
How to Get Past Customs Without Giving Up Your Digital Privacy - mikecarlton
https://www.wired.com/2017/02/guide-getting-past-customs-digital-privacy-intact/
======
rdl
It's really depressing that this kind of thing is even needed for the US. As a
citizen with a lot of privileged status, I'd personally be pushing back a lot
if any US CBP person ever asked me for anything beyond proof of citizenship
and the bare minimum to show I'm not carrying contraband. I'd consider
standing up to that as a way to help other people who can't as easily stand up
to it. On the other hand when I'm visiting a foreign country on a visa, I'm in
a similarly disadvantaged position.

(As an aside, if anyone in security is ever looking for a trustworthy and
accurate journalist, I strongly endorse Andy Greenberg; consistently good at
respecting "on the record" vs. "off the record", and he actually asks good
questions.)

~~~
ndh2
> I'd consider standing up to that

What does that even mean? They'll detain you or deny entry. Then what?

~~~
rdl
I'm a US citizen. Aside from "is this actually Ryan Lackey, the US citizen?",
immigration has no power to keep me out of the country.

"Do you have reason to believe I'm someone other than the US Citizen in this
passport? Please articulate your specific reasons for concern." is itself a
pretty solid validation of "this guy is 1) a US citizen 2) knows the law 3) is
likely to have >50 lawyers as friends and will pursue the matter happily." I'm
really polite/friendly with ICE/CBP -- usually all I get is "welcome home",
very infrequently they ask "where were you?" -- but in principle they can
hassle people.

Customs has some additional power -- do they believe you're transporting
contraband -- illegal items, untaxed items, or dangerous items (agricultural
contact). But since I never travel with illegal items, and generally have
everything very nicely organized and minimalist, the only real thing they
could claim is "you have digital files we want to access", and that is 1) an
emerging area of law and 2) exactly the battle I want to fight. In general the
law is on the side of citizens not turning over data at borders, although it's
nowhere near as settled as most other things.

~~~
sithadmin
>I'm a US citizen. Aside from "is this actually Ryan Lackey, the US citizen?",
immigration has no power to keep me out of the country.

This is a dangerously simplistic view of the US security apparatus that will
almost certainly backfire on you if you actually try to test it out.

If you happen to resist inquiries in any meaningful way, there's a significant
chance that they will seize everything you're carrying, find a means to force
you into unlocking your digital devices, then hit them with a fine-toothed
comb until they find enough for a straw-man justification to continue detaining
you and making your life hell. A few sarcastic or otherwise
disestablishmentarian remarks to a CBP officer is all it takes to turn a
minute-long interaction into a days- or weeks-long holiday in a detention cell.

And sure, the extent to which CBP has the right to pry into your digital life
is still an emerging area of law, but in the status quo, things lean very much
in CBP's (and whatever other law enforcement agencies they decide to pull in)
favor.

Sure, if you're a US citizen, they'll likely need to _eventually_ let you in,
but that doesn't necessarily mean that you're out of trouble at that point
either. At the very least, you're now a strong candidate for continued
surveillance, if not further sanctioning, depending on how the information
collected during your re-entry to the country might correlate you with various
'risks to national security'.

~~~
rdl
I would be exceptionally surprised if they did anything beyond ~hours of
detention and confiscating as much stuff as they possibly could to
"investigate" (essentially as punishment).

------
danjoc
2FA? With a mobile number? Did the author completely forget Snowden, and how
all the major phone companies give NSA direct access? Did the author forget
the broad NSA information sharing that Obama enacted just before leaving
office? Even that damned Coast Guard can get your 2FA code now.

~~~
willstrafach
> Even that damned Coast Guard can get your 2FA code now.

Posting unsourced and absolutely false claims does not help anyone, honestly.
I would even consider it harmful.

~~~
danjoc
Before Snowden, they liked to call it tin foil hats.

https://theintercept.com/2017/01/13/obama-opens-nsas-vast-trove-of-warrantless-data-to-entire-intelligence-community-just-in-time-for-trump/

One of those agencies is the Coast Guard. If the message crosses national
boundaries, it's fair game.

http://www.nytimes.com/2013/08/08/us/broader-sifting-of-data-abroad-is-seen-by-nsa.html

And before you pass through customs, you are considered outside the country.

All legal. Checkmate.

Fortunately, I've just discovered that the SMS option isn't required on a
Google account. Now you just have to remember to remove your travel yubikey
from the account before you fly home.

~~~
willstrafach
Please review the post linked from the beginning of the linked The Intercept
article, here:
https://icontherecord.tumblr.com/post/155766682978/fact-sheet-on-eo-12333-raw-sigint-availability

You'll see that SIGINT sharing is not a free-for-all in any manner, it is
restricted. It seems dishonest to tell people the Coast Guard can use it to
compromise SMS 2FA (I'd be far more worried about other countries compromising
SMS 2FA in a close-access scenario, using an "IMSI catcher" or similar device
to intercept the incoming message).

~~~
danjoc
>You'll see that SIGINT sharing is not a free-for-all in any manner, it is
restricted.

Before Snowden, we were told investigatory powers were "restricted" as well.
Then we learned Linux Journal readers were put on watch lists as extremists,
and system administrators are routinely targeted for compromise.

The point being, there's no _technical_ reason to stop them from intercepting
the 2FA over SMS, so they will. That's been clearly demonstrated by earlier
leaks. Those people weren't fired/jailed/etc. They'll just do it again.

~~~
willstrafach
> Before Snowden, we were told investigatory powers were "restricted" as well.
> Then we learned Linux Journal readers were put on watch lists as extremists,
> and system administrators are routinely targeted for compromise.

Again, I'm sorry but none of this is true at all. I could absolutely believe
that a journalist misunderstood something they read in a leak and then made
such a claim (Happened with most of the Snowden leaks), but that does not make
it true.

> The point being, there's no technical reason to stop them from intercepting
> the 2FA over SMS, so they will. That's been clearly demonstrated by earlier
> leaks. Those people weren't fired/jailed/etc. They'll just do it again.

To the contrary. When you say "clearly demonstrated by earlier leaks" I
believe you may be mixing up an inquiry made to NSA with regards to improper
access to DNI (Or perhaps that was not supposed to be a public response and
was indeed leaked? Not certain). Action was taken against these individuals
who "tested the system" by trying to look up themselves and/or someone they
knew, even if the system blocked the query from actually running due to the
fact that they were prevented from targeting US persons.

I believe you are being genuine about your concerns, but again, it can be
harmful to spread falsehoods when people reading these comments may not know
better and could believe what you're saying to be true (Especially in a thread
like this).

~~~
danjoc
>Again, I'm sorry but none of this is true at all.

http://www.linuxjournal.com/content/are-you-extremist

It's you against the world here. Trying to rewrite history?

>I could absolutely believe that a journalist misunderstood something they
read in a leak

Literally, the document title is "I hunt sys admins"

https://theintercept.com/2014/03/20/inside-nsa-secret-efforts-hunt-hack-system-administrators/

There's nothing to misunderstand. They used automated attacks on readers of
Slashdot and LinkedIn.

http://www.ibtimes.com/edward-snowden-reveals-quantum-insert-nsa-gchq-used-fake-linkedin-slashdot-pages-install-spyware

Compromising system admins is a routine part of their job. It's one way they
collect private keys to decrypt internet traffic. That is an established fact
from the Snowden leaks.

~~~
willstrafach
1. It is a false claim. Their evidence is an XKS configuration file which
they decided to add unsubstantiated context to, not sure why. Linux Journal
then appears to have responded as they trusted the reporting website to be
telling the truth.

2. The article you've linked contains no evidence to indicate "system
administrators are routinely targeted for compromise" though. It contains
evidence showing his methodology of accessing target systems by looking into
the sysadmins who manage it (You are free to have your opinions on this
practice of gaining entry to a target, but it is dishonest to change the
context to indicate something being done on a wide scale).

3. When you say "They used automated attacks on readers of Slashdot and
LinkedIn" I would counter that the sentence is poorly phrased. If you mean
"all readers of Slashdot and LinkedIn" then that is false. If you mean
specific employees at the targeted company, who were targeted and had their
connections MitMed, there does indeed appear to be evidence that it was used
as a successful access method on the specific target(s). If your opinion is
that you do not like IC agencies using CNE, you absolutely have a right to
that opinion of course. My only issue with that claim is that the phrasing
could be misinterpreted.

------
ndh2
Step 1: Don't travel to the U.S.

------
hprotagonist
step 0: use a password manager.

step 1: use randomly generated passwords for every account in that manager.

step 2: neglect to bring that password file, or any means of accessing it,
across a border.

Them: Give us your password!

You: I literally cannot. Your move!

~~~
x1798DE
Them: Ok, we're denying you entry to this country.

Alternatively, if you are a citizen:

Them: We'll just keep these devices, then. When you get the password maybe you
can get them back after we've searched them. Just wait here for 6-24 hours
while we do our alternative background check.

~~~
rdl
If you're a US citizen and are harassed by CBP at the border (and you know
you're not doing anything wrong), you should stand up for your rights.

~~~
x1798DE
Sure, I'm just saying that they aren't going to just be impressed with your
awesome op-sec, they are going to seize your devices as evidence and harass
you to the full extent that their inappropriately broad powers allow. If
you're not ready for that to happen, probably best to make other arrangements.

~~~
rdl
Yeah, and I'm saying that if you can do this, you should, to help the many
people who can't. I'd get more lulz value out of a $250 chromebook being taken
for 6mo on bogus grounds than the cost of the chromebook.

It's not a solution (since they can easily pre-sort citizen vs. non-citizen,
and treat one group dramatically worse, even beyond the legal or threat-model
requirements), but it's a start.

