
Canada Border Services seizes lawyer's phone, laptop for not sharing passwords - cpncrunch
https://www.cbc.ca/news/business/cbsa-boarder-security-search-phone-travellers-openmedia-1.5119017
======
gruez
>Wright refused, telling the officer both devices contained confidential
information protected by solicitor-client privilege.

>He said the officer then confiscated his phone and laptop, and told him the
items would be sent to a government lab which would try to crack his passwords
and search his files.

Can this be used to get whatever case(s) he was defending thrown out because
solicitor-client privilege was violated or parallel construction was used?

~~~
sandworm101
>> Can this be used to get whatever case(es) he was defending thrown out
because solicitor-client privilege was violated or parallel construction was
used?

That isn't what this is about. Nobody is talking about what this is really
about and it isn't anything to do with him being a lawyer. This guy (1) was
traveling alone (2) to a distant (3) and poor (4) country without preexisting
business ties (5). Those are all red flags for sex tourism.

I cannot say this strongly enough: I would never say this guy is a sex
tourist, nor would border services. But they do run a program that targets
people who meet certain criteria, criteria that this guy seems to have fallen
into. Most famously, a bishop returning from Thailand had his laptop
"randomly" searched by this program.
([https://en.wikipedia.org/wiki/Raymond_Lahey](https://en.wikipedia.org/wiki/Raymond_Lahey))
There have been other less-public successes too. The program is controversial
but within the bounds of Canadian law.

So before everyone goes nuts about terrorism and attorney-client privilege,
realize that this innocent person was caught up in a program that has nothing
to do with those things. Canadians are polite, especially when dealing with
sensitive matters. Canadian cops don't shout things from rooftops. Because of
the nature of what they are looking for, border services isn't going to give
any public explanations. They will hold the electronics for some time, as is
their right, but they likely regret "randomly" selecting this particular
person. In the future they will probably add "not a lawyer" to the criteria.

~~~
lohszvu
What is wrong with sex tourism?

~~~
DoreenMichele
In most parts of the world, sex workers don't exactly have strong human rights
protections. In a poor country, it's generally worse.

A relatively wealthy, privileged person going someplace poor for sex is
probably doing it because it facilitates doing rather nasty things in a way
that is comfortable for them. They don't need to be ugly about it. Someone
else will be ugly about it on their behalf while making them feel great about
spreading their money around.

This often means they are raping children or otherwise indulging sexual
predilections too unseemly for sex workers in more well-heeled parts of the
world.

So _sex tourism_ is generally understood to be a polite term for exceedingly
depraved behavior with a veneer of civility.

~~~
sandworm101
This. Anyone who thinks they are targeting people visiting Amsterdam's red
light district, or Nevada's bunny ranch, needs to read more. This is about
people seeking underage sex in countries where it is more accessible than in
Canada. Thailand, Vietnam, all of South America ... a single male with no
family ties, returning alone from such countries should expect some attention
at the Canadian border. They are looking for the pictures, the possession of
which is a serious crime in Canada.

------
LeonM
I have asked this question before, but never really got a satisfiable answer:
why do governments (not just USA/Canada) spend these resources to check data
physically at a border?

It's not like you need to 'smuggle' any form of data physically.

I mean, any data considered to be dangerous (like terrorist attack plans,
atomic bomb designs or political inside information) can be accessed across
borders via the internet. You don't need to have those on any of your devices.

And even if you had the data on a laptop, how does border patrol even know
what they are looking at?

~~~
bonestamp2
This might partially answer your question...

I had my laptop searched at the border once. It was my work laptop. They told
me the same thing, if I didn't share the password they would confiscate my
computer.

It felt wrong that they should be able to search my computer, but I also felt
bullied because I was going to need my computer the next day if I wanted to
work and I think most people, including my boss at the time, would not see a
problem with the search, so I let them search.

All they did was open up Windows Explorer and do a search for *.jpg. Then she
looked up at me and said, "What kind of images am I going to find on your
computer today?"

I don't remember what I said, but basically it took about 30 minutes for
Windows to display all the results. She looked through them all and then I was
free to go. I got the impression that they were looking for child pornography,
but I don't know that for sure.

Either way, it was a pretty innocuous search, but this was also about 10 years
ago. From what I understand, they now pull all the files off your computer and
index the contents. They likely have a list of keywords that it searches
against immediately and then it's indexed for when they add more keywords
later.

~~~
majos
Why do you think they did this kind of invasive search? It's very weird to me
that border patrol would randomly search all the images on someone's computer.
This doesn't even seem like an efficient way to catch criminals. Power trip?

~~~
9HZZRfNlpR
Maybe just "a randomized search". Sounds very inefficient.

I think they are just looking for crimes like drug mules, people coming to
work with tourist visa etc. Everyone here talks about nuclear plans but I
doubt.. probably bully too but against simple minded criminals it can work.
Texts of arranging work or when is the package going to arrive etc.

~~~
majos
Right, but parent comment said they just searched all images (or jpgs). Hard
to think of any motivation beyond finding child pornography, no? But that
doesn't seem like something you'd reasonably become suspicious of during a
short interaction.

------
seanalltogether
> Officers uncovered a customs-related offence during 38 per cent of those
> searches, said the agency.

I really want to understand what kind of digital data is considered a customs-
related offence.

~~~
claudiawerner
There are cases at the Canadian border in which the investigators search for
"boy" or "girl" using the Windows search tools to see if there is child
pornography on your device. In other circumstances, they uncover hentai[0]
showing characters that appear to be underage - and bringing that into Canada
is illegal (in fact, much like Australia and New Zealand, any sexual depiction
of fictional minors is illegal, and that can include stories or other text).
There are anecdotal and well-documented cases for the latter[1]. One Reddit
user claimed that the investigators at the border found browser-cached
_thumbnails_ of such material (since it used to be permitted on Reddit) and
he was jailed for a day or something like that.

Not to suggest that all of the 38% count for that, but with the popularity of
drawn pornography I'd wager it makes up a sizable chunk.

[0] Hentai refers to anime-style drawings of fictional characters.

[1] [https://www.google.com/search?client=firefox-b-d&q=canadian+...](https://www.google.com/search?client=firefox-b-d&q=canadian+border+hentai)

~~~
beagle3
Is there an exception for religious texts? There is more than one common
religion whose holy texts depict sexual activity with minors.

Also, if I have a copy of Nabokov “Lolita” on my kindle, will I get in
trouble? Stephen King’s It? An apt pupil?

~~~
ghjjjj
“Also, if I have a copy of Nabokov “Lolita” “

Enforcement is selective.

------
Benjamin_Dobell
It's stuff like this that makes me want to build after-market privacy-oriented
Samsung firmware, that at a low level (secondary bootloader) supports dual
booting. By default you'd boot into the "non-private" environment. That way if
customs asks to see your device, you simply boot it up and hand it over. Could
make life a lot easier for lawyers, doctors, C-level executives etc.

I should note, dual-booting Android phones isn't a new concept, it's just
generally performed at a higher (less secure) level. In particular, the
secondary bootloader implements Loke (flashing protocol)[1], so a custom
secondary bootloader could also prohibit flashing of unsigned images.

[1] source, I'm the developer of Heimdall - [https://github.com/Benjamin-Dobell/Heimdall](https://github.com/Benjamin-Dobell/Heimdall) - [https://gitlab.com/BenjaminDobell/Heimdall](https://gitlab.com/BenjaminDobell/Heimdall)

~~~
numakerg
Would this system come with plausible deniability?

Also, does anything like this exist for desktop operating systems?

~~~
bitcoinmoney
Yeah. You can install GRUB and default load it to windows 10 fresh install.
Put some dummy files in the desktop, make it cluttered with pictures of cats
and articles about meditation. This might sound like a great idea maybe I
should try it!!

~~~
andai
People say they scrape the filesystem (rather than copying everything), maybe
they'd detect *nix systems too.

------
KingMachiavelli
I've always preferred having a dedicated desktop that acts as a personal
server and then a small cheap laptop that I use to remotely access it.

While this preference is mostly driven by capitalizing on the
performance/price/size difference between desktops and laptops, it has lots of
advantages when it comes to these situations.

My Dell XPS 13 only has 128GB of storage so none of the data exists solely on
that device; it acts mostly as a dumb terminal that I use to SSH to my
desktop. I suppose upon booting the machine they could request SSH key
passwords and then search my desktop but this seems unlikely.

While most of the issues with these border searches are privacy/ideology
based. These types of security theatre can easily be circumvented.

Of course, just using Linux may get you detained for a bit which makes it all
moot. Maybe having a business card saying I'm a systems administrator (which
is true) would make Linux an easy explanation.

If these searches increase and become normal, I think it's only a matter of
time before Apple implements a cloud based 'data refuge' that would allow
users to temporarily offload encrypted sensitive data to the cloud while
crossing borders and traveling to countries with weak or no privacy laws.

~~~
RandomGuyDTB
Do you have a citation on how using Linux can get you detained?

~~~
freedomben
I haven't heard of Linux getting people detained at border crossings, but it
definitely gets you more scrutiny from other government organizations like the
NSA[1].

[1] [https://www.eweek.com/security/linux-lands-on-nsa-watch-list](https://www.eweek.com/security/linux-lands-on-nsa-watch-list)

------
erik
Digital privacy while crossing borders seems to increasingly be an issue. And
I'm worried that it's not going to improve any time soon. Politicians and very
rich people don't deal with border security the same way normal people do.

~~~
mrtksn
That’s my main issue with the recent trend to make international travel
harder.

There’s a huge push to assume that travelers are criminals and all kind of
inconveniences, expenses or outright humiliations are O.K.

~~~
tfha
I've certainly reduced my tourism levels on account of CBP. Can you not rip my
car to shreds every time I cross the border?

~~~
isostatic
Thus reducing CO2 and working towards saving the planet

~~~
fao_
If you took cars away from the entire population that would only account for
up to 25% of the CO2 being released. So, on this small a scale it's doing
almost nothing.

~~~
saagarjha
A 25% reduction in CO₂ is a massive undertaking the likes of which have never
been attempted before.

~~~
fao_
And yet it still is not enough. Not to mention that banning car usage will
disproportionately affect poor, disabled, rural, and mentally ill people.

------
shiado
Many of the services which could be accessible from those devices are American
services with data residing on American servers. I wonder if it is possible to
use hacking laws as a means of dissuading border agents from looking at
devices. A Canadian agent might have jurisdiction in Canada but what if they
get charged under the CFAA in the USA for accessing a server they aren't
legally allowed to access. Perhaps it would be possible to design a specific
legal/digital service for people to install with servers all over the world as
a type of legal landmine meant to punish agents searching data by using
hacking laws in many jurisdictions. Think of it like copyleft for stopping
agents from snooping.

~~~
panarky
_CBSA officers are directed to disable any internet connection and only
examine content that is already stored on a device_

~~~
shiado
Perhaps one could add a specific sort of legal DRM crypto layer and then get
them for anti-circumvention. No internet connection required.

~~~
zerocrates
As you might expect, law enforcement is specifically exempt from the DMCA's
anticircumvention provisions. I would imagine that's true for other countries'
equivalents as well.

Same with the CFAA.

------
fencepost
He's suing to get them back and for compensation for having to "temporarily"
replace them, but even if he wins he probably shouldn't trust either device in
the future (possibly more so for the laptop).

~~~
gruez
>he probably shouldn't trust either device in the future (possibly more so for
the laptop).

Seems risky for the government to put any firmware/hardware implants on those
devices. The user is naturally going to be suspicious of it because the
government had unrestricted access for days/weeks. So there's a high chance
that the user might not even use it or will send it to an expert for analysis.
If discovered, it's going to look extra bad for the government because there's
no doubt that they did it.

~~~
mattnewton
Suspicious, sure, but most users aren’t equipped to do that kind of diagnosis,
and many won’t be able to afford new devices, and maybe it will look even
worse for the government but I am certain absolutely nothing bad will happen
to the people who added the malware.

~~~
chopin
But in this case the EFF would love to do a forensic examination.

------
jrandm
Why doesn't everyone simply refuse to share passwords, as is mentioned
numerous times on various Canadian government websites? Basic search finds
tons of pages from all sorts of departments
[https://www.canada.ca/en/sr/srb.html?q=share+password](https://www.canada.ca/en/sr/srb.html?q=share+password)

A few samples

> 95% [of polled Canadians] know not to share their passwords

[https://www.getcybersafe.gc.ca/cnt/rsrcs/vds/nln-sft-stck-p/...](https://www.getcybersafe.gc.ca/cnt/rsrcs/vds/nln-sft-stck-p/index-en.aspx)

> don’t share your PIN, password or personal security questions and answers
> with anyone, not even family members

[https://www.canada.ca/en/financial-consumer-agency/services/...](https://www.canada.ca/en/financial-consumer-agency/services/banking/online-banking.html)

> If you’ve shared passwords with friends, now would be a good time to change
> them

[https://www.getcybersafe.gc.ca/cnt/blg/pst-20180913-en.aspx](https://www.getcybersafe.gc.ca/cnt/blg/pst-20180913-en.aspx)

> Protect your password, don’t write it down or share it with anyone and
> change it often

[https://www.canada.ca/en/employment-social-development/progr...](https://www.canada.ca/en/employment-social-development/programs/homelessness/hifis/training/administrative/module-1/thinking-security.html)

A few days of every single traveler saying "no" would force them to either
begin seizing all electronic devices or to drop the entire endeavor as
untenable. This problem doesn't need a technical solution beyond making sure
locked devices are actually secure.

~~~
jason0597
Because border police have authority

~~~
jrandm
Could you elaborate on that thought?

Individuals also have the authority to assert their rights, one of which in
Canada is the freedom from unreasonable search and seizure[0]. R v Fearon[1]
places limitations on this exact type of search one could easily argue aren't
met given the descriptions of these searches I've read.

[0]
[https://en.wikipedia.org/wiki/Section_8_of_the_Canadian_Char...](https://en.wikipedia.org/wiki/Section_8_of_the_Canadian_Charter_of_Rights_and_Freedoms)

[1]
[https://en.wikipedia.org/wiki/R_v_Fearon](https://en.wikipedia.org/wiki/R_v_Fearon)

~~~
tiglionabbit
You don't have any rights at the border. The moment they decide to search you
they will ask for your passwords. If you don't give it, they'll detain you
until you do.

~~~
jrandm
> You don't have any rights at the border.

This is, to the best of my knowledge, factually untrue.

> Canadian courts have generally recognized that people have reduced
> expectations of privacy at border points. In this context, privacy and other
> Charter rights continue to apply but are limited by state imperatives of
> national sovereignty, immigration control, taxation and public safety and
> security. The Canadian courts have not yet ruled on whether a border officer
> can compel a person to turn over their password and on what grounds, so that
> their electronic device may be searched at a border crossing.

[https://www.priv.gc.ca/en/privacy-topics/public-safety-and-l...](https://www.priv.gc.ca/en/privacy-topics/public-safety-and-law-enforcement/your-privacy-at-airports-and-borders/)

It goes on to specify that while the law is unclear, an _unpublished_ Canada
Border Services Agency policy states searches "should not be conducted as a
matter of routine; such searches may be conducted only if there are grounds or
indications that “evidence of contraventions may be found on the digital
device or media.”" [nested quotes sic from page, presumably from this
unpublished policy]

IANAL (nor Canadian) but the Canadian Charter of Rights and Freedoms and the
Customs Act, and probably many more documents and judicial rulings, define the
rights available to anyone crossing the Canadian border. CBSA policy may not
be legal, and only by exercising their rights and refusing to cooperate with
illegal orders will citizens be able to effect change.

Many brave people in the past have risked detainment, property seizure, and
worse in order to protect the civil rights of millions of others. Apparently,
in regard to safeguarding personal data privacy, this is again necessary.

~~~
ghjjjj
The Charter is an embarrassment/joke -> see notwithstanding clause.

------
mLuby
Fighting this is all well and good, but we should look into the near future to
when brain scanning or lie detecting has improved.

The fundamental problem is that governments believe they deserve to know
citizens' and travelers' thoughts. (Cell phone contents are a close proxy.) I
disagree, and believe they can still provide adequate border and intranation
security without it.

------
throw2016
This is the definition of a police state, with law enforcement officers
empowering themselves and demanding to go through your personal papers, how
dehumanizing is this?

What is the difference between this and the stasi or the police of any
totalitarian state demanding to go through your personal papers? There is a
huge difference between physically checking your laptop or phone and demanding
to go through its contents and your personal data and thoughts. This is hugely
invasive and dehumanizing and is the definition of totalitarianism. The word
democracy by definition cannot include this.

Even more disturbing is the cognitive dissonance of those who have complete
moral clarity when condemning police state tactics in some third country and
then stretching credulity to normalize the exact same thing when done by their
own governments or 'democracies'. This is the dangerous road to totalitarianism
where values are not defined by actions but actors.

------
albertgoeswoof
So what’s the Canadian government's real position on this?

Are individuals and companies allowed to store private and confidential data,
or is all information seizable by the government without a warrant at the
border?

They can pick one...

~~~
bonestamp2
It's not that black and white. Private and confidential data is allowed;
however, customs and border patrol also have legal authority to inspect such
private and confidential data when you cross the border. They do not have the
right to inspect it, without warrant, elsewhere.

This is the same in the US, maybe even worse in the US. Customs can inspect
your home if you live within 100 miles of any border...

[https://www.citylab.com/equity/2018/05/who-lives-in-border-p...](https://www.citylab.com/equity/2018/05/who-lives-in-border-patrols-100-mile-zone-probably-you-mapped/558275/)

------
dontbenebby
Why do border services think they can seize a device and send it to a lab?

If a border officer suspected I had a hidden compartment in my suitcase could
they ship it off to a special lab?

I don't agree with (but can see the logic in) them copying data off your HD
and trying to crack it later.

But I don't understand what legal argument is to be made for arbitrarily
seizing property at the border.

~~~
noarchy
>But I don't understand what legal argument is to be made for arbitrarily
seizing property at the border.

It looks an awful lot like garden variety theft, to me, which makes me
question whether or not we should use their vocabulary here ("seize", versus
"steal"). That said, I hesitate to wager on whether or not a court will side
with the victim.

------
dmix
> He said the officer then confiscated his phone and laptop, and told him the
> items would be sent to a government lab which would try to crack his
> passwords and search his files.

Hopefully they were powered down and used proper full-disk encryption.

~~~
Zombieball
Do you think it's better to have an iPhone powered down or on?

I am wondering if it would be possible to leverage remote wipe features, but
maybe the border agents power off the device or put it in a bag / container
that blocks cellular signals.

~~~
mikeash
Shouldn’t matter. The key thing is to have a strong password, and disable any
biometric authentication beforehand. (You can do this by squeezing the side
buttons for a few seconds until the “power off” screen appears. The phone will
then require a password before reenabling biometric authentication.)

~~~
floatingatoll
Will that also terminate the in-memory ephemeral key that’s set up at first
login to permit background app refreshes?

~~~
mikeash
Good question, I forgot about that. I'd have to read through the security
guide again. I wouldn't personally worry about that, as I think the system is
sufficiently robust against external attacks, but obviously other people's
priorities and levels of paranoia may differ.

------
ivl
Personal computers (and cell phones) contain more information than people
could have ever imagined when policies around searches at borders became a
thing. It's really unfortunate that there's no desire to respect that. You
could find more from someone's smartphone than you could via a search of their
home with a warrant.

I'm pretty glad I travel a lot and can afford a second phone as a total burner
that I keep nothing on, and a new m.2 SSD and a clean install for my laptop.
It's saved so much hassle, as the one time I was asked to look at them, it was
an easy "Sure officer, go right ahead. I hope you're quick though, there's
nothing on either."

------
Max-q
> Officers uncovered a customs-related offence during 38 per cent of those
> searches, said the agency.

This is hard for me to comprehend. Does anyone have an idea of what 38% of the
phones can have stored on them, that is illegal to have when crossing the
border?

~~~
tomschlick
> Does anyone have an idea of what 38% of the phones can have stored on them,
> that is illegal to have when crossing the border?

Generally it's things like text messages from friends/family/potential
employers that lead agents to think the person isn't going to abide by their
non-work/short term visa.

~~~
jameshart
That isn't a customs-related offence, though - that's an immigration-related
offence. Customs is concerned with the movement of goods, not movement of
people.

~~~
tomschlick
They handle both at the border.

------
hestefisk
It’s even worse in Australia:

[https://www.theguardian.com/world/2018/aug/25/sydney-airport...](https://www.theguardian.com/world/2018/aug/25/sydney-airport-seizure-of-phone-and-laptop-alarming-say-privacy-groups)

------
bgitarts
Why aren't plausible deniability passwords a feature in operating systems?
Especially since many now offer full disk encryption.

What would happen to these searches if plausible deniability passwords became
more widely used?

~~~
brooksgarrett
I took a workshop on custom Kali builds where they specifically spoke about
LUKS headers and shipping them via email/gdrive to yourself and removing them
from the physical device. It renders the partition useless. This was viewed as
a better alternative than something like TrueCrypt with decoy passwords since
if the government can ever prove you did it then that's obstruction. With the
headers gone and no local copy you can't provide what you don't possess.

~~~
brandon272
> This was viewed as a better alternative than something like TrueCrypt with
> decoy passwords since if the government can ever prove you did it then
> that's obstruction.

If that qualifies as a type of legally actionable obstruction, it would seem
that intentionally wiping your device before you cross a border and then
reloading data onto it once you arrive at your destination would also qualify.

~~~
brooksgarrett
In one, you intentionally give false information and lead the government to
believe you in good faith complied. In the other, the data is inaccessible and
the government is aware it is inaccessible. They can then evaluate risk and
seize the device or take some other action from that knowledge. IANAL and I
don't play one on TV.

ETA: To complete the threat analysis, and if they seize two devices, one with
a password protected key and a LUKS volume without headers? I'll take LUKS.

~~~
brandon272
> In the other, the data is inaccessible and the government is aware it is
> inaccessible.

Because the person made it inaccessible with the intention of concealing it
from law enforcement and others. There is still a means to decrypt the data.

All of the actions described in this thread - whether it's decoy passwords,
encrypted volumes with headers, burner devices, or wiping data and then
restoring at the destination, all seem like they could be construed by law
enforcement as a person obstructing their ability to sift through the
individual's data.

(But IANAL either.)

------
imroot
I really can't be the only person who travels internationally with a burner
phone and burner laptop. I'll generally wipe them both sitting at the airport
waiting for my flight home, just so that I can have the e-passport application
up by the time that I land and go through customs. (Admittedly, I should just
upgrade my TSA Precheck to Global Entry, but, I'm not even sure that I want to
go through with that process).

~~~
tiglionabbit
When I was working at Google I had to go through some training videos that
explained that you should never bring corporate devices across the border for
this very reason -- that they could be searched, thus breaking the NDA.
They'll ship you a clean laptop instead.

------
8fingerlouie
Cases like these make me want to take extreme precautions when traveling.

I recently returned from a trip to the US, and prior to boarding (in any
direction) I wiped my browser history, and logged out of iCloud, wiping all
message history etc. When I arrived at my destination I simply restored from
the last iCloud backup, and things "magically" reappeared.

Reading the comments here made me realize that it's much more than just
personal emails/notes, but also things like Uber history, frequent locations,
frequent calls, etc. Basically anything you do that has a pattern to it, or
matches a list of keywords.

As I don't see the need nor justification for any government to profile me in
detail, I'm seriously considering doing a complete wipe of the phone for my
next trip, setting it up as a basic _phone_ and restore a backup once I
arrive. For a laptop I would probably set it up as new, and bring an
installation media with me, reinstalling when I arrive.

------
vba
Do you actually have to tell the officers your password or do you need to
just unlock the device. Also, are you allowed to be there while they are
searching it to see what they’re looking at/searching for?

------
thinkingkong
I never really understood the reason for seizing an electronic device anyway.
Surely if something was important / secret enough it wouldn't be _on_ the
phone. What are they looking for, exactly?

~~~
javagram
Most criminals don’t actually have great OpSec.

I’m sure there are tons of phones that have incriminating photographs in the
default camera app, or incriminating text messages or saved voicemails or who
knows what.

~~~
fjsolwmv
Most people don't have great opsec, and most people are technically criminals.

------
emptybits
If you demonstrate that government employees changed files all over your hard
drive during a "search" then I wonder if recourse or compensation or legal
action is possible.

I understand the law permits CBSA agents to perform warrantless searches. e.g.
_reading_ the contents of your hard drive. This is, rightly, controversial.
But then does the law also permit them to _modify_ the contents of your hard
drive?

The act of logging in and browsing your computer will make many changes to
system log files, to metadata of documents (e.g. last accessed date), etc.
(Just thinking out loud about technicalities and other angles on this.)
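
The changes described in the comment above can be made visible by comparing a file manifest taken before a device leaves your hands with one taken after it is returned. This Python example is added here and is not from the thread or any commenter; the function names, file names and simulated changes are constructed for illustration.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map every regular file under root to its size, mtime and SHA-256.

    Access time is deliberately not recorded: hashing a file reads it, and
    depending on mount options that read can itself update atime.
    """
    root = Path(root)
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue  # skip links, sockets, device nodes
            st = path.stat()
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            manifest[path.relative_to(root).as_posix()] = {
                "size": st.st_size,
                "mtime_ns": st.st_mtime_ns,
                "sha256": digest.hexdigest(),
            }
    return manifest


def diff_manifests(before, after):
    """Classify differences between two manifests of the same tree."""
    report = {"added": [], "removed": [], "content_changed": [], "metadata_only": []}
    for rel in sorted(set(before) | set(after)):
        if rel not in before:
            report["added"].append(rel)
        elif rel not in after:
            report["removed"].append(rel)
        elif before[rel]["sha256"] != after[rel]["sha256"]:
            report["content_changed"].append(rel)
        elif before[rel]["mtime_ns"] != after[rel]["mtime_ns"]:
            # Same bytes, different timestamp: the file was touched or rewritten.
            report["metadata_only"].append(rel)
    return report


def demo():
    """Build a constructed tree, simulate changes, and return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "docs" / "brief.txt").write_text("privileged draft\n")
        (root / "notes.txt").write_text("meeting notes\n")
        (root / "old.log").write_text("boot ok\n")
        before = build_manifest(root)  # in practice, store this off the device

        # Constructed changes standing in for what a login and browse could leave.
        (root / "docs" / "brief.txt").write_text("privileged draft (edited)\n")
        st = (root / "notes.txt").stat()
        os.utime(root / "notes.txt", ns=(st.st_atime_ns, st.st_mtime_ns + 5_000_000_000))
        (root / "old.log").unlink()
        (root / "search_index.db").write_bytes(b"\x00" * 16)

        after = build_manifest(root)
        return diff_manifests(before, after)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The "before" manifest is only useful as evidence if it is kept somewhere other than the device being examined, and the comparison should be run against a read-only mount or image of the returned disk.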

------
hackermailman
Same thing happened to me last year, flagged by Canada customs as some kind of
potential sex criminal being a solo male traveller and I just gave them my
unlocked phone to search through so I could get out of there after a 12hr
flight.

I had keepassx android 3rd party app installed to keep financial info and
passport pics in case my bank cards and other things were stolen, totally
forgot it was there and they didn't even ask me for the pw, returning my phone
and letting me go. If I was a degenerate criminal I could have had anything in
there; I was surprised they didn't notice it.

------
rjf72
Exactly how many meaningful crimes have been prevented or busted because of
this behavior?

I think sacrificing liberty for security is generally a bad idea. But it seems
we're increasingly sacrificing liberty for nothing, which is a rather worse
idea. We're creating a dystopia for what? To get people to click on ads on one
front, and on fronts like this - the pretext is mostly to stop terrorism, but
that's something that should be cleanly quantifiable. So let's quantify it.
How many terrorist attacks has this stopped? I think the safe ballpark is
exactly 0.

I also don't understand why more people don't seem to ask this question. Can
governments do this is going to be an extremely difficult to answer question
that few of us lack the expertise to even begin to delve into. Even for those
of us with it, there are contradictory views. It seems much easier to answer
_should_ governments do this. And if they're driving a meaningful
deterioration of society, as I would call the stripping of basic rights of
individual privacy, and have nothing of substance to show for it - then this
is something for which there is no ambiguity whatsoever.

------
notyourday
> He said the officer then confiscated his phone and laptop, and told him the
> items would be sent to a government lab which would try to crack his
> passwords and search his files.

I'm breathlessly waiting for the "We will not go to Canada! Move the
conferences out of Canada!" posts.

------
dijital
Just enable guest mode. Pretty sure they're not employing top notch cyber
investigators for security searches. They aren't smart enough to know the
difference and it'll meet their "requirements". Fucking assholes

------
Amygaz
Considering he is a lawyer and a politician and civil liberties activist, he
knew CBPA’s rights very well, and this is a public stunt to encourage the
government to change the law.

A simple search about this Nick Wright reveals that this is not his first
encounter with the authority. He is definitely more active about civil
liberties than the average person. He has been arrested during a G20 event,
and his story then sounds a bit like this one.

So, we either have a case of lightning striking the same person twice, or he
likes to play games with the law.

~~~
mrunkel
> So, we either have a case of lightning striking the same person twice, or he
> likes to play games with the law.

Or he's being targeted now because of his past activism.

------
ElCapitanMarkla
Something I wish iOS had is the dummy password to unlock the phone into a
sandbox-type area without any of my personal data. “Yeah sure I’ll unlock
it, nope that’s all I have on there”

~~~
Macross8299
I think this might backfire, though.

It's the same problem with Veracrypt/LUKS hidden volumes. If they know about
the sandbox capability, they could easily say "okay, now unlock the real one"
if they find nothing incriminating. What happens if you _did_ unlock the real
volume/sandbox in the first place and have nothing incriminating on it?

Only remedy for this is having arbitrarily many sandboxes.

~~~
lalos
You could get away with it if you could download sandboxes from iCloud and be
allowed to have multiple sandboxes.

------
ada1981
I’d love to have a second password that when I enter it automatically encrypts
the phone and simultaneously loads a dummy user account.

This way I can give them my password, let them look around at some basic
programs, benign emails, photos, etc. and then hand me back the phone.

Perhaps even a couple dummy passwords so I can keep a password like “1111” to
generate a false positive if they try to brute force my phone.

I’m surprised this doesn’t exist as a jailbreak feature.

If it does, please let me know as I’ve looked.

~~~
iwalton3
The problem is if these features become common enough you will start getting
asked about them. Even worse, if you aren't using them you may be asked to
provide something that is impossible to provide.

~~~
ada1981
So the answer I suppose is as stated. Cloud backups and when traveling,
clearing our devices.

------
antpls
I don't know the past of that lawyer, I don't know if that story is true or
not, but it worries me even if I am 6000km away.

------
p2t2p
On Linux, one could use dm-crypt in plain mode with keys on a number of flash
drives. Good thing about keys, they look like unformatted disks, so you can
send flash drives via mail in advance. Whenever you open a laptop like this
without a key inserted, it looks like it has no bootloader, no OS. There is no
metadata, no nothing.

Get ready to have your devices seized though =).
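
Added example, not part of p2t2p's comment or the thread: a triage-style check of what "no metadata" means to an examiner. LUKS announces itself with a header magic, while plain-mode dm-crypt ciphertext or a raw key has no header but is high-entropy, which still sets it apart from a zeroed or erased drive. The sample buffers are constructed, and the function names, labels and 7.9 bits/byte threshold are assumptions.

```python
import hashlib
import math
import struct
from collections import Counter

LUKS_MAGIC = b"LUKS\xba\xbe"   # first 6 bytes of a LUKS1/LUKS2 primary header
SAMPLE = 64 * 1024             # bytes examined from the start of the device


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for constant data, close to 8.0 for random."""
    if not data:
        return 0.0
    n = len(data)
    return sum(-(c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(head: bytes) -> str:
    """Label the first bytes of a device image the way a triage tool might."""
    if head[:6] == LUKS_MAGIC:
        return "luks%d-header" % struct.unpack(">H", head[6:8])[0]
    if len(set(head)) == 1:
        return "blank"                       # zeroed or erased media
    if shannon_entropy(head) > 7.9:          # threshold is an assumption
        return "high-entropy-no-header"      # plain dm-crypt, raw key, or random wipe
    if head[510:512] == b"\x55\xaa":
        return "boot-sector-signature"
    return "other-structured-data"


def constructed_samples() -> dict:
    """Synthetic device heads; none of these come from a real disk."""
    pseudo_random = b"".join(
        hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(SAMPLE // 32)
    )
    return {
        "luks2": (LUKS_MAGIC + struct.pack(">H", 2)).ljust(SAMPLE, b"\x00"),
        "zeroed": bytes(SAMPLE),
        "erased_flash": b"\xff" * SAMPLE,
        "plain_or_key": pseudo_random,
        "mbr": bytes(510) + b"\x55\xaa" + bytes(SAMPLE - 512),
    }


if __name__ == "__main__":
    for name, head in constructed_samples().items():
        print(f"{name:13s} {shannon_entropy(head):5.3f} bits/byte -> {classify(head)}")
```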

------
DoofusOfDeath
Is it legal to take steps to intentionally frustrate any future searches that
may be done against the device by border agents, in cases where there is no
other crime being covered up?

For example, having a trusted remote party encrypt your data, and that party
will only decrypt it once you've cleared customs?

~~~
scarlac
The problem here is that they confiscate regardless. Even when it's very clear
they do not have the means to break the encryption at all. Any excuse,
reasonable or not, will dissatisfy them and they'll confiscate either
permanently or temporarily (both seem to have happened).

~~~
Zak
It seems to me that the best option is to keep sensitive data on encrypted
removable storage devices while having light security on the internal storage
of a laptop or phone.

Access could then be granted to the laptop/phone, but refused for the external
storage device. You want to indefinitely detain my $20 SD card if I won't give
you the password? That's not a sufficient threat to convince me.

~~~
paulkon
They could also refuse entry or detain you if you're not a citizen for
obstruction of justice.

These laws that give border security unfettered search and seizure authority
along with issuing punishment for non-compliance is the problem.

~~~
Zak
I agree, the laws are the problem. I can't do a whole lot to change the laws,
and I am a citizen of the country I think is most likely to try something like
that, so the technical solution is really all I have. So far, I have not had
to employ it.

------
ccozan
While for a laptop one can use xen ( or grub, or similar ) to default boot
into a pretty boring image of, let's say, windows 10, with some fake-but-good-
looking documents, photos, etc, I wonder what are the possibilities on a
smartphone? Would this be possible on an Android?

~~~
dawnerd
That really won't fool them though. EFF recommends against it too.

~~~
snazz
What exactly is wrong with this approach? It should get you through the border
with no further suspicions, since I’m guessing they don’t have the time to be
checking for hidden partitions for every traveler they pull over.

~~~
panarky
1) Because this can give officers probable cause to detain you. Just like if
they find a hidden compartment in your luggage, even if there's no contraband
in it, you'll be held many hours in a freezing cold room while they examine
every detail of you and your property.

2) Because it could be a crime. Failure to disclose an encryption key if
requested by UK Police and Customs authorities is a breach of The Terrorism
Act, for which you can be arrested.

3) If they ask if you have hidden or encrypted data, and you lie about it, in
the US you're now guilty of a federal crime -- even if the hidden volume itself
is empty or innocuous.

~~~
ccozan
Yes, true.

But if you are at the border and give to the officers all what they want (
access to your laptop and phone ), why would they have further suspicions to
interrogate and/or detain and deep search your devices, if you are really a
clean person, dunno, white, 30-40 years, suit up, good clothing, no strange
stuff in traveling history..etc.?

------
JustSomeNobody
I remember signing documents that said I (basically) would not allow anyone
access to my work phone or laptop. This would put me in quite a pickle if work
council wasn’t immediately available I would think.

Glad I don’t travel for work outside the US.

------
sonnyblarney
"During 38 per cent of those searches, officers uncovered evidence of a
customs-related offence — which can include possessing prohibited material or
undeclared goods, and money laundering, said the agency."

If this is true ... wow.

------
x0054
Next project: figure out how to add a fake user to my MacBook and only have
the real HD / user boot if a key combo is placed. Apple should add users and
this as an option if they care about security, to iOS.

~~~
tiglionabbit
They should show just one account, but give it two passwords: a real one, and
one that secretly takes you to a different account that's also customizable.

------
coldacid
Even for Canada, standard disclaimers apply to any hardware taken by the
government: Don't connect them to anything else, bleach them and burn them.

------
adad95
[https://borderprivacy.ca/](https://borderprivacy.ca/) It's a site trying to
campaign about this issue.

------
craftinator
I'm planning a trip overseas sometime in the future, and I'm sorely tempted to
write up some malware that will activate if someone attempts to download my
hard drive in the wrong way. I'll provide the password, along with a statement
that I'm not authorizing a search of the drive, and if they want to break the
law they are doing so at their own expense. Any lawyers know if I would still
be liable for the outcome?

------
kenneth
I think the best solution to that is to have a "honeypot" account, at least on
your laptop. Have a random account with some photos / random documents that
you login to by username. Hide the main account's home folder and hope the
authorities aren't savvy enough to look properly. They probably aren't.

Perhaps add something to its login files that'll automatically wipe the main
account data.

------
drivebycomment
Get a Chromebook, factory reset before going through security, go through the
security, then login. Same for the phone for android. Nowadays both Chromebook
and Android recover almost all states back fairly quickly and smoothly that
you can do this with minimal hassle.

i.e. There's no password to share if the devices are fresh.

------
karmakaze
I think there could be a market for backup/wipe/restore services. Very
feasible for phones leave minimally needed contact info during travel.

For laptops keep the OS on device and user data on external pulled and put in
checked luggage. Security's annoying but lazy.

Edit: removable storage on mobile could get popular as a privacy feature.

~~~
paulkon
I imagine a service which makes an image of your system and launches it as a
remote VM that you can access or store to an encrypted external disk.

If your encrypted disk gets through then you can restore your data or boot
from it.

If not then you can remote into your machine in the cloud or download the
image if you have access to a fast connection at your destination.

------
yaiu
Just set a duress password
[https://github.com/rafket/pam_duress](https://github.com/rafket/pam_duress)
[https://github.com/jcs/login_duress](https://github.com/jcs/login_duress)

~~~
justadudeama
Pretty sure this can count as lying to / misleading a border agent.

~~~
ultrarunner
Is "now, listen, you knew what we meant" a valid response, though?

------
helsinki
Something similar happened to me. One of the most uncomfortable moments of my
life.

------
octosphere
These cases keep on cropping up and you see people suggesting to do some sort
of technical trick like taking the hard-disk out of the laptop and carrying a
TailsOS live USB flash device for your computing. Other tricks might include
mailing a USB flash disk to a hotel reception with the intent of picking it up
when you arrive. These are all fraught with risk and you could appear extra
suspicious by doing these. Another 'trick' I see people advocating for is
trying to act like a so called 'normie' and having normal average joe files on
your computer and maintaining an innocent-looking browsing history where you
can be seen visiting cnn.com or even cbc.ca for your news and not some left-
wing conspiracy websites. The only caveat with the 'normie' method is that you
_will_ need to access your more controversial/sensitive files at some later
stage, so this could mean logging into Dropbox and then downloading an
encrypted Veracrypt container onto your machine and proceeding to work with
those files in the privacy of your hotel/where-ever.

~~~
joe_the_user
Well, I'm not sure if one wants to just call security approaches "tricks". A
"trick" approach is often one that can be undone if your adversary knows about
it (keeping your files hidden somewhere in your luggage would be a "trick"). A
cohesive approach should be unbreachable if minimal conditions are met.

If you can assure a "trustworthy" base computing environment (one that isn't
keylogged etc), then having your valuable files encrypted in a remote location
should work (which is the idea of tailsOS boot + a remote drive). How
determined the adversary is would determine how hard they might fight against you
getting such a trustworthy environment.

Just sayin'

~~~
snazz
The “tricked-out-bootloader” approach also seems to be brought up often: have
your hard drive partitioned into two sections (or even have two hard drives),
then configure your bootloader to start up the non-encrypted, not suspicious
partition unless you press a specific key combo at boot and enter your disk
encryption password.

------
Havoc
I guess America no longer has a monopoly on that unique brand of freedom.

------
connorcodes
He did the right thing... Even if it was illegal.

------
idlewords
Since he's a lawyer, there is a 99% chance his password is 'password123', and
that it is written on a legal pad in his laptop bag.

------
jijji
Carry two phones, one used only when traveling across the border. Swap sim
cards when needed.

------
pard68
New Zealand just got a lot closer...

------
wolco
This is one problem asking for a SaaS solution. What services exist to help
this situation?

~~~
paulkon
If a solution were to be created, could the company be held liable for
obstruction of justice via aiding and abetting?

I guess this could be taken care of with an extended terms of service which
lay out how the product shouldn't be used to prevent search and seizure by
government officials...

~~~
wolco
Not if it is marketed as an online desktop or backup.

------
levlaz
Well, at least it’s not just the US that abuses this.

------
richardhod
(2012)

~~~
glenneroo
> Posted: May 05, 2019 4:00 AM ET | Last Updated: 10 hours ago

~~~
richardhod
weird. thanks for the correction, some phone glitch there

