Hacker News new | comments | ask | show | jobs | submit login
1Password Travel Mode: Protect your data when crossing borders (agilebits.com)
1004 points by nthitz on May 23, 2017 | hide | past | web | favorite | 521 comments

"May I search your laptop?" "Certainly." "But... this is practically empty." "Yes sir. I FedEx'd my SSD to the destination."

I have a small SSD in the primary disk in my T420s, it has just enough to get me through the flight. I keep the primary in the UltraBay with a simple adapter, takes one reboot and no tools to put it back in place. Done. Happy searching! I can't log into anything even if I wanted to because I physically do not have my password store https://www.passwordstore.org/ with me. (https://github.com/chx/ykgodot I wrote this trivial script to automate yubikey neo with pass)

Alternative: encode the entire primary disk https://github.com/cornelinux/yubikey-luks and FedEx the yubikey. Yanking the disk is better, though.

It's a practical approach, and my comment here isn't necessarily aimed at you, chx (since I don't know your citizenship status), but I would add this entreaty to American citizens like me:

If you ever get asked that question at the US border, please don't acquiesce to that request. They have the right to ask, and they even have the power to search it regardless of your permission, but despite an alarming drift towards a total surveillance, they have not established the right to force you to unlock/decrypt anything.

I'm flying into SFO tomorrow, and I am taking similar precautions as chx so that my laptop doesn't contain any meaningful data[1].

However, if asked to unlock my laptop, I plan to say "No, of course I cannot do that; it violates the most basic security practices and I could and should be fired if I exposed sensitive company data in that manner." And then just sticking with it. It will be inconvenient, especially if they seize my laptop and detain me, but as citizens it is up to us to resist the normalization of behaviors that push the nation further towards the precipice of idiotism.

[1]: As an American citizen, I have routinely done this when traveling to authoritarian nations like China; it's hard to express how outraged I am that my own country has degenerated to the point where sound security practices now require these kinds of procedures when traveling to the USA.

> If you[, a citizen of the United States,] ever get asked that question at the US border, please don't acquiesce to that request.

Absolutely agreed. I will do this[0]. I'm a U.S. citizen with the unequivocal right to enter the country once my citizenship has been established. U.S. citizens are the only ones who can stand up to this madness--either at the border or by influencing and electing people who can change the written law and how it is enforced--and it's our responsibility to do so.

I've entered the country several times and have never gotten more than a "passport, please" request (except, oddly, when driving south from Canada; they're rather surly at the Peace Arch, in my experience), which I recognize is very lucky of me. When I travel, I'm enough of a worry-wart that I build in a lot of spare time to get to and from my destination. "Do you want to fly today" and "you'll be screened for four additional hours" are threats that hold no weight with me, thankfully. I'm in no hurry.

I'm the ideal test case. I have oodles of paid vacation time, a family full of lawyers, and a ornery streak a kilometer wide. Bring it.

0 - I can't say "I have done this" because it's never come up but I'm resolute. "No" is my answer, if it ever does, and I'm sticking with it.

I have been that guy. All of 2009-2013 or so.

After being locked in secondary with no comms, food, or water for hours on hours enough times, one gives up. CBP once kicked me out of a border control point in northern Vermont, in a snowstorm, in February. I had to hitchhike simply to not freeze (my sim didn't work, so no way to call a cab, and they had sent the bus on without me, hours earlier).

I've been searched, both well and also simply as intimidation, more times than I can remember. Most searches are not thorough in any capacity, but simple displays of power and dominance.

My foreign partners have been repeatedly groped by these pigs. Vacations have been ruined simply by traveling together - they deny foreigners entry.

The file still haunts me. Every time I enter, secondary - with associated 30-500 minutes of delay.

There's no recourse.

I cringe every time I exit the US, for the 2-10 hours I will lose upon my next re-entry.

Their capacity to waste your time is infinite. Your time is finite.

PS: they can also take all your devices for imaging and keep them for 48 hours - but you will likely have to sue them to get them back after that time. Crossing in can be a >$10k/entry affair if they wish it to be, for you.

This sounds like the reprisals citizens of the totalitarian states in the Warsaw Pact had to endure. Heads up for pushing against it.

Out of curiosity, do you know if there are any people trying to challenge these rulings/treatment they receive in court?

At least in those - and I'm sure this still happens - you could bribe the officials.

Actually is that possible in the US or do the border officials still have a stick up their arse? I mean if you work for a big multinational IT company, surely they can provide a few hundred bucks to bribe someone to skip security. Bribing the police is normal in a lot of countries.

Yeah. My father described the experience of crossing borders between East Germany/Poland/Belarus/Ukraine in the 80s early 90s as the exact same theatre -

" -sir, we have to strip your car to search it for contraband.

-Ok, how long it's going to take?

- About 24-48 hours, but it might take longer if we see anything suspicious

- ok, what do I do in the meantime?

- you can sit on the bench there

- for 48 hours?

- that's correct

- I happen to have this nice bottle of vodka, would you like it as a thank you for your hard service?

- hmmmm I have to check with my superior [ comes back 5 minutes later] - that's fine, we don't need to check your car today, have a safe journey"

Nowadays I'm being told that this practice has been eradicated almost everywhere, but it basically relied on border control agents making your life as miserable as physically possible in hope that you will pay up. If you decided not to, they would eventually let you go, but you're wasting only your own time, they had infinite amount of it and perfect justification for everything they did.

You can get a 10 year prison sentence or so for bribery. In any country in the world, you can be prosecuted there, or in the US or Europe. You will probably also be fired.

> You will probably also be fired.

Please elaborate on that.

Any large company has an ethics code. Bribing government employees is usually a rather big no-no in that code.

Any large company also makes allowances for differences in local laws and customs when applying their ethics code.

Yeah... no. (The FCA[4] makes that fairly hard)

Amazon: "Employees may not bribe anyone for any reason, whether in dealings with governments or the private sector. " [3]

Apple: "Apple does not offer or accept bribes or kickbacks in any form, and we do not tolerate corruption in connection with any of our business dealings." [2]

Google: "The rule for us at Google is simple – don’t bribe anybody, anytime, for any reason."[1]

[1] https://abc.xyz/investor/other/google-code-of-conduct.html [2] http://files.shareholder.com/downloads/AAPL/0x0x803576/DAFD8... [3] http://phx.corporate-ir.net/phoenix.zhtml?c=97664&p=irol-gov... [4] https://en.wikipedia.org/wiki/Foreign_Corrupt_Practices_Act

Thank you for sharing your experiences.

For future, for the rest of us, I'm wondering what civil disobedience would look like. Something akin to malicious compliance, work to rule, or...? Actions (or inactions) that we can take to make the whole process infeasible.

For example... Whenever a telemarketer cold calls me, I try to take up as much of their time as possible. Increase their costs, reduce their conversion rate.

I also try to lie as much as possible for forms, surveys, etc. Muddy the data. Increase their costs.

> PS: they can also take all your devices for imaging and keep them for 48 hours - but you will likely have to sue them to get them back after that time.

You don't really want them back, anyway. So you just don't carry anything valuable, in any sense.

If only running three companies afforded me the ability to be without a computer, phone, or tablet for 24-48h while they are shipped/replaced.

That's called a vacation.

What you describe is simply impractical for a person in my line of work.

If you're running three companies, you can carry throwaway devices.

You misunderstand me; it is not the issue of the cost of the device, but the 2-4h on each side of imaging and restoring (for mobiles) or the 4-8h on each side for computers.

Employees can handle imaging and restoring. You can send an employee in advance, who will have devices ready for you on arrival. So all that gets handled while you're in transit.

When you can't even trust your own Blood Boy [1] not to get stoned, eat twinkies, and write a tell-all expose about you, how are you supposed to hire an employee trustworthy enough to handle all of your most sensitive keys and information? (Let alone three of them, one for each company.)

[1] https://www.theverge.com/2017/5/22/15676696/hbo-silicon-vall...

If you have any methods for hiring employees trustworthy enough to backup and reimage my most secure computing device with the most sensitive data, and somehow do so on notice given only via ESP, at several major world airports, please do let me know.

I guess I could get a fourth phone, the one I use only for talking to my Airport Phone Guy, who would somehow be incorruptible enough to not hijack my bitcoin wallet or take copies of my camera roll (which, if used strategically, could alternately make or ruin entire careers or companies).

I'll be over here in the Real World.

I don't know smartphones. But for machines with SSDs or HDDs, imaging and restoring software FDE volumes doesn't involve decryption. I don't know about hardware-based FDE, however. I use Linux VMs, and you can just copy LUKS-encrypted VDI files. If you're paranoid, you can backup and wipe the LUKS header, and send it separately.

Thanks, but my phones and tablet are my primary systems and even just resyncing breadwallet alone takes a half hour or more. You have no idea what you are talking about.

Can you just keep your devices stateless? This works for me.

Any idea why this happens to you? Your story suggests some targeting.

I was once on a list that got me secondary searching every single time I flew in the USA, for several years.

This was back in the 1990s, when asking for your password wasn't a thing I've ever heard of them doing, but also when me bringing 128-bit encryption software (aka the US version of Netscape Navigator) to Japan, where I was a foreign student, was a serious crime akin to arms smuggling.

Of course, I never found out for sure why I was on that list, and eventually I apparently wasn't on it anymore. But during that time I did read a fascinating article in some magazine, by Nathan Myhrvold (the now-infamous patent troll scumbag). Apparently, he was on the same list, despite being a super rich fat white guy from Microsoft.

His theory was that he got on the list by buying one-way plane tickets in cash. That resonated with me, because I often did the same thing back then… I just never really knew when I wanted to come back, and I didn't have much credit on my one credit card.

That's obviously both circumstantial and anecdotal, however I don't think it really takes too much to get on one of these secret (and very probably unlawful, but effectively un-challengeable) lists.

> he was on the same list, despite being a super rich fat white guy from Microsoft.

What could the "fat" part of that possibly have to do with anything related to targeting, other than as a cheap excuse for you to denigrate Myhrvold?

Well, I really just meant it more in the sense of him being a typical/normal/mainstream/not-unusual American.

But also, yeah: fuck Nathan Myhrvold. He's a smarmy piece of shit whose parasitical exploitation of America's societal weaknesses and dysfunction far outweighs all the modest contributions he's ever made. I hope he trips and falls face-first into one of his large sous-vide contraptions.

(That time, I was denigrating him on purpose.)

Thank you for this.

Probably means he looked more "safe" and "complacent" and that didn't stop them.

Myhrvold is a scumbag now, but back in the 90's he pulled off a heroic fuck you to NSA.

NSA didn't want to allow Microsoft to build RSA into Windows and export it. Even though the cat was out of the bag and foreign OEMs and vendors were already selling RSA. NSA wanted Microsoft to not give users more than 40 bits of encryption keys.

So Myhrvold, as President of Microsoft, flippantly offered to pad the keys generated by Windows with NSA's public RSA key. Win Win. Users can export more than 40 bits, and NSA gets a backdoor.

Microsoft won and was allowed to export software using RSA. No doubt that little stunt put Myhrvold on some Watchlist for Life.

It's too bad he became evil after he became a billionaire and started only caring about money and Yachts and hob knobbing with other 1% elites.

For five years or so, I (a US citizen) politely but firmly refused to answer a single question put to me whilst re-entering the United States, as is my human right.

Not even "Was your trip business or pleasure?"

Border guards have the power to prevent you from entering the country if they believe your business is unlawful, and asking those questions is one of the ways they decide. We can question whether border guards ought to exist, but, given that they do, refusing to answer their questions seems like a ticket to a back room for hours.

You really never answered their questions on every entry?

The fifth amendment does not go away suddenly at the border (4A notwithstanding).

If exercising my human rights is "a ticket to a back room for hours", then something is fundamentally broken in our society. You should try it; without doing so you actually have no data about the practical perimeter of your basic rights. This stuff isn't printed in the newspaper.

Yes, I really never answered their questions, except the ones about citizenship and nationality and place of birth—which I answered by presenting my passport.

"Business or pleasure?" is a vague, leading question designed to get you to volunteer as much information as possible. Sometimes I replied "no" or "yes" to that one, with an occasional "On advice of my attorney I decline to answer questions from police except in writing and via counsel" thrown in to break up the monotony.

Never talk to the police.

> Border guards have the power to prevent you from entering the country if they believe your business is unlawful

No. The USA can never deny entry to citizens (nor any other country). They may arrest you on the spot, but can't deny you entry.

Green card holders is a different story, they have no right to enter and are at the discretion of the authorities.

I don't believe they can prevent US citizens from entering the US.

Is the goal to resist normalization of the behavior or is to get through the security theater?

Both, but for non-Americans, getting through the security theater is not guaranteed, so they have to focus on that. For Americans, their rights are clearer and they are guaranteed to get through the security theater, so they can afford to fight the normalization of this.

It depends. Sometimes, it's really important, and you have to make it through quicky even if that means sacrificing other principles.

You have to balance your civic duty as a citizen with whatever else is going on. But hopefully our default mode is to emphasize our responsibility as democratic citizens to lead by example, and to resist degenerate behavior whenever we can...

Obviously veidr's goal is to resist normalization of the behavior.

I am a dual Canadian-Hungarian citizen, residing in Vancouver, BC, Canada. I work remotely for a USA client. Avoiding the USA is hard / impossible.

> "May I search your laptop?" "Certainly." "But... this is practically empty." "Yes sir. I FedEx'd my SSD to the destination."

Scratch that last bit. There is no need to reveal that, and it could sound suspicious (like you are trying to hide something specific by circumventing their checks, and trying to look clever (and/or make them look dim) by doing so to boot).

Just be honest without giving extra information: "yes sir, this is a travel machine and it just contains what I'm going to need while I'm between locations" if they ask why you would do that then "in case the laptop gets stolen, the less that is on it the less of a worry that could be" strikes me as a perfectly valid reason to be careful. Or perhaps "all the other data and programs I'm going to need are already with the clients/suppliers/other I'm visiting" (which it is as you've posted it, but you don't have to say the thing that might unnecessarily raise suspicion).

> I FedEx'd my SSD to the destination.

Are there any examples of laptops / ssds being searched in international mail?

If you take the time to FedEx your SSD to avoid customs you certainly made sure the disk was encrypted...

NSA can probably modify the firmware to create some sort of backdoor, if you actually look like that would be worthwhile?

Maybe the NSA can, maybe the NSA can't - but even if they could, I guarantee that customs/postal workers won't have access to it. Unless the NSA is specifically intercepting your particular SSD (in which case you have much bigger problems), standard enterprise-grade encryption will be good enough for shipping purposes.

This goes back to the level of protection you need/want, from whom, and whether you're a target of opportunity or a specific target.

Are you protecting against "drive-bys", the casually curious, motivated low-resource targeted attacks (e.g. disgruntled former employees, hated neighbors), "small" resource targeted attacks (<$50k?), high-resource attacks or state entities?

That would take a lot more work than just "searching through someone's private stuff on an airport" though;

I mean many "average" people get searched on airports, but i don't see why they would intercept an average guys Fedex shipped harddisk and do some voodoo on it. Unless of course you know you're being targeted for some specific reason.

If this is in your threat model, you shouldn't be taking advice from a forum thread.


Snowden leaks already show NSA has badbios-style firmware viruses targeting every manufacturer, every model, going back a decade. Imagine what they have today. Why not mass infect all hard drives at the factory? Targeting individuals or "thematic warrants" are still too clunk and doesn't scale.

All these folks who say "I'll out smart them, I'll encrypt my SSD and Fedex it" are "Not Even Wrong."


As most encryption takes place at the software level, not the hardware level, wouldn't it be difficult to infect all hard drives with some virus targeting encryption?

Also, not to mention most of my hard drives are made by China, whom seem not to like the NSA very much. This leads me to believe that they may struggle with the mass infection part.

You forgot the end of the story:

"I'm denying you the ability to enter the country. Next time you let me see everything instead of being a wise guy."

If you are an American citizen, can they prevent you from entering the country? I understand they can delay you, but I don't think it can be indefinite.

^ This right here.

They can deny foreigners, but I've always read that they cannot deny Americans in unless their citizenship gets revoked, I guess.

Not even that. Your right to enter the country, as a US citizen, is "Absolute, Unconditional, and Irrevocable."

"Why did you FedEx your SSD to the destination? Do you have something to hide? You're gonna have to follow us."

"everybody's got something to hide! I've got nothing hidden that's illegal."

If they find even one pirated song on your drive, they've got you on a felony. "Lying to federal officials" is a great catchall they regularly use to force a deal.

That's now.

The future is simply interdiction of every device.

Actually, every device will just be bugged with a thousand backdoors. The end.

Cory Doctorow - general computing is the enemy of governments.

If you are refusing to enter the password, access to the device, or to disable travel mode, then good luck to you. IANAL, but the border agent doesn't care if the data is technically in the cloud, rather than on the device, because it restores when you unlock it.

In addition to removing the data from the device, cheers, don't you also need to be able to honestly say you can not provide access to it?

Ways to honestly answer, "not possible", and mean it:

- schedule a time period where no password is accepted. - enable whitelist/blacklist zones via geolocation. - set a new password that you give to a trusted friend/coworker/spouse that you must contact to retrieve.

Some combination of the above for ease-of-use, and ploys like emailing yourself the new password after a period of time for redundancy/safety.

If you read the article, there is no "tell" that 1Password is in Travel Mode. The only impact is that most of your passwords are missing from the password vault, but the agent would have no way of knowing what's missing. It's not like it pops up a big "Travel Mode" banner.

Customs read these articles just like us. What if they ask you if travel mode is turned on? Will you lie?

I was thinking this (and no I wouldn't lie to customs), but the second half of the article details how to let a remote administrator enforce these policies, ie blame your employer for wanting to secure their data from unauthorised access.

Of course the real answer is to avoid the business hostile USA (or at least the border)

The definition of "border" is surprisingly vast too -- if you're within 100 miles of any "external boundary". Two thirds (!) of Americans live within this "border" area.


This is a bit of an exaggeration, which has frequently been de-bunked. In brief, if you didn't recently cross a border, then immigration officials have no special powers within this zone.

There is, however, a "functional equivalent" of the border in every international airport that grants ICE these powers over arriving citizens (which makes sense).


Does it matter? Just say "yes", and your employer / the account manager should be the only one that should be able to disable it.

Yes, how can they prove anything?

At a guess, subpoena 1password for account and timestamp info on use of travel mode to catch someone in lying to a federal agent.

That's the part I didn't get thought. If there is no way to tell then how exactly do you turn it off? (At some point, you want to turn it off after all)

If there is any kind of setting that lets you control travel mode, border control could just make it standard procedure to change that setting.

In the article, the author mentions that you enable/disable travel mode online. Sadly, it doesn't look like this applies to those of us who have 1Password without a monthly subscription.

So, if they're already in the business of demanding your passwords (otherwise this whole thing is irrelevant), why don't they just ask you to log into your 1Password account and see if you're in travel mode there?

They could, which is why I'd recommend not having your 1Password password with you. Disable travel mode once you return home.

It doesn't really matter. If you're an American citizen, you can just refuse and they have to let you enter. They might confiscate your device, but they can't turn you away from the border.

And if you're not a US citizen, "I'm not physically able to unlock the account right now" doesn't buy you anything. There's no obligation that says if you do all you can physically do to accommodate their wishes, that you get to enter. If they want access, you either grant access or you get back on a plane. The only thing not having your 1Password credentials with you does is remove the choice of which you want to do.

You can only change that setting by logging into their website. The setting is not available in the app itself.

Well, they might have sigint indicating that you have Gmail account, a Facebook account and a WhatsApp account, for example.

For this to really work, you need to also prove to a border agent that you can't access it.

In that sense, Travel Mode sort of defeats the purpose -- all the border agent needs to know is that Travel Mode exists, and then ask you to turn it off.

There is no sign in the app that you are in Travel Mode. I suppose if you are well and truly targeted and they have a really knowledgeable specialist on-hand, they could know that Travel Mode exists and ask you to disable it. But, I think that's going beyond the boundaries of a border search, which is limited to searching things that you are actually carrying across the border.

"Are you using travel mode?"


You just lied to someone at border control. Which is an offense.

Yep. Civil disobedience, unsurprisingly, includes breaking the law.

Yes. If you are a US citizen. If you are not, this can mean waiting for the next pane back in handcuffs and being banned from entering the US for life.

Why go there in the first place? Doesn't sound very appealing.

I live in Canada working in medical/tech industry.

Every vendors main business is in the USA. 95% of our clients are not in Canada.

If I want to avoid the USA, I would have to change industries... Which isn't gonna happen hopefully anytime soon.

I have to goto states 3x times a year and hate the traveling aspect going through customs (I have a trip in a few weeks, already dreading it).. but once I pass through the border, it is rather nice.

To live the American nightmare and be in the land of the caged. lol!

Civil disobedience does not need you to be a citizen of America..

"Are you using travel mode?"


"Disable it"

"I can't. I left my password at home, and the account is tied to an email address I do not have access to."

I suppose they tell you to go home at that point. Such a sad state of affairs.

Yeah, but you have to login to a cloud service to turn it off, which they can't necessarily force you to do supposedly.

> the border agent doesn't care if the data is technically in the cloud

In reality, they do. They are not asking you for every password you know and access to all the remote systems you have access to, and any that you can get access to if you ask someone, etc, etc.

>don't you also need to be able to honestly say you can not provide access to it?

It's been said further down, but they can't possibly have carte blanche to compel that you reveal all data you have access to anywhere, which is what this would require.

Of course they have that carte blanche, at least if you are not a citizen (and since you are travelling internationally, I'd assume that you're not a citizen on at least one of the legs). Normally, they can ask whatever the eff they like to decide whether to grant you entry or not.

The logical conclusion here, is to decide, what is more important: Gaining entry, or keeping your data. In the first case you're just fucked. If you get searched, you have to give up your stuff (even if you can claim you can't; they can then just not let you in). In the second, just encrypt your shit, rescind your request for entry when it looks like they might be interested in you and don't give up your password.

HN makes this much too complicated, again. And forgets that this is a legal and social problem, not a technical one.

> Normally, they can ask whatever the eff they like to decide whether to grant you entry or not.

Yep. There's this tendency to say "I beat their rules, so they have to let me go!" The CBP aren't fairies, they aren't bound to stay within some narrow precommitment. At least if you're not a US citizen, these things are almost totally discretionary. Not only can they bar you for not unlocking Facebook, they can bar your for genuinely not having Facebook if they decide you're lying. When even simple truth isn't a defense, clever tech tricks don't count for anything.

In my cynical moments, this outlook strikes me as a disease caused by excess programming - living in a world of contracts and invariants blinds people to how much of the world runs on "screw you, you know what I mean."

> The TSA aren't fairies, they aren't bound to stay within some narrow precommitment. At least if you're not a US citizen, these things are almost totally discretionary.

I think you are confusing TSA with CBP here.

Thanks, fixed that.

>enable whitelist/blacklist zones via geolocation

This is exactly the approach I took with my password vault application (android only, far less well-known than 1password). I added a location-lock feature that allows the user to store a number of "safe locations" outside of which the vault simply will not decrypt, even if the correct password is entered.

The app also makes it very clear that location lock is enabled and that the user is outside of all "safe zones" and therefore will not unlock. The only way a border agent is getting access is to figure out the GPS coordinate encryption method and adding a new set into the sqlite db or physically driving to one of the safe locations and unlocking it there.

>border agent doesn't care if the data is technically in the cloud, rather than on the device, because it restores when you unlock it.

Do they provide wifi for that? I doubt it.

Counter: the border agent asks "are you hiding any information from us?". answer yes, and they get you to disable travel mode. answer no, and you just committed a felony.

Answer no, and it's just as valid as if you had a hand-written notebook full of work-related records that you left in your office back home before traveling. There aren't any reasonable justifications for requiring you to bring all information you physically have access to you with you when traveling, regardless of the format it's stored in.

Not bringing something with you is inherently different from hiding it.

> There aren't any reasonable justifications for requiring you to bring all information you physically have access to you with you when traveling... regardless of the format it's stored in.

I think many of us would equally argue there isn't any 'reasonable justification' for forcing phone unlocks on random strangers in airports, but that still happens. I think you are asking for a reasoned distinction from people incapable of drawing them, and that while what you say makes sense, we are not dealing with a sensible system.

I can absolutely envisage some asshole airport security staff member causing grief over these kind of features should they grow in popularity - the existing interactions over phone unlocks are already in a weird constitution-free legal grey area in the US, even for US citizens. For foreigners the situation is worse still - basically zero options but compliance, or feel free to go home and never be granted entry ever again.

Exactly. People are already forced to log into social media accounts and such. So it appears anything you're able to access online is considered fair game.

It's not really the same thing at all. Something you leave in your office is something you won't have access to at your destination - so it's logical that it wouldn't be subject to customs. Something online, regardless of physical storage location, is something you will have access to at your destination, so it should be subject to customs.

So if you travel without your phone, they still have the right to demand access to your email account? How does that make any sense?

I don't know whether or not they have the right - do they have the right to read some sealed-up documents in your briefcase? Whatever your answer to that question is, it should probably be the same answer to the e-mail question. All these trick arguments about "oh but the e-mail's not actually on my phone, it's in the cloud!" don't hold water for me; it's information you're bringing into the country. Either it's subject to search or it isn't.

But how are you "bringing your email into the country" any more than you would be if you just sent an email?

If they can't access my sent email when I send it from abroad without a warrant, then how does me entering the country without a phone or computer allow them access to my email?

Lying to a federal employee is a felony; if you know you are answering untruthfully and the USG can prove it then you are probably going to prison.

What lie has been told?

From what I understand, it removes everything but ones marked as safe therefore you're not hiding anything.

It's like moving your private files from a device before travelling, you're not hiding anything you just didn't bring it.

That's how I understand it. It is the physical presence of data that allows the warrantless search in the first place. Leaving data off of your device would be treated no different than leaving your device at home entirely.

So how does the whole "show us Facebook" thing work then? They're interested in your Facebook bits stored on the internet, not the bits on your device.

Right. And there is absolutely no legal justification for requesting you go fetch those bits from a data center hundreds of miles away and show them to the CBP employee.

However, they are hoping that people don't know that and do it anyway, even though they don't have to. Also, a lot of CBP employees probably don't understand that distinction anyway. It feels like it's all "on the phone".

Of course that distinction between data in your possession on your device and data that's hundreds or thousands of miles away might not matter if enough precedent accumulates to support forcing people to go fetch things when they're at the border. So we need to stand up for freedom from government intrusion now!

>And there is absolutely no legal justification for requesting you go fetch those bits from a data center hundreds of miles away and show them to the CBP employee.

Except they are allowed to deny your entry if you don't satisfy their whims.

I don't think lie detection using ultrasonography is very reliable...

I think we need a lawyer here, but this seems totally wrong. You're only committing a crime if you lie under oath, either to a court or congress. Cops lie to people all the time.

You should use your right to be silent rather than answer any questions of course, but that right disappears at the border.

Still, lying to a customs agent isn't a felony (at least not in the US). (If so, please cite the law). If you're not a citizen of the country you are entering, the most they can do is refuse entry. If you are a citizen, well there is where it can get complicated.

> You're only committing a crime if you lie under oath, either to a court or congress.

False: the relevant statute, 18 USC § 1001, doesn't mention the word "oath" once, and applies to "any matter within the jurisdiction of the executive, legislative, or judicial branch of the Government of the United States".

> You're only committing a crime if you lie under oath, either to a court or congress.

This is unfortunately far from the truth. See this recent post: http://www.wisenberglaw.com/Articles/How-to-Avoid-Going-to-J...

Very much not true. Counter to the way we think America should work perhaps, but many people have gone to prison for lying to federal officials while not under oath. Martha Stewart being one of the most famous. Your best strategy when confronted with uncomfortable questions by federal officials in the US is to say "I wish to consult with my attorney before answering any questions." The result might be a lot of unpleasantness and delay, but they cannot throw you in prison for saying those words.

I think you are thinking of "Perjury" - https://www.merriam-webster.com/dictionary/perjury

Other forms of lying can also be illegal, however.

> Not bringing something with you is inherently different from hiding it.

But you don't have access to your notebook once in the country. The 1Password travel mode is not for while you're in the country, but specifically just for the border crossing.

Travel mode, especially on a Team plan though, is essentially asking one of your co-workers to scan and e-mail the notebook to you after having crossed the border.

As a general comment to so many of the follow-ups to this post:

You really, really don't want to get into a rules-lawyering match with Federal fucking prosecutors over whether "clever technological solution" counts as "hiding" something or not. They have all of the guns in this situation, and you have a demonstrably inaccurate understanding of the relevant statute.

You WILL lose.

If the question is "are you hiding any information" then the obvious (and true) answer is no. If the question is "did you use travel mode for 1password" then that's a very different question. Unless you can point out a statute that requires you to travel with certain information on your device it's hard for me to see the problem.

Your position seems to be that if you were carrying your checkbook (as an American) and then decided against it because you were worried someone might get your bank account number then you somehow risk getting into a debate over technicalities with a border agent. I would strongly recommend not getting into that debate as well by not bringing it up.

I don't think searches of accounts are in any way excusable either, but for the purpose of rules-lawyering:

You have deliberately chosen to make certain information not available during the search period and are planning to make it available again once the search is over. I can absolutely see how that counts as "hiding".

And crucially, "can see how" is all that matters here. If the argument isn't prima facie absurd, then you get to go to court with the government, where you won't win and will face horrible harms even if you somehow do. "But I'm technically right!" doesn't count here, only "but there's reason to dispute that".

Therefore, if you had a device to withdraw money remotely that required entering your pin, and if the security agent asked you for your pin, would you provide it?

What if my laptop had similar capabilities?

The bank PIN isn't really comparable as government agents can access bank info (in UK at least); the only purpose of the PIN is money withdrawal - surely there is no situation where a border agent would be legally asking for that PIN?

If it's going to bother you why not just use a dumb device and a VPN to access your sensitive data?

More than that, everyone is getting up on the wording of the particular hypothetical question posed above. It could easily be replaced with "Did you remove any data from your device so that we wouldn't be able to see it?", or "Did you enable Travel Mode in 1Password?", or even "Please sign this form affirming that you have not hidden anything from us or employed anything from this list of loopholes thought up by cheeky engineers."

Your adversary here is a group of humans. Not a Bash script.

> Your adversary here is a group of humans. Not a Bash script.

This is an awfully good summary. There are a thousand different questions that would invalidate this, and the idea that maybe-possibly-sort-of outwitting one question solves the problem is insane. Any reasonable plan has to be prepared for a question that can't be invaded - whether that means "yes, here's the data", or "yes, but I can't get the data", or "no comment, I want a lawyer".

Looks like there is a business opportunity for an airport located on-demand lawyer practice.

It honestly sounds like it would be irresponsible to travel to the US without a lawyer with you. In fact, sometimes the US sounds like you need a lawyer on hand at all times.

It's a pretty good rule of thumb.

This is especially true if you allow them to frame the action as "hiding". L

First you must ask them to not use loaded terminology like "hiding" when dealing with information you own and don't feel like accessing. Don't answer "yes" or "no" to whether you're hiding something. If you use their words then they have a huge advantage.

I'm gonna bet that trying to "language-lawyer" how your CBP agent phrases their questions is a one-way ticket to a private interview, because that's not suspicious at all.

You don't have to explain yourself to them. They don't know the legalities involved, they are grunts. Just tell them simply that you will only answer the question a single time, and the answer is no, and you will ignore future questions about the matter. And ask for your lawyer. If you aren't going to allow access into your personal devices to begin with, you're probably getting that interview regardless.

This whole saga just makes make me want to not visit the US for any reason whatsoever.

If I had to go there for work from Australia, I'd request a laptop and new credentials to be provided to me at the destination. For emergency comms during travels I'd wipe my mobile device and use a new prepaid mobile/cell service SIM card in it, from a different carrier, leaving the original one behind.

As such I'd not be bringing any 2FA that'd let me access my Lastpass which has just about all my stuff, and I'd be able to honestly state as much.

Same here. It's ridiculous when it's getting to a point where I'd take at least as many precautions travelling into the US as China.

Based on this wording, it sounds like a team admin might be able to enforce travel mode such that the user can't disable it.

>If you’re a team administrator, you have total control over which secrets your employees can travel with. You can turn Travel Mode on and off for your team members, so you can ensure that company information stays safe at all times.

In which case, you as a user literally can't access the information without communicating with an admin at your organization. If CBP ever starts requiring that you call a third party to retrieve confidential information, well... I hope we never get to that point.

> If CBP ever starts requiring that you call a third party to retrieve confidential information

What would they do, do you think, if said third party was a foreign citizen—of a country with no deportation treaty with the US—and upon getting the person you have in hand to call them (presumably under duress), they just said "I don't negotiate with hostile governments" and hung up?

>of a country with no deportation treaty with the US

I'm not sure what this means, afaik there's no such thing as a "deportation treaty" (perhaps you're thinking of extradition?). If you aren't a citizen, you can be deported, no treaty necessary. Furthermore, if you're at the border you're not even being deported, you're just being denied entry - you get to not pass customs at all and sleep in the airport lounge until you can secure a flight back to your home country, if the CBP decides to turn you away for any reason they choose. As a non-citizen outside the border, you really have no rights at all, and no recourse against any decision the CBP chooses to make.

Yes, that's the one I was going for, extradition treaty—I was referring to the fact that CBP can't just lean on the other country to send them the person they actually want to interview (i.e. extradite them for a crime they've been implicated in by the testimony of the person they just interviewed), so they really are stuck with just getting the detained person to call them up and negotiate.

If US CBP catches a low-level gang member from the UK, they can use their testimony to get an extradition order for higher-ranking gang members—so CBP are incentivized to detain low-level gang members and grill them to see what they know, even if they haven't done anything. But if it's e.g. a low-level Russian or Chinese or Iranian gang member, then the "extradite" part of the "use testimony as evidence to extradite higher-level members" plan doesn't work, so there's relatively little point to grilling such people.

So are you required to have all the data that's ever been on your device at the time that you cross an international border? Are you required to copy passwords that were never in 1password onto your device before you travel?

EDIT: Another way to put this: Is there an expectation that a border agent could, for example, ask for the password to my bank account? If not, how would there be an expectation that if that used to be on my iPhone it should still be there when I travel?

Are you a citizen? Because if not, the answer to all of this is "whatever the hell border patrol wants". As far as I know, you absolutely could be asked for your bank account password. You wouldn't be, because any agent asking would probably be fired to avoid a media circus, but it's not actually against any rule. Border patrol discretion for non-citizens is almost absolute.

If you are a citizen, it's not clear that anything at all can be demanded, even logging into an account already on the device. It just hasn't been put to an unambiguous court challenge.

This issue seems to be a bit of a geek trap. Yes, border agents have a fair amount of authority. No, you're not required to twist your mind into a pretzel trying to decide whether what you choose to put on your device constitutes hiding the things you left off. If an agent is asking you something as specific as "did you enable travel mode in 1password" you've probably already triggered some suspicion.

Some of the responses on this thread make it sound like there are people who would actually start explaining travel mode unprompted because they arrived at it by some twisted logic about what 'hiding' means.

The point of travel mode isn't to dodge border control policies or questioning; the point is to prevent the exposure of credentials when travelling, even if the exposure is to a border agency.

If a border agent asks you directly, "Did you remove information from this device to prevent us or others from seeing it when entering or within this country?" the only truthful answer is "Yes", but travel mode has still achieved its goal. Even if they confiscate your device, they can't access the credentials. You may have other issues entering the country but your data is kept secure and private.

At some point, you're going to have to have a separate device for international travel. Then they'd have to ask: "Do you have another device back home that you didn't bring because it contains sensitive information?"

Even back in the 90s, I knew people who would bring a separate travel laptop that would just have the basic set of apps and a VPN client. So, once you got to your destination, you'd login via VPN and download what you needed. This was at Nortel, so it's not like it was a very high security company, just moderately secure. Not everybody did that, but certainly enough people did. The department kept a couple spare laptops for just this purpose that would get wiped and restored to their default config after the travel.

Literally removing your access to data isn't the same thing as hiding it. Having a TrueCrypt partition on your drive that you can still unlock if you know it's there is hiding it. Securely erasing that partition is not.

Is there any difference between securely erasing a TrueCrypt partition vs forgetting the password?

Yeah, in the former the information is truly gone, but in the latter, you're trying to convince people that you forgot something you used to know, and they may not believe you.

Don't most secure erase tools just write a stream (over several passes) of pseudo-random noise? If so, then it should be indistinguishable from a TrueCrypt partition.

This is closer to the former than the latter. You aren't erasing the data that's protected under the vaults. You're just temporarily removing the vaults from local storage, disabling access and obscuring its presence. It's trivial to re-enable that access, so you are hiding, not destroying.

Nice mental gymnastics, though. I'm genuinely curious whether the first Federal judge to see this argument laughs or issues a contempt citation first.

Can the border patrol ask you to sign into any online service? Because that's essentially what this is.

The data isn't on the computer they are searching, it's on a server thousands of miles away. The data was erased from the device. If they can force you to sign into that service, they could also force you to sign into your bank, github, etc.

> Can the border patrol ask you to sign into any online service?

If you're a non-citizen attempting to enter the US under a visa waiver program, from certain countries, yes, they can.

a border officer searched for me on fucking facebook when i was going into the us in march. she said "i just want to know who you are and why you are coming".

i don't have a facebook account. she said this was really suspicious.

oh and she also found suspicious that i had two us entry stamps within a week of each other and didn't accept my explanation that i had gone through the us to go to england with my wife (even after i pointed to the GB entry stamp).

i hate going through the us border control.

Actually they ask for social media accounts when applying for a visa waiver now, e.g. ESTA.

I bet they'll mark you as suspicious if you travel without any electronics too, because that has become uncommon.

> she said "i just want to know who you are and why you are coming".

Isn't that what passport and visa are for?

Then you can just turn around and be deported. Non-citizens don't have many rights at the border.

The big questions is for Americans, who also have fewer rights at the border (4th amendment for example). Can they force you to sign into external services at the airport if you're a citizen? Everyone should refuse to do this.

I'm not a lawyer, and I hate having to preface that. But Hell No they can't. They can ask. They can threaten. But once they know you're a US citizen, they either detain you or they let you go (on to customs).

They can confiscate your belongings though.

I don't understand your logic. Facts matter. Either you have the data on your laptop or you don't. If it's been removed, you don't.

Yes, they can ask you if you've deleted things, or if you have things elsewhere, but that's not generally what they ask or look for, or the issue at hand.

The data is still on the device. Only the password "vaults" have been wiped, obscuring the presence of the data and removing its access.

Look, you can twist the words however you want. At the end of the day, if a CBP agent or Federal prosecutor clues to the fact that you're using this functionality, their interpretation is almost certainly going to be "'late2part is hiding something!", and they will bring their (considerable) powers to bear in response to that, in order to figure out what that is.

Your indignation about or lack of understanding of that reality aren't going to change it.

The vaults are the data. I'm not sure what data besides the vaults you're referring to that's still on the device. The fact that the data is still on a server somewhere is irrelevant for searching the device. However if they ask to login to your 1Password account that's a different matter.

Does "travel mode" remove all the cookies, local storage, and any other indications that you're a user of the site(s) in the removed vault?

Remember: if you're this far down the rabbit hole at immigration, the machine is out of your bag, open, and unlocked. They can take it, while in this state, and image it. If there is evidence that you've been even unintentionally untruthful with the CBP folks, you're screwed. Not only have you lied, but you may have handed over evidence of obstruction of justice/tampering with evidence.

Federal charges like that stack up quickly. If they want to fuck with you, they will.

I would say this is more like a local git repository than what you said. When you add passwords to a vault, then it gets saved to your local copy and then synced to the server. When changes are made elsewhere, it downloads the changes and syncs your local repository.

Now "travel mode" simply removes the local git repository. The data still exists in the cloud, but you have to actively go out and log in to their service to retrieve it. Are you "hiding something" because you deleted a local copy of something from your device? There isn't something on your device that is somehow hidden. It's not there.

Seems like it's a tough argument though, I never have all my email on my phone, or all my dropbox files, etc. If I choose to not sync certain GMAP labels to IMAP, does that mean I am 'hiding' them?

Have you kept the data off your phone specifically for the purpose of not letting them see it, intending to sync back up afterwards?

What if I don't sync the data back to my phone until I return home? Is that concealing? Is it any different than leaving sensitive items from my wallet (say social security card) at home while I travel?

You literally don't have the data on you so you're not concealing anything. Just because you can download it later seems like flimsy reasoning.

Otherwise, they could get your for "traveling with more than $X" because you have more than $X in a bank account somewhere that you could get via ATM.

You're not hiding anything, you're creating a legal barrier to someone accessing it. This is the privacy vs secrecy conversation.

"Are you hiding any drugs from us?" "Oh yeah, I've got lots in my apartment in $ANOTHER_COUNTRY"

Why should the actual answer be any different with data than it would be with the drugs?

Have you set things up so the drugs will be available to you once you have gone through security?

If you're a citizen you don't have to answer any question until you've been accused of a crime and have a lawyer present.

Also, the case law is iffy on whether a one-word answer of 'no' can be used in an obstruction charge. (read about 'exculpatory no doctrine').

...can you clarify this?

Looking up 'exculpatory no' implies that the matter was clearly settled in 1998 by the Supreme Court, which decided the doctrine is wholly invalid and the obstruction charge can be applied.

If there's iffy case law here, I'm not finding it successfully.

I'm not a lawyer so don't trust my take on what's safe to say to the cops.

I feel like I saw a recent exception to this, but even if I didn't:

1998 is pre-9/11, pre-TSA, pre- the large riots of the 2000s and 2010s like ferguson and occupy. It's pre-snowden, pre-aaron swartz. It's pre-iphone which means its pre every case about recording cops in public. It's pre stop and frisk.

Criminal justice has changed a lot since 1998.

I don't know, I think the border is a no-man's land. They can pretty much keep you in limbo as long as they want.

Edit: Yes, US citizens are allowed to ask for a lawyer (at the U.S. Border). But, the 4th Amendment is mostly out the window.

That's not really true. As a US Citizen, on basic legal principle, I believe that once Immigration has established you are a US Citizen, they have to let you leave unless they suspect you of a crime.

Customs is sort of a different issue, they can go through your physical and digital belongings and search you.

They have to let you in, but they can confiscate everything you have with you at the border crossing.

Answer "There is no hidden information on this computer, or any of my other devices".

How is setting software to "travel mode" hiding anything?

It's not the software set to travel mode, it's the account.

> the border agent asks "are you hiding any information from us?"

Answer yes, always, because: I have client data I'm most certainly hiding from you on my computer because they'd in general be worried if it i didn't, also I have passcodes to friends mail servers I manager for them I'm hiding from you, also I'm hiding from you all the emails I've sent to my parents, I'm also hiding from you all the pics of my gonads I sent to my lover. So yes, I'm hiding information from you. What country is this anyway? <asks the person arriving to the US from Germany>

The data is actually removed from your device so you aren't hiding anything. Like someone else said it would be ridiculous if you were forced to have all your data on your device when you travel.

At first, I thought the same thing. But if they ask that question, then no, I'm not hiding it from the border agent. I'm disabling a feature while I travel so that nobody has the potential to get to it.

Edit: Besides, if I ever travel out of country with my work phone, if anyone wants access to it they'll need to call my work's legal office as I'm not allowed to let anyone access that phone without their permission.

you can't disable it from the app

I'm struggling to understand all the comments here, but it feels like I'm living in an alternate universe. All of these questions like "but do the customs agents search for hidden partitions", etc...

Who is it that is running into all these scenarios with border control? I've gone on international flights, including to the us, dozens of times, and have seen around me thousands upon thousands of travelers, and I've never seen anyone asked to open their laptop, no to mention being grilled on hidden partitions.

Not that I'm doubting this ever happens. But from these comments, someone would get the feeling that this is routine, rather than a 1-in-an-X occurence for a probably very high X.

According to a CBP press release from April, "in the first six months of FY17, CBP searched the electronic devices of 14,993 arriving international travelers, affecting 0.008 percent of the approximately 189.6 million travelers arriving to the United States."

The release goes on to show that this is nearly twice as frequent as the equivalent period last year.

Thanks very much, I had been e-mailed a copy and didn't have the link handy.

The implementation looks sound, and it's easy to use. Props to Agile Bits for making this feature a priority.

So this is great! -- I think. My only concern is that if the authorities are already suspicious of you, and find no password vaults (or practically nothing in your password vault), they may just detain you until you reveal what you haven't disclosed to them.

There's clearly a technical solution to the problem of protecting data across borders but they do not work so well under duress. Is there any technical way to convince an adversary you are not hiding anything else or did not delete something?

Could they try to go with the truecrypt method?

Instead of removing the password data off the device, replace it with "junk" data.

"Low security" accounts that you wouldn't mind the "adversaries" having, sacrificial accounts, or even just a randomly generated selection of fake passwords for a selection of accounts, etc...

It still won't fully protect you (obviously a "targeted" adversary would know that you have an account at "X" with "Y" username and the password in your vault doesn't work for that so tie him up!), but being able to hand over something when being questioned might be better than nothing for some.

Definitely not great. It would create much more suspicion to have 1Password installed and not to have any data on it. Just uninstall 1Password before travel and re install it back after customs. Travel mode is a way worse solution.

The article says you can choose which vaults to have available in Travel Mode. So you could just leave some vaults you don't care about in there.

Empty/useless vaults aren't any better. Even if you went to the lengths of creating fake social profiles and adding their passwords to your fake vault, that's not any better either.

Social engineering. Confidence. At some point technology needs to be abandoned and you need to be a human being during those scenarios.

Or simply don't have anything to hide. If you have a guilty conscience that is going to manifest itself in your body language and mannerisms.

> If you have a guilty conscience that is going to manifest itself in your body language and mannerisms.

More than once, the customs officer has asked me "you don't look people in the eye, do you?" I just say, "no, I don't." (They're apparently happy with that answer.)

So you can be questioned without having a guilty conscience; I just look down a lot.

> Or simply don't have anything to hide. If you have a guilty conscience that is going to manifest itself in your body language and mannerisms.

What if I am an anxious guy?

What if I carry some business secrets?

What if I don't want some TSA agent look at my SO pics I have on my devices/social media?

Being anxious is something you can work on. Business secrets are perfectly legal to carry across a border. Not wanting the TSA to look at your shit is something I can understand.

I'd basically tell them to fuck off (in a more diplomatic sense) until it reached the point of being either blocked entirely from traveling or detainment. At that point you gotta ask yourself if the juice is worth the squeeze and turn back or play their game.

Also this is more than just an issue with the Trump administration and the TSA... I don't travel to Canada any longer due to the treatment I have received at the border there.

Just out of curiosity, how's the treatment at the border in Canada?

10 years ago I was working in Canada; couple of friends and I (Australian, British and Québécois) decided to go and ski in Montana for a few days. We had a few beers on the way down and stopped just before customs to drop off open cans before we crossed the border. Being 11pm, we were the only people at the crossing. As we circled round they decided something wasn't right (probably justified although not in their jurisdiction) - 4 hours later we were allowed into the US having been fingerprinted and our car searched on a ramp for what I assume was explosives or drugs. 3 days later we returned to the border travelling the other direction - the CBSA officer looked at the cover of all three different nations' passports before saying "I'm sure there's a visa in there somewhere, have a nice day."

As the above comment states, confidence. Confidence is everything. It's hard to detect a confident liar without serious equipment and verification.

If it's hard, make up an appropriate story beforehand and rehearse it until it is second nature and you believe it yourself.

Best to avoid the USA, basically.

This is a nice feature, but ultimately if you are concerned with border agents requiring a phone search then you should just backup and install a fresh OS before traveling, then restore when you get back. Log into the minimal number of apps after you've entered the destination country, and optionally delete/logout of said apps prior to return travel if the return border crossing is also a concern. Admittedly if you use a password manager you might need still want to make use of a feature such as the one in this article, or install the password manager app after entering the country, or just write down the passwords that you will need and hide them somewhere unfindable with your stuff.

On iOS about the only thing you would lose is your message history during the trip. It might be an annoyance if you wanted to play games that had non-cloud-based saved player state, but I can't think of too many other issues with doing this.

That may be a solution, but I'm never going to have the time to do that personally.

But are you concerned with border agents searching your phone? If you are then any time spent on this is time well spent. Although protecting your password manager is obviously of vital importance, there's a lot more to be concerned about sitting around on your phone if they can get in.

There's also the general concern -- although I don't know if it's ever been proven to have happened anywhere -- of border agents installing tracking software / malware. They often take the phone out of sight for a while. This is probably more of an issue with Android phones but again if you are a journalist or human rights activist or anyone with legitimate reasons to be concerned, I would absolutely want to wipe the phone as soon as possible after a border crossing if agents had forced me to hand it over for inspection.

Then it's a burner phone for you. Can't afford that? According to the security state, then you pay by risking your information.

I agree with both you and the parent poster. It's sad that we're paying a privacy tax on something that should be constitutionally protected.

Can't they order you to sign into iCloud or equivalent and then just sync whatever they want, photos, texts, emails, apps (and then order you to sign into those apps like Facebook, Whatsapp, Gmail)? Bottom line is they can get you AND everything you have access to. And it you try to circumvent it by i.e. temporarily encrypting everything for 24hr boom you just committed a felony. This is my understanding at least.

You know what's strange? I just can't remember my password to this account.

Real talk, if you play games they will find a way to fuck you up, and even if it is not strictly legal, even if you with some kind of relief later (not likely a nice settlement), you will still have to deal with getting fucked pretty bad at the time. Not a great outcome.

Yeah, no shit. "Oh, you can't remember your password? That's OK, we have a nice place here for you to sit until you do."

IANAL and I don't have an answer to this, but I would be deeply alarmed if this were the case. I can understand them making the case that anything on your personal is searchable (though I disagree that this should be allowed).

By asking you to sign in and sync, they're not just requesting access to information on your person -- that's an enormous expansion of their search powers.

I mean, aren't they forcing you to give Facebook passwords now?


Isn't it established that they'll ask for social media credentials which sync old data automatically?

"And it you try to circumvent it by i.e. temporarily encrypting everything for 24hr boom you just committed a felony"

This isn't true. Encrypting your device is not illegal, and they do not have the legal authority to compel you to unencrypt it or make you sign in to anything. They can make your life miserable, but the constitution still applies.

>This is a nice feature, but ultimately if you are concerned with border agents requiring a phone search then you should just backup and install a fresh OS before traveling

This is just another version of the "why do you need privacy unless you have something to hide" argument.

This feature really should ask you to commit to your duration of travel beforehand. It's no use if you can be compelled to readd the data.

Yes, THIS. THIS. Lying to a federal agent brings a world of hurt (obligatory disclaimer: I am a law professor but I am not YOUR lawyer...). Right now any customs agent with a brain can just ask "do you have that travel mode turned on? Ok, turn it off," and most courts will allow them to force compliance with that order. It would be really useful to be able to honestly say "I can't."

It's true, if they really want to make someone give up the info, they can arguably detain that person until the timer expires. But that move is much more costly to the government, as well as subject to all kinds of interesting potential legal challenges. So a timer makes the data strictly more secure, even if not perfectly secure.

Better, the feature should _always_ show both "Enable Travel Mode" and "Disable Travel Mode" buttons so that it's not possible to tell whether or not it's enabled. Disabling travel mode should prompt for a password, then return a message like "all vaults protected with this password are now enabled" no matter what the result of the operation is.

So if you're in Travel Mode and you don't want them to know, you'd intentionally put in the wrong password to unlock? I agree that sounds like the best option. It's a lot like TrueCrypt's concept of having an encrypted drive with one password, and another, hidden encrypted drive in the same file with a different password. No-one can prove you have the second hidden one.

Yes, exactly. It would be impossible to tell whether you even had any Travel-Mode-hidden vaults without exhaustively testing every possible password.

That doesn't solve the problem, because you could be detained until the data is accessible again.

I admit, my threat model doesn't include indefinite detention at a border, but that is a valid concern depending in where you are going. Unfortunately, it's common not to believe people that say they don't know their password, otherwise the solution would be to just change your password and leave it at home without learning it.

For me, the time lockout changes the claim you can make to an official from "I don't know the passwords, I have a record that I didn't bring with me, but can retrieve online" to "I don't know the passwords and have no ability to retrieve them while here". For me, that distinction is valuable and the benefits outweigh the risks. But everyone has different requirements and risk sensitivity.

It's beyond disturbing that we have reached the point where we are discussing this as a potential feature, and not a plot element of a dystopian scifi.

No you can't be detained indefinitely (unless they have evidence to charge you with a crime). You could have your devices confiscated, and as a non-citizen, you could be denied entry.

I believe you can be detained indefinitely, and without probable cause, by border agents.

Setting GPS locations where the vault can be readded to your device and disallowing it everywhere else would be good.

GPS location can easily be spoofed, and your ID has an address on it.

Came here to make the same suggestion, and strongly agree. I should not be able to re-add the vault if I am not in my house.

I thought about mentioning this too, as well as things like IP addresses and 2FA. The problem with GPS is proving that the location or request isn't spoofed. Ultimately, the phone is trusted when it supplies coordinates, so a determined adversary can easily circumvent it (for example, a SDR running a GPS spoofer). That's not to say it's a bad idea, as it certainly inproves security, but we are talking about state level targeting here.

The other options, like IP and 2FA are more likely to result in failure demand by non-expert users. It's really tricky to get the balance right, as it's hard to justify to yourself a full wipe when going to a relatively low but nonzero risk country.

I'm a little sad that this would require me to use the 1Password cloud-service. I would never want my 1Password vault to be on any server outside of my control. While I completely trust agilebit's intentions, I feel that their cloud service adds a very major attack surface. Someone like the NSA would certainly be able to obtain copies of the encrypted vaults, which means that everyone's vaults are just one bug/backdoor in the cryptographic stack (remember Debian RNG bug?) away from being exposed.

Hence, I only use WiFi sync for 1Password. It would be nice if 1Password added a sync option through my own WebDAV server. I'd then be happy to pay for a 1Password cloud account just for the TravelMode feature, as long as the vault data itself wasn't stored anywhere outside of my control. Having my own server would mean the the NSA (or whoever) would have to do a targeted attack on me personally, which is a whole different ballgame from everybody's encrypted vaults sitting on agilebit's servers.

In the meantime, if I had to cross the US border (as a non-citizien!), I would probably delete the whole 1Password app from my phone before crossing, and then restore the entire phone from backup afterwards.

I think this is an incredibly worrisome move on 1Password's part. Coming from the right motives, but ultimately it'll end up being used against us.

Look at it from the perspective of the government. By bringing information from elsewhere into the US, you're importing it. It just so happens that the import security is tight in airports. So you use 1Password to delay importing this data until you can reach it through an alternative import method which is much harder to regulate - the Internet.

What's going to happen is that they'll spend much more effort on tightening up the "import security" from the Internet. Things like SSL/TLS MITMing and deep packet inspection will be used to enforce compliance.

Don't get me wrong. The ability to be able to do this is incredibly important. If they had marketed this as anything other than a travel mode specifically, and let users work it out themselves, it'd probably be better. But as it is, they've created something which is basically publicly stating that it exists to break import security, and as a result it's going to get a lot of attention from the wrong people. I worry that the existence of this mode this is going to be used by the government as an excuse to have a "Great Firewall of America".

The difference is: with physical access, "they" are in control (during import). Importing over the internet, the user is in control (by using proper encryption).

If they beat encryption, everything is over anyway.

Isn't the counter simple; they ask for your logins to the 1Password vault? I guess this just adds an extra layer of obfuscation.

The most secure way I can think of is to either encrypt your drive (or wipe for travel and online restore once arriving) and physically mail the new password (or hand over to a trusted friend/store location) to the destination. Then there is no way of restoring at the airport.

Of course, then they can just detain you indefinitely for not revealing the password you don't know...

They can ask for logins for the vaults they see on your device. But those vaults are the ones you've marked "travel-safe", so you're accepting the risk of these being breached by invasive governmental searches.

However, non-travel-safe vaults a) won't show up on your devices, so they can't ask for what they don't know the existence of, and more importantly b) there is no evidence on the device of "hidden" vaults, or that you're in travel mode, so they doubly don't know the existence of those vaults.

How is the web interface handled? Essentially, where do you turn this on and off? Wouldn't it become standard ptotocol to just demand web credentials for 1Password? This feature is only for subscription based 1Password accounts, so it would seem to me it would just be easiest to delete the app and re-download after crossing?

Demanding web logins rather than local logins for anything is a step beyond the fuzzy legal authority currently given to the TSA.

If you're a resident, they eventually have to let you in. But if you aren't, they can reject you for any reason. This isn't something you can solve with tech. Those of us who are citizens of the US need to vote for politicians who make privacy a priority, and be more politically active in general. I feel like you could even make the play that it's bad for business, because it's impeding business travel. You could even point to this very post as evidence that many companies consider it a Big Deal - the idea that they have to explicitly hide their company secrets in this way because border agents are out of control.

Not CBP though, which is the relevant institution for international border crossings.

web login is likely the same as app login credentials. I don't use 1password, but that's the generate case with LastPass (at least last time i used its mobile app).

So, if they take the actual password, as opposed to having you log in for them, then they can easily go to 1password's web interface.

I'm not sure if there is a legal barrier to taking that step, but there is no real barrier there if the credentials are the same.

Perhaps if there were also travel credentials, that would be useful. With the travel creds there would be no indication that you were in travel mode and no access to additional data.

There is an additional key/identifier that you don’t have to carry with you that would prevent them from logging in even if you had to give them your vault password.

They already ask for social media account logins.

One option is to lock out the passwords for some amount of time, or to do geolocation.

Both can be defeated (they can detain you at the airport for a whole day, or they can spoof GPS) but neither of these mechanisms holds up to mass surveillance: you can't detain everyone who goes through the airport, or even all people with 1Password, for a day, nor can you spoof GPS at the security checkpoint because it'll probably leak to airplanes. You have to pick individual travellers and put them in a Faraday cage with a Stingray and an internet connection.

I'm not sure what the threat model really is, but it's possible that this will require enough time and resources to disincentivize asking for even more passwords when there's not a very specific suspicion, which might be good enough.

There are competing reports, but the maximum detention time for US citizens crossing the US border is about four hours.

If you are a foreign citizen, you are looking at about twenty four hours, and then refusal of admittance.

This information is the case for keeping a cheap back up device(s).

I thought that, according to the NDAA Obama signed, that the military can detain Americans indefinitely without reason.

"Then there is no way of restoring at the airport."

IIRC, the border agent has the power to turn you back, visa or no visa. So there might be a price to pay for getting too cute. They want what they want and trying to avoid that might make them angrier.

If you are a US citizen they can make you wait in a room for a few hours and maybe add your name to the "make his life miserable every time he flies" list.

,,even if you’re asked to unlock 1Password by someone at the border, there’s no way for them to tell that Travel Mode is even enabled.''

It looks similar to hidden partition in TrueCrypt

Any subscription-based 1Password can be accessed from the web. Couldn't they just demand those credentials?

Only if you know them. I don't know about you, but I don't have my long random account key memorized (only my master password). You can't log into the website without that account key.

Of course, you do need to be able to log in to turn travel mode back on, so if I were to use this I'd probably do something like set up a service to securely send me my account key after I'm expected to have finished crossing the border, or maybe just store it on a remote server that I have access to under the expectation that the TSA can't demand that I SSH into a remote server (especially one they don't even know about). Though if I'm traveling alone (instead of with my wife) I'd probably just call her and ask her to turn travel mode off for me.

That's a great solution if you're a US citizen and want to enjoy showing off to a border guard before being guaranteed entry, but for migrants (who are most affected by this), this kind of 'gotcha' logic would likely be considered insubordinate grandstanding, and get them denied entry.

> this kind of 'gotcha' logic would likely be considered insubordinate grandstanding

I'm not sure what you mean. I don't think it's unreasonable for anyone, migrants included, to tell CBP "I don't feel safe traveling with sensitive data, so I don't have any of that data on my computer". What's the 'gotcha' here? CBP isn't the only reason to want to have Travel Mode, there's also the increased risk of having your laptop stolen or misplaced.

In your original post, I took

> Only if you know them. ... You can't log into the website without that account key.

To mean that you'd openly have access to information in front of the guard, and then let them know that you can't access it at this time because of your elaborate scheme (e.g. tell them that it exists, but that they can't have it).

That's quite different to just not travelling with the data (or evidence of it existing) at all.

> CBP isn't the only reason to want to have Travel Mode

No, but it's the only 'reason' that's likely to use serious, life-altering coercion to make you to disable it, if they detect that it exists. It may be better to have no data that suggests capabilities, than openly posses partially disabled capabilities.

There's no way for a border agent to tell if you're refusing to disable travel mode because you won't or you can't (and little reason for them to care).

Of course it's not unreasonable, but 'reasonable' is not the relevant criterion here.

Yes, it does. And you provide them to the password for the local vault. Since you activated travel mode, they'll be able to see your "travel safe" passwords, but no indication that there are other passwords that were recently removed from the vault, and no indication that you entered travel mode.

> physically mail the new password

Nobody will ever do this.

Just travel with a dedicated traveling phone and have your main phone mailed to your destination.


Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact