Archive for the 'Encryption' Category

Aug 01 2008

Be Careful When Traveling Overseas With a Laptop

Published by under Encryption,Privacy,Thoughts

In the case U.S. vs. Arnold, the U.S. Ninth Circuit Court issued an opinion in April of 2008 that Customs and Border Protection agents can search your laptop and other digital devices without limitation when you enter this country from an overseas trip. The opinion holds that that the Fourth Amendment does not require government agents to have reasonable suspicion before searching laptops at the border as well as at international airports. (“U.S. vs. Arnold“, The Electronic Frontier Foundation, May 2008 ) The impact to privacy concerns is dramatic. According to the EFF, Customs and Border Protection (CBP) has not published any protocols they use “in searching digital devices and copying, storing and using travelers’ data.” (Granick, Jennifer, Protecting Yourself From Suspicionless Searches While Traveling, The Electronic Frontier Foundation, May 1, 2008 )

Given this, what can you do to protect your information in case you go overseas and take your laptop (whether it’s a personal or your business laptop) with you? You can utilize full-volume encryption software such as Vista’s BitLocker, PGP Encryption, or others. Essentially full-volume encryption encrypts the hard drive entirely so that all data, no matter where it’s stored is encrypted. Does this stop CBP from searching your laptop? Not necessarily.

One possibility is that the agent will simply give up and let the traveler pass with her belongings. Other possibilities are that the agent will turn the traveler and her machine away at the border, or that he will seize the laptop and allow the traveler to continue on. I suspect that on most occasions, CBP agents confronted with encrypted or password-protected data tell the owner to enter the password or get turned away, and the owner, eager to continue her voyage or to return home, simply complies.

If you don’t want to comply, CBP cannot force you to decrypt your data or give over your password. Only a judge can force you to answer questions, and then only if the Fifth Amendment does not apply. While no Fifth Amendment right protects the data on your laptop or phone, one federal court has held that even a judge cannot force you to divulge your password when the act of revealing the password shows that you are the person with access to or control over potentially incriminating files.

If, however, you don’t respond to CBP’s demands, the agency does have the authority to search, detain, and even prohibit you from entering the county. CBP has more authority to turn non-citizens away than it does to exclude U.S. persons from entering the country, but we don’t know how the agents are allowed to use this authority to execute searches or get access to password protected information. CBP also has the authority to seize your property at the border. Agents cannot seize anything they like (for example, your wedding ring), but we do not know what standards agents are told to follow to determine whether they can and should take your laptop but let you by.

(Granick, Jennifer, Protecting Yourself From Suspicionless Searches While Traveling, The Electronic Frontier Foundation, May 1, 2008 )

Encryption is not a guarantee for protecting your information from this search if it turns out that CBP can try and force you to reveal your password or passphrase to decrypt the laptop. So what else can you do?

For one, you can scrub the laptop of personal, private, or sensitive information. That could be a significant task. Another option would be, if you’re on a business trip, to take a forensically “clean” laptop that just contains the necessary software you would need to conduct your business overseas. Also, be aware that if you think that you can keep your data stored on a USB drive and use a forensically clean laptop the USB drive can also be subject to a search. The same applies to cell phones and smart phones. Also be aware that if you use a clean laptop for your work overseas, be sure to connect back to your home office using a VPN and if you use Microsoft’s Exchange and Outlook for e-mail do not use the Outlook client itself but rather use Outlook Web Access (OWA). If you use the Outlook client you will end up with a local cache of all of your e-mail on the local machine in the form of a .ost file. Using OWA provides you with a secure connection to the Exchange server using Secure Sockets Layer (SSL) and you can easily delete any local information in the cache by deleting the temporary files that Internet Explorer (or other browser that you may use) writes.

Another idea would be to create a second account on the laptop and use it to allow the CBP agents to search your machine. While not perfect, since many forensics tools could easily find the documents in the original account, it does provide something that could be used to allow a cursory inspection of the laptop. There are ways to protect yourself from these searches and to protect your privacy. Until Congress acts and enacts legislation that protects travelers from suspicionless searches when crossing the border it is important to take steps to protect your information yourself.

For more information see:

Protecting Yourself From Suspicionless Searches While Traveling

Congress Must Investigate Privacy Violations at U.S. Borders

3 responses so far