

Documents Shed Light on Border Laptop Searches - driverdan
https://www.aclu.org/blog/technology-and-liberty-immigrants-rights-national-security/documents-shed-light-border-laptop

======
grey-area
Is the best strategy here to leave your devices at home and just bring a
burner phone on holiday or other travels and no other devices?

It's strange as an ordinary citizen who might choose to contribute to someone
like Manning's defence fund, or post statements supportive of Snowden online,
to have to consider that GCHQ or the Homeland Security might put your name on
a list for questioning and confiscation at the border, requiring drastic
action like this.

Given the abuse of them in many countries including the US and UK (which was
inevitable), I can't see any case for these powers of arbitrary detainment and
confiscation to be given to the police in any country.

~~~
TheCraiggers
I leave mine behind whenever I travel outside the US, not so much because I am
afraid to be on a list (although after reading this article, that fear has
risen somewhat) but because I employ encryption on my laptop. If they do
search my device for anything illegal, they will inevitably ask for my
password, which I don't want to give for philosophical reasons. Then it's
pretty much guaranteed that I'll be detained and/or my laptop will be taken.

You are right that, as a US citizen, this is a very strange revelation to have
when packing for an overseas trip. Personally, this very real possibility
opened my eyes on just how far we've fallen.

~~~
m_ram
"I don't remember my password."

~~~
grey-area
It's illegal not to provide your password in the UK, not sure what the rules
are under these special powers in the US.

~~~
aplusbi
Then change your password to something that you don't actually know.

Generate a random password before your trip and print out a few copies. Take
one with you and secure the remaining ones. Before you fly through the UK,
change the password on your computer to the random one and destroy the
printout. When you get back home use the remaining printouts to change your
password back and then destroy them.

~~~
TheCraiggers
These sorts of techniques make great comments, but are nearly useless in
reality.

First of all, even if you're being truthful, saying "I don't know my password"
will likely not be believed. Explaining the process you went through to
safeguard your password will merely elicit suspicion by a border agent. Why
would you go through such pains if you had nothing to hide? And once they are
suspicious of you, you will almost surely be detained and have your equipment
seized.

Yes, the government might not be able to decrypt it for years, but they still
have _your_ laptop, and they are still in possession of _your_ data, encrypted
as it may be. So, I ask you, who won this little battle? It sure wasn't you.

IMHO, the only valid approach here is to host everything on an external
server, and VPN / SSH into it to do your work. Don't store the connection info
locally, and don't store any passwords / keys locally. Make sure no
confidential files ever touch your hard drive, even in a cache. Most agents
have no idea how that process works, and unless you have a shortcut on your
desktop / home directory labeled "connect to home fileserver" they probably
won't even think to ask you for any further info.

EDIT: Stupid spelling error. Thanks, recursive.

~~~
thangalin
> Why would you go through such pains if you had nothing to hide?

Why would you not want a camera in your bathroom, if you have nothing to hide?

~~~
TheCraiggers
Please note that I personally hate the phrase "if you have nothing to hide,
you have nothing to fear." I was using it in this case because many people
still operate like that and because, for better or worse, I assume all 'police
type' people fall into this category.

I merely figured the HN community would pick up on the sarcasm.

So please do not patronize me.

------
salmonellaeater
EFF guide to defending your privacy at border crossings:

[https://www.eff.org/wp/defending-privacy-us-border-guide-
tra...](https://www.eff.org/wp/defending-privacy-us-border-guide-travelers-
carrying-digital-devices)

------
revelation
Obviously the officials involved in this case were let go, right? Because who
would enter into an official database that they want to abuse border searches
to search an _attorney_ for a person in an ongoing case with the government,
and for that _exact_ reason?

~~~
jellicle
No one in government considers it to be an abuse. That's the problem.

------
kintamanimatt
The fact such an article has to be written at all is highly concerning. What
kind of free society are we living in when we have to guard heavily against
our devices being confiscated and snooped through just because a border agent
feels like it? To my knowledge there's only precedent of this happening in the
UK and US, but I wouldn't be surprised if other countries are going to join in
on these shenanigans.

------
fry_the_guy
I guess you need to make sure all your backups are in order before crossing
the border.

~~~
mortov
I guess you need to make sure your devices are wiped or left at home.

A backup just means you have your own copy of what just got taken off you at
the border for no good lawful reason.

Having my own copy would not reassure me of much.

~~~
lambda
Or make sure that they have full-disk encryption and are cold shutdown when
you cross the border.

While jurisprudence is still a bit fuzzy on this (it has flipped back and
forth on a few appeals in a few separate cases, and never been conclusively
decided by the Supreme Court), there have been ruling upholding the fact that
you can't be forced to hand over your password due to the fifth amendment,
unless the Government can already show that they know via other means that you
have incriminating files on there.[1]

On the border, you would probably be safe from mandatory disclosure of your
password without the border patrol getting a court order, and of course the
whole point of this complaint is that the government is using border crossing
as an end-run around the courts, being able to do searches that a court
wouldn't otherwise approve.

So, using full-disk encryption that you trust, on all electronic devices that
you carry, and making sure that they are cold shutdown, is probably
sufficient. You should of course have a backup as well, as the border patrol
may impound your devices while they try to decrypt them.

All in all, how much effort we have to do to defend ourselves from our own
government is getting ridiculous. I don't know how to convince the American
public of this, but we are not only violating the privacy of tons of people,
but killing people who choose to drive rather than fly[2] due to the excess
hassle that our "security" systems provide.

1:
[https://en.wikipedia.org/wiki/Key_disclosure_law#United_Stat...](https://en.wikipedia.org/wiki/Key_disclosure_law#United_States)
2:
[https://www.schneier.com/blog/archives/2013/09/excess_automo...](https://www.schneier.com/blog/archives/2013/09/excess_automobi.html)

~~~
andrewpi
After the past week's NSA revelations, just what full disk encryption system
should we be trusting? I think it's fair to assume that any commercial
implementation is compromised.

~~~
lambda
[TrueCrypt]([http://www.truecrypt.org/](http://www.truecrypt.org/)) or [dm-
crypt]([https://en.wikipedia.org/wiki/Dm-
crypt](https://en.wikipedia.org/wiki/Dm-crypt)) are both open source
(technically, TrueCrypt has source available but doesn't meet the definition
of an open-source license, though there's some debate on that point), and thus
publicly auditable.

Also, I'm less worried about FDE being vulnerable to Border Patrol than about,
say, SSL vulnerabilities across the whole network. The plausible deniability,
which they would need to use to protect their sources if they found
information, is a lot lower if you know you have been stopped and your laptop
searched, rather than just tapping all internet traffic so you don't even know
when you've been searched. Mac OS X's File Vault 2 and Windows's BitLocker are
probably sufficient if if you aren't particularly paranoid about being
individually targeted for something big, but I would be more inclined to trust
the open solutions.

------
calbear81
Would this only apply to files that are physically on the hard drive or would
this also mean they may have access to connected cloud storage accounts like
Dropbox or iCloud?

~~~
mbq
They already have your data on Dropbox and iCloud.

------
Aloisius
Anyone know what happens if your laptop is dead when you go through border
control? I mean, they probably don't keep laptop chargers for every model
around.

I've gone through airport security with a dead laptop before at a time when
they would occasionally ask people to turn on their laptop. They just waved me
through.

------
drill_sarge
I have asked this before but didn't get an answer: Do such "you have to hand
out your passwords" laws apply to me if I am just a visitor to such countries
and my home country does not have such a law?

------
aheilbut
They say that there were ~5000 such searches per year, which makes them
extremely rare occurrences given the hundreds of millions of people crossing
the borders in a year.

~~~
Todd
Yes, but they are targeting individual US citizens and using the broad
authority that has been granted to them "to evade the constitution," as the
article states. Ostensibly, this authority was granted in order to protect our
borders.

------
philip1209
Make sure your SSH keys have a password.

~~~
chris_mahan
don't store ssh keys.

~~~
betterunix
SSH keys need to be stored _somewhere_ if they are to be useful. Perhaps the
safest bet is to move the keys to a smartcard, carry that with you while you
travel, then destroy the card before re-entering the USA.

~~~
chris_mahan
I don't store ssh keys. I remember the (long) passwords.

