Hacker News new | past | comments | ask | show | jobs | submit login

I really wish Apple would put something in place where you effectively have two user accounts. If you type your actually passcode, it's just your normal account. If you type another specific passcode, it's a burner account with minimal apps and information. It has enough info to make it look like it's being used, but nothing important.

Obviously border control would quickly know about this, but there's no way to verify.

Attempting to deceive CBP through hidden volumes and the like is not recommended.


It's worse than that in some cases. I used to work for a big 4 consulting firm and they had some horror stories about border device searches.

The company policy for travel outside the EU was simple... Your own laptop would go into a server room and become a remote desktop host, you'd be given a blank laptop. When you got to your destination safely you'd call up IT who'd tell you where to download the VPN software and provide you login details. If asked why you laptop was blank by border agents you were instructed to give them a copy of the company IT policy.

Which is all well and good border agents demand you go through the above process and log in to the VPN and then remote in to your own laptop. It happened on multiple occasions in several countries and in most cases the employee was deported after refusing to comply.

It might've been better to respond with the fact that you had only just received that laptop from the company, which was the truth.

A new clean laptop is in itself suspicious, especially if you are on a business trip.

I think the expensive legal brains the company employs decided it is better to simply admit that they do it this way to stop border inspections. Better a deportation of a single employee rather than risk compromising their IT systems and data.

> border agents demand you go through the above process and log in to the VPN and then remote in to your own laptop

empty laptop or no, that brings up a general issue - border agent asks you to VPN into your corp network and to give them access into it (which beside a slew of corporate policies may also violate a bunch of laws like GDPR, HIPAA, SOX, EPA Clean Water and PCI compliance, etc - IANAL, so who knows what laws can be violated, all those corporate compliance and business conducts emails are so scary). Me being a little guy doing as i told/ordered to by the ones with authority, I'd just call corp IT security, some bozo high up the chain, and let them do their job - sort it out and make the decision. Sucks though for small companies without that fat and important corp IT security and all those C[compliance|information|customer privacy|security|sustainability|etc.]Os around.

The solution could be for the company to give the VPN password to the employee by phone some time after they arrive at the destination. Then the employee literally has no way to access the VPN when detained.

Then the employee may be subject to indefinite detention? That would be an absolutely unthinkably bad policy.

Why did the big 4 consulting firm think that it was so important to hide the laptop data from the government during the border search?

Many companies have policies, especially when visiting China, to send in users with blank devices and wipe the devices on return.

The big 4 consulting firms aren't single entities. Each country has its own independent branch that shares a global brand, set if principles and objectives.

The Irish branch has to comply with EU and Irish law. Think GDPR and various other laws relating to keeping financial data secure. Plus they would also have very strict contracts with their bigger clients guaranteeing the security and privacy of their super sensitive commercial data.

You would be unwise to assume that the data retrieved through a customs search of your laptop or phone wouldn't end up in your rivals possession.

Because otherwise any information on the laptop would have to be considered compromised.

What about if I put an encrypted backup of my phone into some online storage and factory reset it? Probably not a workable solution for frequent travelers.

This probably would raise suspicion and CBP will detain you, as will bringing no phone at all.

This is the EFF's statement regarding wiped devides:

We don’t recommend disk wiping as a border crossing security measure for most travelers. It’s a less common data protection technique than the other ones highlighted in our guide, which include encryption and minimizing data that you carry. Wiping your computer will make it unusable to you. Also, it may draw the attention of border agents, since it is unusual for travelers to carry blank devices with them. This may be of particular concern to travelers who are not U.S. citizens, who may receive more scrutiny from border agents. Again, you should consider your risks and security needs carefully before deciding how best to secure your data for border crossings as everyone’s individual risk factors and data security needs are different.


That's basically using your own phone as a burner phone.

You could probably stick a few innocuous photos and messages on it and claim you'd just upgraded or something.

Can I claim that I don't like my laptops searched so I reinstalled it from the scratch? It's truth. Can they force me to reveal my gmail password or something like that?

You can't beat the government or law with clever technological tricks. So you pull that stunt, then the border agent reminds you that lying to a federal border agent is a crime. You give a hesitant, non-confidant, shift your eyes wrong and you're detained. Heck they might even just detain you for shits and giggles because there is no repercussions to them.

Have fun.

So your best bet is to just let the government invade your privacy? Or travel without your actual phone, and take some random cheap Android device?

or you could go out and Vote!

How do I vote against US policies if I’m not US based?

Vote with your $/£/€/etc.

How does that work? You're saying I shouldn't travel to that specific country, correct?

> there's no way to verify

Obscuring in this manner likely counts as lying to a federal officer, particularly if they catch on and ask if this is your main profile.

Doesn’t matter. If there’s truly no way to verify, there’s nothing they can do in a scalable way to determine people are lying about their main accounts.

The only thing they can do is use fear to get you to comply, or make you doubt your deniable encryption scheme is truly secure.

If they really wanted to could they find out? Perhaps. Maybe if they use CCTV footage and extract your phones screen and do comparisons or something. If you are an individual though who has done something to warrant that level of scrutiny, perhaps the additional crime of lying to a Fed isn’t a big deal compared to whatever crime you have done.

> Doesn’t matter. If there’s truly no way to verify, there’s nothing they can do in a scalable way to determine people are lying about their main accounts.

It doesn't have to be scalable; border control already isn't scalable and relies on uniformed officers making decisions on the spot. It's not hard to add additional point in training that says, "if a person has suspiciously empty phone and the phone is a model X, ask them to unlock the second account; if they refuse or pretend they don't have one, apply 3-30 hours of pressure". This would probably cover 99% of cases.

You’re literally describing a way to make it scalable.

INAL but I don't think that legally it would be lying. I believe lying requires more than not complying. Plus, we always have the right to remain silent.

Even if true, border officials will start asking everyone "is this your main profile". I guess you could refuse to answer, but that will make the answer obvious.

Any time you say to the officer something you know is not true is lying. It may not necessarily be immediately grounds to detaining or turning you from the border but it may cause further escalation. Never tell a lie to the police and never offer any information unless directly asked for it.

The right to remain silent isn’t the right to intentionally lie.

> Plus, we always have the right to remain silent.

No you don't. Not at the border.

Untrue. People who crack jokes about "constitution free zones" at the border are just uninformed. There are some obvious broad waivers on searches to enable the enforcement of import/export and immigration laws, but other rights that don't relate to the particulars of border enforcement are not impacted.

> There are some obvious broad waivers on searches to enable the enforcement of import/export and immigration laws

Except those searches can be done at the behest of other law enforcement agencies and any information found can be shared with them.

Incorrect. CBP has a policy to destroy any digital data collected during a search unless it is relevant to an investigation of customs/immigration crimes or is related to terrorism, which can be broadly construed as related to immigration law insomuch as one of the primary purposes of a border is to keep out unwanted persons.

I recommend reading through this document assembled by the EFF about various kinds of border searches and the constitutionality thereof.


I fail to see anything in your link to back up your claim.

Here's what the EFF does say about the CPB doing exactly what I described.

> The evidence includes ICE and CBP policies and practices that authorize border officers to conduct warrantless and suspicionless device searches for purposes beyond the enforcement of immigration and customs laws. Officials can search devices for general law enforcement purposes, such as enforcing bankruptcy, environmental, and consumer protection laws, and for intelligence gathering or to advance pre-existing investigations. Officers also consider requests from other government agencies to search devices. In addition, the agencies assert the authority to search electronic devices when the subject of interest is someone other than the traveler—such as when the traveler is a journalist or scholar with foreign sources who are of interest to the U.S. government, or even when the traveler is the business partner of someone under investigation. Both agencies further allow officers to retain information from travelers’ electronic devices and share it with other government entities, including state, local, and foreign law enforcement agencies.


You absolutely do have the right to remain silent at the border.

Your statement is untrue. You have the right to remain silent at the border as well.

Wouldn’t it be safer to:

1) Backup phone then reset to factory before flying 2) Restore once through customs.

Have you tried to restore your phone? Especially while on LTE/3G or hotel WiFi? It's an absolute pain in the ass, takes a couple of hours, not to mention you have to set up Apple Pay again. Deal with 2FA changes because you can't back up Google Authenticator.

If this was an independent review I would take it more serious, but it comes from authy directly.

Serious question tho, can Authy be used on any website that supports Google Authenticator?

There is also microsoft authenticator which supports the same things as Google Authenticator. They just added a backup to onedrive feature too.

Do they support any other backup options? I have no interest in signing up for yet another account, just for one specific app.

Google Authenticator is essentially just RFC6238 - TOTP: Time-Based One Time Password Algorithm.



Cool, didn't know that. I definitely like that Authy has backups.

I did it each time I got new iPhone before "transfer data to the new device" was available. No issues.

That would imply having your other phone available. The original suggestion was to clean your phone, and then restore it from a backup. So the whole "transfer data to the new device" wouldn't work.

That's historically been referred to as as duress code.

It would be exceptionally hard to make it look like the phone is being used with the 2nd account. For one thing, having current email would be pretty mandatory to pass a sniff test.

Not recommended to rely on in court but if your friend wants to borrow your phone, there are androids that can unlock to different accounts depending on what finger you use to unlock with the fingerprint sensor.

Well 1Password does have a "travel mode"


Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact