[Infowarrior] - EFF Guidance on Border Laptop Protection

Richard Forno rforno at infowarrior.org
Fri May 2 01:55:46 UTC 2008


May 1st, 2008
Protecting Yourself From Suspicionless Searches While Traveling
Posted by Jennifer Granick

http://www.eff.org/deeplinks/2008/05/protecting-yourself-suspicionless-searches-while-t

The Ninth Circuit's recent ruling (pdf) in United States v. Arnold allows
border patrol agents to search your laptop or other digital device without
limitation when you are entering the country. EFF and many civil liberties,
travelers' rights, immigration advocacy and professional organizations are
concerned that unfettered laptop searches endanger trade secrets,
attorney-client communications, and other private information. These groups
have signed a letter asking Congress to hold hearings to find out what
protocol, if any, Customs and Border Protection (CBP) follows in searching
digital devices and copying, storing and using travelers' data. The letter
also asks Congress to pass legislation protecting travelers' laptops and
smart phones from unlimited government scrutiny.

If privacy at the border is important to you, contact Congress now and ask
them to take action!

In the meantime, how can international travelers protect themselves at the
U.S. border, short of leaving their laptops and iPhones at home?

Many travelers practice security through obscurity. They simply hope that no
border agent will rummage through their private data. Too many people enter
the country each day for agents to thoroughly search every device that
crosses the border, and there is too much information stored on most devices
for agents to find the most revealing and confidential tidbits. But for
travelers who may be targeted based on their celebrity, race or other
distinguishing factor, obscurity is not an option. As last week's news that
Microsoft is giving away forensic tools that can quickly search an entire
hard drive on a USB "thumb drive" shows, it won't be long before customs
agents can efficiently perform a thorough search on every machine. So long
as there are no protocols or oversight for these searches, every traveler's
personal information is at risk.

Encryption is one (imperfect) answer.

If you encrypt your hard drive with strong crypto, it will be prohibitively
expensive for CBP to access your confidential information. This answer is
imperfect for two reasons--one is practical, the other is technological.

Practically, the government has not disclosed CBP's laptop search practices,
despite our Freedom of Information Act lawsuit for these documents. We don't
know what a border patrol agent will do when confronted with an encrypted
machine. One possibility is that the agent will simply give up and let the
traveler pass with her belongings. Other possibilities are that the agent
will turn the traveler and her machine away at the border, or that he will
seize the laptop and allow the traveler to continue on. I suspect that on
most occasions, CBP agents confronted with encrypted or password-protected
data tell the owner to enter the password or get turned away, and the owner,
eager to continue her voyage or to return home, simply complies.

If you don't want to comply, CBP cannot force you to decrypt your data or
give over your password. Only a judge can force you to answer questions, and
then only if the Fifth Amendment does not apply. While no Fifth Amendment
right protects the data on your laptop or phone, one federal court has held
that even a judge cannot force you to divulge your password when the act of
revealing the password shows that you are the person with access to or
control over potentially incriminating files. See In re Boucher, 2007 WL
4246473 (D. Vt. November 29, 2007).

If, however, you don't respond to CBP's demands, the agency does have the
authority to search, detain, and even prohibit you from entering the country.
CBP has more authority to turn non-citizens away than it does to exclude
U.S. persons from entering the country, but we don't know how the agents are
allowed to use this authority to execute searches or get access to password
protected information. CBP also has the authority to seize your property at
the border. Agents cannot seize anything they like (for example, your
wedding ring), but we do not know what standards agents are told to follow
to determine whether they can and should take your laptop but let you by.

Technologically, encryption is imperfect because even strong crypto can be
cracked when someone obtains the keys. Border agents can demand the keys
from travelers unwilling to face seizure or detention. Agents may also be
able to extract and use keys that are stored on the machine itself.
Generally, if you keep your keys with the laptop, in your head or on your
disk, then the encryption is easier to socially engineer or break than if
you keep the keys elsewhere. (Discussion of what encryption techniques to
use or avoid is beyond the scope of this post.)

Encryption aside, there may be other ways you can show CBP that your laptop
is indeed a normal computer and that you mean no harm while keeping
confidential information from prying eyes. Most operating systems let users
create multiple accounts on a single machine. A traveler could allow CBP
to examine his own account, while storing client data or trade secrets in a
separate account "owned" by his law firm or corporation. Under typical
border search circumstances, this might satisfy CBP concerns. However,
simply storing information in a different account--even one protected by a
password--is not the same as encrypting it. If CBP is interested, the most
commonly used forensic search tools can access and search non-encrypted data
in every account on the machine.

Law firms, corporations and other entities that routinely deal with
confidential information are handing their business travelers forensically
clean laptops loaded with only what the traveler needs for that particular
business trip. Leaving unnecessary data, like five years of email, behind
may be the best thing. Of course, if trade secrets or client information are
the reason for the trip, this plan will not help.

Another option is to bring a clean laptop and get the information you need
over the internet once you arrive at your destination, send your work
product back, and then delete the data before returning to the United
States. Historically, the Foreign Intelligence Surveillance Act (FISA)
generally prohibited warrantless interception of this information exchange.
However, the Protect America Act amended FISA so that surveillance of people
reasonably believed to be located outside the United States no longer
requires a warrant. Your email or telnet session can now be intercepted
without a warrant. If all you are concerned about is keeping border agents
from rummaging through your revealing vacation photos, you may not care. If
you are dealing with trade secrets or confidential client data, an encrypted
VPN is a better solution.

Finally, however useful these techniques might be to protect laptops,
travelers do not have this array of options for protecting data stored on
less configurable smart phones. Of course, many phones do have a lock or
password protection option, which travelers might consider enabling before
heading to the airport.

In sum, while you must submit yourself and your electronic devices to
warrantless and suspicionless searches at the border, you are not legally
obligated to decrypt information or reveal passwords. However, if you fail
to do so, the border agents may detain or search you, or even seize the
device. There are no options that provide perfect privacy protection, but
there are some options that reduce the likelihood that a legitimate
international traveler's confidential information will be subjected to
arbitrary and capricious examination.

Example Security Precaution

Attorney Alice needs to have confidential attorney-client privileged
information overseas. Before departure, she removes unnecessary information,
encrypts her hard drive with strong crypto and sets up a login for a
protected account and a travel account on her computer. To access the
confidential data, one would need to first login to the protected account,
and then open the encrypted files. Only Alice's employer (The Law Offices of
Bob) knows the passwords to the account and encrypted data, and keeps them
secret until Alice arrives at her destination. Bob then sends the passwords
to Alice in an encrypted email message.
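
Added example (not part of the EFF post or of the original message): a
pre-departure check for the points above that a separate, password-protected
account is not encryption and that a travel laptop should carry only what the
trip needs. It walks a directory tree ignoring permission bits, as an offline
tool would, and reports files that still look like plaintext; the 7.5
bits-per-byte threshold, the paths and the sample files are assumptions
constructed for the illustration.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Assumed threshold: ciphertext sits near 8 bits of entropy per byte, while
# text, mail stores and most documents fall well below it.
ENTROPY_THRESHOLD = 7.5
SAMPLE_BYTES = 64 * 1024

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (0.0 for empty input)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())

def audit_tree(root, allowlist=frozenset()):
    """List (path, entropy) for files an offline scan could read as plaintext.
    Permission bits are ignored, as they are by a tool reading the raw disk."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        rel = path.relative_to(root).as_posix()
        if not path.is_file() or rel in allowlist:
            continue
        with path.open("rb") as fh:
            entropy = shannon_entropy(fh.read(SAMPLE_BYTES))
        if entropy < ENTROPY_THRESHOLD:
            findings.append((rel, round(entropy, 2)))
    return findings

def demo():
    """Constructed sample tree: a travel account beside a password-protected one."""
    samples = {
        "travel/itinerary.txt": b"Flight 12, hotel confirmation\n" * 50,
        "protected/client_memo.txt": b"Privileged: settlement terms\n" * 50,
        # os.urandom stands in for the ciphertext of an encrypted container.
        "protected/vault.bin": os.urandom(SAMPLE_BYTES),
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in samples.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        os.chmod(Path(root, "protected"), 0o700)  # account-style access control
        return audit_tree(root, allowlist={"travel/itinerary.txt"})
```

High entropy does not prove encryption, since compressed archives and media
files also score near 8 bits per byte, so an empty report is a necessary
check rather than a sufficient one.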



