Hacker News new | comments | ask | show | jobs | submit login
Questions for TSA after reports of laptop and phone searches on domestic flights (theguardian.com)
207 points by pmoriarty 10 months ago | hide | past | web | favorite | 203 comments

I guess they didn't read Riley v California[1]. In the opinion of the SCOTUS:

> Modern cell phones are not just another technological convenience. With all they contain and all they may reveal, they hold for many Americans “the privacies of life". The fact that technology now allows an individual to carry such information in his hand does not make the information any less worthy of the protection for which the Founders fought. Our answer to the question of what police must do before searching a cell phone seized incident to an arrest is accordingly simple -- get a warrant.

Given that the SCOTUS unanimously ruled searching a phone without a warrant is unconstitutional incident to an arrest, the same requirement must also hold for Terry stops and simple safety inspections.

[1] https://en.wikipedia.org/wiki/Riley_v._California

Im not sure that matters. They may make it a condition of travel; you do not have to let the TSA search your phone, but you will not be allowed to proceed into the airport without doing so.

That is what all the TSA searches have appeared like to me. Just a denial of service for maintaining a level of privacy.

This kind of argument is starting to piss me off. "You can express your freedom of speech, but not in this public park, because it's privately owned" "You can state your opinions, but not on this website, because dispite being a major communications hub on the internet, and despite advertising ourselves as a place of free expression, we actively derank, ban or erase any opinion we dislike" "You can decline the EULA, you just have to stop using our vital service" "You can maintain your privacy, but not if you want to travel" "You can buy a phone that doesn't collect metadata about you, you just have to break a $50 billion dollar lobby and manufacture your own IC. You still have the freedom of choice"

You know what, you really don't. Your rights aren't supposed to be just a legal burden to circumvent with various tricks, they're supposed to hold in all domains of public life. I want to be able to fly in a plane without having some asshole dig through my personal life. You think someone is dangerous? Check for bombs. Check for weapons. Why are they checking for beliefs? What kind of bullshit is this?

Yeah. We accept that “if you don’t like it, you should just move” is a bad excuse for bad laws. But people still think they are so urbane and clever when they say “oh, if you don’t like (service X), just don’t use it.”

Unfortunately the same requirement isn't generally understood to hold in these circumstances.

For example, the 9th circuit court of appeals in U.S. vs Davis[1] held that airport searches are "administrative searches" and are permissible in much broader ways than searches while being arrested.

[1] http://cdn.ca9.uscourts.gov/datastore/opinions/2005/06/07/04...

From the section [7] of the conclusion (your link, last page):

> The procedure is geared towards detection and deterrence of airborne terrorism [...] This was a limited search, confined in its intrusiveness (both in duration and scope) and in its attempt to discover weapons and explosives.³

> ³This would, perhaps, be a different case if there were improper motives established by the record below or argued in the briefs.

I'd like to know what "weapons and explosives" that might be useful for "airborne terrorism" the TSA thinks it might find buy searching the data on a laptop or phone.

I'm sure they would reply with some number of times that evidence of evil was found by a laptop search (in completely unrelated circumstances).

> the same requirement must also hold for Terry stops and simple safety inspections.

You must show your work here.

> Terry stops


A narrow search for weapons is permitted without probable cause, if the officer has "specific and articulable facts" that someone "may be armed and presently dangerous". Terry stops can allow a pat down for weapons; an actual search outside the scope of the immediate safety of the officer still requires probable cause and a warrant as usual (where the Riley decision would apply).

I'd like to know what kind of weapons the TSA might be looking for if the consider someone with a laptop or phone "armed and presently dangerous".

> simple safety inspections.


Briefly, Michigan Department of State Police v. Sitz allowed a brief questioning to gain "reasonable suspicion" of a crime (i.e. drunk driving), but only because it negligibly impacted 4th Amendment rights. Actual searches still required probable cause or arrest (Riley again), or the infamous "plain view" exception. Don't leave anything incriminating in "plain view" on your device's screen.

This article seems like it’s written to be deliberately confusing.

If I understand it correctly, the TSA is not forcing anyone to unlock devices. They take the devices away for some period, but if they’re securely locked, TSA won’t be able to get anything from them.

However, the article drops border searches which do require an unlock right into the middle of the article, then goes on to say that they have no specific examples of TSA doing the same thing. This implies that they have reason to believe it’s happening, but as far as I can see there’s no justification for that.

The big question is: what are they doing with these things? If it’s some fancy explosives sniffing (like they already do to my contact lens solution) then it’s nothing interesting. If it’s an electronic search if unsecured devices, that’s bad. If it’s an attempt to force travelers to unlock secured devices, that’s horrible. The article seems to want to portray it as the last one, while only giving evidence for one of the first two.

> They take the devices away for some period, but if they’re securely locked, TSA won’t be able to get anything from them.

It is well documented that there is no cell phone that cannot be unlocked.

And once it's unlocked, who knows what the real goal is. On the surface, one suspects that it's to examine its contents. But other possibilities include sideloading spyware, or even targeted viruses. Some random NGO secretary may not be the actual target, but could be the vector that allows a program to spread to one or more other targets within or without the organization.

I liked it better when this was the sort of thing that people on shortwave radio with tinfoil hats would rant about. Now it's almost weekly headlines in the NY Times, Guardian, WSJ, etc...

> It is well documented that there is no cell phone that cannot be unlocked.

Citation needed?

For iPhones: https://www.forbes.com/sites/thomasbrewster/2018/02/26/gover...

For every other phone, Google is your friend.

So that's what's happening? The TSA takes your phone, teleports it to cellebrite who unlock and clone it in ten minutes, then they teleport it back?

Can you think of a better location to place a phone's unlocking and cloning machine than the TSA's examination office? Do they really need to teleport the phone?

It's unlikely to be a push-button machine. It's more likely to be a complicated procedure involving desoldering chips and placing components in specialized harnesses, which would be difficult to replicate at an airport.

That's a difficult thing to cite, I would say it's more along the the lines of the saying "There's no such thing as non-buggy code" or "there's no un-hackable system."

I get it, burden of proof. The blanket statement by OP also doesn't consider the ol' "baseball bat" ceiling of hacking strategies - at what point is it easier to just break someone's fingers until they tell you what you want to know?

(don't break someone's fingers that's not good)

I’m not aware of anything better than brute force attacks for any vaguely recent iPhone.

To my knowledge this hasn’t been either verified or disproven, and no methods disclosed, but apparently CellBrite claims to be able to unlock iOS 11.


When that was discussed on HN, the consensus seemed to be that Cellebrite had found a way to allow brute forcing passcodes, but that they would be ineffective against a good password.

> It is well documented that there is no cell phone that cannot be unlocked.

Ok, probably true, but that doesn't necessarily mean that any unlock can happen quickly, or that the TSA has that capability broadly deployed to agents, or that the TSA even wants to unlock devices.

> If I understand it correctly, the TSA is not forcing anyone to unlock devices.

I'm sure they also don't shrug their shoulders and say "Locked? Oh well.". Varying degrees of coercion, threat, implicit or otherwise, relying on passenger ignorance to their rights.

I wonder how many have unlocked it at their request too, which is specifically different from "forced".

What makes you so sure of that? I’ve had them swab electronics for explosives before and they never even try to turn the things on. I’m pretty sure I’ve had them ask me once or twice to prove that a laptop was real by turning it on, and they never asked for it to be unlocked.

That’s my whole point: this article appears to be written to make you assume that a lot more is going on than they actually describe.

This. I've had TSA request "a personal device, like a phone or laptop" twice at the Austin airport. The first time, I (pretty defensively) refused and started asking why they needed it. Turns out I had been randomly selected for an explosives swab, and they wanted to test my devices rather than my person. Both times the test was performed with the devices powered off, and with me present.

I have been always asked to turn my devices on after a search for explosives (and whatever other substances they look for). They do that "to be sure you don't only carry the structure of the device to hide stuff inside". This happens in european flights.

>coercion, threat

This is what bothers me the most about TSA and Border Agents stamping on rights - there's the implicit "we're going to waste at least 1,300$ of your money by forcing you to take another flight and rebook hotels." I get so stressed about it I show up at least 3 hours early for any flight, sometimes even 4 for international.

>>They take the devices away for some period, but if they’re securely locked, TSA won’t be able to get anything from them.

You have no way of knowing that, or if they are doing anything to the hardware, cloning the SIM, adding tracking, or simply cloning the flash for possible evaluation later

Further it should be considered unconstitutional for them to even take it for 1 second.

> If it’s some fancy explosives sniffing (like they already do to my contact lens solution) then it’s nothing interesting.

I would find it interesting and "bad", they should not need to remove the device from your view to do explosive sniffing.

It is very troubling to me how much invasion of and infringement on a persons liberties the average person is willing to accept in the name of Security Theater

Al-Shabaab used a laptop bomb on a plane out of Somalia after successfully getting it through X-ray machines. It blew a hole in the plane, but they managed to land it successfully.

Swabbing laptops for explosives doesn’t sound like security theatre to me.


Something being a valid attack vector does not make their security process and procedure valid, effective nor anything other than Theater to make people feel safe.

Countless of time they have failed Red Team testing, TSA is useless if your goal is actual security, they are pretty good if you want to shift people in to accepting more and more intrusive violation of their rights...

I trust the crypto used by my devices.

Searching electronics for explosives isn’t security theater. That’s a real threat vector and an effective counter to that threat.

It is theatre if it is applied randomly. It is not if all devices are tested equally. The same goes for testing of people. Unless all are tested, random checks are just about useless, since there will be a pattern to the selection of people for "random" testing.

If the screening is being rendered ineffective by bad profiling, then it’s the profiling that’s theater, not the screening being profiled for.

If you are relying on "profiling" as a precursor to screening then you have made all of it theatre. You either screen everyone or screen no-one. To "randomly" choose someone to screen by the use of "profiling" makes nobody "safe", you may as well not screen anyone.

Sure. But it can be done right (screening everyone, or using actual randomness), and if it’s not, that’s a problem with the profiling, not with the actual screening of actual potential bomb casings.

Domestic flights? Wow.

Since this is a different agency than typically conducts (similarly intrusive and seemingly illegal) searches in the case of international flights, I wonder if they are following a common protocol? If so, who creates that?

I'm about to fly internationally for the first time in a while; anybody have any advice on how to handle my devices?

hidden partitions, and/or storing all your important data off-device are the two pieces of advice that get suggested the most.

I would strongly recommend the latter. Hidden partitions are trivial to find.

I recommend one of these:


Keep it encrypted and in your pocket.

The bigger problem with hidden partitions is the TSA agent asks you if there is a hidden partition and then if they are able to find out they you have lied you have committed a crime.

> TSA agent asks you ... and then if they are able to find out they you have lied you have committed a crime.

Not sure that's the case: TSA agents are not police or any other law enforcement any more than the gate agent is,and can't make arrests or anything like that. Pretty sure you can say what you like (though please, be polite!).

I once pulled out my phone to photograph the badge of an agent who was particularly obnoxious, not just to me but to others. I planned to fill out the complaint card. He freaked out, told me photography was not allowed, grabbed me by the arm and called for the cop. The cop came over and told him in no uncertain terms to let go of me, that photography is fine, asked me if I got a clear photo and made sure I got a photo of the badge. And handed me a complaint form. I assume he already knew that the TSA guy was a jerk.

> TSA agents are not police or any other law enforcement any more than the gate agent is,and can't make arrests or anything like that. Pretty sure you can say what you like (though please, be polite!).

Aren't TSA agents government, federal, employees?


> Except as otherwise provided in this section, whoever, in any matter within the jurisdiction of the executive, legislative, or judicial branch of the Government of the United States, knowingly and willfully—

> (1) falsifies, conceals, or covers up by any trick, scheme, or device a material fact;

> (2) makes any materially false, fictitious, or fraudulent statement or representation; or

> (3) makes or uses any false writing or document knowing the same to contain any materially false, fictitious, or fraudulent statement or entry;

Does this provide a layer of security outside of say, adding a strong password to your phone and keeping it powered off, assuming my phone's data is encrypted?

Yes. It provides protection against monkey wrench attacks.


Of course the TSA is not so unsubtle as to actually hit you with a wrench, but they have other ways of making your life miserable.

How? They can also plug your usb drive in and say, “unlock it or else wrench...”

Maybe I’m being obtuse but can you explain how it protects against a wrench attack?

The idea is to stop them from suspecting that you even have it in your possession.

Preventing you from boarding your plane for starters

I don’t understand. Can’t they do this whether I have an encrypted phone or an encrypted usb drive?

TSA makes you empty your pockets when going through security.

Hm, good point. I forgot about that because I have pre-check.

So maybe one of these instead:


Even pocket lint will show up on the Backscatter machines in use in US airports. I know, I've been pulled aside for it.

They're not exactly trivial to find - but they are trivial to use. Why not use one if you are concerned?

> They're not exactly trivial to find

I guess it depends on your definition of "trivial", but I wouldn't want to bet my privacy on the TSA's inability to locate a hidden partition any more than I would want to bet it on their basic honesty and respect for my Constitutional rights.

Most people access email through their phone.

Giving up your phone also means they get a complete copy of your email.

If you use a VPN to access company servers they will swoop up that information as well, and by extension all server side data your VPN credentials Grant access.

They may not be doing all that, but it's only a matter of time and knowledge given their lack of constraints.

Presumably whatever forensic tools they have will easily detect hidden partitions.

The advice I hear for international travelers is disk encryption + FedEx'ing your laptop to its destination.

Whole disk encryption should really be standard. No point deleting data if it's encrypted. At that point it's more clear-cut in becoming whether you surrender a key or not, no gray zones.

> easily detect hidden partitions.

Even hidden volumes in encrypted partitions? Has that feature of VeraCrypt been cracked?


It's a big bunch of random noise. Of course it's trivially easy to see the drive image is not like other drive images, which is all they're looking for. Go to jail until you hand over the passphrase.

Hidden volumes, though, enable you to place what theoretically appears to be a big bunch of random noise (unless you know the key) in an even bigger bunch of random noise with a legitimate, demonstrable purpose (an encrypted volume.)

Would you seriously attempt to convince US government agents that your 512 GB hard drive contains only a 256 GB filesystem because you're a random noise enthusiast?

It looks like there's 512GB of space committed, but contains less than 256GB of content. There is no protection against the hidden volume being overwritten, if the content in the explicit volume grows too large.

They dont use tools. For inspection of random phones from non-suspects they just poke around by hand. Only when they find something do they employ actual tools.

Do you have a source on this? Preferably one that will be updated if the policy and practices change?

The only safe assumption is the worst case.

Why would they do this rather than simply image the device? How do you know what their protocol is?

Because opening a phone and looking at the first few texts/emails is faster than imaging. One cannot take a phone and properly image it in the 5-10 minutes they spend with the average phone.

10 minutes is more then enough time to image most devices. Various groups have had stuff like this around for quite a while now. http://www.thenewspaper.com/news/34/3458.asp

potentially naive question, but doesn't apple encrypt devices? and will my iphone X be good if i refuse to open it for law enforcement?

Sure, if you remember to disable Face ID before going through the checkpoint. Good luck getting on the plane after refusing to unlock it with a passcode, though.

You can instruct the Secure Enclave to forget your passcode by rapidly pressing the power button 5 times. This inherently disables Face ID and Touch ID.

Just make sure you have Auto Call off in Settings > Emergency SOS, or it'll automatically dial 911.

Also, you can have a digit pin code longer than 6 digits by using a passphrase with only digits.

Are you a white, casually-dressed male with an American-sounding name? If so, it is very unlikely your devices will be scrutinized at all. Outside of that, the probability increases (sometimes by a lot). Hacker News likes to see the long arm of the law reaching into their personal lives where it almost never does. This isn't to say we should like--nor even tolerate--when it does, but you can probably just pack all your usual travel items as you normally would for a domestic flight, and simply be on your way, unmolested.

Are you trying to bring 3 phones, 2 laptops, a tablet, 4 chargers, and assorted other electronics with you? Be prepared for the long arm to reach into your life because you're attracting suspicion. You would be attracting suspicion even without the current political climate, because that much equipment is outside the bounds of normal for your average traveller.

Be an average traveller and no one will give you a second glance.

Stop flying so much and tell them when the time comes fuckoff and come back with a warrant or at least get an officer who can explain under what authority do they conduct domestic searches without a warrant, ergo, unconstitutionally?

Ah, you know what, I get it. They want to bring back the 90's cryptowars. They will lose again.

> Stop flying so much and tell them when the time comes fuckoff and come back with a warrant

In other words, stop flying completely. Because with that reaction, you're not getting in the plane.

But at least your settlements will pay for your lawyers and bus fare after a few years of foot-dragging litigation.

This is terribly dangerous advice for a border crossing.

On the other hand, a big part of nonviolent resistance as preached by figures like Gandhi and MLK Jr. is acknowledging that your actions may get you detained by a civil power. You'd be relying on the arbitrary, capricious, and in your view reprehensible nature of the charges to sway public opinion and stoke outrage.

It's not good advice if you are an individual who just wants to avoid the inside of a prison cell, and it's definitely dangerous, but I'd still admire anyone with the strength of character to follow through with it.

It's also terrible advice in countries where the preferred solution is simply to murder loud activists. At least you can theoretically be released from prison.

That's true, and a good point. And if someone tried to organize a movement to resist capricious border treatment, I think that would be laudable.

I'm less sure about an individual reading that advice and swearing at a border guard. Both Ghandi and MLK used mass resistance to achieve their ends.

Depends on who you are, whose border, and which direction.

If you're an American returning from abroad, my understanding is the most they can do is detain you (briefly) and confiscate your electronic devices for a limited period of time. Americans can't be denied re-entry to the US. So go ahead and refuse as a political statement, the worst that could happen is you'll miss your connection and you'll have to use a temporary phone for a bit.

But if you're a foreign citizen, it's probably best to swallow your pride and comply.

As it relates to an American returning from abroad, it doesn't appear what "briefly" means. From about 5 minutes of Googling, it appears anywhere up to 12 hours of detention is possible (based on a 2008 CBP internal memo).

Detentions have lasted more than 24 hours though, sometimes for days:

"Median Number of Hours Individuals Were Held in Detention, by Sector"


> "One woman who shared her story with the ACLU told the Guardian that in the last year, she has twice had her electronics searched while flying within California. The 64-year-old, who works in nonprofits and requested anonymity for fear that she could face further scrutiny from TSA, said that on one occasion last year, TSA agents pulled her aside to pat her down multiple times and eventually asked to see both her iPhones – a work and personal one."

I suspect it would be very revealing which nonprofit is involved here; this kind of harassment through scrutiny is a classic tactic against progressive groups.

It's also a classic tactic against conservative groups.


What a non story. The real story is that congress passes impossible to enforce legislation that cannot properly define which groups are political and which not.


> A federal watchdog has identified scores of cases in which the Internal Revenue Service may have targeted liberal-leaning groups for extra scrutiny based on their names or political leanings, a finding that could undermine claims that conservatives were unfairly targeted under President Barack Obama.

This is the kind of scandal the right clings to -- gov't bureaucrats trying to do their job.

"Classic tactic" for the gov't to target conservatives? You need to provide some real evidence or another example that pans out before making those kind of claims.

> "Classic tactic" for the gov't to target conservatives? You need to provide some real evidence or another example that pans out before making those kind of claims.

In case you didn't notice, that was a repeat of the exact words used in the comment that was being responded to. Unless you're planning to call out the initial comment in the same way, since it actually provided no evidence, whether you think it worthwhile or not, perhaps you should consider why out of the two statements, you felt compelled to respond to the one that actually provided some backing.

It's a little disturbing that I had to vouch for gowld since they were flagged and dead. I may not necessarily agree with them, but voting to oblivion and flagging them does not seem the appropriate response.

People who make outrageous claims need to be prepared to defend them. There is enough disinfo out there already.

Then apply the same standard to all, including members of your own tribe.

You will need to post something of substance if you want a substantial response.

Sorry, are you equating needless bureaucratic red tape in a non-profit's application for tax-exempt status to the seizure of a private citizen's phone and laptop?

Sorry, are you equating a private citizen having their phone out of their sight for 10 minutes with over a year of delays in permitting an organization to accept tax-exempt donations from thousands of citizens?

Frankly, BOTH are unreasonable and the government should not be engaging in EITHER ONE. I think there is little to be gained by debating which is "worse" -- could we instead agree to cease doing both?

No. There are degrees of "worseness": we have a priority queue of issues that must be addressed given spare time and resources.

In that context: and individual's right to privacy and to be left alone is much much more important than any organization getting tax exempt status.

An organization is allowed to collect donations when it files for tax-exempt status. It's donors are simply not allowed to take deductions for those donations until the exemption is approved. Once approved, the exemption is retroactive to the date of the application.

SO, no, the two situations are nothing similar in nature or scope.

"Tax-exempt" status is completely invented by the government, and carries no natural or Constitutional rights.

Being secure in your personal effects is a natural right and protected by the 4th Amendment.

I think they are equating "this kind of harassment through scrutiny" as stated specifically in the top level comment.

And that point falls down when the "scrutiny" isn't equivalent. The grandparent was clearly jumping in to make a partisan point (e.g. to say that there is no partisan lean to the demographics subject to this harrassment). And the evidence simply doesn't back that up.

The government harrasses minorities and progressive groups with this kind of tactic far more than it does white middle class folks, and trying to pretend that playing games with a 501(c)(3) application is somehow "the same" is just laughable.

> The government harrasses minorities and progressive groups with this kind of tactic far more than it does white middle class folks

How did progressive/conservative turn into minorities and "middle class white folks"? I'm in no way sure that progressive groups face more scrutiny than conservative groups, especially given some of the really odd and extreme conservative groups out there. I say this as someone that considers themselves a staunch progressive (if moderate liberal).

I wouldn't say "classic" since you're referring to fairly recent events. If I had to guess, the OP was speaking about mid-20th century targeting of progressive groups by US law enforcement agencies (e.g. sending MLK fake hate mail whose intent, according to many, was to induce suicide).

It's not "classic" since the example used happened less than 10 years ago as well as also being applied to left-wing groups as well. [0]

What is classic about it is right wing media (especially in the talk radio era) hyperventilating and manufacturing a scandal where "conservatives" are the victims.

Furthermore individuals/groups claiming tax exempt status where none exists is one of the things that the IRS should be looking for as an agency.


Remember the 5th Amendment applies to passwords. No law enforcement officer may EVER compel you to log in to a device with a password / pass code / unlock pattern, for any reason.

This is the way things should work. But, there was a widely reported case recently where a man accused of possessing child pornography has been held in jail for a long time [0]. From what I can tell, he's been in jail for contempt of court for nearly 2 and a half years!

[0] https://arstechnica.com/tech-policy/2017/03/man-jailed-indef...

If it's been 2 years, can they even prove that he can still remember the password? He hasn't had to use it for over 2 years, it would be entirely probable his memory of it has faded.

How about this theoretical situation: I place an encrypted file in a hard drive belonging to someone I dislike, and then frame them circumstantially with the likely possession of contraband data on said hard drive. Since he owns the device, he may be so unlucky as to have the authorities believe he knows how to decrypt the file despite him claiming he has no knowledge of how the file came to be or how to decrypt it. If they will not accept that argument, this seems like a good way to place a political opponent in jail indefinitely by someone with the means to craft such a scenario

That's because the issue is more complicated than any absolute statements.

One case decided that law enforcement can compel you to turn over documents that it knows you have possession of, regardless of where they exist. You're not testifying against yourself; you're turning over evidence.

Another case has decided that they can't compel you to turn over a password so they can search for evidence.

> can compel you to turn over documents that it knows you have possession of,

The only way to positively know that one has possession of the documents in question is to read them. If they need someone's help to decrypt the documents, then they at best have a very strong suspicion/circumstantial evidence of possession.

Even if they intercepted transmission of the documents in question, they don't know if the documents are still in possession or have been deleted until they've gotten the suspect to cooperate and decrypt all of the suspected documents.

If one had a hidden encrypted partition filled only with copies of the U.S. bill of rights, and the government used sworn testimony of definite knowledge that the hidden partition contained contraband in order to force disclosure of decryption keys, what's the likelihood that a good lawyer could get enough damages out of the government to make it worthwhile to sit in detention for a month or two while things got sorted out?

That's true. Nothing is guaranteed. That's actually what I'm trying to say, too. Normally, 5A covers passwords. But it didn't in this case, because somehow the court was able to decide that this hard drive undeniably has CP on it.

So, it's not incriminating yourself to decrypt something everyone already knows you have. That's kinda weird and concerning, depending on how they proved the hard drive's contents without decrypting it. I mean, if it's just someone saying "I saw it on his computer" then that's problematic in my opinion. Whereas if they have server logs, or logs from a different hard drive of his detailing the contents of the encrypted drive, or something more concrete than hearsay, I don't see an issue.

Edit: I guess the issue is: why do they need the contents of the drive if they can already prove the contents of the drive enough to convict?

In other words, don't enable touch id or face unlock.

I'm trying to find the article now, but I recall reading that in the USA it's a lawful order to have you unlock your phone with a thumbprint, but not to unlock with a PIN code. God knows why.

Here: https://blogs.wsj.com/digits/2014/10/31/judge-rules-suspect-...

Unsure about federal application, actually. We as country need to get our shit together regarding device privacy. You should need a warrant to look at a phone, laptop, whatever, with or without a password. The security of the device should be meaningless.

As for me, I'm grateful that I have the resources to push back should this ever happen to me, jailtime or included. That's a luxury probably very few Americans can realistically afford (seeing as they can just throw you in jail for 48 hours).

> I recall reading that in the USA it's a lawful order to have you unlock your phone with a thumbprint, but not to unlock with a PIN code. God knows why.

I believe the rationale was that they can't ask you to incriminate yourself (give up your passcode), but you don't have to say anything for them to force you to give your fingerprint.

My understanding is that it stemmed from them being able to compel you to take your fingerprints. In the old days you'd put your fingers in ink then put them on paper so they could record your fingerprint. I guess a judge ruled that putting your thumb on your phone isn't substantially different than that.

That said, you shouldn't ever rely solely on biometrics. In addition to the legal reason, an adversary could also unlock your phone if you were unconscious / etc using your thumb.

on iOS anyway, you can enable face id/touch id but specifically disable it from being able to log into the phone with it. You can then use face/touch id for authentication in apps.

Or at any checkpoint, simply shut down your device (or click power button 5x). Then they can have it, but it requires a passcode that is protected by the 5th amendment.

On iPhone X, all you have to do is "squeeze" the phone, or press the side and volume buttons at the same time.

What's the latest case law on this? I thought it was still unsettled, and there were a lot of confusing edge cases. E.g. https://www.inc.com/will-yakowicz/smartphone-passwords-const...

It's possible the TSA will claim that taking a device for some amount of time and giving it back doesn't qualify as a (4th amendment) search.

However, from a security perspective it would be awful if they could disappear with your device whenever they wanted - that certainly makes me uncomfortable.

>>It's possible the TSA will claim that taking a device for some amount of time and giving it back doesn't qualify as a (4th amendment) search.

Not likely to work: "We just want to search your house for 30 minutes" or "you can have your document back after we photocopy it, so no warrant needed."

The idea is that they cannot do certain things without a warrant.

I think the fear is that the TSA will deny having searched the phone and the complaintant will have not way of proving that they did.

Having the system have an ability to log all accesses after switching on get past this problem. As the logs will be proof the system was searched while not in your hands.

Does the system have such an ability?

I can't exactly go re-write iOS or Android (technically, I suppose I could do the latter) in order to add this feature.

>"We just want to search your house for 30 minutes" or "you can have your document back after we photocopy it, so no warrant needed."

This scenario would be quite a bit more akin to "let me have that locked briefcase you're carrying through security, no need for you to unlock it" and then returning it to you locked after 10 minutes.

Was that a 4th amendment search if they claim that they didn't look through your briefcase?

> Was that a 4th amendment search if they claim that they didn't look through your briefcase?

It's a seizure whether or not they looked through it, and it's a search if they examined—by any means, technical or otherwise—the contents in a way they wouldn't have been practically able to without seizing it, irrespective of whether they opened it (and even more independent of whether they claim they opened it.)

> taking a device for some amount of time and giving it back doesn't qualify as a (4th amendment) search

If it's optional and I can and will refuse, fine. If it's not,and I'm not attempting to cross a border, they can get stuffed.

For domestic travel, they do not need to examine the data - only the physical device needs to be examined to rule out security risk. They can do that non-intrusively with imaging and chemical analysis technology.

The idea that someone could claim that a limited intrusion into the contents of my communications isn't an intrusion at all is absurd.

I should clarify: If them looking through my data is not optional and I can't refuse, and I'm not at a border crossing (which is still bullshit imo, but well trodden precedent), they'd better have goddamn signed warrant.

I've got a question: to what extent can they dish up the "Terms of Service" argument? That is, can they refuse to fly you (domestic) if you refuse to comply because it's a "term of service"?

Is there any niddling contract law in purchasing plane tickets?

Isn't the argument that every international airport constitutes a border, and every mile of beach, and every mile of an actual border? That zone covers the majority of the population of the US constantly.

Don't you mean any area within 100 miles of the borders? That means some states are completely within this region and are all subject to border searches.

I would love to see the government attempt to defend such a stance in front of the supreme court. I have a sneaking suspicion there'd be a major judicial shitfit on that.

Chief Justice would probably be all: "LOL, you did wut? ಠ_ಠ"

The problem is that they don't have to (yet). They do it now and get away with it and currently with impunity. If I recall correctly, there is a case in Texas about the matter, but that is the only one I know of at the moment.

This is a concern, yes.


deleting this comment as i will by flying a few weeks

this is exactly what you shouldn't be afraid of.

>It's possible the TSA will claim that taking a device for some amount of time and giving it back doesn't qualify as a (4th amendment) search.

I wonder how long it would take to clone a phone and give back a ringer with some extra software installed. It's not like most people know the serial number of their phone. And if the phone's in a case, then put the ringer in the target phones case, and it has the same look and feel.

What about authentication details held in the "secure enclave", or equivalent? If they can unlock my phone, I think it would be faster and easier to just install their "extra software", rather than the technical difficulties involved in transparently replacing the hardware with a new copy of the same thing.

Especially if I've got a semi-obscure phone in an unpopular color. That's at the level of a targeted attack against an individual.

Surveillance Self-Defense https://ssd.eff.org/

If I bring any personal equipment when I travel it's a "burner". I have a Chromebook running Debian that never has anything on it I care about (and only access personal stuff remotely via SSH, using a PGP key on a YubiKey). I carry an old phone, again with nothing on it I care about. Both devices are encrypted and powered off through security (and left off as much as possible when at the airport in general).

The most important characteristic of these devices is that I'm 100% happy to just walk away from them (and there are no easily recovered credentials for any "cloud based" services I use).

If I'm traveling for work (and have equipment that belongs to my employer with me), I am equally happy to walk away from those devices (though I'll also leave the contact info for my company's lawyer).

Who here thought this was eventually going to happen for domestic flights after this started happening on international flights?

Yet another reason to not fly through the US

The number of searches has increased quite a bit from 2016 to 2017


No special knowledge, but willing to bet they are doing this on the basis of a specific threat. Much theatre, hoping it gets press, and intended as a deterrent based on information they've got they are concerned about. Otherwise its a lot of work for nothing.

I wonder if they're imaging the device for later analysis.

I suspect they're not installing implants but it would make me nervous all the same about using that device in the future...

idea: scrub all data and accounts from your electronics before flying.

leave your phone unlocked, but primed with a goatse booby trap so that the agents get an unpleasant surprise that's totally legal and comes with total deniability -- hey, you just loved goatse so that's why it's on your phone and laptop.

if the agent is offended, perhaps they should have minded their own fucking business.

>> so that the agents get an unpleasant surprise

YOU will get the surprise: if you're a US citizen they cannot deny you entry to the USA but they can make your life miserable by searching and delaying you every single time.

If you're not a US citizen and try to be a "smartass," they have all the power to deny you entry in the USA. No appeals.

why would i get a surprise? i'm just an innocent citizen who loves goatse. there's no reason to single me out for harassment -- or if there IS, there's a lawsuit ready to go

Of course you are. And they're just doing their job, they suspect you might try something. Just suspect, so to protect and to serve they have to check you, every single time. Better safe than sorry.

A lawsuit for being searched more carefully? Good luck.

> if the agent is offended, perhaps they should have minded their own fucking business.

Exposing government agents to obscene or indecent content is not going to improve the outlook of your day.

Or the outlook of the rest of your life.

Is there an easy way to do this for Android devices that isn't horribly painful to relogin to everything with?

If office issued electronic devices (which presumably have to undergo routine organization-specific scrutiny, and may contain non-public info) are snatched by the TSA for random sniffing, why can't an organization sue the TSA for compromising security?

They can have my device if necessary, however I will not give them the passcode without torture. They can add it to the pile.

They can't have my device without a warrant. I'm not comfortable with them even taking it out of my sight or connecting it to anything. This is an agency that absolutely cannot be trusted.

You'll miss your flight if you refuse. That's a lot of power they have over many people. It's expensive and you might not get to whatever was so important you flew there for.

A devil's advocate argument, for people to have something explicit to rebut here:

One of the guises state police operate under in America is the "highway patrol"—a force that searches for terrorists and drug trafficking and the like.

And presumably, air travel is a privilege, not a right, just like driving a car is. (Or is it? Taking public transit is a right that can't be denied to someone unless they explicitly break a rule of the system. But airports are private companies...)

So, given that, is there a legal reason that there is no "airway patrol"?

I'm not suggesting they have the powers of random search & seizure that the TSA seems to have, mind you. But should there be state police that are stationed at airports, who search people when they have probable cause?

> Presumably, air travel is a privilege, not a right, just like driving a car is.

Freedom of movement is a privilege, not a right? What can you possibly be talking about?

Did I miss a memo? The United States (and other common law societies) have a long history of enshrining freedom of movement as a fundamental right.


Also, be reminded that the USA voted in favor of the UDHR, which reads in part:

* a citizen of a state in which that citizen is present has the liberty to travel, reside in, and/or work in any part of the state where one pleases within the limits of respect for the liberty and rights of others


* and that a citizen also has the right to leave any country, including his or her own, and to return to his or her country at any time.

You can move, but not necessarily in car. Or on a plane. And you can't walk on the highways or near the rail road tracks or in the road. And you will be stopped if an officer sees you walking alone on a country road. And that's probable cause right there. Don't go wandering in the woods, lots of privately owned property there as well.

I'm sorry, you said something about moving?

I don't think they can stop you from moving in a car. They can stop you from driving one, though...

Yes you can pre-arrange a ride. Hitch-hiking is illegal in some states. You can pay for a taxi, buy a train or plane ticket. The latter provided you are not on any lists and don't mind your things being x-rayed and/or searched.

Really paying for rides in a car is the last great bastion of free movement (provided you don't get randomly stopped and searched in a checkpoint of some kind) in the U.S. Although, most of those either won't take you on the highway or are prohibitively expensive to do so. Making inter-city and greater travel difficult. But bonus points if you can pay with cash.

I understand, though. There are just so many common sense reasons to restrict free travel. How could one resist?

> Hitch-hiking is mostly illegal in most states

No it isn't. There are only a few states where it's illegal.

You are correct. While it is outright illegal in 6 states and has many different specifications per state, it is not mostly illegal.

I have amended my original comment to reflect this after doing some research.

freedom of movement \neq freedom to fly though

In a modern society, disallowing to fly doesn't give full movement rights for a person. You are much less likely to travel to Europe if you have to use a transaltlantic boat for example. :p

yes but you could say that of cars too (and courts have ruled mandatory DUI tests legal)

Just because courts have ruled something legal doesn't make it Constitutional. See: 100 mile border zones that are "exempt" from the 4th Amendment.

Not to mention, just because something is legal doesn't make it right.

what SCOTUS says defines what is constitutional. you may disagree with their ruling but they are the meaningful authority.

DUI tests are only mandatory for people driving a car, not for people who are simply traveling in one.

freedom to "use technology" is the freedom to "participate in society" which is the whole point. In the 80s it may have been permissible to ban those convicted of hacking crimes from computers and touch tone telephones, but today?

ask the supreme court

I'm sure we will.

Freedom of movement was a privilege in the old soviet union. Maybe we are slowly becoming the USSR?

Freedom of movement no more guarantees your right to purchase a ticket aboard a private, commercial flight, than freedom of speech guarantees your right to post to a private, commercial forum.

What freedom of movement does guarantee, to be clear, is that you're:

1. allowed to own your own plane;

4. allowed to fly said plane over pretty much any American airspace, other than specific little zones cordoned off by the military;

2. allowed to have your own airfield to launch and land your plane;

3. allowed to use the airfield of any American airport to launch/land your plane (at least in an emergency.)

With your own plane—just like with your own car—you have freedom of movement in the US.

> Freedom of movement no more guarantees your right to purchase a ticket aboard a private, commercial flight, than freedom of speech guarantees your right to post to a private, commercial forum.

It is the government that prevents you from flying on the private commercial airline. Not the airline owner. If the government was preventing people from posting certain messages on private commercial form, that would certainly be a violation of the First Amendment.

It is the government, via TSA, ICE, etc., and not Delta or Lufthansa or whoever, that most impedes the feasibility of air travel. Let us put to bed the notion that freedom of movement means only the freedom to walk on foot or to take absurd measures to avoid contracting with private or public entities that exist expressly for the purpose of serving travelers.

You cannot buy a plane and fly it without first asking the government.

The existence of a pilots license necessary to fly a plane makes this incorrect off the get go

That seems reaching to me. After all, highway patrol cannot simply start going through your belongings without probable cause which has a potential to be tested in court. Same rights are clearly not afforded to the air travelers in TSA interactions which seem to exist in a legal limbo right now.

actually they can and do every day!


"In May 2010 a couple was driving from New York to Florida and they were stopped by police because of a cracked windshield. During questioning, the officer decided that $32,000 cash in the van was "probably involved in criminal or drug-related activity", seized it, shared it with federal authorities under equitable sharing. The victim hired a lawyer to get back the seized money who urged settling for half of the seized amount, and after the lawyer's fees, the victim got back only $7,000."

As a followup to this (and response to preceding comment), a quick Google search shows that all airports aside from one in the US are owned by the government, which I believe must meet certain standards that we don't require of private entities in terms of rights of access.

that quick google search brings up a site that cites no sources for that claim...

Digging around found a source but I highly doubt its the one that site used. https://www.faa.gov/airports/airport_compliance/privatizatio...

> It occurs to me that America has, in every state, a state-run "highway patrol" that searches for terrorists and drug trafficking and the like.

The state-run highway patrol is still subject to the 4th amendment (search and seizure.)

If you get pulled over by a LEO - they need consent, probable cause, or a warrant in order to rifle through your belongings.

> they need consent, probable cause, or a warrant in order to rifle through your belongings.

which they can invent with no problem if they feel like it.

nobody who declines to a search gets away with it; they just call a drug dog to alert and then they can search anyway.

Not consenting to a search isn't really about preventing the search. The police are, by definition, they application of force; if they want to search you, they will. However, not consenting forces them to make up some sort of justification for their actions and gives your lawyer a much better chance of getting the fruits of the search thrown out.

My city Boston will tresspass you from the subway and bus system if you refuse to submit to a search of your bags at the checkpoints they set up at certain stations. So I don't think you are correct about public transportation.

How come that thing that is a thing isn't a thing?


4,000 law enforcement officers.

But that is separate from what powers we as a society should allow them.

The Air Marshals are literal peace officers—there to stop crime that happens in the air. Completely separate from the idea of a highway patrol, which is there—in essence—to be a permanent dragnet for BOLOs, and to (probabilistically) be witness to statutory crimes/regulatory violations (e.g. dumping of industrial waste) where no individual victim is going to report them.

So the Highway Patrol is there to stop crime that happens on highways, and that's totally different?

I am TOTALLY ok with TSA reading my last text messages before I go on a flight.

Those last few texts someone sends before committing a terrorist action, could send an extremely strong signal to authorities and possibly prevent a disaster.

If the extra security results in a strange TSA agent getting to enjoy some surprise dick pics, well that's the price of freedom Jerry.

>If the extra security results in a strange TSA agent getting to enjoy some surprise dick pics, well that's the price of freedom Jerry.

I wouldn't say that someone has 'freedom' if they're being forced to possibly have their body visibly exposed to strangers against their will.

If regular people wanted freedom, they would just fly private!

This guy get it.

"The law, in its majestic equality, forbids the rich as well as the poor to sleep under bridges, to beg in the streets, and to steal bread."

( https://en.wikiquote.org/wiki/Anatole_France )

isn't that what those scanners do lol?

They highlight where there are extraneous objects on one's body, but they do not reveal what's underneath your clothes. The OP that I responded to explicitly states s/he would be fine with TSA agents ruffling through your most recent messages on your phone, and that it should be OK for them to see nude photos of yourself that you may have just sent someone.

There's a big difference between going, "Hey, the computer put a red square on the left thigh of a generic outline of a human, it suggests we should look there to see if you have anything," and, "Hmm, let's see what Johnny sent Sally yesterday. Oh look, his dick! And this lady who isn't even traveling with him sent him six pictures of her breasts!"

Also they supposedly black out sensitive areas.

I mean sure, my parents grew up knowing that the secret police was listening to every phone call and opening every letter, but it was fine because you know, whatever keeps the motherland safe I guess!

If dick picks are fair game I think we should all be required to strip naked and submit to cavity inspections for the security screening process. Because that's how we've managed to keep our prisons 100% contraband free.

The TSA's own research points out that their criteria for search doesn't work[1]. The whole thing is a sad farce that adds no real security.


Do you really think random terrorists are dumb enough to send text messages like "so how's your terrorist attack going?" or "don't forget the bomb!"?


Perhaps not in those terms, but amateur OPSEC failures have sunk more than one criminal enterprise.

>I am TOTALLY ok with TSA reading my last text messages before I go on a flight.

That's cool, and I respect that. But I am NOT OK with the TSA performing such a search of my devices. (Unless they have a warrant. Then I'm fine with it. It's really that I'm a stickler about this old document called the "Constitution")

Are you willing to stand up for MY right for my (electronic) papers and effects to be secure from unreasonable searches? If not, are there other parts of the Constitution you would be willing to jettison?

(For what it's worth, this is a genuine question not just a complaint. There are parts of the Constitution that I would prefer to change -- just not this particular one.)

At that point you might as well advocate for the NSA to preapprove all text messages before being relayed to the recipient (provided that isn't already the case). Maybe the TSA could sell that as another perk to get through security faster. I'll take more privacy over a fake sense of security, thank you.

Not sure if you're kidding, but if you're not, there'd be no terrorist attacks at all if we were all locked in our own individual rooms with only telescreens to communicate with each other through.

Maybe we should take a serious look at that. It could seriously protect tens of thousands!

"Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety."

Soon to be in the terrorist's opsec handbook: don't fly with the phone you use to talk terrorist ringleaders.

Is every person in your contact list ok with it?

Is your partner, who sent you private pictures, ok with it?

Is your company ok with internal emails being read by the TSA?

Does giving access to your accounts on certain apps and websites to the TSA violate the TOS of any of those apps or websites?

The price of freedom cannot be freedom itself.

But it could be a reference to freedom. :)

I'm not sure what you are saying here.

Since price is a property of the concept of freedom, the price property cannot have a value which itself is the concept of freedom. The compiler will bail because the inner concept of freedom would have an incomplete type.

The way around this is to define the price property as a reference to the concept of freedom. That way you hold a memory addy to the concept of freedom within the struct and can compile and run your program with impunity.


Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact