[Infowarrior] - Groups warn travelers to limit laptop data

[Richard Forno]

Groups warn travelers to limit laptop data
Robert Lemos, SecurityFocus 2008-05-02

http://www.securityfocus.com/news/11516?ref=rss

A recent federal district court ruling upholding seizures of electronic
devices, such as laptops and iPhones, at the U.S. border has traveler- and
civil-rights organizations worried that personal and sensitive data could be
put at risk.

On Thursday, almost three dozen organizations -- including civil-rights
advocates, academic groups, and religious and minority groups -- sent an
open letter to four congressional committees, asking that their members
consider legislation to "protect all Americans against suspicionless digital
border inspections." The letter came ten days after a federal appeals court
in the Central District of California ruled that border agents could search
laptops without reasonable suspicion of illegal activity. The appeals court
overturned a lower court's ruling that stated the evidence of such searches
would not be admissible in court.

While the case in question involved the discovery of what investigators
believe is illicit pornography, the ability to search any person's computer,
personal digital assistants or cell phones violates the protections against
"unreasonable searches" contained in the Fourth Amendment of the U.S.
Constitution, the letter argued.

"In a free country, the government cannot have unlimited power to read,
seize, store and use all information on any electronic device carried by any
traveler entering or leaving the nation," the signatories stated in the
letter.

The level of surveillance by the United States government has become an
increasing worry to civil-rights advocates as well as professional, minority
and religious groups that believe their members could be targeted. As part
of its "War on Terror," the Bush Administration has instituted a program to
eavesdrop on Internet and phone communications, an initiative that violates
the Foreign Intelligence Surveillance Act (FISA) and has become the focus of
a battle in Congress to craft a new law to govern such wiretapping.

In the latest battle, 34 organizations and seven technologists have asked
both the Judiciary and Homeland Security Committees in the U.S. House of
Representatives and the U.S. Senate to consider legislation that would limit
digital border searches and make the process and conditions for such
searches more open. The Electronic Frontier Foundation, a digital-rights
group and one of the sponsors of the letter, has requested information on
the conditions that would trigger a digital search by border agents.

"We don't really know what the Department of Homeland Security's procedures
and practices are here," said Marcia Hofman, a staff attorney with the EFF.
"And the courts are not holding them accountable. That's why we want
Congress to step in."

The case at the heart of the debate concerns whether evidence from the July
2005 search of a laptop owned by then-43-year-old Michael Arnold can be used
by prosecutors. Returning from a three-week trip from the Philippines,
Arnold was stopped by customs agents in Los Angeles International Airport
and asked to show that his laptop was functioning, according to court
filings. When custom agents inspected the computer, they found two folders
on the desktop labeled "Kodak Pictures" and "Kodak Memories." Perusing
through the files in those folders, the agents found pictures of two nude
women and decided to conduct a more thorough investigation, which turned up
suspected child pornography.

Arnold filed a motion to suppress the evidence. A federal district court in
Los Angeles agreed with the defendant that the search had been unreasonable.
However, in April, the U.S. Court of Appeals for the Ninth Circuit
overturned the lower courts ruling and allowed the evidence from the search.
In their ruling, the three-judge panel likened the process to a previous
case where a cursory search of a van at the Canadian border revealed video
camera that contained footage of a tennis match focusing "excessively on a
young ball boy." A further search of the van found several photo albums
depicting suspected child pornography, according to court documents.

While the search led to grim evidence of an alleged crime, the letter's
signatories argued that the power of unregulated digital searches will be
abused. The ruling has worried international workers, whose laptops may
contain proprietary company information, financial data or sensitive
records. The Association of Corporate Travel Executives, one of the letter's
signers, recommended that workers not use their personal laptops for
international travel and limit the amount of proprietary and personal data
stored on any notebook computer taken across borders.

"In a time of heightened international security, it will take a brave
Congress to rule that parties may not be subject to suspicionless searches,"
Susan Gurley, the executive director of ACTE, said in a statement.

Other organizations that signed the letter included the American Association
of University Professors, the Multiracial Activist, Muslim Advocates and the
Republican Liberty Caucus.

Following the ruling, there is nothing preventing authorities from a more
comprehensive search program, said Fred Schneider, a privacy and security
expert and professor of computer science at Cornell University.

"There is a drift in this country toward more surveillance and less civil
liberties, and it is eroding step-by-step," Schneider said. "More people
might complain if they were searching people at the Lincoln Tunnel, and I
don't see how this case is different from that."

The Electronic Frontier Foundation argues that searches of electronic
devices at the border will likely only become more frequent, as forensics
tools get significantly better. This week, Microsoft announced a set of
software tools that fits on a USB drive and gives law enforcement officers
the ability to run more than hundred commands quickly and automatically.

"It won't be long before customs agents can efficiently perform a thorough
search on every machine," Jennifer Granick, civil liberties director at the
EFF, said in a discussion of the impact of the ruling. "So long as there are
no protocols or oversight for these searches, every traveler's personal
information is at risk."

Encrypting the hard drive, having a separate account on the PC owned by the
worker's company, or traveling with a clean laptop and using an encrypted
VPN to access data are all possibilities, Granick said. As an example of the
difficulty that unregulated searches add to international travel, Granick
uses a hypothetical "Alice," an attorney.

"Attorney Alice needs to have confidential attorney-client privileged
information overseas," she wrote. "Before departure, she removes unnecessary
information, encrypts her hard drive with strong crypto and sets up a login
for a protected account and a travel account on her computer. To access the
confidential data, one would need to first login to the protected account,
and then open the encrypted files. Only Alice¹s employer (The Law Offices of
Bob) knows the passwords to the account and encrypted data, and keeps them
secret until Alice arrives at her destination. Bob then sends the passwords
to Alice in an encrypted email message."

Yet, Granick's discussion is peppered with uncertainty. Because the U.S.
government has not complied with requests for more information through the
Freedom of Information Act (FOIA), the attorney cannot make any strong
recommendations.

"There are no options that provide perfect privacy protection, but there are
some options that reduce the likelihood that a legitimate international
traveler's confidential information will be subjected to arbitrary and
capricious examination," she wrote.