Aug 05 2008

More "Travel with Laptops" Woes

Published by under Thoughts

“They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety” — Benjamin Franklin

As if the airlines and TSA haven’t made traveling hard enough for the leisure or business traveler it has now become even harder. The Washington Post reported on August 1st in their article, Travelers’ Laptops May Be Detained At Border :

Federal agents may take a traveler’s laptop computer or other electronic device to an off-site location for an unspecified period of time without any suspicion of wrongdoing, as part of border search policies the Department of Homeland Security recently disclosed.

Also, officials may share copies of the laptop’s contents with other agencies and private entities for language translation, data decryption or other reasons, according to the policies, dated July 16 and issued by two DHS agencies, U.S. Customs and Border Protection and U.S. Immigration and Customs Enforcement.

(Nakashima, Ellen, Travelers’ Laptops May Be Detained At Border, The Washington Post, August 1, 2008 )

These policies apply to anyone entering the country through any means — not just at airports but at border crossings from Canada, Mexico, or at seaports throughout the United States. The search and seizure can occur without any probably suspicion by the officials and the items taken can be held for an indefinite period of time. Laptops are not the only items that can be taken for examination

international travelers have reported that their laptops, cellphones and other digital devices had been taken — for months, in at least one case — and their contents examined.

The policies state that officers may “detain” laptops “for a reasonable period of time” to “review and analyze information.” This may take place “absent individualized suspicion.”

The policies cover “any device capable of storing information in digital or analog form,” including hard drives, flash drives, cellphones, iPods, pagers, beepers, and video and audio tapes. They also cover “all papers and other written documentation,” including books, pamphlets and “written materials commonly referred to as ‘pocket trash’ or ‘pocket litter.’ ”

(Nakashima, Ellen, Travelers’ Laptops May Be Detained At Border, The Washington Post, August 1, 2008 )

What this means is that even your personal diary can be taken and examined by DHS at their discretion even though you may have no connection to terrorism, narcotics trafficking, child pornography or any other of a multitude of crimes. What would be interesting is if someone writes in a diary that confesses to a lessor crime – say cheating on their federal taxes – and this is discovered during one of these inspections that apparently would be actionable. According to the policies released by DHS on July 16 2008 the

examinations of documents and electronic devices are a crucial tool for detecting information concerning terrorism, narcotics smuggling, and other national security matters; alien admissibility; contraband including child pornography, monetary instruments, and information in violation of copyright or trademark laws; and evidence of embargo violations or other import or export control laws.

(Department of Homeland Security, “Policy Regarding Border Search of Information“, July 16 2008, as found on the Center for Democracy and Technology‘s website)

As can be seen from this excerpt, any infraction found by DHS can be actionable — whether it is something major like information related to terrorism or something minor like a confession in a diary that you feel like you may have cheated on your taxes or ran a red light. This policy appears to be in violation of the 4th amendment of the U.S. Constitution

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized

The U.S. 9th Circuit Court of Appeals ruled in the case of U.S. v. Arnold that searches of laptops at the border without reasonable suspicion does not constitute a violation of the 4th amendment because the laptop is considered a “closed container” and the U.S. courts have long held that “searches of closed containers and their contents can be conducted at the border without particularized suspicion under the Fourth Amendment” (United States v. Arnold, No. 06-50581,(9th Cir April 21, 2008 )). Previous court rulings have allowed for the searches of briefcases and luggage, purses, wallets, pockets, pictures, films and other graphic materials when these items cross the border.

However, while this may not be a violation of a person’s 4th amendment, the fact remains that such unwarranted searches are a violation of their privacy. Officially, the items gathered by the Customs and Border Patrol (CBP) agents during such a search can be held for further inspection for a “reasonable period.” The policies do not specify any specific length of time. The policies do, however, specify that if no reasonable suspicion is found then the information gathered must be destroyed. However, in section B of the policy it states “Nothing in this policy limits the authority of an officer to make written notes or reports or to document impressions relating to a border encounter.”
(Department of Homeland Security, “Policy Regarding Border Search of Information“, July 16 2008, as found on the Center for Democracy and Technology‘s website).

So, if you’re a business person and you are traveling with confidential information, a CBP agent can inspect your documents or your laptop, make notes of what they find, and then return your documents to you. If they make copies of the documents, then, when the search is concluded, those copies must be destroyed but the notes they take do not have to be destroyed. Additionally, CBP can share the information they copy with other agencies and the policy does not require those other agencies to destroy their copies of the information gathered even if CBP determines that there is no probable cause. Now, the information they gather must be handled properly — especially in cases of business confidential information and other similar documents. However, the fact that any border agent can rifle through your personal notes and diary looking for anything leaves the distasteful feeling that the 4th amendment is quickly being chipped away by the government in the name of fighting terrorism. Remember that the next time you travel outside the United States — just leave that manuscript for your novel at home.

Note: See here for how to try and protect your personal information when traveling overseas.

One response so far

Aug 01 2008

Be Careful When Traveling Overseas With a Laptop

Published by under Encryption,Privacy,Thoughts

In the case U.S. vs. Arnold, the U.S. Ninth Circuit Court issued an opinion in April of 2008 that Customs and Border Protection agents can search your laptop and other digital devices without limitation when you enter this country from an overseas trip. The opinion holds that that the Fourth Amendment does not require government agents to have reasonable suspicion before searching laptops at the border as well as at international airports. (“U.S. vs. Arnold“, The Electronic Frontier Foundation, May 2008 ) The impact to privacy concerns is dramatic. According to the EFF, Customs and Border Protection (CBP) has not published any protocols they use “in searching digital devices and copying, storing and using travelers’ data.” (Granick, Jennifer, Protecting Yourself From Suspicionless Searches While Traveling, The Electronic Frontier Foundation, May 1, 2008 )

Given this, what can you do to protect your information in case you go overseas and take your laptop (whether it’s a personal or your business laptop) with you? You can utilize full-volume encryption software such as Vista’s BitLocker, PGP Encryption, or others. Essentially full-volume encryption encrypts the hard drive entirely so that all data, no matter where it’s stored is encrypted. Does this stop CBP from searching your laptop? Not necessarily.

One possibility is that the agent will simply give up and let the traveler pass with her belongings. Other possibilities are that the agent will turn the traveler and her machine away at the border, or that he will seize the laptop and allow the traveler to continue on. I suspect that on most occasions, CBP agents confronted with encrypted or password-protected data tell the owner to enter the password or get turned away, and the owner, eager to continue her voyage or to return home, simply complies.

If you don’t want to comply, CBP cannot force you to decrypt your data or give over your password. Only a judge can force you to answer questions, and then only if the Fifth Amendment does not apply. While no Fifth Amendment right protects the data on your laptop or phone, one federal court has held that even a judge cannot force you to divulge your password when the act of revealing the password shows that you are the person with access to or control over potentially incriminating files.

If, however, you don’t respond to CBP’s demands, the agency does have the authority to search, detain, and even prohibit you from entering the county. CBP has more authority to turn non-citizens away than it does to exclude U.S. persons from entering the country, but we don’t know how the agents are allowed to use this authority to execute searches or get access to password protected information. CBP also has the authority to seize your property at the border. Agents cannot seize anything they like (for example, your wedding ring), but we do not know what standards agents are told to follow to determine whether they can and should take your laptop but let you by.

(Granick, Jennifer, Protecting Yourself From Suspicionless Searches While Traveling, The Electronic Frontier Foundation, May 1, 2008 )

Encryption is not a guarantee for protecting your information from this search if it turns out that CBP can try and force you to reveal your password or passphrase to decrypt the laptop. So what else can you do?

For one, you can scrub the laptop of personal, private, or sensitive information. That could be a significant task. Another option would be, if you’re on a business trip, to take a forensically “clean” laptop that just contains the necessary software you would need to conduct your business overseas. Also, be aware that if you think that you can keep your data stored on a USB drive and use a forensically clean laptop the USB drive can also be subject to a search. The same applies to cell phones and smart phones. Also be aware that if you use a clean laptop for your work overseas, be sure to connect back to your home office using a VPN and if you use Microsoft’s Exchange and Outlook for e-mail do not use the Outlook client itself but rather use Outlook Web Access (OWA). If you use the Outlook client you will end up with a local cache of all of your e-mail on the local machine in the form of a .ost file. Using OWA provides you with a secure connection to the Exchange server using Secure Sockets Layer (SSL) and you can easily delete any local information in the cache by deleting the temporary files that Internet Explorer (or other browser that you may use) writes.

Another idea would be to create a second account on the laptop and use it to allow the CBP agents to search your machine. While not perfect, since many forensics tools could easily find the documents in the original account, it does provide something that could be used to allow a cursory inspection of the laptop. There are ways to protect yourself from these searches and to protect your privacy. Until Congress acts and enacts legislation that protects travelers from suspicionless searches when crossing the border it is important to take steps to protect your information yourself.

For more information see:

Protecting Yourself From Suspicionless Searches While Traveling

Congress Must Investigate Privacy Violations at U.S. Borders

3 responses so far