[ISN] Protecting Yourself From Suspicionless Searches While Traveling

From: InfoSec News (alerts@private)
Date: Tue May 06 2008 - 01:36:35 PDT


Posted by Jennifer Granick
May 1st, 2008

The Ninth Circuit's recent ruling [1] (pdf) in United States v. Arnold 
[2] allows border patrol agents to search your laptop or other digital 
device without limitation when you are entering the country. EFF and 
many civil liberties, travelers’ rights, immigration advocacy and 
professional organizations are concerned that unfettered laptop searches 
endanger trade secrets, attorney-client communications, and other 
private information. These groups have signed a letter asking Congress 
to hold hearings to find out what protocol, if any, Customs and Border 
Protection (CBP) follows in searching digital devices and copying, 
storing and using travelers’ data. The letter also asks Congress to pass 
legislation protecting travelers’ laptops and smart phones from 
unlimited government scrutiny.

If privacy at the border is important to you, contact Congress now and 
ask them to take action! [3]

In the meantime, how can international travelers protect themselves at 
the U.S. border, short of leaving their laptops and iPhones at home?

Many travelers practice security through obscurity. They simply hope 
that no border agent will rummage through their private data. Too many 
people enter the country each day for agents to thoroughly search every 
device that crosses the border, and there is too much information stored 
on most devices for agents to find the most revealing and confidential 
tidbits. But for travelers who may be targeted based on their celebrity, 
race or other distinguishing factor, obscurity is not an option. Last 
week's news that Microsoft is giving away forensic tools on a USB “thumb 
drive” that can quickly search an entire hard drive shows that it 
won't be long before customs agents can efficiently perform a thorough 
search on every machine. So long as there are no protocols or oversight 
for these searches, every traveler's personal information is at risk.

Encryption is one (imperfect) answer.

If you encrypt your hard drive with strong crypto, it will be 
prohibitively expensive for CBP to access your confidential information. 
This answer is imperfect for two reasons—one is practical, the other is 

Practically, the government has not disclosed CBP's laptop search 
practices, despite our Freedom of Information Act lawsuit for these 
documents. We don't know what a border patrol agent will do when 
confronted with an encrypted machine. One possibility is that the agent 
will simply give up and let the traveler pass with her belongings. Other 
possibilities are that the agent will turn the traveler and her machine 
away at the border, or that he will seize the laptop and allow the 
traveler to continue on. I suspect that on most occasions, CBP agents 
confronted with encrypted or password-protected data tell the owner to 
enter the password or get turned away, and the owner, eager to continue 
her voyage or to return home, simply complies.

If you don't want to comply, CBP cannot force you to decrypt your data 
or give over your password. Only a judge can force you to answer 
questions, and then only if the Fifth Amendment does not apply. While no 
Fifth Amendment right protects the data on your laptop or phone, one 
federal court has held that even a judge cannot force you to divulge 
your password when the act of revealing the password shows that you are 
the person with access to or control over potentially incriminating 
files. See In re Boucher, 2007 WL 4246473 (D. Vt. November 29, 2007).

If, however, you don't respond to CBP’s demands, the agency does have 
the authority to search, detain, and even prohibit you from entering the 
country. CBP has more authority to turn non-citizens away than it does to 
exclude U.S. persons from entering the country, but we don't know how 
the agents are allowed to use this authority to execute searches or get 
access to password protected information. CBP also has the authority to 
seize your property at the border. Agents cannot seize anything they 
like (for example, your wedding ring), but we do not know what standards 
agents are told to follow to determine whether they can and should take 
your laptop but let you by.

Technologically, encryption is imperfect because even strong crypto can 
be cracked when someone obtains the keys. Border agents can demand the 
keys from travelers unwilling to face seizure or detention. Agents may 
also be able to extract and use keys that are stored on the machine 
itself. Generally, if you keep your keys with the laptop, in your head 
or on your disk, then the encryption is easier to socially engineer or 
break than if you keep the keys elsewhere. (Discussion of what 
encryption techniques to use or avoid is beyond the scope of this post.)

Encryption aside, there may be other ways you can show CBP that your 
laptop is indeed a normal computer and that you mean no harm while 
keeping confidential information from prying eyes. Most operating 
systems let users create multiple accounts on a single machine. A 
traveler could allow CBP to examine his own account, while storing 
client data or trade secrets in a separate account “owned” by his law 
firm or corporation. Under typical border search circumstances, this 
might satisfy CBP concerns. However, simply storing information in a 
different account—even one protected by a password—is not the same as 
encrypting it. If CBP is interested, the most commonly used forensic 
search tools can access and search non-encrypted data in every account 
on the machine.

Law firms, corporations and other entities that routinely deal with 
confidential information are handing their business travelers 
forensically clean laptops loaded with only what the traveler needs for 
that particular business trip. Leaving unnecessary data, like five years 
of email, behind may be the best thing. Of course, if trade secrets or 
client information are the reason for the trip, this plan will not help.

Another option is to bring a clean laptop and get the information you 
need over the internet once you arrive at your destination, send your 
work product back, and then delete the data before returning to the 
United States. Historically, the Foreign Intelligence Surveillance Act 
(FISA) generally prohibited warrantless interception of this information 
exchange. However, the Protect America Act amended FISA so that 
surveillance of people reasonably believed to be located outside the 
United States no longer requires a warrant. Your email or telnet session 
can now be intercepted without a warrant. If all you are concerned about 
is keeping border agents from rummaging through your revealing vacation 
photos, you may not care. If you are dealing with trade secrets or 
confidential client data, an encrypted VPN is a better solution.

Finally, however useful these techniques might be to protect laptops, 
travelers do not have this array of options for protecting data stored 
on less configurable smart phones. Of course, many phones do have a lock 
or password protection option, which travelers might consider enabling 
before heading to the airport.

In sum, while you must submit yourself and your electronic devices to 
warrantless and suspicionless searches at the border, you are not 
legally obligated to decrypt information or reveal passwords. However, 
if you fail to do so, the border agents may detain or search you, or 
even seize the device. There are no options that provide perfect privacy 
protection, but there are some options that reduce the likelihood that a 
legitimate international traveler's confidential information will be 
subjected to arbitrary and capricious examination.

Example Security Precaution

Attorney Alice needs to have confidential attorney-client privileged 
information overseas. Before departure, she removes unnecessary 
information, encrypts her hard drive with strong crypto and sets up a 
login for a protected account and a travel account on her computer. To 
access the confidential data, one would need to first log in to the 
protected account, and then open the encrypted files. Only Alice’s 
employer (The Law Offices of Bob) knows the passwords to the account and 
encrypted data, and keeps them secret until Alice arrives at her 
destination. Bob then sends the passwords to Alice in an encrypted email 
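
The key-custody split in the Alice and Bob precaution, sketched as an added example that is not part of the original post. It assumes file-level encryption with the OpenSSL command-line tool (one illustrative choice; the post does not recommend a technique), and the function names, paths and sample memo are hypothetical.

```shell
#!/bin/sh
# Added illustration; function names and paths are hypothetical.
set -eu

# Bob (office): random passphrase that Alice never sees before she travels.
bob_new_passphrase() {                 # $1 = passphrase file kept at the office
    ( umask 077; openssl rand -base64 32 > "$1" )
}

# Bob: encrypt the client file and print the ciphertext's SHA-256.
# Only the ciphertext goes on the laptop; passphrase and digest stay with Bob.
bob_seal() {                           # $1 plaintext  $2 ciphertext  $3 passphrase file
    openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
        -in "$1" -out "$2" -pass "file:$3"
    openssl dgst -sha256 -r "$2" | cut -d' ' -f1
}

# Alice (destination): refuse to decrypt if the ciphertext changed while the
# laptop was out of her hands, then decrypt with the passphrase Bob sent.
alice_open() {                         # $1 ciphertext  $2 output  $3 passphrase file  $4 digest
    actual=$(openssl dgst -sha256 -r "$1" | cut -d' ' -f1)
    if [ "$actual" != "$4" ]; then
        echo "ciphertext differs from what Bob sealed; not decrypting" >&2
        return 1
    fi
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
        -in "$1" -out "$2" -pass "file:$3"
}

# Constructed demo: two directories stand in for Bob's office and Alice's laptop.
work=$(mktemp -d); mkdir "$work/office" "$work/laptop"
printf 'constructed sample: privileged client memo\n' > "$work/office/memo.txt"
bob_new_passphrase "$work/office/memo.pass"
digest=$(bob_seal "$work/office/memo.txt" "$work/laptop/memo.enc" "$work/office/memo.pass")
ls "$work/laptop"                      # what crosses the border
# After arrival Bob sends memo.pass and the digest; here they are read in place.
alice_open "$work/laptop/memo.enc" "$work/laptop/memo.txt" \
    "$work/office/memo.pass" "$digest"
rm -rf "$work"
```

The digest is kept off the laptop because `openssl enc` with AES-CBC does not authenticate the ciphertext, so a file altered while the device was out of Alice's custody would otherwise go unnoticed.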

Related Issues: Privacy, Travel Screening
Related Cases: US v. Arnold

[1] http://preview.tinyurl.com/3nsffc
[2] http://www.eff.org/cases/us-v-arnold
[3] http://www.eff.org/action/bordersearch


This archive was generated by hypermail 2.1.3 : Tue May 06 2008 - 01:47:47 PDT