Needing to protect your data from customs searches is now a thing...

[julianhigginson]

Interesting article on the realities of what can happen to personal (and business) data these days.

So far it's one documented case in the US, but this could just as easily be China, India, or any place I've been with a bunch of commercial in confidence information and my own personal device with all my own personal stuff on it.

https://medium.freecodecamp.com/ill-never-bring-my-phone-on-an-international-flight-again-neither-should-you-e9289cde0e5f#.5kcdz9qu6

For Android phones, a full ADB bootloader unlock/lock wipe, then setup a new google account before getting on the plane looks like the minimum necessary precaution before making trip through customs now.

A laptop would be a bigger problem. If you couldn't just not take one, you'd need a brand new traveller machine, which has had no accounts logged in (well, the same new google account would be OK I guess..) and no files or programs except bare minimum required for the trip, copied in via LAN or USB.

And you would be putting it all straight into e-waste for recycling after a customs incident like that.

I wonder how many corporations who operate in the US are implementing rules about this sort of thing right now? Automated cloning of work email accounts minus secret/confidential discussions for the purposes of having real data in devices without also having to risk anything critical.

[skylinrcr01]

Interesting article on the realities of what can happen to personal (and business) data these days.

So far it's one documented case in the US, but this could just as easily be China, India, or any place I've been with a bunch of commercial in confidence information and my own personal device with all my own personal stuff on it.

https://medium.freecodecamp.com/ill-never-bring-my-phone-on-an-international-flight-again-neither-should-you-e9289cde0e5f#.5kcdz9qu6

For Android phones, a full ADB bootloader unlock/lock wipe, then setup a new google account before getting on the plane looks like the minimum necessary precaution before making trip through customs now.

A laptop would be a bigger problem. If you couldn't just not take one, you'd need a brand new traveller machine, which has had no accounts logged in (well, the same new google account would be OK I guess..) and no files or programs except bare minimum required for the trip, copied in via LAN or USB.

And you would be putting it all straight into e-waste for recycling after a customs incident like that.

I wonder how many corporations who operate in the US are implementing rules about this sort of thing right now? Automated cloning of work email accounts minus secret/confidential discussions for the purposes of having real data in devices without also having to risk anything critical.

You could also just swap hard drives, and run a thin build of linux on your existing laptop, kind of a pain, but a lot better than having 2 separate computers.

[HAL-42b]

Anyone who has the power to decrypt the data by definition also has the ability to plant any 'evidence' they like. If they want to find child porn on your phone they can, and you can't do anything about it.

 

[julianhigginson]

That was my first thought RE the computer, but my laptop is expensive as it's a high powered Lenovo built for doing heavy CAD work. So while the risk of incident is currently very low, the cost of an incident would be high.

I guess for me in my current situation, personally, as long as this doesn't become a regular thing, I could swap out the drive in my personal time, and install a brand new windows, and copy files, and on average, be better off than if I had bought a new low power traveller computer.

But where I've travelled with a work computer, paying me or IT to have to swap out the drive, reinstall windows, blah blah blah, it's going to add up to the point where a cheap burner is likely cheaper in the first place.

[EEVblog]

I guess if you had a fast enough pipe on both sides you could encrypt the drive, upload somewhere, travel with a blank hard drive, and reload once there?
PITA I know...

[julianhigginson]

Anyone who has the power to decrypt the data by definition also has the ability to plant any 'evidence' they like. If they want to find child porn on your phone they can, and you can't do anything about it.

Not so worried about obviously planted child porn... That situation would obviously be terrible for someone who experienced it, but it's not something that can happen very often to be statistically significant without someone realising that certain people always get busted with the same kinds of files in the same place by the same investigators...

I'm much more worried about a coming world of industrial scale harvesting of computer and phone data that then gets handed out to every gimp with a government employee number (or worse!) and the ways this can then be abused as it's completely unprotected when used the way law enforcement eventually wants access to it.

See the current push for the scale at which all Australian telecomunications metadata is now wanted to be used, when on rollout of the metadata retention system, they originally said it was only for *worst of the worst* criminal investigations at the highest level, now maybe it's going to be OK for people running civil cases against other people to have access to the other people's historical location and communication records.

[EEVblog]

If this happened to me and I was stopped at the US border and asked to hand over my passwords, I'd just head back home. Screw that.

[julianhigginson]

I guess if you had a fast enough pipe on both sides you could encrypt the drive, upload somewhere, travel with a blank hard drive, and reload once there?
PITA I know...

Definitely possible! I mean that's basically what you'd do with your android or apple phone... flush everything off it, have the dummy account on there, then when you get to where you are going, sign back in with the real accounts and boom - it's all back there (That might be problematic in china if you use google though! - do they still block some google IPs?)

And depending on what work materials you have to take over, it's definitely going to be best if you can cloud/server it and not take a physical copy at all.

I also guess for things like manufacturing handover, or presentations for meet and greet with new possible suppliers, it's often quite possible to just ditch a computer completely and just travel with the minimum files in an encrypted zip file on a couple of dvds for redundancy. they could demand the passwords to those zip files and take the data but then you're no worse off than if you had the PC compromised, and you don't have a computer with the possibility of malware at every level, from the peripheral controllers up... :-)

[julianhigginson]

If this happened to me and I was stopped at the US border and asked to hand over my passwords, I'd just head back home. Screw that.

Yes, but that decision could be hard to explain to your CEO if the business was depending on you going somewhere to do something..

Also it's particularly hard to manage if the country doing this is meant to be your home, like it was with this NASA guy..
:-)

[james_s]

Passwords for what? I don't even have a facebook account, so they can ask for the password to that until they're blue in the face and I can't give it to them. Clear the logins and browser history and how are they going to know what to look for? I have at least 10 email addresses, which one are they going to check? I'm no fan of the whole cloud fad but this is one situation where storing my data elsewhere may actually have advantages. Of course I don't personally have anything on my laptop or phone that the border patrol would have any interest in but I'd still rather not have them poking around. If I have to travel internationally I'll bring a laptop that has only what I need for the trip on it. My personal phone doesn't have roaming anyway so I pick up a $20 prepaid phone when I reach my destination.

[EEVblog]

Also it's particularly hard to manage if the country doing this is meant to be your home, like it was with this NASA guy..

In that case you refuse point blank.
They cannot refuse citizens entry into their own country.
They can detain you of course for some time under some ridiculous law, but not indefinitely. You just have to be willing to wait them out.
They will eventually either have to charge you with a crime and arrest you, or let you go.
And not giving up your passwords when asked is not a crime, only refusing a court order becomes crime, and even that is of course contestable.

[DimitriP]

Statistically insignificant.

What is significant is that NASA doesn't seem to have a protocol in place  so that its people know how to handle situations such as this.

But it makes a great article that everyone will click on and get outraged and share and tweet, and link and folllow  etc etc etc ...it's what keeps the internet going...unfortunatelly.

[EEVblog]

What is significant is that NASA doesn't seem to have a protocol in place  so that its people know how to handle situations such as this.

I bet they do now.

But it makes a great article that everyone will click on and get outraged and share and tweet, and link and folllow  etc etc etc ...it's what keeps the internet going...unfortunatelly.

It's fun to play "what if".

[Halcyon]

Standard encryption on Android and Apple handsets are enough provided you use a strong password (at the moment). A 4-digit PIN offers little protection against brute force attacks.

And not giving up your passwords when asked is not a crime, only refusing a court order becomes crime, and even that is of course contestable.

To clarify, a court can order you to give up your password or anything to unlock/disable encryption under certain circumstances. As you mentioned, refusal or not doing so is a further crime. Any Police officer (Constable) in Australia can apply to a magistrate for such an order.

Code: [Select]

CRIMES ACT 1914 - SECT 3LA

Person with knowledge of a computer or a computer system to assist access etc.
             (1)  A constable may apply to a magistrate for an order requiring a specified person to provide any information or assistance that is reasonable and necessary to allow a constable to do one or more of the following:

                     (a)  access data held in, or accessible from, a computer or data storage device that:

                              (i)  is on warrant premises; or

                             (ii)  has been moved under subsection 3K(2) and is at a place for examination or processing; or

                            (iii)  has been seized under this Division;

                     (b)  copy data held in, or accessible from, a computer, or data storage device, described in paragraph (a) to another data storage device;

                     (c)  convert into documentary form or another form intelligible to a constable:

                              (i)  data held in, or accessible from, a computer, or data storage device, described in paragraph (a); or

                             (ii)  data held in a data storage device to which the data was copied as described in paragraph (b); or

                            (iii)  data held in a data storage device removed from warrant premises under subsection 3L(1A).

             (2)  The magistrate may grant the order if the magistrate is satisfied that:

                     (a)  there are reasonable grounds for suspecting that evidential material is held in, or is accessible from, the computer or data storage device; and

                     (b)  the specified person is:

                              (i)  reasonably suspected of having committed the offence stated in the relevant warrant; or

                             (ii)  the owner or lessee of the computer or device; or

                            (iii)  an employee of the owner or lessee of the computer or device; or

                            (iv)  a person engaged under a contract for services by the owner or lessee of the computer or device; or

                             (v)  a person who uses or has used the computer or device; or

                            (vi)  a person who is or was a system administrator for the system including the computer or device; and

                     (c)  the specified person has relevant knowledge of:

                              (i)  the computer or device or a computer network of which the computer or device forms or formed a part; or

                             (ii)  measures applied to protect data held in, or accessible from, the computer or device.

             (3)  If:

                     (a)  the computer or data storage device that is the subject of the order is seized under this Division; and

                     (b)  the order was granted on the basis of an application made before the seizure;

the order does not have effect on or after the seizure.

Note:          An application for another order under this section relating to the computer or data storage device may be made after the seizure.

             (4)  If the computer or data storage device is not on warrant premises, the order must:

                     (a)  specify the period within which the person must provide the information or assistance; and

                     (b)  specify the place at which the person must provide the information or assistance; and

                     (c)  specify the conditions (if any) determined by the magistrate as the conditions to which the requirement on the person to provide the information or assistance is subject.

             (5)  A person commits an offence if the person fails to comply with the order.

Penalty for contravention of this subsection:        Imprisonment for 2 years.



[MarkS]

They can detain you of course for some time under some ridiculous law, but not indefinitely. You just have to be willing to wait them out.

ROTFL! Oh wait... You're serious.

[mtdoc]

As long as you keep your self away from social movements or anything political or the espionage shit, and be a quiet businessman or engineer, I see no reason why you should be afraid of it.

Yes. Of course. Just be good, obedient (and quiet) slaves worker bees.

Remember:

“If you want to keep a secret, you must also hide it from yourself.”

[james_s]

As long as you keep your self away from social movements or anything political or the espionage shit, and be a quiet businessman or engineer, I see no reason why you should be afraid of it.

Yes. Of course. Just be good, obedient (and quiet) slaves worker bees.

Remember:

“If you want to keep a secret, you must also hide it from yourself.”

You can do whatever you want, but keeping a low profile is a good way not to arouse suspicion and will save a lot of hassle. I've never really had any trouble with law enforcement or border patrol, doesn't mean I always agree with what they do but I'm just polite and cooperative, though I don't volunteer any information they don't ask for. The less reason I give them to dig any deeper, the less I have to exercise my legal rights. Be aware of what they're looking for and try not to fit the profile, there *are* people out there with bad intentions and weeding them out without impacting the innocent is not a trivial task. I do think that going through phones and asking for passwords and such should require probable cause and a warrant though.

[JPortici]

But it makes a great article that everyone will click on and get outraged and share and tweet, and link and folllow  etc etc etc ...it's what keeps the internet going...unfortunatelly.

medium dot com. i know what you mean.

[EEVblog]

I do think that going through phones and asking for passwords and such should require probable cause and a warrant though.

It does. That doesn't stop them from asking in a very intimidating way and tricking you into thinking they have the authority to demand it. They rely on people caving in.

[SingedFingers]

For ref this is a problem in the sector I work in (financial).

We carry dumb machines as terminals and our desktops are entirely hosted inside Amazon AWS.

We only carry dumbphones on company business.

[RGB255_0_0]

As long as you keep your self away from social movements or anything political or the espionage shit, and be a quiet businessman or engineer, I see no reason why you should be afraid of it.

Yes. Of course. Just be good, obedient (and quiet) slaves worker bees.

Remember:

“If you want to keep a secret, you must also hide it from yourself.”

You can do whatever you want, but keeping a low profile is a good way not to arouse suspicion and will save a lot of hassle. I've never really had any trouble with law enforcement or border patrol, doesn't mean I always agree with what they do but I'm just polite and cooperative, though I don't volunteer any information they don't ask for. The less reason I give them to dig any deeper, the less I have to exercise my legal rights. Be aware of what they're looking for and try not to fit the profile, there *are* people out there with bad intentions and weeding them out without impacting the innocent is not a trivial task. I do think that going through phones and asking for passwords and such should require probable cause and a warrant though.

Hard to not fit into the profile if you're not white.

Even a school teacher was denied entry to the US because he was Muslim.

I wouldn't give an employer my password to social media and neither the governments of the countries I visit.

[Delta]

See the current push for the scale at which all Australian telecomunications metadata is now wanted to be used, when on rollout of the metadata retention system, they originally said it was only for *worst of the worst* criminal investigations at the highest level, now maybe it's going to be OK for people running civil cases against other people to have access to the other people's historical location and communication records.

That is the big worry, the constant creep of how such surveillance / information gathering laws and systems can be used.

Here in the UK we have more CCTV cameras per head of population than anywhere else (AFAIK), all done on the pretence of public safety, crime prevention, etc. And to be fair, a lot of criminals have been convicted based on CCTV evidence, but then councils got access to the cameras and started using them to dish out parking tickets.

Even if things are introduced with genuine good intentions, if it can be abused, it WILL be.

[Ampera]

I hate this shit. Leave us the heck alone, you're not stopping any terrorists at the airport by scanning their phones.

How about a full encryption of everything, but you don't know the key? If you encrypt it and store something like a bitlocker key with family via secure email, then you can retrieve the key once you get there and decrypt everything.

Or maybe a red herring installation? Install a second copy of windows, hide the other behind bitlocker or another version of partition encryption, and when asked for something like this, give them the password for the red herring installation. Hide the other partition as best you can, and put some dummy fake accounts and red herring applications on the installation to keep them happy.

You could also do the extreme and send the encrypted device or hard drive overseas by airmail (TAKE BACKUP FIRST). If it's really critical you can use something like 2-3 day shipping. Could cost a bit, but so does traveling in general.

[Halcyon]

I hate this shit. Leave us the heck alone, you're not stopping any terrorists at the airport by scanning their phones.

How about a full encryption of everything, but you don't know the key? If you encrypt it and store something like a bitlocker key with family via secure email, then you can retrieve the key once you get there and decrypt everything.

Or maybe a red herring installation? Install a second copy of windows, hide the other behind bitlocker or another version of partition encryption, and when asked for something like this, give them the password for the red herring installation. Hide the other partition as best you can, and put some dummy fake accounts and red herring applications on the installation to keep them happy.

You could also do the extreme and send the encrypted device or hard drive overseas by airmail (TAKE BACKUP FIRST). If it's really critical you can use something like 2-3 day shipping. Could cost a bit, but so does traveling in general.

TwoOfFive; With all due respect, law enforcement, customs, national security etc... etc... aren't interested in you unless you've come under notice for something before.

As for "not stopping any terrorists at the airport", that couldn't be further from the truth. Most of it isn't reported to the public so you wouldn't have any idea. There have been several instances in this country where plots have been foiled and those are just the ones I know about. There is much more at play. Police and National Security agencies are doing a pretty good job at keeping you safe if you live in the US, UK, AU, NZ...

[tszaboo]

So searching your phone is a bigger scare for people, than cavity search.
And some think, the US does not have acess to all the information you need? Sure have my phone. There is no password on it, swipe up, like this, and have fun. Read my SMSes, and my contact list, that is what is interesting for you, isnt it. Everything else in on my gmail account, you have that already. I even upload all my photos to the cloud,  I hope you checked that I'm not burning your precious flag, and I dont behead people. I have nothing to hide.