
US Border Patrol says they can create central repository of traveler emails - hispanic
https://viewfromthewing.com/us-border-patrol-says-they-can-create-central-repository-of-traveler-emails-keep-them-for-75-years/
======
ip26
Sounds like a call to start crossing the border more frequently- with a
suitcase full of "suspicious" drives.

How many petabytes of mirroring before the whole operation becomes too
expensive to justify?

~~~
jpitz
Or a hard drive shell with a Raspberry PI inside doing the equivalent of
piping out /dev/random to the interface.

~~~
gruez
If it's encrypted it will probably end up in blob storage, which is low cost.
If you want to hit them where it hurts, generate tons of fake text (stored as
emails, documents, texts, etc.) with GPT-3 to clog up their elasticsearch
server and/or NLP classifiers.

~~~
mxcrossb
That works fine until GPT-3 generates inadvertently generates a bunch of
incriminating evidence!

~~~
pisky
Looking forward to the first gpt-3 version of 'it was the best of times, it
was the blurst of times'.

------
wffurr
Too bad neither party shows any signs of reigning in this kind of overreach by
CBP. Doesn't seem like this can be fixed by voting.

~~~
slg
Neither party might go as far as you want, but it is also a mistake to think
both parties are completely identical in their views of this sort of behavior.

~~~
sthnblllII
How could two organizations of thousands of people ever be completely 100%
identical, and why does that matter at all if neither party has rolled back
these massively unpopular policies, even when controlling both houses of
Congress and the executive?

~~~
Someone
Game theory. If people vote for the party promising policies closest to (using
whatever metric) their ideals, and there are only two parties, optimal
strategy for each party is to move as close to the center as possible.

They wouldn’t lose voters with ‘extreme’ ideals because, if they decided to
not vote, parties would counteract by moving towards the new center, which
would be further removed from the ideals of those voters abstaining from
voting.

~~~
aftbit
How do you square that with the rise of the Tea Party and the Alt-Right? It
seems like they've found that they can motivate people to vote by moving
_further_ from the center, and the moderates continue to vote the party line
of whichever party they prefer.

~~~
Someone
Alt-right or the tea party would lose an election against a center-line party,
big time.

Motivating people with ‘extreme’ opinions from one side of the spectrum to
vote moves the center, so it can make both parties move in that direction.

Let’s (in a very simplistic model) say we have 100 voters on a 1 to 100 scale,
so centered around 50.5.

If, normally, the extremes of 1 to 10 and 91 to 100 don’t vote, the center
stays at 50.5. Convince the 1 to 10 people to vote, and the center moves to
45.5, so the two major parties move in that direction, too.

There’s an assumption here that most politicians are willing to, somewhat, go
against their beliefs in order to get elected. I think that’s true, and
unavoidable in a two-party system (which, in turn, is hard to avoid in a
system with “winner takes all” elections), but if it weren’t, parties can
easily replace candidates that object to a course change with others that
either have different ideals or are willing to sacrifice some of that a bit in
exchange for their career.

~~~
save_ferris
> so it can make both parties move in that direction.

This is the opposite of what we’re seeing on the right. Centrist republicans
have been pushed out of the party for not being conservative enough over the
last 4 years, and primary candidates go out of their way to outdo each other
in terms of conservative positioning.

Nobody seriously running on the right is trying to be a moderate Republican on
the federal level because being a “RINO” is political suicide.

------
luiperd
What's a reasonable way to protect yourself here? Other than wiping and
restoring. Are there any encryption tools, or ways to keep your emails and
other data on your device safe?

Can CBP make you unlock your own phone?

~~~
traceroute66
One word. Jurisdiction.

What is on the device in their hands, on US soil, is subject to their
stupidities, whatever those stupidities may be on the day their grubby hands
get hold of your phone.

What is located remotely, in a privacy conscious jurisdiction, say
Switzerland, is outside of their remit. I know US courts like to think they
have power over the world, but they don't. US courts and US law power stops at
US borders.

The trick is to make sure nothing gets cached on your local device (including
authentication credentials, obviously). A bit like the old Thin Client
computing really.

If you want to go one step further, don't travel with working credentials.
Rely on someone outside of US jurisdiction to provide you the last piece of
the jigsaw in a secure manner once you are in a safe location.

~~~
aneutron
Well, in theory, yes. In practice, there have been recorded instances where
the US Government has asked people to disclose their social media [1] and in
other ones (I failed to find the source) refused access to people who refused
to log into their accounts.

Also, if you're a non-american traveler, all the constitutional rights you're
afforded as an American don't apply. So they can pretty much ask whatever and
refuse you access for any reason.

It's like the US is becoming more and more like China. But it's a worlwide
trend, really, with old men screaming "We're gonna be in the dark !" ... It's
thoroughly depressing.

Edit: As written down in the comments, the part about foreigners' rights is
wrong. See comment for correction.

[1]: [https://www.theverge.com/2016/12/22/14066082/us-customs-
bord...](https://www.theverge.com/2016/12/22/14066082/us-customs-border-
patrol-social-media-account-facebook-twitter)

~~~
2OEH8eoCRo0
>if you're a non-american traveler, all the constitutional rights you're
afforded as an American don't apply.

False

[https://www.maniatislawoffice.com/blog/2018/08/do-non-
citize...](https://www.maniatislawoffice.com/blog/2018/08/do-non-citizens-
have-constitutional-rights/)

~~~
aneutron
Thank you, I was under the misconception that as a foreigner I wasn't afforded
these right s.

~~~
iso947
Many Americans don’t get those rights in practice - although I don’t think
there have been any cases of the third ammendment being broken recently.

~~~
samatman
In fact, the Third Amendment came up recently, when some hotels in Washington
DC kicked the National Guard out.

Their right to do so wasn't challenged, so there's one plank of the Bill of
Rights which hasn't rotted through...

~~~
iso947
I’ve always considered America’s uniform worship to make the 3rd irellevent, I
guess it goes to show that ensuring rights via law is good even if you think
it unnecceraary

------
jarym
Really, the US system of manually extracting data from peoples physical
devices seems so much more old-fashioned compared to the Great Firewall of
China.

There really isn't much difference conceptually between the two systems.

~~~
karaterobot
That's an overstatement. The conceptual difference is that the U.S. system is
limited to specific, known, legally prescribed situations, while the Chinese
system is constant and ubiquitous. The U.S. system is far from perfect when
you get down to specifics, but I'd definitely take it over the Chinese system.

~~~
jarym
> limited to specific, known, legally prescribed situations

Not sure crossing the US border in either direction or being within 100 miles
of it (the 'extended border area') is particularly 'limited'?

~~~
Hnrobert42
30,000 device searches annually is WAY too many, but it is far more limited
than than the system in China. Are you really trying to argue that border
searches, no matter how much overreach, is the same as the Chinese Firewall?

------
biddlesby
Is there a list online somewhere of all the crazy shit that can legally happen
to you in the US? How long you can be detained for, what data can be extracted
from you, and so on? Like if you had a _really_ bad day and the authorities
exercised all of the powers over you they legally have.

~~~
tmpz22
They can put a knee on your neck for seven minutes and 43 seconds until you
are dead and be home watching TV The next day.

~~~
StartupTree
I thought that cop was charged with murder? I must have got confused, thanks
for updating me.

~~~
gruez
Only after public outcry. What do you think would have happened if there
weren't anyone watching?

------
SippinLean
There are a handful of state courts in the US that find passwords testimonial,
and therefore the Fifth Amendment prevents compelled production of passwords.
[1]

Could that apply here?

1
[https://www.techdirt.com/articles/20191124/09372943445/penns...](https://www.techdirt.com/articles/20191124/09372943445/pennsylvania-
supreme-court-says-compelled-password-production-violates-fifth-
amendment.shtml)

~~~
tenuousemphasis
Borders are constitution-free zones, didn't you know?

~~~
Hnrobert42
Actually, the First Congress okayed border searches. Given that many of them
were authors of the Constitution, it stands to reason that border searches
were always intended to be allowed under the Constitution, even if not stated
explicitly.

[https://www.law.cornell.edu/constitution-
conan/amendment-4/b...](https://www.law.cornell.edu/constitution-
conan/amendment-4/border-searches)

~~~
ceejayoz
Did they expect the definition of “border” to get quite so mangled, though?

[https://www.aclu.org/other/constitution-100-mile-border-
zone](https://www.aclu.org/other/constitution-100-mile-border-zone)

I also suspect they did not anticipate it being both feasible and normal to
have one’s entire private writings on one’s person at all times like modern
phones permit.

------
dbg31415
I'm going to start traveling with a 10 TB Encrypted NAS full of static. They
can download that and save it if they want.

What sucks is that I know this is probably being stored on AWS. Tech companies
enable this kind of shit, and even push sale of larger and larger systems to
governments. And they are massively rewarded for doing so.

This isn't the government... this is a sales guy at AWS pushing them to store
things for 75 years... he knows he gets a helluva commission check on that
deal.

Gross oversimplification, but not really. We, as technologists, have to take
responsibility here.

------
aboringusername
The easiest thing to do is to simply not take electronic devices with you
anywhere in the world, otherwise there is a slight risk of someone wanting to
understand the information contained within it.

If you think there is a risk, and you take a device, obviously FDE is a
requirement, although, that could be seen as "suspicious".

The easiest thing to do is to fill up TB's of HDD's with useless information.
Random pictures, documents, perhaps thousands of people's contact information
downloaded from a public source. Store any "important" documents as random
file names, perhaps inside archives or volumes that need decrypting. Or not at
all, instead "in the cloud" but still encrypted so that you can travel without
worrying about somebody accessing your information. Make deliberate
"suspicious" file names, make them believe a file is encrypted (a 50GB file
named "totally not a hidden volume.hiddenvolume") and maybe they will waste
time trying to open the volume only to realize it contains thousands of
pictures of naked molerats.

Clearly you need to be smart about crossing borders with electronic
information these days, and not having any with you seems to be the best
course of action.

~~~
ianleeclark
> The easiest thing to do is to simply not take electronic devices with you
> anywhere in the world, otherwise there is a slight risk of someone wanting
> to understand the information contained within it.

I think people seriously misunderstand the range that the Border Patrol has--
its far more than the US and Canadian borders. Portland Oregon, for example,
is within their grasps due to the coast + 100 miles being considered part of
the border.

So, you could be never leave the country and be caught up in their web quite
easily. I wouldn't be surprised if 70% of the population of the US lived
within their range.

~~~
bcrosby95
I've always wondered - why is this border considered to be at the coast,
rather than at the start of international waters?

~~~
samatman
That's easy to answer: the beginning of international waters is defined as a
certain distance from the border.

Which is the coastline, for the most part; international law considers
countries to control land, and lakes, bays (some) and harbors, but not the
seas and oceans.

------
est31
> Information is stored for 75 years although if it’s not related to any crime
> it may be deleted after 20 years.

I wonder if you have your house burned down and you want your digital pictures
back, can you ask them to give you a copy of their backups? That's the only
thing that storing this data for this period of time is useful for, but I
guess they won't hand it over.

~~~
neltnerb
It may still be useful to the endless parade of hackers that get access to the
confidential documents "procured" by CBP in this way and stored in what I
sincerely doubt will be some impenetrable database.

Not to mention that given their track record regarding things like facial
recognition software, individual unmonitored CBP agents will probably be able
to just you know, steal all the private information taken on people they're
stalking.

The police have already been caught abusing these databases when they were
minimal, increasing the amount of available stored is idiotic until we solve
the problem of oversight and security.

------
sumanthvepa
I'm not a US citizen, and I used to travel to the US from India occasionally
before the pandemic. In reality there is no data that I have with me on my
laptop or mobile device, that isn't already accessible to a nation state like
the US. There is really no point trying to play games with US customs and
immigration. You'll just irritate them and it won't end well.

The best strategy is to simply comply with all relevant US law and orders
issued by officials at the border. And one should understand that at the
border, a foreigner such as me will have very limited protections. In practice
there are really no protections at all. People like me essentially rely on the
goodwill of the US officials at the border.

For the most part they are polite and business-like. Its best to keep all
interactions with them on a cordial basis and cooperate immediately and
completely when ordered.

~~~
AsyncAwait
> The best strategy is to simply comply with all relevant US law and orders
> issued by officials at the border.

The best strategy is not to travel to the US at all, if you can avoid it.

It's not even about not handing over data that they could have if they really
wanted it. It's about sending a message that this behavior isn't OK and that
foreigners are human beings too.

The US doesn't care about your privacy, but it does care about its economy and
so voting with your wallet is still the most power you have. Continuing to
degrade yourself at the border at their whims condones their abuses, however
implicitly.

~~~
samatman
Every border on Earth already reserves the right to search your personal
effects as thoroughly as they please, without any concept of probable cause
being applicable.

If they don't extend that into data located on devices you're carrying across
the border, it isn't because they don't reserve the right, but merely because
they lack the means or interest.

~~~
AsyncAwait
> Every border on Earth already reserves the right to search your personal
> effects as thoroughly as they please

You're correct, however this does not mean they all treat you like you should
be the most thankful person of Earth for them letting you in and not harassing
you endlessly.

The U.S. even requires you to hand over social media passwords in some cases
and a lot of personal information before you even get on the plane.

The outright contempt for foreigners is not as common elsewhere.

P.S. And of course, you have borders like between EU countries where you
barely even notice you crossed a country border, (as an EU citizen).

~~~
Hnrobert42
I have experienced a lot more contempt from border officials in Europe than
anywhere else, specifically Ireland and Italy.

I haven’t seen anything where the U.S. requires gratitude. Is that a new
policy, or just your opinion?

~~~
AsyncAwait
I guess it all depends on personal experience, but [1] seems pretty extreme to
me.

1 - [https://www.bbc.co.uk/news/world-us-
canada-48486672](https://www.bbc.co.uk/news/world-us-canada-48486672)

~~~
Hnrobert42
I don’t like that program, but I am not sure I would call it contemptuous.

------
sixhobbits
The interesting thing about this is that it affects people who have never been
to the US and never intend to go, or those who do but take 'precautions' to
protect their privacy (secondary devices, double encryption etc) as most of
the data in anyone's inbox is not generated by them.

That's pretty scary.

~~~
Joeri
It also affects U.S. citizens who don’t even have a valid passport and no
intention to leave the country. According to the CBP being in the extended
border zone is enough to be crossing a border and therefore be subject to a
warrantless search.

------
mlazos
Hmm could you not just encrypt your data and leave the key at your house and
throw one away before you reach the border. They can have all of the “data”
that they want.

~~~
kayodelycaon
And then they can deny you entry into the country.

If you’re a citizen, I don’t know if they can seize property, but if they can,
you won’t be able to cross the border with it.

~~~
tenuousemphasis
The article says this is for people both entering and leaving the country. And
applies anywhere within 100 miles of a "border" (including coasts).

------
WarOnPrivacy
What's super awesome is nearly every US voter (including the ones reading
this) will vote for the jackwads that enable and fund bulk surveillance abuses
like this.

In and outside the US, non US citizens serve as a proving ground, for tech
that US Gov will eventually deploy against it's own citizens.

US Gov does this because it can, because news orgs are more interested in
sportball, because both parties have successfully set citizens at each other
throats for decades and because the public keeps gorging on whatever fear-
filled plate of nonsense is put in front of us.

Ten years from now, an entirely new regime of surveillance abuses will be
added to those already deployed against us. More than any other reason, this
will happen because we endlessly reelect the people who are ultimately
responsible.

We could do better.

~~~
stallmanite
I 100% agree with you. What can a voter do until the EFF fields a candidate?
There are copyright and surveillance maximalists running both parties
apparently. The DMCA, the Patriot Act, and the all the other BS seems to the
type of stuff that everyone in power agrees on and no candidate that I’m aware
of is trying to do anything about it.

------
swyx
> a federal judge in Boston ruled that forensic searches of cell phones
> require at least reasonable suspicion “that the devices contain contraband.”

outside of illegal porn, what exactly constitutes digital contraband? is this
defined anywhere? any well known example cases?

~~~
klyrs
If you hack somebody and steal their data, that'd probably count. If you've
exfiltrated confidential data from your employer, that could count. For a
time, exporting strong crypto was illegal; we might see a return to that.

------
dannyw
I hope someone challenges this in court.

~~~
TedDoesntTalk
EFF or ACLU, I hope.

------
hamiltont
Really wish I could enter a fake password on my Android device to launch a
fake persona

~~~
zabana
this is a great idea actually. or simply manage fake social media accounts
with a fake persona that you update semi frequently either by hand or through
an automated script. Login to these accounts upon arrival, then switch back to
your real ones when you're clear.

~~~
StartupTree
This would be a serious offence which would get you banned from the US for
life, after serving a jail sentence.

------
RyJones
If this is the case, I’ll leave the country with basically naked devices which
I’ll restore on the other side of the checkpoint.

~~~
curiousgal
They'll just consider that suspicious and confiscate the devices ¯\\_(ツ)_/¯

~~~
Scoundreller
Dunno about CBP, but I know the Canadian border agents are restricted to
searching the phone only.

So anything in the cloud (e.g. webmail) is off limits unless you download to
your phone.

~~~
snazz
Do they put it in airplane mode to enforce that?

~~~
Scoundreller
I think officially that’s supposed to be step 1. Makes sense so you can’t
remote wipe it.

Legally they are only allowed to inspect what you are bringing into the
country, so stuff in the cloud is out-of-scope.

It’s an open question about whether they can compel you to decrypt anything or
get you to unlock. They could always seize to inspect later though.

------
sys_64738
Surely you'd need to be a person of interest to have them process your data.
The data is likely encrypted so how do they decrypt it? They can socially
engineer a way in but does that work? Do people break down and give up their
passcode?

Would they really process the data just because? It seems like a severe amount
of data to process and evaluate. How much compute power is set aside for this
and how much online storage is used? Do they use a cloud service for this?

It'd be interesting to hear from somebody in the know about what is they real
can do and what is heresy.

~~~
LeifCarrotson
In the past, a human was required for most policing operations. Economically,
that meant you'd need to be a person of interest or at least incidentally
connected to one to be subject to an investigation. It meant that judges and
legislators could say stuff like "it's fine for the police to run arbitrarily
license plates, that's public information" because running license plates
meant there was a cop with a pad of paper walking through a parking lot,
bringing the notes back to a clerk to manually tab through the registration
files. Storing the data and processing it used to happen at human speed and
cost on the order of $20/hr, assuming they weren't working overtime rates on
nights, weekends, and holidays, now it runs at gigabits per second and costs
$0.05/hr to run 24/7.

I'm not in the know, but I know that all the email content I've ever written
is trivial to fit on a $50 hard drive, and with that I can search through 20
years in under 20 seconds.

It's not a question of "could they do it" but "would they do it", your answer
to that question depends on social and political issues, not technology. It's
why I prefer technical solutions like encryption to political problems like
privacy.

------
ff7c11
So do I just need to fill my computer with porn? Or use stenography to put all
my files inside porn.

~~~
sleavey
That bit I don't get. Why are they happy to upload arbitrary data to their
servers unless it's porn?

~~~
arkanciscan
"US tax dollars paying to store petabytes of porn, news at eleven"

------
pseudosavant
Remind me to travel with terabytes of encrypted garbage data. Just to be a
costly pain in the ass. I'd love to watch an incompetent CBP agent try to
figure out how to move 10TB of disk images with USB thumbdrives.

~~~
gruez
Your time is probably a bigger issue. Hard drives maybe average 200MB/s
transfer speed, so a 10TB disk would take a little under 14 hours to image. I
don't know about you, but I'm not too inclined to waste a day just to troll
the CBP.

------
arkanciscan
My takeaway; they have to search for porn first because they can't be amassing
a huge porn collection, so store your sensitive info in your porn folder!

------
monkin
At least now I can be like Jason Bourne, and have lockers in different parts
of the world with laptops and phones... ;)

------
JumpCrisscross
> _Before uploading it to their network they check to make sure there’s no
> porn on it_

What happens if there’s porn?

------
mlthoughts2018
I wonder what implications this would have for business travel. Devices may be
required to be encrypted and giving a business password may violate employment
law in the home country for non US travelers. It could be illegal to grant US
border agents access to the phone and also illegal not to.

Even if you could grant access, businesses may very rightly feel the content
shouldn’t be accessed by US border agents and if it’s stored by border agents,
it means now some US government server could fall under the juris diction of
GDPR or something (eg my work phone or laptop had a photo with sensitive
customer data or something).

On top of that, it’s increasingly mandatory to use your personal phone for
business data, eg PagerDuty, Slack, company email, company social media tools.
So while it may be your personal device, you may still run into crazy
conflicting issues of whether you are allowed to unlock it.

How are you going to comply with “delete my account” requests when some
business data is on US government servers for 75 years?

US agencies have deeply poor and incompetent information security, so how long
before this is subject to a data breach, or a rogue employee exfiltrating and
selling it? Will people be able to sue the US government for substantial per-
person damages when that happens?

The conflicting and incompatible privacy issues of this are bananas. What an
arrogant and deeply stupid thing to do by the border agency.

~~~
coronadisaster
Businesses are first class citizens, unlike real people, so you should be ok.

------
Yc4win
I know they market this product for security researchers, and I've read all
sorts of good reviews about the "anonymous" version. May everyone expand on
this concept:

[https://usbkill.com](https://usbkill.com)

~~~
yosito
It would be interesting to have one of those built into a smartphone as an
antitheft device. It could thwart someone who steals your phone or otherwise
tries to get unauthorized access. Does anyone know the legal status of setting
traps for intruders into private property?

------
HenryKissinger
Imagine the private letters of people in 1945 being of any use to a border
agency in 2020.

~~~
rudiv
I'd love to see your private correspondence, Mr. Kissinger. Preferably as part
of the legal process of discovery.

(Sorry, it's off topic but I couldn't resist)

------
icodestuff
> Before uploading it to their network they check to make sure there’s no porn
> on it (so they search your devices to find porn first).

"Stenographically encode your important documents into your porn" is what I'm
reading here.

------
dvduval
Uninstall everything before crossing the border? The 100 miles thing is the
weirdest though, especially if enforceable on someone who has not
recently/ever crossed the border.

------
progfix
Can't they just ask the NSA for the Emails?

~~~
coronadisaster
They probably don't even have to ask because they have a direct pipe.

------
hansvm
It sounds like a person needs a filesystem that generates a few exabytes of
GPT-2 output on the fly.

------
supernova87a
I guess the studios wanted to get their copyrights extended one way or the
other.

------
WarOnPrivacy
I hate the world in which my own Gov is the nation state I need to fear.

------
Havoc
How long till burner devices are necessary for traveling to the US?

------
modzu
defund the border patrol. seriously

------
hatenberg
Cue the inevitable breach.

------
submeta
When I was a kid in the 80s, I had a US flag on my wall. What happened to the
US in the past fourty years? It became a country that I don't really want to
visit anymore. Every civilized nation behaves differently, at least towards
citizens of allied nations. We are no enemies. Ain't no reason to treat us
non-US citizens like people without any rights. - I am deeply saddened to see
the US come this way, and I have no hopes that this will change in the
forseeable future.

Edit: Look at how non-US citizens exchange ideas for how to avoid handing over
all their personal data at border-crossing. What a shame.

~~~
myaltacct415
My simple answer: we became afraid. 9/11 showed us we were not invincible.
Technology to enable mass surveillance had quick answers for our collective
fears. Stoking our fears is a profitable industry. Here we are today.

~~~
submeta
I can totally understand the need to protect your citizens, but I rather think
that this kind of behaviour damages the reputation of the US deeply. In the
long run, you might have gotten your hands on someone's data that would like
to harm the US (but are these guys so stupid to put their malicious plans on a
handheld device they use at border crossing?)

Actually after the Snowden revelations: aren't the three letter agencies able
to access our data without us knowing it anyways? If we are on their radar,
they can get whatever info they want from us anyway. That's my understanding.
So why harrass the normal person crossing the border?

~~~
save_ferris
Short answer is because they can.

Since the border has become such a focal point of our political conscious, the
culture of some of these agencies is really being brought to light. Just look
at the private Facebook groups of current and former CBP agents comparing
migrants to animals and whatnot.

When the culture of an agency gets toxic, you start to see enablement of this
kind of behavior.

------
coleifer
What are the use-cases, and when would such a policy have led to a drastically
different outcome (in the case of a crime being committed, industrial
espionage, or what-have-you)?

If I have a laptop encrypted with luks or whatever, then what? What are the
consequences of non-compliance?

~~~
Shared404
Not sure why this got killed. I would like to have the answers to these
questions myself.

