Lynn Hollinger, said 
officers do not engage in racial profiling "in any way, shape or form." 
She said that "it is not CBP's intent to subject travelers to 
unwarranted scrutiny" and that a laptop may be seized if it contains 
information possibly tied to terrorism, narcotics smuggling, child 
pornography or other criminal activity.

The reason for a search is not always made clear. The Association of 
Corporate Travel Executives, which represents 2,500 business executives 
in the United States and abroad, said it has tracked complaints from 
several members, including Udy, whose laptops have been seized and their 
contents copied before usually being returned days later, said Susan 
Gurley, executive director of ACTE. Gurley said none of the travelers 
who have complained to the ACTE raised concerns about racial or ethnic 
profiling. Gurley said none of the travelers were charged with a crime.

"I was assured that my laptop would be given back to me in 10 or 15 
days," said Udy, who continues to fly into and out of the United States. 
She said the federal agent copied her log-on and password, and asked her 
to show him a recent document and how she gains access to Microsoft 
Word. She was asked to pull up her e-mail but could not because of lack 
of Internet access. With ACTE's help, she pressed for relief. More than 
a year later, Udy has received neither her laptop nor an explanation.

ACTE last year filed a Freedom of Information Act request to press the 
government for information on what happens to data seized from laptops 
and other electronic devices. "Is it destroyed right then and there if 
the person is in fact just a regular business traveler?" Gurley asked. 
"People are quite concerned. They don't want proprietary business 
information floating, not knowing where it has landed or where it is 
going. It increases the anxiety level."

Udy has changed all her work passwords and no longer banks online. Her 
company, Radius, has tightened its data policies so that traveling 
employees must access company information remotely via an encrypted 
channel, and their laptops must contain no company information.

At least two major global corporations, one American and one Dutch, have 
told their executives not to carry confidential business material on 
laptops on overseas trips, Gurley said. In Canada, one law firm has 
instructed its lawyers to travel to the United States with "blank 
laptops" whose hard drives contain no data. "We just access our 
information through the Internet," said Lou Brzezinski, a partner at 
Blaney McMurtry, a major Toronto law firm. That approach also holds 
risks, but "those are hacking risks as opposed to search risks," he 
said.

The U.S. government has argued in a pending court case that its 
authority to protect the country's border extends to looking at 
information stored in electronic devices such as laptops without any 
suspicion of a crime. In border searches, it regards a laptop the same 
as a suitcase.

"It should not matter . . . whether documents and pictures are kept in 
'hard copy' form in an executive's briefcase or stored digitally in a 
computer. The authority of customs officials to search the former should 
extend equally to searches of the latter," the government argued in the 
child pornography case being heard by a three-judge panel of the Court 
of Appeals for the 9th Circuit in San Francisco.

As more and more people travel with laptops, BlackBerrys and cellphones, 
the government's laptop-equals-suitcase position is raising red flags.

"It's one thing to say it's reasonable for government agents to open 
your luggage," said David D. Cole, a law professor at Georgetown 
University. "It's another thing to say it's reasonable for them to read 
your mind and everything you have thought over the last year. What a 
laptop records is as personal as a diary but much more extensive. It 
records every Web site you have searched. Every e-mail you have sent. 
It's as if you're crossing the border with your home in your suitcase."

If the government's position on searches of electronic files is upheld, 
new risks will confront anyone who crosses the border with a laptop or 
other device, said Mark Rasch, a technology security expert with FTI 
Consulting and a former federal prosecutor. "Your kid can be arrested 
because they can't prove the songs they downloaded to their iPod were 
legally downloaded," he said. "Lawyers run the risk of exposing 
sensitive information about their client. Trade secrets can be exposed 
to customs agents with no limit on what they can do with it. Journalists 
can expose sources, all because they have the audacity to cross an 
invisible line."

Hollinger said customs officers "are trained to protect confidential 
information."

Shirin Sinnar, a staff attorney with the Asian Law Caucus, said that by 
scrutinizing the Web sites people search and the phone numbers they've 
stored on their cellphones, "the government is going well beyond its 
traditional role of looking for contraband and really is looking into 
the content of people's thoughts and ideas and their lawful political 
activities."

If conducted inside the country, such searches would require a warrant 
and probable cause, legal experts said.

Customs sometimes singles out passengers for extensive questioning and 
searches based on "information from various systems and specific 
techniques for selecting passengers," including the Interagency Border 
Inspection System, according to a statement on the CBP Web site. "CBP 
officers may, unfortunately, inconvenience law-abiding citizens in order 
to detect those involved in illicit activities," the statement said. But 
the factors agents use to single out passengers are not transparent, and 
travelers generally have little access to the data to see whether there 
are errors.

Although Customs said it does not profile by race or ethnicity, an 
officers' training guide states that "it is permissible and indeed 
advisable to consider an individual's connections to countries that are 
associated with significant terrorist activity."

"What's the difference between that and targeting people because they 
are Arab or Muslim?" Cole said, noting that the countries the government 
focuses on are generally predominantly Arab or Muslim.

It is the lack of clarity about the rules that has confounded travelers 
and raised concerns from groups such as the Asian Law Caucus, which said 
that as a result, their lawyers cannot fully advise people how they may 
exercise their rights during a border search. The lawsuit says a Freedom 
of Information Act request was filed with Customs last fall but that no 
information has been received.

Kamran Habib, a software engineer with Cisco Systems, has had his laptop 
and cellphone searched three times in the past year. Once, in San 
Francisco, an officer "went through every number and text message on my 
cellphone and took out my SIM card in the back," said Habib, a permanent 
U.S. resident. "So now, every time I travel, I basically clean out my 
phone. It's better for me to keep my colleagues and friends safe than to 
get them on the list as well."

Udy's company, Radius, organizes business trips for 100,000 travelers a 
day, from companies around the world. She says her firm supports strong 
security measures. "Where we get angry is when we don't know what 
they're for."

Staff researcher Richard Drezen contributed to this report.

Copyright 2008 The Washington Post Company


___________________________________________________      
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn 



This archive was generated by hypermail 2.1.3 : Thu Feb 07 2008 - 23:57:02 PST