I have a small SSD in the primary disk in my T420s, it has just enough to get me through the flight. I keep the primary in the UltraBay with a simple adapter, takes one reboot and no tools to put it back in place. Done. Happy searching! I can't log into anything even if I wanted to because I physically do not have my password store https://www.passwordstore.org/ with me. (https://github.com/chx/ykgodot I wrote this trivial script to automate yubikey neo with pass)
Alternative: encode the entire primary disk https://github.com/cornelinux/yubikey-luks and FedEx the yubikey. Yanking the disk is better, though.
If you ever get asked that question at the US border, please don't acquiesce to that request. They have the right to ask, and they even have the power to search it regardless of your permission, but despite an alarming drift towards a total surveillance, they have not established the right to force you to unlock/decrypt anything.
I'm flying into SFO tomorrow, and I am taking similar precautions as chx so that my laptop doesn't contain any meaningful data.
However, if asked to unlock my laptop, I plan to say "No, of course I cannot do that; it violates the most basic security practices and I could and should be fired if I exposed sensitive company data in that manner." And then just sticking with it. It will be inconvenient, especially if they seize my laptop and detain me, but as citizens it is up to us to resist the normalization of behaviors that push the nation further towards the precipice of idiotism.
: As an American citizen, I have routinely done this when traveling to authoritarian nations like China; it's hard to express how outraged I am that my own country has degenerated to the point where sound security practices now require these kinds of procedures when traveling to the USA.
Absolutely agreed. I will do this. I'm a U.S. citizen with the unequivocal right to enter the country once my citizenship has been established. U.S. citizens are the only ones who can stand up to this madness--either at the border or by influencing and electing people who can change the written law and how it is enforced--and it's our responsibility to do so.
I've entered the country several times and have never gotten more than a "passport, please" request (except, oddly, when driving south from Canada; they're rather surly at the Peace Arch, in my experience), which I recognize is very lucky of me. When I travel, I'm enough of a worry-wart that I build in a lot of spare time to get to and from my destination. "Do you want to fly today" and "you'll be screened for four additional hours" are threats that hold no weight with me, thankfully. I'm in no hurry.
I'm the ideal test case. I have oodles of paid vacation time, a family full of lawyers, and a ornery streak a kilometer wide. Bring it.
0 - I can't say "I have done this" because it's never come up but I'm resolute. "No" is my answer, if it ever does, and I'm sticking with it.
After being locked in secondary with no comms, food, or water for hours on hours enough times, one gives up. CBP once kicked me out of a border control point in northern Vermont, in a snowstorm, in February. I had to hitchhike simply to not freeze (my sim didn't work, so no way to call a cab, and they had sent the bus on without me, hours earlier).
I've been searched, both well and also simply as intimidation, more times than I can remember. Most searches are not thorough in any capacity, but simple displays of power and dominance.
My foreign partners have been repeatedly groped by these pigs. Vacations have been ruined simply by traveling together - they deny foreigners entry.
The file still haunts me. Every time I enter, secondary - with associated 30-500 minutes of delay.
There's no recourse.
I cringe every time I exit the US, for the 2-10 hours I will lose upon my next re-entry.
Their capacity to waste your time
is infinite. Your time is finite.
PS: they can also take all your devices for imaging and keep them
for 48 hours - but you will likely have to sue them to get them back after that time. Crossing in can be a >$10k/entry affair if they wish it to be, for you.
Out of curiosity, do you know if there are any people trying to challenge these rulings/treatment they receive in court?
Actually is that possible in the US or do the border officials still have a stick up their arse? I mean if you work for a big multinational IT company, surely they can provide a few hundred bucks to bribe someone to skip security. Bribing the police is normal in a lot of countries.
-sir, we have to strip your car to search it for contraband.
-Ok, how long it's going to take?
- About 24-48 hours, but it might take longer if we see anything suspicious
- ok, what do I do in the meantime?
- you can sit on the bench there
- for 48 hours?
- that's correct
- I happen to have this nice bottle of vodka, would you like it as a thank you for your hard service?
- hmmmm I have to check with my superior [ comes back 5 minutes later] - that's fine, we don't need to check your car today, have a safe journey"
Nowadays I'm being told that this practice has been eradicated almost everywhere, but it basically relied on border control agents making your life as miserable as physically possible in hope that you will pay up. If you decided not to, they would eventually let you go, but you're wasting only your own time, they had infinite amount of it and perfect justification for everything they did.
Please elaborate on that.
Amazon: "Employees may not bribe anyone for any reason, whether in dealings with governments or the private sector. " 
Apple: "Apple does not offer or accept bribes or kickbacks in any form, and we do not
tolerate corruption in connection with any of our business dealings." 
Google: "The rule for us at Google is simple – don’t bribe anybody, anytime, for any reason."
For future, for the rest of us, I'm wondering what civil disobedience would look like. Something akin to malicious compliance, work to rule, or...? Actions (or inactions) that we can take to make the whole process infeasible.
For example... Whenever a telemarketer cold calls me, I try to take up as much of their time as possible. Increase their costs, reduce their conversion rate.
I also try to lie as much as possible for forms, surveys, etc. Muddy the data. Increase their costs.
You don't really want them back, anyway. So you just don't carry anything valuable, in any sense.
That's called a vacation.
What you describe is simply impractical for a person in my line of work.
I guess I could get a fourth phone, the one I use only for talking to my Airport Phone Guy, who would somehow be incorruptible enough to not hijack my bitcoin wallet or take copies of my camera roll (which, if used strategically, could alternately make or ruin entire careers or companies).
I'll be over here in the Real World.
This was back in the 1990s, when asking for your password wasn't a thing I've ever heard of them doing, but also when me bringing 128-bit encryption software (aka the US version of Netscape Navigator) to Japan, where I was a foreign student, was a serious crime akin to arms smuggling.
Of course, I never found out for sure why I was on that list, and eventually I apparently wasn't on it anymore. But during that time I did read a fascinating article in some magazine, by Nathan Myhrvold (the now-infamous patent troll scumbag). Apparently, he was on the same list, despite being a super rich fat white guy from Microsoft.
His theory was that he got on the list by buying one-way plane tickets in cash. That resonated with me, because I often did the same thing back then… I just never really knew when I wanted to come back, and I didn't have much credit on my one credit card.
That's obviously both circumstantial and anecdotal, however I don't think it really takes too much to get on one of these secret (and very probably unlawful, but effectively un-challengeable) lists.
What could the "fat" part of that possibly have to do with anything related to targeting, other than as a cheap excuse for you to denigrate Myhrvold?
But also, yeah: fuck Nathan Myhrvold. He's a smarmy piece of shit whose parasitical exploitation of America's societal weaknesses and dysfunction far outweighs all the modest contributions he's ever made. I hope he trips and falls face-first into one of his large sous-vide contraptions.
(That time, I was denigrating him on purpose.)
NSA didn't want to allow Microsoft to build RSA into Windows and export it. Even though the cat was out of the bag and foreign OEMs and vendors were already selling RSA. NSA wanted Microsoft to not give users more than 40 bits of encryption keys.
So Myhrvold, as President of Microsoft, flippantly offered to pad the keys generated by Windows with NSA's public RSA key. Win Win. Users can export more than 40 bits, and NSA gets a backdoor.
Microsoft won and was allowed to export software using RSA.
No doubt that little stunt put Myhrvold on some Watchlist for Life.
It's too bad he became evil after he became a billionaire and started only caring about money and Yachts and hob knobbing with other 1% elites.
Border guards have the power to prevent you from entering the country if they believe your business is unlawful, and asking those questions is one of the ways they decide. We can question whether border guards ought to exist, but, given that they do, refusing to answer their questions seems like a ticket to a back room for hours.
You really never answered their questions on every entry?
If exercising my human rights is "a ticket to a back room for hours", then something is fundamentally broken in our society. You should try it; without doing so you actually have no data about the practical perimeter of your basic rights. This stuff isn't printed in the newspaper.
Yes, I really never answered their questions, except the ones about citizenship and nationality and place of birth—which I answered by presenting my passport.
"Business or pleasure?" is a vague, leading question designed to get you to volunteer as much information as possible. Sometimes I replied "no" or "yes" to that one, with an occasional "On advice of my attorney I decline to answer questions from police except in writing and via counsel" thrown in to break up the monotony.
Never talk to the police.
No. The USA can never deny entry to citizens (nor any other country). They may arrest you on the spot, but can't deny you entry.
Green card holders is a different story, they have no right to enter and are at the discretion of the authorities.
You have to balance your civic duty as a citizen with whatever else is going on. But hopefully our default mode is to emphasize our responsibility as democratic citizens to lead by example, and to resist degenerate behavior whenever we can...
Scratch that last bit. There is no need to reveal that, and it could sound suspicious (like you are trying to hide something specific by circumventing their checks, and trying to look clever (and/or make them look dim) by doing so to boot).
Just be honest without giving extra information: "yes sir, this is a travel machine and it just contains what I'm going to need while I'm between locations" if they ask why you would do that then "in case the laptop gets stolen, the less that is on it the less of a worry that could be" strikes me as a perfectly valid reason to be careful. Or perhaps "all the other data and programs I'm going to need are already with the clients/suppliers/other I'm visiting" (which it is as you've posted it, but you don't have to say the thing that might unnecessarily raise suspicion).
Are there any examples of laptops / ssds being searched in international mail?
Are you protecting against "drive-bys", the casually curious, motivated low-resource targeted attacks (e.g. disgruntled former employees, hated neighbors), "small" resource targeted attacks (<$50k?), high-resource attacks or state entities?
I mean many "average" people get searched on airports, but i don't see why they would intercept an average guys Fedex shipped harddisk and do some voodoo on it. Unless of course you know you're being targeted for some specific reason.
Snowden leaks already show NSA has badbios-style firmware viruses targeting every manufacturer, every model, going back a decade. Imagine what they have today. Why not mass infect all hard drives at the factory? Targeting individuals or "thematic warrants" are still too clunk and doesn't scale.
All these folks who say "I'll out smart them, I'll encrypt my SSD and Fedex it" are "Not Even Wrong."
Also, not to mention most of my hard drives are made by China, whom seem not to like the NSA very much. This leads me to believe that they may struggle with the mass infection part.
"I'm denying you the ability to enter the country. Next time you let me see everything instead of being a wise guy."
They can deny foreigners, but I've always read that they cannot deny Americans in unless their citizenship gets revoked, I guess.
The future is simply interdiction of every device.
Actually, every device will just be bugged with a thousand backdoors. The end.
Cory Doctorow - general computing is the enemy of governments.
In addition to removing the data from the device, cheers, don't you also need to be able to honestly say you can not provide access to it?
Ways to honestly answer, "not possible", and mean it:
- schedule a time period where no password is accepted.
- enable whitelist/blacklist zones via geolocation.
- set a new password that you give to a trusted friend/coworker/spouse that you must contact to retrieve.
Some combination of the above for ease-of-use, and ploys like emailing yourself the new password after a period of time for redundancy/safety.
Of course the real answer is to avoid the business hostile USA (or at least the border)
There is, however, a "functional equivalent" of the border in every international airport that grants ICE these powers over arriving citizens (which makes sense).
If there is any kind of setting that lets you control travel mode, border control could just make it standard procedure to change that setting.
And if you're not a US citizen, "I'm not physically able to unlock the account right now" doesn't buy you anything. There's no obligation that says if you do all you can physically do to accommodate their wishes, that you get to enter. If they want access, you either grant access or you get back on a plane. The only thing not having your 1Password credentials with you does is remove the choice of which you want to do.
In that sense, Travel Mode sort of defeats the purpose -- all the border agent needs to know is that Travel Mode exists, and then ask you to turn it off.
You just lied to someone at border control. Which is an offense.
Every vendors main business is in the USA.
95% of our clients are not in Canada.
If I want to avoid the USA, I would have to change industries... Which isn't gonna happen hopefully anytime soon.
I have to goto states 3x times a year and hate the traveling aspect going through customs (I have a trip in a few weeks, already dreading it).. but once I pass through the border, it is rather nice.
"I can't. I left my password at home, and the account is tied to an email address I do not have access to."
I suppose they tell you to go home at that point. Such a sad state of affairs.
In reality, they do. They are not asking you for every password you know and access to all the remote systems you have access to, and any that you can get access to if you ask someone, etc, etc.
It's been said further down, but they can't possibly have carte blanche to compel that you reveal all data you have access to anywhere, which is what this would require.
The logical conclusion here, is to decide, what is more important: Gaining entry, or keeping your data. In the first case you're just fucked. If you get searched, you have to give up your stuff (even if you can claim you can't; they can then just not let you in). In the second, just encrypt your shit, rescind your request for entry when it looks like they might be interested in you and don't give up your password.
HN makes this much too complicated, again. And forgets that this is a legal and social problem, not a technical one.
Yep. There's this tendency to say "I beat their rules, so they have to let me go!" The CBP aren't fairies, they aren't bound to stay within some narrow precommitment. At least if you're not a US citizen, these things are almost totally discretionary. Not only can they bar you for not unlocking Facebook, they can bar your for genuinely not having Facebook if they decide you're lying. When even simple truth isn't a defense, clever tech tricks don't count for anything.
In my cynical moments, this outlook strikes me as a disease caused by excess programming - living in a world of contracts and invariants blinds people to how much of the world runs on "screw you, you know what I mean."
I think you are confusing TSA with CBP here.
This is exactly the approach I took with my password vault application (android only, far less well-known than 1password). I added a location-lock feature that allows the user to store a number of "safe locations" outside of which the vault simply will not decrypt, even if the correct password is entered.
The app also makes it very clear that location lock is enabled and that the user is outside of all "safe zones" and therefore will not unlock. The only way a border agent is getting access is to figure out the GPS coordinate encryption method and adding a new set into the sqlite db or physically driving to one of the safe locations and unlocking it there.
Do they provide wifi for that? I doubt it.
Not bringing something with you is inherently different from hiding it.
I think many of us would equally argue there isn't any 'reasonable justification' for forcing phone unlocks on random strangers in airports, but that still happens. I think you are asking for a reasoned distinction from people incapable of drawing them, and that while what you say makes sense, we are not dealing with a sensible system.
I can absolutely envisage some asshole airport security staff member causing grief over these kind of features should they grow in popularity - the existing interactions over phone unlocks are already in a weird constitution-free legal grey area in the US, even for US citizens. For foreigners the situation is worse still - basically zero options but compliance, or feel free to go home and never be granted entry ever again.
If they can't access my sent email when I send it from abroad without a warrant, then how does me entering the country without a phone or computer allow them access to my email?
It's like moving your private files from a device before travelling, you're not hiding anything you just didn't bring it.
However, they are hoping that people don't know that and do it anyway, even though they don't have to. Also, a lot of CBP employees probably don't understand that distinction anyway. It feels like it's all "on the phone".
Of course that distinction between data in your possession on your device and data that's hundreds or thousands of miles away might not matter if enough precedent accumulates to support forcing people to go fetch things when they're at the border. So we need to stand up for freedom from government intrusion now!
Except they are allowed to deny your entry if you don't satisfy their whims.
You should use your right to be silent rather than answer any questions of course, but that right disappears at the border.
Still, lying to a customs agent isn't a felony (at least not in the US). (If so, please cite the law). If you're not a citizen of the country you are entering, the most they can do is refuse entry. If you are a citizen, well there is where it can get complicated.
False: the relevant statute, 18 USC § 1001, doesn't mention the word "oath" once, and applies to "any matter within the jurisdiction of the executive, legislative, or judicial branch of the Government of the United States".
This is unfortunately far from the truth. See this recent post: http://www.wisenberglaw.com/Articles/How-to-Avoid-Going-to-J...
See also: https://www.youtube.com/watch?v=d-7o9xYp7eE
Other forms of lying can also be illegal, however.
But you don't have access to your notebook once in the country. The 1Password travel mode is not for while you're in the country, but specifically just for the border crossing.
You really, really don't want to get into a rules-lawyering match with Federal fucking prosecutors over whether "clever technological solution" counts as "hiding" something or not. They have all of the guns in this situation, and you have a demonstrably inaccurate understanding of the relevant statute.
You WILL lose.
Your position seems to be that if you were carrying your checkbook (as an American) and then decided against it because you were worried someone might get your bank account number then you somehow risk getting into a debate over technicalities with a border agent. I would strongly recommend not getting into that debate as well by not bringing it up.
You have deliberately chosen to make certain information not available during the search period and are planning to make it available again once the search is over. I can absolutely see how that counts as "hiding".
What if my laptop had similar capabilities?
If it's going to bother you why not just use a dumb device and a VPN to access your sensitive data?
Your adversary here is a group of humans. Not a Bash script.
This is an awfully good summary. There are a thousand different questions that would invalidate this, and the idea that maybe-possibly-sort-of outwitting one question solves the problem is insane. Any reasonable plan has to be prepared for a question that can't be invaded - whether that means "yes, here's the data", or "yes, but I can't get the data", or "no comment, I want a lawyer".
First you must ask them to not use loaded terminology like "hiding" when dealing with information you own and don't feel like accessing. Don't answer "yes" or "no" to whether you're hiding something. If you use their words then they have a huge advantage.
If I had to go there for work from Australia, I'd request a laptop and new credentials to be provided to me at the destination. For emergency comms during travels I'd wipe my mobile device and use a new prepaid mobile/cell service SIM card in it, from a different carrier, leaving the original one behind.
As such I'd not be bringing any 2FA that'd let me access my Lastpass which has just about all my stuff, and I'd be able to honestly state as much.
>If you’re a team administrator, you have total control over which secrets your employees can travel with. You can turn Travel Mode on and off for your team members, so you can ensure that company information stays safe at all times.
In which case, you as a user literally can't access the information without communicating with an admin at your organization. If CBP ever starts requiring that you call a third party to retrieve confidential information, well... I hope we never get to that point.
What would they do, do you think, if said third party was a foreign citizen—of a country with no deportation treaty with the US—and upon getting the person you have in hand to call them (presumably under duress), they just said "I don't negotiate with hostile governments" and hung up?
I'm not sure what this means, afaik there's no such thing as a "deportation treaty" (perhaps you're thinking of extradition?). If you aren't a citizen, you can be deported, no treaty necessary. Furthermore, if you're at the border you're not even being deported, you're just being denied entry - you get to not pass customs at all and sleep in the airport lounge until you can secure a flight back to your home country, if the CBP decides to turn you away for any reason they choose. As a non-citizen outside the border, you really have no rights at all, and no recourse against any decision the CBP chooses to make.
If US CBP catches a low-level gang member from the UK, they can use their testimony to get an extradition order for higher-ranking gang members—so CBP are incentivized to detain low-level gang members and grill them to see what they know, even if they haven't done anything. But if it's e.g. a low-level Russian or Chinese or Iranian gang member, then the "extradite" part of the "use testimony as evidence to extradite higher-level members" plan doesn't work, so there's relatively little point to grilling such people.
EDIT: Another way to put this: Is there an expectation that a border agent could, for example, ask for the password to my bank account? If not, how would there be an expectation that if that used to be on my iPhone it should still be there when I travel?
If you are a citizen, it's not clear that anything at all can be demanded, even logging into an account already on the device. It just hasn't been put to an unambiguous court challenge.
Some of the responses on this thread make it sound like there are people who would actually start explaining travel mode unprompted because they arrived at it by some twisted logic about what 'hiding' means.
If a border agent asks you directly, "Did you remove information from this device to prevent us or others from seeing it when entering or within this country?" the only truthful answer is "Yes", but travel mode has still achieved its goal. Even if they confiscate your device, they can't access the credentials. You may have other issues entering the country but your data is kept secure and private.
Nice mental gymnastics, though. I'm genuinely curious whether the first Federal judge to see this argument laughs or issues a contempt citation first.
The data isn't on the computer they are searching, it's on a server thousands of miles away. The data was erased from the device. If they can force you to sign into that service, they could also force you to sign into your bank, github, etc.
If you're a non-citizen attempting to enter the US under a visa waiver program, from certain countries, yes, they can.
i don't have a facebook account. she said this was really suspicious.
oh and she also found suspicious that i had two us entry stamps within a week of each other and didn't accept my explanation that i had gone through the us to go to england with my wife (even after i pointed to the GB entry stamp).
i hate going through the us border control.
I bet they'll mark you as suspicious if you travel without any electronics too, because that has become uncommon.
Isn't that what passport and visa are for?
The big questions is for Americans, who also have fewer rights at the border (4th amendment for example). Can they force you to sign into external services at the airport if you're a citizen? Everyone should refuse to do this.
Yes, they can ask you if you've deleted things, or if you have things elsewhere, but that's not generally what they ask or look for, or the issue at hand.
Look, you can twist the words however you want. At the end of the day, if a CBP agent or Federal prosecutor clues to the fact that you're using this functionality, their interpretation is almost certainly going to be "'late2part is hiding something!", and they will bring their (considerable) powers to bear in response to that, in order to figure out what that is.
Your indignation about or lack of understanding of that reality aren't going to change it.
Remember: if you're this far down the rabbit hole at immigration, the machine is out of your bag, open, and unlocked. They can take it, while in this state, and image it. If there is evidence that you've been even unintentionally untruthful with the CBP folks, you're screwed. Not only have you lied, but you may have handed over evidence of obstruction of justice/tampering with evidence.
Federal charges like that stack up quickly. If they want to fuck with you, they will.
Now "travel mode" simply removes the local git repository. The data still exists in the cloud, but you have to actively go out and log in to their service to retrieve it. Are you "hiding something" because you deleted a local copy of something from your device? There isn't something on your device that is somehow hidden. It's not there.
Otherwise, they could get your for "traveling with more than $X" because you have more than $X in a bank account somewhere that you could get via ATM.
Why should the actual answer be any different with data than it would be with the drugs?
Also, the case law is iffy on whether a one-word answer of 'no' can be used in an obstruction charge. (read about 'exculpatory no doctrine').
Looking up 'exculpatory no' implies that the matter was clearly settled in 1998 by the Supreme Court, which decided the doctrine is wholly invalid and the obstruction charge can be applied.
If there's iffy case law here, I'm not finding it successfully.
I feel like I saw a recent exception to this, but even if I didn't:
1998 is pre-9/11, pre-TSA, pre- the large riots of the 2000s and 2010s like ferguson and occupy. It's pre-snowden, pre-aaron swartz. It's pre-iphone which means its pre every case about recording cops in public. It's pre stop and frisk.
Criminal justice has changed a lot since 1998.
Edit: Yes, US citizens are allowed to ask for a lawyer (at the U.S. Border). But, the 4th Amendment is mostly out the window.
Customs is sort of a different issue, they can go through your physical and digital belongings and search you.
Answer yes, always, because: I have client data I'm most certainly hiding from you on my computer because they'd in general be worried if it i didn't, also I have passcodes to friends mail servers I manager for them I'm hiding from you, also I'm hiding from you all the emails I've sent to my parents, I'm also hiding from you all the pics of my gonads I sent to my lover. So yes, I'm hiding information from you. What country is this anyway? <asks the person arriving to the US from Germany>
Edit: Besides, if I ever travel out of country with my work phone, if anyone wants access to it they'll need to call my work's legal office as I'm not allowed to let anyone access that phone without their permission.
Who is it that is running into all these scenarios with border control? I've gone on international flights, including to the us, dozens of times, and have seen around me thousands upon thousands of travelers, and I've never seen anyone asked to open their laptop, no to mention being grilled on hidden partitions.
Not that I'm doubting this ever happens. But from these comments, someone would get the feeling that this is routine, rather than a 1-in-an-X occurence for a probably very high X.
The release goes on to show that this is nearly twice as frequent as the equivalent period last year.
So this is great! -- I think. My only concern is that if the authorities are already suspicious of you, and find no password vaults (or practically nothing in your password vault), they may just detain you until you reveal what you haven't disclosed to them.
There's clearly a technical solution to the problem of protecting data across borders but they do not work so well under duress. Is there any technical way to convince an adversary you are not hiding anything else or did not delete something?
Instead of removing the password data off the device, replace it with "junk" data.
"Low security" accounts that you wouldn't mind the "adversaries" having, sacrificial accounts, or even just a randomly generated selection of fake passwords for a selection of accounts, etc...
It still won't fully protect you (obviously a "targeted" adversary would know that you have an account at "X" with "Y" username and the password in your vault doesn't work
for that so tie him up!), but being able to hand over something when being questioned might be better than nothing for some.
Or simply don't have anything to hide. If you have a guilty conscience that is going to manifest itself in your body language and mannerisms.
More than once, the customs officer has asked me "you don't look people in the eye, do you?" I just say, "no, I don't." (They're apparently happy with that answer.)
So you can be questioned without having a guilty conscience; I just look down a lot.
What if I am an anxious guy?
What if I carry some business secrets?
What if I don't want some TSA agent look at my SO pics I have on my devices/social media?
I'd basically tell them to fuck off (in a more diplomatic sense) until it reached the point of being either blocked entirely from traveling or detainment. At that point you gotta ask yourself if the juice is worth the squeeze and turn back or play their game.
Also this is more than just an issue with the Trump administration and the TSA... I don't travel to Canada any longer due to the treatment I have received at the border there.
If it's hard, make up an appropriate story beforehand and rehearse it until it is second nature and you believe it yourself.
On iOS about the only thing you would lose is your message history during the trip. It might be an annoyance if you wanted to play games that had non-cloud-based saved player state, but I can't think of too many other issues with doing this.
There's also the general concern -- although I don't know if it's ever been proven to have happened anywhere -- of border agents installing tracking software / malware. They often take the phone out of sight for a while. This is probably more of an issue with Android phones but again if you are a journalist or human rights activist or anyone with legitimate reasons to be concerned, I would absolutely want to wipe the phone as soon as possible after a border crossing if agents had forced me to hand it over for inspection.
I agree with both you and the parent poster. It's sad that we're paying a privacy tax on something that should be constitutionally protected.
Real talk, if you play games they will find a way to fuck you up, and even if it is not strictly legal, even if you with some kind of relief later (not likely a nice settlement), you will still have to deal with getting fucked pretty bad at the time. Not a great outcome.
By asking you to sign in and sync, they're not just requesting access to information on your person -- that's an enormous expansion of their search powers.
This isn't true. Encrypting your device is not illegal, and they do not have the legal authority to compel you to unencrypt it or make you sign in to anything. They can make your life miserable, but the constitution still applies.
This is just another version of the "why do you need privacy unless you have something to hide" argument.
It's true, if they really want to make someone give up the info, they can arguably detain that person until the timer expires. But that move is much more costly to the government, as well as subject to all kinds of interesting potential legal challenges. So a timer makes the data strictly more secure, even if not perfectly secure.
For me, the time lockout changes the claim you can make to an official from "I don't know the passwords, I have a record that I didn't bring with me, but can retrieve online" to "I don't know the passwords and have no ability to retrieve them while here". For me, that distinction is valuable and the benefits outweigh the risks. But everyone has different requirements and risk sensitivity.
The other options, like IP and 2FA are more likely to result in failure demand by non-expert users. It's really tricky to get the balance right, as it's hard to justify to yourself a full wipe when going to a relatively low but nonzero risk country.
Hence, I only use WiFi sync for 1Password. It would be nice if 1Password added a sync option through my own WebDAV server. I'd then be happy to pay for a 1Password cloud account just for the TravelMode feature, as long as the vault data itself wasn't stored anywhere outside of my control. Having my own server would mean the the NSA (or whoever) would have to do a targeted attack on me personally, which is a whole different ballgame from everybody's encrypted vaults sitting on agilebit's servers.
In the meantime, if I had to cross the US border (as a non-citizien!), I would probably delete the whole 1Password app from my phone before crossing, and then restore the entire phone from backup afterwards.
Look at it from the perspective of the government. By bringing information from elsewhere into the US, you're importing it. It just so happens that the import security is tight in airports. So you use 1Password to delay importing this data until you can reach it through an alternative import method which is much harder to regulate - the Internet.
What's going to happen is that they'll spend much more effort on tightening up the "import security" from the Internet. Things like SSL/TLS MITMing and deep packet inspection will be used to enforce compliance.
Don't get me wrong. The ability to be able to do this is incredibly important. If they had marketed this as anything other than a travel mode specifically, and let users work it out themselves, it'd probably be better. But as it is, they've created something which is basically publicly stating that it exists to break import security, and as a result it's going to get a lot of attention from the wrong people. I worry that the existence of this mode this is going to be used by the government as an excuse to have a "Great Firewall of America".
If they beat encryption, everything is over anyway.
The most secure way I can think of is to either encrypt your drive (or wipe for travel and online restore once arriving) and physically mail the new password (or hand over to a trusted friend/store location) to the destination. Then there is no way of restoring at the airport.
Of course, then they can just detain you indefinitely for not revealing the password you don't know...
However, non-travel-safe vaults a) won't show up on your devices, so they can't ask for what they don't know the existence of, and more importantly b) there is no evidence on the device of "hidden" vaults, or that you're in travel mode, so they doubly don't know the existence of those vaults.
So, if they take the actual password, as opposed to having you log in for them, then they can easily go to 1password's web interface.
I'm not sure if there is a legal barrier to taking that step, but there is no real barrier there if the credentials are the same.
Perhaps if there were also travel credentials, that would be useful. With the travel creds there would be no indication that you were in travel mode and no access to additional data.
Both can be defeated (they can detain you at the airport for a whole day, or they can spoof GPS) but neither of these mechanisms holds up to mass surveillance: you can't detain everyone who goes through the airport, or even all people with 1Password, for a day, nor can you spoof GPS at the security checkpoint because it'll probably leak to airplanes. You have to pick individual travellers and put them in a Faraday cage with a Stingray and an internet connection.
I'm not sure what the threat model really is, but it's possible that this will require enough time and resources to disincentivize asking for even more passwords when there's not a very specific suspicion, which might be good enough.
If you are a foreign citizen, you are looking at about twenty four hours, and then refusal of admittance.
This information is the case for keeping a cheap back up device(s).
IIRC, the border agent has the power to turn you back, visa or no visa. So there might be a price to pay for getting too cute. They want what they want and trying to avoid that might make them angrier.
If you are a US citizen they can make you wait in a room for a few hours and maybe add your name to the "make his life miserable every time he flies" list.
It looks similar to hidden partition in TrueCrypt
Of course, you do need to be able to log in to turn travel mode back on, so if I were to use this I'd probably do something like set up a service to securely send me my account key after I'm expected to have finished crossing the border, or maybe just store it on a remote server that I have access to under the expectation that the TSA can't demand that I SSH into a remote server (especially one they don't even know about). Though if I'm traveling alone (instead of with my wife) I'd probably just call her and ask her to turn travel mode off for me.
I'm not sure what you mean. I don't think it's unreasonable for anyone, migrants included, to tell CBP "I don't feel safe traveling with sensitive data, so I don't have any of that data on my computer". What's the 'gotcha' here? CBP isn't the only reason to want to have Travel Mode, there's also the increased risk of having your laptop stolen or misplaced.
> Only if you know them. ... You can't log into the website without that account key.
To mean that you'd openly have access to information in front of the guard, and then let them know that you can't access it at this time because of your elaborate scheme (e.g. tell them that it exists, but that they can't have it).
That's quite different to just not travelling with the data (or evidence of it existing) at all.
> CBP isn't the only reason to want to have Travel Mode
No, but it's the only 'reason' that's likely to use serious, life-altering coercion to make you to disable it, if they detect that it exists. It may be better to have no data that suggests capabilities, than openly posses partially disabled capabilities.
There's no way for a border agent to tell if you're refusing to disable travel mode because you won't or you can't (and little reason for them to care).
Nobody will ever do this.
What we really need is plausible deniability - if they don't know you use 1password, they don't know to ask for it.
I'm not really sure how you'd refer to the concept "they don't know I have it, so they don't know to ask". Security through ignorance?
My thought on this whole situation is to simply not take my phone or laptop. I don't live nor work in the US, however, so I don't have the issues being faced by people in this thread.
The whole travel with a clean laptop isn't feasible beyond a simple "access data remotely via VPN" scenario.
Company laptops are often so full of custom software (bootloaders & up) that it's impossible to replicate/reinstall a working environment over VPN.
They're crazy sensitive: e.g. On ours if you go too long away from the core network it freaks out and locks everything down. And recovering from that...well:
I've literally had IT tell me that my options are 1) Fly to the nearest office and connect to core network 2) They fedex me a fresh laptop that has recently been connected to the core.
Don't travel with sensitive data, and openly explain that you don't do so.
The frustrating part is the UX, and the fuss when you land.
I've found that this works:
- Burner android (burner account explicitly for travel) for music, podcasts, light browsing, etc.
- Cheap ThinkPad for headscratching / hacking (work over SSH, keys on a Yubikey, IP in your head. YubiKey as second factor for password manager as browser extension (uninstall before the border))
Would work like this : When forced to enter / give the password to your vault, you enter/give this one, and everything the vault contains is wiped out before the vault is unlocked.
A better idea is to change our laws so that our constitutional rights are respected. If that's not possible then the next solution is to change our elected officials.
In America, who you vote in has very little effect on public policy, and by very little I mean a near zero/statically insignificant amount (unless you're part of the top 10% of income earners):
Counterpoint: My friends and associates do amazing things. Marriage equality, marijuana legalization, DREAM Act, etc, etc. I (a yeoman) also do what I can.
Maybe think of politics, society, culture like thermodynamics:
Organization requires continuous effort, to mitigate entropy.
I'm not saying people shouldn't be active. Groups like The Anti-Corruption Act (https://www.youtube.com/watch?v=lhe286ky-9A) are doing a lot, not to mention the group that pushed Maine's ranked voting amendment.
But the vote itself is not very useful. There are other forms of activism that are more worthwhile; those that seek to slowly and fundamentally change the system. Focusing on the left right paradigm will ultimately lead people to being angry at two parties that are essentially the same.
Liberal supreme court judges do not materialize out of thin air, do they?
Oooookay, sure. We'll get right on that one. In the mean time, I'll take a technical solution.
Start there and work your way out.
18 U.S. Code § 1519 defines it as "Whoever knowingly...conceals...with the intent to impede...the proper administration of any matter within the jurisdiction of any department or agency of the United States"
So technically, entering travel mode for the purpose of hiding your stuff from border agents could be interpreted as a violation of that statute, regardless of whether there was an active investigation or legal proceeding.
Of course, it would trigger a massive backlash if a federal prosecutor went after people for this. But it's there...
And what if I don't take the laptop at all? Am I „concealing” anything? Theoretically — yes.
There has to be a limit to how far one can take the application of that law.
Furthermore, I don't think there's anything productive at all about making the argument that federal prosecutors will get you no matter what you do. That's just shutting down the discussion entirely.
Well, it is true that if the government wants to come after you- as in, you specifically- then it is basically true that they will get you no matter what you do. But that's not the point I was making in my previous posts, so let's drop it.
The point I was trying to make was that this 1Password feature will not help you, legally, if CBP realizes you're using it and they want to make a fuss. Maybe if you rolled your own PW manager and decided not to sync the incriminating data, you'd have a case. But this feature is literally advertised as "protect your data from unwarranted searches [clearly implying, searches by the government] when you travel". The technical implementation (your "deleting" vs. "not having" distinction) does not matter: the intent is clear.
We are hinging on the subtle difference between deletion and non action. If I choose not to bring my phone with me to the border, and an agent remarks on the suspiciousness of that fact, if I were to reply, "I didn't bring it because I didn't want to travel with it," did you commit a crime?
Even if you were arrested for that statement, dor a prosecutor to convince a jury that you didn't bring data with you because you didn't want it to be inspected at the border vs you didn't bring it because you didn't want it to get stolen/whatever does not seem likely, but that is just my opinion.
> We are hinging on the subtle difference between deletion and non action.
I agree, and my argument is that "activating Travel Mode" is clearly the former, regardless of its technical implementation, because it requires positive action.
If I have a laptop and phone with sensitive work information on them, and simply choose not to take them with me on a trip, would you argue that's a crime? After all, the reason I chose not to take them with me was to "conceal... with the intent to impede" CBP's ability to access all that data.
What if someone just refuses to travel to the US as long as policy allows this type of search? Would they need to be extradited for their act of concealment?
I'd also argue that I could've purchased a completely new device immediately prior to travel and brought that along, with the intention of being able to say that the device had never contained information that I was trying to hide.
I think that part of the point is that they'd have to prove intent. It's easiest to prove if you refuse to unlock the device, harder to prove if you provide a destrutive password, harder still if you remove your passwords and keys before leaving, and essentially impossible if you have a device that never contained sensitive data in any form.
I'd like to see a short story based on this premise: man is arrested and tried for crossing the border with a brand new phone, having left his usual phone at home. The prosecution argues that since he presumably usually keeps sensitive information on his phone, not copying that data to the phone he was carrying proves his intent to hide information from border police.
Wouldn't they have to argue that he was a person of interest for some time now. That they have records of him traveling two and from countries of interest. That he is on a watch list?
For the average Joe. I don't think this would get very far.
My response would be. "What sensitive information are you looking for?"
Hard to apply ordinary statutes & case law here because the 4th amendment doesn't seem to apply to border agents.
That way if you need to use unsafe PC from a hostel, you can log in with that password.
Sure, you would need that ssh daemon running on the computer, but I bet it could it could be retrofitted to use qr codes or something.
I'm sorry, what in the world is Medium thinking? This is a step backwards from a user/password model.
Medium still isn't winning any security points here.
Sure they are. Removing a credential—in this case, passwords—is strictly more secure. It's the same rationale as to why 2FA with just a TOTP app is more secure than TOTP app + SMS backup. And the emailed links are analogous to password reset links so there's no erosion of security there, provided they're properly secured (one time use, time bounded, etc.).
Also, realistically, if they used passwords, many of their users would probably re-use the same email,password pair at other sites. If any of those other sites use bad password hashing hygiene AND get hacked, then the users' account security is busted.
EDIT: Ok, TOTP was wrong in my recollection. They use pregenerated one-time passwords:
So, two steps authentication is not a great option. And from my experience traveling, this kind of situation happens a lot.
Edit: Apparently LastPass has this option: https://helpdesk.lastpass.com/your-lastpass-icon/loggin-in/o...
P.S. I love the USA, don't get me wrong. I hope some day the madness on the borders gets less paranoid.
And Android can have multiple users, can you set up a new user and boot into that one automatically?
Another hack would be one's own BIOS, that lies to Windows saying "This disk is 100 GB", but given the correct unlock signal, will admit to the OS "this disk is 500 GB big".
Does anyone have any insight if this is a pure business decision or there's something holding them back technically?
I think they are focusing on money before all else. They do still make a good product, but the direction they are moving towards eliminates their support for many threat levels that they had previously.
Now you have to have a cloud account and you have to store your stuff there because their supposed "cross-platform" client cannot work on their own vault format on Windows.
They might respond saying the version 4 of the windows client supports working with these vaults, but version 4 does not support OTPs so if you want to use the modern features without relying on their cloud storage...they don't care.
If you go to their forums and read the response from the community about windows not supporting creating or editing of local vaults you will see they are by and large dismissive. So I think it's really about money and resources.
Edit: I missed this bit below:
> even if you’re asked to unlock 1Password by someone at the border, there’s no way for them to tell that Travel Mode is even enabled.
However, it won't take very long for authorities to wise up, know that 1password has a travel mode, and tell you to turn off Travel Mode, eh? Or am I missing something?
I believe they already ask for your social media accounts, don't they? That is ridiculous in itself. Why not ask for my bank logins while you're at it?
One step at a time.
Then you could say: "Even if I agreed to give you my password, you wouldn't be able to unlock my device with it for another 24 hours".
Time delays only work for the entity in power. The bank has your money, you’ll just have to wait to get it. But the border people have power, not you; they can make you wait if they want.
1) Intercept your emails
2) Store the fact that you're a 1P user
3) Match up your email address to you, as a person at the border
4) Stop you at the border for questioning
5) Force you to unlock your phone
6) Recognize that your phone does not have the 1P app installed
7) Force you to install the app + unlock it
For certain people, they may do that. But for the vast majority of people, they will not.
1P does not enjoy the popularity that Facebook is at. In the western world, one can reasonably expect any random given person to have a Facebook profile. The same cannot be said for 1P.
In the US, it will probably get you denied entry, possibly permanently, for "lying to a customs officer" (if a non-citizen), or the device possibly being confiscated if you're a citizen, (and a note in a file somewhere that says you've probably lied to a federal agent — particularly if they happen to catch any security camera footage of you stupidly using your device shortly after exiting the international arrivals area).
Though it's not difficult to remove the app/vault and then reinstate it after customs...
One idea is to allow users to define how many concurrent sessions they can have so they can manage those slots and require something sign out before their credentials can sign in again.
The other is to allow users to configure a schedule when their credentials work so you can block most of the world and probably most of most days too.
To be considered a democracy a country needs to provide its citizens more than the ability to elect a legislative body. There needs to be some basic freedoms and guarantees as well, like strong protections against unlawful detentions (habeas corpus) and unlawful seizures.
Border control agents are provided exceptions to the normal rules. They can check your luggage for weapons or illicit goods without any probably cause. The logic behind these exceptions is that it has a deterrence effect on criminals that would like to bring in illegal goods.
But going through your digital information makes no sense in that regard. If you were "up to no good" you would be able to send that information digitally without stepping foot in the country. Going through someone's private information is not about ensuring the safety of the country. It is an invasion of privacy and an intimidation tactic. The deterrence effect is not against criminals. The government uses this power to intimate people they do not like. For instance Loira Poitras and Glenn Greenwald are routinely subjected to this, for political reasons. Many muslims are subjected to this, simply because they are muslims.
These are the tactics of non democratic regimes. It is sad to see them becoming more and more widespread in the US.
I think the only way to get around this shit is to have another person hold at least part of the key. Border security can't force you to lie to your employer on the phone, so they're not getting access.
Considering my usual work contracts, complying with letting border control look into my fully encrypted work laptop would actually be a breach of my work contract.
How do you guys handle this?
I'd make it your employer's responsibility. If you have to go to the US on business, it's your employer's responsibility to help. Or to not send you to the US.
Same for devices - they have you unlock the device, then take it away, plug it into a PC/whatever, which sucks down a complete image of the device. Then they give it back, if they feel like it.
Obviously, if they do this with your email & facebook, they're also sucking in all your connections - your social graph: everyone you've ever emailed or has emailed you, everyone you're connected to on facebook.
Obviously that doesn't work for laptops - but for a phone it is in the realm of possible.
Why not make this feature tied to a geo-location? Like the hotel or the conference centre I will be attending.
Once you're out of their hands, ask for it back and change it again.
Even if the friend is in the US, they cannot compell her/him to release it easily, US laws apply.
There must be a way to also encrypt the new temporary password with 2 keys so that the trusted friend cannot access your encryped content without your own key.
So they don't just search your laptop they try and search online accounts also.
Only dissidents in despotic regimes need to resort to these kind of workarounds for lack of other options. Why should citizens of a democratic country have to workaround anything?
The solution to privacy, surveillance and overreach issues in democratic countries has to be political, and not technical.
It sucks, and it many mean a lot of hassle ranging from confiscated equipment to being held at the border to being refused entry, but this is just one of the new risks of travel. Border security only gets away with this because people say yes.
Companies need to make clear to their employees (and the public) that sharing passwords is a terminable policy violation. You should be able to say, honestly and credibly, "I won't unlock my laptop because I don't want to get fired."
in my case, that would mean deportation due to not being american. i either get deported and lose all the traveling plans or i get searched.
US citizens, however, can choose to deny them and go through any hassle that CBP may want to put them through, but they cannot deny them entry.
Deportation is the expulsion of someone who's actually in the country, past the border, and resident or visiting.
Really, for non-Americans the best advice is just don't go in the first place. Second best advice is just comply with border security personnel.
Any tricks like leaving the battery empty, bringing a burner, not bringing a laptop and getting a loaner when you get there etc, they do nothing but raise suspicions.
as i said on another comment, even not having social media is suspicious. which is insane, because it means you cannot have privacy if you want to go to another country.
i know at least another 5 people that are not going to the us because of that.
> Good luck getting a visa next time if you've ever been
> "denied entry".
Oh god, no. Technical measures - of course - do work. So does erasing data from phones, laptops, hard drives, etc.
Do not let the security theater scare you into obedience.
If you're not a citizen? You can be denied for literally anything the agent feels like. They feel you're suspicious because you claim (falsely or not) you don't have a facebook account? You're not coming in. Visa denied.
> Visa denied.
you know what's shitty? i have a b1/b2 visa. cost me 100 usd and two working days. i also visited the us ~6 times, never overstayed by an hour. but even then, i'm suspicious because i'm brazilian (that's a theory, of course. i have no proof other than brazilian friends also having problems with cbp).
Not appearing suspicious is an important part of protecting your privacy. While it's true that acting stupid or careless can bring you in trouble this is not sufficient to deny the utility of privacy enhancing behavior.
Just one of the new risks of travel. (Well, not new that they can send you back, but a new reason for the little tinpot dictators who revel in their power)
Good luck with that when faced with a border nazi & zero rights.
I just leave my personal laptop behind when travelling to countries with dubious personal freedom policies...like the US.
So which is a better option?
Losing a job (or) refused entry/detention/harassment after 24+ hours on the plane/getting treated like a criminal....?
(not that criminals need to be treated badly)
The right solution to this problem is saner laws and educating the public about privacy and related topics
It's one thing to decide not to go to the US, it is quite another to be force to it in order to defend my employer shareholders interest on a trip mandated by them. If you send me to the US, you implicitly agree the company is fine with US borders to do whatever they want with the company data.
It is 2016, I can rebuild a whole laptop from scratch with my whole data anywhere in the world. There are affordable ways to work around the problem: provisioning a VDI and even buying a laptop on site is a fraction of the cost of flight and accommodation.
Considering the history of the civil rights movement in the US, we're not going to get saner laws without a little civil disobedience. It sucks to bear the brunt of this harassment, but saying "yes" only enables the system to harass everyone more efficiently.
But now I don't even opt out.
Instead I tell them that I can't raise my arms above my head. They direct me around the scanner (sometimes the metal detector too), swab my hands, and call it done. I often skip 10-15 people in the process. If they ask why, I tell them I have a medical condition and they're not allowed to ask further so I don't explain.
Hopefully the bad guys never figure it out!
The real solution is that people from the country protest when such an abusive policy is introduced.
The plan was to go to NYC, now the plan is either Paris or Tokyo instead for the 70+ employees.
If you enter the United States as a non-citizen and don't submit you will be denied entry for 5 years or life, still have your devices seized, and any visas or permanent residency can be cancelled. Possibly be jailed.
The USG has shown that it is perfectly happy to kneecap entire domestic industries (aerospace, semiconductor) for the sake of "national security" via ITAR. You really think they give a shit about one person's job?
Companies cannot tell their employees to not comply with lawful request of a federal officer, and some companies specifically underline that in a company policy.
A better solution is to not allow people to travel with anything that would be catastrophic if lost. My former employer would give employees loaner devices for travel to certain countries.
If not, it is probably way to easy to make such a statement.
Your job matters exactly fuck-all to a CPB agent.
You (the notional you) aren't even from here. If you say no, you've identified yourself as a potential threat, and can just sit in a room by yourself for as long as it takes to put you on the next flight back to wherever you came from, at your expense. And you probably won't be allowed to return.
If you're a citizen and say no, they might confiscate the device, and might make you wait around long enough to miss your connecting flight (and maybe even the next couple, if they're feeling particularly peevish), but that's about all they can do.
They may get that drilled into their skulls, but I think it's more that they just don't want their boss to yell at them.
No police officer arrests a DUI and says "but I'm just doing my job." It's only when the other person (the traveler in this case) has an entirely legitimate reason to resist them that "I'm just doing my job" comes out, with an implied threat that the authority they're appealing to (that they themselves don't have) will come down on everyone involved, and they don't want that.
Also, they don't have any personal liability for anything that goes wrong in this process, except perhaps that the company they work for will lose the contract (unlikely here). Again, "boss will yell at me."
These people are better thought of as clerks than cops. And yes, they can inconvenience you, but that's not the same thing as compliance.
The policy might change to include cells at the borders where people are detained until they hand over login details or voluntarily decide not to enter.
HN needs to stop living in a bubble. Only 1/3 of the US even bothered voting in the Trump v Clinton presidential election. I'll let you think about that for a moment. Now think about border searches. Has your phone been searched? Neither has mine. I'll go back to my company catered lunch now.
My phone has not been searched, either, but the issue here is to stand up for your rights. If you have never been wronged by a person or organization in position of authority in US government then consider yourself lucky. I and most people I know living in the US have.
1. No one once reaching the age of majority should have their voting rights taken, for any reason including criminality
2. The figures also do not include people of age who are ineligible to vote or have not registered. The "Have not registered" is a key part because many stated in the last 2 election cycles have been passing a number of laws to disenfranchises segments of the populations making it harder and harder to register
3. The concept of our nation is "Consent of the people", that is all people, not just those voting. the majority of PEOPLE reject the 2 candidates put forth buy the corrupted and unethical political parties then the government can not claim to have the consent of THE PEOPLE...
Many many many Americans feel complete disenfranchised by the political systems that gives them 2 Choices that are equally terrible and corrupt. Forcing a defensive vote that is mainly against the person you do not want to win instead of voting for a qualified person you actually want to be in office.
As a life long Libertarian, I have no interest in voting for either a Republican or Democrat
Seriously? You need to register to have the privelige of voting in your country? That is beyond fucked up.
Obviously, if you don't plan on voting, you won't bother to register.
Why would anyone want to go through that on their vacation? Unless you enjoy that sort of thing, go somewhere pleasant instead. (And if you enjoy that sort of thing, there are far easier ways...)
I say this as a US citizen who will be sad if it comes to pass, but this bullshit won't stop unless the rest of the world refuses to put up with it. Your average US citizen doesn't travel internationally (only about 10% of the population has a passport), so they don't notice unless it hits their wallets.
Please force us to stop.
honestly? the us is a beautiful country, with amazing people. i love visiting and love going to weird towns to meet different people. (also, my sister is married to an american citizen, and i want to meet her every once in a while).
but at the same time, it's really fucking awful to be treated as a criminal every time you try to go to the country.
I would never go there now that a dangerous buffoon like Trump is in office, also for a long time now it's been known that outsiders will be treated like a criminal at the border for no reason. And I mean literally no reason because I could easily not have all my masses of terrorist information on the laptop and just download it from the terrorist servers when I get there. So there is literally zero reason to be searching my digital property, and I'm not about to take the gamble that I could be prevented entry or delayed enough to possibly cause thousands of dollars personal cost for no good reason. The security theatre is ridiculous.
Outsiders are obviously not welcome so I'm not coming.
There are plenty of sane countries around the world to go to, why would I go to the US?
I hope the American people can find the motivation to vote and pressure their representatives to actually do something about their own freedoms. Not only border patrol but your militarised and outrageously unaccountable police force.
Sorry but that's just, like, my opinion, man.
I'm glad your frequent travels are eased through customs to the point where you don't see what happens. But allow me to suggest that a frequent traveler through one port once a month is an insufficient data set from which to draw conclusions?
If nothing else, you have available the fact that a software vendor sees sufficient demand to invest in this feature, to go along with your google skills to find counterexamples to your experience. I don't know if that's sufficient to get you past your blithe dismissal of others' concerns and lived experience and on to a skeptical but open view or not.
 Which would be typical; one of the easiest tactics to steer public discussion is to pick and choose what data to collect and release. The US has a long history of this tactic, especially with issues that touch on law enforcement. The lack of decent data on killings committed by police is well-known; categorical refusal to allow studies on various drugs is too. But this is a frequent problem; hammering on killer cops with video is provoking grudging, slow change on the first and incremental legalization of pot is changing the second. But there are lots of issues over which this happens.
I'm not a criminal, and I will not be fingerprinted.
This is a form of "citizen duty".
Oh also I'm white.
All: upvoting such blatant violations of the site guidelines also causes accounts to lose voting privileges on HN.
What? I'm not sure I believe the grandparent's post, and it would be nice if it were sourced or clarified as opinion rather than stated as fact (as briandear (https://news.ycombinator.com/item?id=14406689) and Banthum (https://news.ycombinator.com/item?id=14407293) urged), but your reaction seems grossly hostile and unconstructive.
Is there any actual data source on this, or is it just a narrative you prefer?
The story with stealing citizens' personal information is entirely different; there is almost certainly no legitimate legal basis to fuck over US citizens for excercizing the basic rights explicitly protected by the 4th and 5th amendments, just because they happen to be at a border area.
The Supreme Court has actually weighed in on this and granted it a legitimate legal basis.
I guess the reasonable next step, when all the outrage has fizzled, is pre-screening. Pay for the government to have all of your passwords all the time, and save yourself the hassle.
Lol, on what planet is that the "reasonable next step"?? Do they want to see my dick pics and login to my bank accounts as well? My poetry or whatever rambling I may write? Am I not entitled to any privacy at all?
The actual reasonable next step is not to go to, or deal with, the US at all.
> the border agent asks "are you hiding any information from us?"
Hope this comment didn't come across as negative. I'm a big 1password fan.