Schneier on Security
A blog covering security and security technology.
« Suspect in 2001 Anthrax Attacks Kills Self |
| Friday Squid Blogging: Jumbo Squid Photo »
August 1, 2008
U.S. Government Policy for Seizing Laptops at Borders
Amazing. The U.S. government has published its policy: they can take your laptop anywhere they want, for as long as they want, and share the information with anyone they want:
Federal agents may take a traveler's laptop or other electronic device to an off-site location for an unspecified period of time without any suspicion of wrongdoing, as part of border search policies the Department of Homeland Security recently disclosed. Also, officials may share copies of the laptop's contents with other agencies and private entities for language translation, data decryption, or other reasons, according to the policies, dated July 16 and issued by two DHS agencies, US Customs and Border Protection and US Immigration and Customs Enforcement.
DHS officials said that the newly disclosed policies — which apply to anyone entering the country, including US citizens — are reasonable and necessary to prevent terrorism.
The policies cover 'any device capable of storing information in digital or analog form,' including hard drives, flash drives, cell phones, iPods, pagers, beepers, and video and audio tapes. They also cover 'all papers and other written documentation,' including books, pamphlets and 'written materials commonly referred to as "pocket trash..."
It's not the policy that's amazing; it's the fact that the government has actually made it public.
Here's the actual policy.
Slashdot thread. My previous essay on crossing borders with laptops, and how to protect yourself.
Although honestly, the best thing is probably to keep your encrypted archives on some network drive somewhere, and download what you need after you cross the border.
Posted on August 1, 2008 at 12:21 PM
• 109 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
It IS the policy that's amazing.
The fact that they disclosed the policy only confirms what is already well known: an authoritarian agency with no accountability doesn't care about maintaining even a pretense of due-process.
Perhaps it's the classic bargaining opener of asking for way more than you really want? Knowing that Congress is likely to address this matter soon, maybe they are intentionally publicly over-reaching so that they can "compromise" down to close to what they really want, anyway. Otherwise, they could end up with a law that requires them to (shudder) adhere to the Constitution.
so if I post my hard drive to my destination they have nothing to search; right?
I can run my laptop off a live CD just fine for travel.
What will happen if EU will use the same policy against US citizens? How US government will respond?
I agree that it IS the policy that is unbelievable. Its only a short step from doing this at the border to doing this anywhere. I mean, why not - we are protecting against terrorism. Surprisingly, child pornography was not cited as a reason also. Until Americans (and the western world in general), demands that government be focused only on protecting our true rights (not made up ones) will the encroaching police state be rolled back.
So, when Exxon geologists return from an exploration trip, their laptops can be seized and turned over to, say, Texaco geologists for "other reasons", and vice versa. Not to mention what happens to Shell geologists.
What a fascinating way to bolster public/private partnerships for espionage.
I love the fact that due to the strategic placement of appropriate candidates in the judiciary this:
"The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."
"Federal agents may take a traveler's laptop or other electronic device to an off-site location for an unspecified period of time without any suspicion of wrongdoing, as part of border search policies the Department of Homeland Security recently disclosed. Also, officials may share copies of the laptop's contents with other agencies and private entities for language translation, data decryption, or other reasons, according to the policies, dated July 16 and issued by two DHS agencies, US Customs and Border Protection and US Immigration and Customs Enforcement."
Rumpis, the US is doing this to US citizens. It's doubtful they would even care....
The most stunning aspect is "without any suspicion of wrongdoing" -- unfortunately I'm speechless beyond this.
I'm speechless. We are so doomed here in the US.
What is the saying: Soap box, Ballot box, Jury box, Ammo box
We're at the latter folks....
I couldn't find that paragraph in the PDF your linked to. Was this supposed to be a quote, or your summary of the policies listed in the PDF?
MikeD - there is a small difference. If US government does something against US citizens it is US internal problem mostly. If some foreign government will do something wrong to US citizen, government should respond.
There is something really wrong when a veteran security expert has to say the most secure way to travel with data is to make it accessable to the internet rather than carrying it with you in encrypted form.
Does the government have some way to crack AES-256 that we don't know about? If they do, did they just confirm the fact that they do/can in this policy? Bugger NSA!
Though the document is geared towards border crossings, it is not limited to that.
"In the course of a border search, and absent individualized suspicion, officers can review and analyze the information transported by any individual attempting to enter, reenter, depart, pass through, or reside in the United States, subject to the requirements and limitations provided herein."
So your stuff can be taken if you are "attempting to... reside in the United States" AKA all citizens! RIP 4th Amendment.
"... CBP will protect the rights of individuals against unreasonable search and seizure."
Sounds nice. I've got some nice beach front property in Kansas that I'd like to sell you!
So I suppose even using whole disk encryption will be reason to confiscate the computer. And when you refuse to give them your password, they'll subpoena you despite having no suspicion of a crime.
This is worrying, especially since I just experimented with shareware to rescue off my camera card a JPG I deleted. It undeleted the JPG, along with 300 other older photos taken in the last year, including those very nasty images I let the husband take on a lark after too much wine. So not only is current stuff vulnerable to scrutiny, so is, potentially, every file I ever deleted. Oh, this is just swell till I go figure out how to obliterate that stuff. Whimpers.
I think we've all missed the big picture.
Now that the government can search and seize all data on physical media coming across the border, what's to stop them with electronic media (i.e. the wires that bring it into the country)? Technically, every switch and router used when the fiber comes up in the US is a data storage device (stores a packet, routes it on, etc). What is to stop CBP agents from analyzing, forwarding on, and acting upon any data entering the US now that they can search other data storage media?
This could be the precursor to the Great Firewall of the United States...
Bruce, your comment about placing it on a network drive fascinates me. It's an obvious solution that works. What fascinates me is the implications for the customs agents -- why do they bother? What is the purpose of guarding against data entering the US on a hard disk, in the Internet age?
I suppose the government answer is to monitor all data transfers over the internet as well. And I suppose the rumor is that that's what AT&T has been contracted to do -- right? As part of the telecom spying scandal? So maybe the network drive is not an answer after all...
Soap box, Ballot box, Jury box, Ammo box
1) Soap box: nobody's listening, and "they" have very good PR people.
2) Ballot box: too much of the populace has been brainwashed into voting how they're told (by union, church, party, whatever).
3) Jury box: the courts are already suborned.
@Jan - just fill the card with something else then delete it. It'll be erased.
Honestly, if the cops ever insisted that I erase the photos on the camera, I'd argue a bit, but not much. I'd just use the "erase all" function - then switch cards. When I got back home, it's a matter of minutes to recover all the images.
And this isn't Unreasonable Search and Seizure - how?
The reason they bother is that this is all just theater. They're not really trying to catch anyone, they're just making it look like something's being done. The only people they have a chance of even inconveniencing are people who aren't doing anything wrong. Anyone who really has anything to hide can trivially just put an encrypted file up on an FTP server and retrieve it when they get to their destination. Even if for some reason you wanted to carry incriminating evidence with you, you can put a lot of data on a TrueCrypt volume on an 8GB MicroSD card, then delete the file (which can easily be recovered later) and the card can be either put in a phone or camera (and can be shown to be empty) or they're so small you could hide them almost anywhere; sewn into the top of the tongue of a shoe, heck, crammed into the cap of a black marker pen.
Regardless of it being made public or kept in secret - this policy by the unaccountable is amazingly horrible.
@Roxanne (and others):
Border searches are not subject to 4th amendment rules. This is long-settled case law. (They don't need probable cause to look in your suitcase, or under your car seat, either.) See Wikipedia article on "Border search" for a summary.
The fact that the policy is somewhat cavalier about the duration of seizure and the wide latitude of distribution they claim with respect to the data they retrieve is, to me, the big problem.
They ought to covenant that copied data is only used for intelligence and law enforcement purposes, and is otherwise maintained in confidence. Implementation would presumably follow the government's well-known ability to do this sort of thing properly. ()
This is just the immigration control version of the drive by shooting.
You can just imagine the meeting where they decided on the policy, "It might catch a very stupid prospective terrorist so that's how we justify it. On the other hand there are a lot of stupid sex tourists who we'll catch and that will make our statistics look great!"
So, when all the perfectly ordinary tourists come back with gigabytes of pictures of London, Paris and Rome exactly how happy will they be when the camera and memory disappears into the system for 6 months and is eventually declared lost (which usually means stolen)?
Wouldn't network traffic across borders qualify for some kind of surveillance under the 'new and improved' FISA?
Waiting for the inevitable, "If you're not doing anything wrong, you have nothing to hide ..."
@JRR -- interesting. I do understand why security theater is in play in airports. Flying triggers a lot of people's fear buttons even without the terrorism aspect, and so it doesn't take much for people to freak out about it. And there are large business interests at stake in keeping people flying. We mock it, and I think that's fair, but it does serve a purpose for its agents, even if it is not truly in the public interest.
But I'm less sure why it's useful to deploy security theater when people come into the USA. What business interest is being served? How afraid are people when they're driving back into the country? Are so many people agitating for Something to Be Done in this way?
Of course there is the obvious exception of the diplomatic pouch. Diplomats may traffic in weapons of mass destruction, terrorist attack plans, child pornography, untaxed cigarettes, undeclared overseas purchases, untaxed luxury cars, bulk narcotics, and home furnishings without worrying about searches or seizures. After all, gentlemen do not read other gentlemen's mail.
So, if they take a laptop from a US Navy officer and find an encrypted file, which they don't know contains defense secrets, then give a copy to a multinational corporation, which brute-forces the decryption and sells the results, without being executed for treason? Or did I miss something?
Do imagine what the stink would be in the NY Times et al., were this to have been Chinese Government policy?
So, who wants to be the first test case? Shouldn't take more than a cheap laptop and a few every-other day trips into Canada or Mexico before they think you're up to something and do the confiscation thing.
And when they find a laptop full of encrypted copies of the Constitution and other "revolutionary" papers, they'll realize that they were setup...
"they can take you [sic] laptop anywhere they want" ... Should be "your".
Also, if that's the policy for seizing laptops at Borders, what's the policy for seizing laptops at Barnes and Noble?
@jdw242b: "so if I post my hard drive to my destination they have nothing to search; right?"
Sure they do. Customs has long had the same rights to inspect international mail.
@StickyWidget: "Great Firewall"
Exactly. Sweden recently made this very argument when they implemented wiretapping of all international data traffic. And they were completely taken by surprise by the outcry over such practices.
After all, isn't the internet just a series of tubes where it is reasonable that all parcels crossing the border must be inspected by customs?
It's fascinating that this policy violates the classical, typical case of an illegal law: it is a "taking", a policy that simply allows the government to take citizen's property away from them. In the early 20th C., the supreme court determined that a "taking" could be legal if it furthered some great moral good (New Orleans vs some of its butchers). What is the greater good here? Govt employees who spend time investigating random PCs cannot possibly be spending enough time looking for terrorists!
This policy is unconstitutional.
- toby robison
My terror plots... uhm confidential data resides on my iPod with the filename GodSaveAmerica.mp3.
Warning: iTunes will choke on the file.
@ You Laptop
In face of this policy, your biggest issue is a typo?
What will happen if I bring a 200 lb server across the border from Canada? Will they confiscate that and copy my 3 TB of data?
Cheap way to recycle old computers? "No, thank you, you can keep it. I reported it lost and purchased a new one..."
This is illegal and unconstitutional in my eyes...until then:
1. Keep you data on an encrypted thumbdrive or other media and hide it.
2. Use a service like Carbonite. You encrypt your data and upload it to a site to download later.
3. Write and hound your Congressmen
I look at this from a wildly different angle: How can a government effectively access the data (or if you prefer, violating the "rights" ) of people who attempt to bring data across international borders?
If they are so concerned with the right to obtain physical access at the border crossing, they must feel that they have any electronic data transfer all sewn up.
That would include all forms of Internet including VoIP, international phone calls (and their data equivalents point to point dialup), wire transfers, Telex, faxes and other electronic mechanisms. Satellite phones? Amateur radio? Other radio?
The Great American Firewall must not be 'coming' . . . it must already be here, built into the network infrastructure when it was designed.
How about trying the insurance angle on this? Get an insurance company to insure your computer against theft and loss. Then, when your laptop is seized, report the theft when you make your claim. (Describe the thief as nondescript, wearing dark pants and white shirt, impersonating security personnel. By the time you realized it was in reality stolen, it was too late to chase after the thief.)
As the insurance companies rankle at having to pay out claims because of malicious governmental policies, they will use their clout to change the policies.
It takes Big Money to fix things. Or a large army.
I'm wondering if there's a business angle on this.
Mechanism is image the laptop and put the encrypted upload somewhere. Fly to the US. Get your hands on the same type of laptop and download and load the image into it.
Something like instead of leasing the corporate laptops from Dell, you lease them from some company that does that. Provides a push of a button mechanism to create and upload the image, you hand in the cleaned laptop and they give you a blank one back in the other country.
Obviously you now have to trust that company. Maybe just laptop rental like cell phone rental...
But it's effectively what I do when I travel. All my files are encrypted and downloadable via ssh from a server. When I arrive I grab them and upload them back when I'm done and delete from the laptop before leaving. Main difference is I take the laptop with me, but if it was taken I could buy a new one at the nearest computer store and be up and running.
> Great American Firewall
*If* it exists, it doesn't deny you access like the Chinese one right? It'd be better called the Great American Pervewall
I'm no legal expert, but doesn't this policy blatantly violate the 4th amendment?
Pilota: Re expansion of this practice domestically - this is already in force in the UK - research RIPA Part III. There was a variant steganography project named m-o-o-t intended to counter RIPA III, but I'm afraid it has gone dormant (or perhaps the architect has been granted an all-expenses-paid vacation via Air Rendition) Re surprise that "child pornography" (whatever that term has been distorted to mean this week) was not cited as a justification - I saw a related article on an interview with Chertoff about this policy in which he did exactly that.
For the rest of you - when will you face up to the fact that this is exactly what government (any and all government) does? Coercion is its very essence. That is why there was a Second Amendment, and also why that Amendment has been castrated. The only effective vote against this kind of abuse would be from the rooftop, if that is still possible. OTOH, while it is impossible to find a truly free society to expatriate to, it may still be possible to find one in which the corruption is sufficiently nascent that it remains comprehensible and manageable; that is surely no longer the case here.
Question: What are you going to do about it?
If the U.S. thinks they have electronic frontiers sewn up as well, what's next? Converting flying model airplanes to autonomous delivery systems to carry those commie (oops wrong era) - terrorist secrets across our nations borders?
How about passenger pigeons? Can we expect headlines about 'terrorists' being caught smuggling homing pigeons OUT of the country?
Who left these bird brains in charge, anyway?
Oh well, I just can not wait until the gov can seize you and subject anybody to a full MRI brain scan and 'test' during border crosses.
What a waste of resources, time and the USA.
The democrats will abuse this power as well. GRR.
What is really going to suck is when ITAR rules come back stronger.
All these bad rules destroy USA business.
Rome sure must have loved Nero, and his Wisdom...
I have an idea ... let's just boycott travel to the US (sorry, I know this doesn't help US citizens ...). I am prepared to spend my tourism and work dollars elsewhere.
It’s a very timely move by the DHS. You never know when someone might invent a global, unregulated data network that could allow evildoers to entirely bypass such checkpoints, making them nothing more than a sham way for border police to rake through people’s private data and copy their mp3 collections.
I recently traveled through Canada from Detroit to Niagara Falls, spending three days in Toronto. My conversations with the border folks were both less than 30 seconds. They never even asked if I had a laptop.
I don't know if people have seen the news coverage about the beheading on a Canadian Greyhound bus, but I did not see it mentioned on this blog.
As such, I wrote a post on my blog similar to what I would have expected Bruce to write:
I guess some of the above posters have started to realise why I have said in the past,
"We do not live in a democracy we live in a representational democracy which is the same as voting for a monkey in a suit"
If you have ever wittnessed a "chimps tea party" at a zoo you will begin to get the idea.
The important thing to note is that although there is an "alpha male/female" monkey who thinks they are in charge it is actually the zoo keeper who is.
Which also highlights the relationship between unelected government officers (keepers) and elected (monkeys).
However most monkeys although very self interested have to for their own protection live in groups. This gives rise to a significant vertical structure with your postion on the ladder determind by amongst other things who's back you scratch and who scratches yours, (and of course sex or breading privelages).
The two important things to note are, those at the top will use any means possible to stay there, and those outside the group are always treated as hostile / source of food / not worthy of interest (which explains why as the sole source of food the zoo keeper is realy in charge).
The alpha monkey at the top of the ladder has two types of ultimate punishment for members of "their group", execution and banishment. They are also fully aware that this is also their fate as well.
I could go on drawing parellels between government and monkeys in a zoo but you get the general idea.
Your attention should realy be on the "keepers" who control the source of food (money etc) to the politicos.
They come in three basic types,
1, Suppliers of money.
2, Suppliers of information.
3, Suppliers of votes.
Which is the most important at any time depends on a number of factors. For instance GWB is not personaly going to be interested in suppliers of votes as he knows he is about to be banished to the world of "elder statesmen". So he is most likley to be influenced by those who can offer him the best position as a "keeper" (yup the inmates do get to run the asylum board).
There are a number of books written by European and Asian "keepers" from times past (ie before the U.S. got going). Later works tend to suffer from hiding behind to much moralising ;)
Yes it does mention child pornography. Section A states: "[E]xaminations of documents and electronic devices are a crucial tool for detecting
information concerning terrorism, narcotics smuggling, and other national security matters; alien admissibility; contraband including child pornography, monetary instruments, and information in violation of copyright or trademark laws; and evidence of embargo violations or other import or export control laws."
In other words, while "terrorism" and "child pornography" are the Unspeakable Evils that make this draconian policy incontrovertibly necessary, it's actually an open-ended fishing expedition with a broad net to catch any possible violation of any law. Given the proliferation of laws in this country, it's a license for CBP, Homeland Security, or the local United States Attorney to troll for whatever quota is necessary.
If a terrorist or a child pornographer doesn't find his way into the net, a copyright violation will have to do. Can you provide proof beyond a reasonable doubt that every song on your iPod was legally purchased, or that every file on your laptop is fully compliant with all terms of the publisher's EULA? If not, you forfeit your device (I hope the agent's kid enjoys it); and if the local federal prosecutor needs to curry favor with the RIAA this week, you might face criminal copyright infringement charges.
Could someone please explain to me (a) how an open-ended fishing expedition "absent individualized suspicion" does anything to protect the Homeland from any threat; and (b) how a nation whose Unitary Executive grants itself that power differs in any significant way from totalitarian countries such as the former USSR or the Third Reich?
Answer to both questions: Not a whit.
this all comes from the McCarran-Walter Act of 1952.
Remember the Birch Society and the Commies under the bed?
The supreme court has upheld this stuff over and over since.
There are no constitutional rights at the border.
YMMV, of course.
Found a nice text.
To all uninformed and brainwashed Americans: Your homes can be searched without warrant and without your presence. You can be arrested without giving reasons to you. You can be held arrested for an unlimited time and without contact to a lawyer, and you can be lawfully tortured. All under the suspection that you could be -- maybe -- a terrorist.
Study the Patriot Act of 2001.
"Federal agents may take a traveler's laptop or other electronic device to an off-site..."
road to isolation...
I cannot believe the audacity and reach of this new policy by none other than the US Government.
This policy breaks established covenants built into the Constitution to safeguard the rights and freedoms of a people.
This nefarious policy must be usurped or it will be like the proverbial hole in the dam-with a deluge of more restrictive legislation on the rights and freedoms of individuals sauntering right behind it.
@Davi, I think you miss ForReal's intention.
I too believe that the media were to jump on this if the Chinese would be (are) doing this. Now it is kind of silent (also here in Europe). We just accept the policy, because it is (supposedly) for _our_ own good done by a (supposedly) civilized, western government.
Keep your data downloadable across the network and also remember to keep some money in the bank for buying a new laptop if they sieze it!
I remember when the army sent people to the markets around bagram afganistan to buy up all the pilfered thumbdrives that were appearing for sale to the afganis who had computers and the electricity to use them, Apparently the drives were just full of classified information. but with size of a micro one gig card now being about the size of your little fingernail, it makes me think of some heinlen story I read long ago where the guy had a loyal assistant who had a pouch surgically created in her belly button just for data smuggling. or perhaps some william gibson novel where the data is plugged into the guys brain for travel purposes. All you guys around military bases or wash dc
should ask the homeless aluminum collectors to bring you any thumb drives, cd's and floppies they find, for hobby sifting to find gold, yes gold in information form that you can sell or ransom.
Please don't tell the DHS that data can be stored on iPods and cell phones.
time to start carrying around that big freaking magnet again.
Interesting that no-one has queried the 'need' to seize the whole laptop when, by definition, if the unit is off and thus ram is clear, they can remove the hard drive and other storage media, and there is simply no way for you to have any contraband in what's left.
Maybe the lesson then is to take the relevant small screwdriver with you and abandon your HD if challenged. Unless your PC is a non-standard model, at least doing that makes a policy of seizing any more far more difficult for CBP to defend either politically or judicially.
@ God save the USA
Have *you* read the USA PATRIOT Act? It's not easy reading, as it is essentially a legal diff file, changing a few words or sentences here and there in the US Code.
Noting a drift toward a surveillance society where freedom of expression and information is threatened, officials of many organizations throughout the world call for an action day on October 11, 2008.
Protest marches, festive events, workshops … Each country will participate in its own way to the action day “Freedom not Fear 2008″ 
In France, more and more organizations  prepare this day, and invites organizations defending privacy and freedom of expression and information to participate in this project 
Only a worlwide action can now fight against informational totalitarianism : More and more countries around the world are now joining this movement, which has yet to spread. We call all those who have contacts with activists of countries not yet participating to invite them to contact the Freedom not Fear coordination .
 Odebi, Big Brother Awards, Marsnet, Globenet, the RAIDH Network, Artisnotdead, Propagande.org, Wireless Marseille, contre-conference.net
 email contactAThumanrights21.org or http://www.humanrights21.org/?page_id=21
link : http://www.humanrights21.org/?...
Those were 'Friday' and 'Johnny Mnemonic' respectively (the latter made into a gawd-awful movie with Keanu Reeves).
But really this whole laptop thing is pretty small potatoes to most of the sheeple that make up the electorate in this country (how often do you suppose Joe Six-pack has been out of country at all, let alone with a laptop??): if you want to get his attention talk about the "secret room" that the whistle blower told the world about last year (hint: Big Brother was watching you surf for Pr0n there Bubba); think about the bill that just passed congress that let the telco's off the hook for doing something that they KNEW was illegal (turning over records for data mining) at the time that they did it (remember the words of Nixon: "If the President does it then it's NOT illegal.") and then, just for kicks and giggles, go to Google Maps (or Windows Earth or whatever), flip it to "Satellite View" and type in your home address, zoom in all the way, and then count how many cars are in your driveway (I only see one in mine ... apparently one of us was out of the house the last time they snapped a shot). See that? Now think about the fact that those ARE THE PUBLICLY AVAILABLE IMAGES!!! How much tighter can DHS zoom in??
Between the Eye In The Sky, the GPS in the cell phone, the Packet Sniffer at the local internet hub they already have a record of every call you make, every book you check out of a library, and how many kids showed up at the neighbor's pool party last summer. They can make Wikileaks disappear from the nations DNS Servers at the whim of a Judge in CA and wipe Usenet from the internet (at least servers in NY) just by saying the magic words "It's For The Children!"
And the big news on the Mainstream Media? Obama broke down and put on a %#@-ing 'Flag Pin.'
I run full disk encryption. If they try to seize the laptop they will ask for a password. I will refuse. My laptop will be seized. For being a smart-ass, my belongings will be searched. I will be detained for a t least several hours. I will not be allowed access to a lawyer.
Since I am a citizen, I cannot be refused entry (Supreme court has already said that de-naturalization is a violation of the 8th amendment and is "cruel and unusual")
However I can be harrassed. I will also most likely be subjected to a full cavity search. My government will sodomize me. No make that: Ass-rape me. Just to teach me obedience.
Then eventually, after the ACLU and EFF show up (my employer tracks my return time and if I don't show up calls the lawyers, this is already arranged)
I make the worst possible test case for the DHS. I am white, safe, intelligent and educated. If I can be ass-raped for protecting my company's security so can you. That will make great headlines. Then they will lose. I am putting my ass on the line. Literally. What about you?
"I run full disk encryption. If they try to seize the laptop they will ask for a password. I will refuse."
Don't try that in the UK, Anon. It's 2-to-5 now for such dissent over here.
"I make the worst possible test case for the DHS. I am white, safe, intelligent and educated."
Oh, you mean like the Duke lacrosse boys? Times have changed, Anon. I suspect you're male for starters. A big no-no these days.
With all the political correctness that pervades both our countries, I suspect the worst possible test case is now a 28-ish, upper middle class (i.e. articulate) white (for now) mother of (moderately handicapped/disadvantaged, but not so much as to be too un-photogenic) toddlers going through a divorce from an 'abusive' and philanderous husband.
Increasingly, Anon, you and others like you (and me!), are merely guilty but not yet convicted.
FDE, why run it to protect from those who can break it?
FDE is only to protect from your kids, and not your kid sister...
Dell, used to claim worlds most secure laptop. GRR...just having FDE means little.
All laptops suck, some suck more, some really suck.
Call IT what IT is. Backdoored microcode and other BAD BAD stuff going on for some.
Have equipment seized = ruined hardware.
It must really suck for international business types. Why haven't more people complained?
"Interesting that no-one has queried the 'need' to seize the whole laptop when, by definition, if the unit is off and thus ram is clear, they can remove the hard drive and other storage media, and there is simply no way for you to have any contraband in what's left."
Compared to the size of the current designs for smal flash cards (think smaller than your little pinky nail) there is one heck of a lot of space in the case of a modern laptop.
So no taking out the hard disk is not going to remove possible contraband.
Further on most laptops the BIOS is in flash chips soldered directly to the motherboard you could easily hide many encryption keys or other contraband in the slack space in there.
Basicaly "bits" are to easy to hide, just be thankfull they have not thought about implanted RFiDs as they might decide to keep your body on ice indefinatly...
FYI, the July 16 internal memo linked at the Washington Post and other sources is a formality in reaction to the U.S. vs Arnold case.
See the Electronic Frontier Foundation's perspective here.
I think everyone needs to read the "purpose" paragraph more carefully. It doesn't just specify "computers ... and other electronic or digital storage devices"; it also includes "documents, books, pamphlets, and other printed material". This would be bad enough in itself, but the paragraph goes on to say why these things may be inspected. It's not just to detect narcotics trafficking or child pornography; it's also for the sake of "detecting
information concerning ... monetary
instruments, and information in violation of copyright or trademark laws; and evidence of
embargo violations or other import or export control laws. "
Any device capable of storing information: that goes without saying, as do paper notebooks and books themselves. But this policy is aimed at information, not devices, and one of the stated reasons is to detect information "in violation of copyright and trademark laws". It's at least arguable that this policy covers anything with a printed logo. If an agent took that line and was later proven wrong - well, it's now a year later and what are you going to do?
If I had a choice, I would never cross the Canada/US border again except for short, trivial trips where I don't actually bring anything along with me (eg.: to pick up something that I ordered and shipped to the US or to visit a friend, for example).
Unfortunately, for me, this is not an option. I am required, for health reasons, to frequently travel in and out of the United States. Sometimes these trips can be extended, so, of course, I bring with me my laptop, digital camera, PDA, etc.
Want to know how to stop this? No, don't write your representative. Don't bother. When is the last time your representative actually did something in DC that you thought represented you, or, at least, the majority of constituents the area? ...yeah, that's what I thought.
The key is to find a way to make stopping invasive border searches an attractive proposition to an industry with big influence (read: lots of money to play ventriloquist with politicians). Think RIAA, MPAA, insurance companies, pharmaceutical giants...anyone who has ever "influenced" the US Government to the point of drafting law.
Roy's idea on the "insurance angle" was pretty interesting and just might work if there is enough of a concerted effort.
Yup, our leaders lead the populace to the positions where they themselves have been led. We can let them be led by corporations and other monied interests, or those of us in the U.S. can assume our responsibility as citizens.
I highly recommend joining a new, long-term grassroots effort coordinated by the Bill of Rights Defense Campaign. It doesn't hawk partisan crap, and isn't about preaching to the converted. It's about the Constitution, the Bill of Rights, and Citizen action.
@brasscount, We've got (the word hardly fits) Justices like Scallia, who saves torture isn't torture. The Founding Fathers assumed that judges wouldn't be so obviously corrupt. You can understand that. In 1776 people only put up with so much crap. These days most people don't care. "I've got nothing to hide" is a common argument.
The US Populace has largely surrendered their personal rights, so they don't deserve any.
I guess I should pose a question here...
How do we know the computer companies and parts manufacturers haven't made our computer with a "back door" at the directions of the Feds? How do we know they are secure?
I have what I think could be the ultimate "oh crap!" question. Is it possible that the Feds have coerced computer companies and part manufacturers to put "back doors" in our retail available computer systems? Is this one reason they may be seizing them at the borders and copying the contents...because they know they can easily see the contents or use a "back door" to access everything? Or, could they be installing some new, strong malware or spyware why they have our machines so they can monitor actions later?
In my business we frequently receive proprietary information from potential customers, partners and suppliers. In all cases these data are protected by Proprietary Information Exchange Agreements (PIXA) or Non-Disclosure Agreements (NDA). A typical PIXA or NDA will include requirements to the effect that we, the holders of such info, will take all reasonable care to preclude its disclosure to unauthorized parties.
Until now, we have satisfied such requirements through the use of Whole Disk Encryption on all company laptops and VPN connections for electronic transmittal.
However, in publicizing this policy, DHS has made it clear that the proprietary information and intellectual property we carry on our laptops (et. al.) is subject to seizure and unrestrained disclosure without regard for the nature of the information or its impact on our enterprise.
Seems to me we can no longer cross US borders with protected commercial information without knowingly violating the intent of the PIXA's and NDA's that we have executed. Yes, there are alternatives, such as encrypted data links and the like. But the overall impact is yet another handicap for the businessman trying to keep up in a challenging face-paced world.
How sad that it's all just to support a facade.
Reasonable care, well costs and effectiveness matter, but computer insecurity has crossed all reasonableness for NDA and PIXA data.
If the NDA data is worth 10K, well, spending some % might be reasonable.
If the PIXA is worth 10Mill or more, well best of luck. You can spend without and relation to quality.
Anon@1:59 PM, well one can use different computers with OpenBSD, just move the disk. Point, gets harder to subvert. Nothing like seizing HD and putting microcode and other nasties on bad blocks. Other nasty things are better left unsaid, and are still EASY for high schoolers. POINT, intelligence agencies can really have fun.
There is no spoon...
Given how leaky the US military is, and how widely they would (mis) use a tool such as easy decryption of modern encryption systems, I think it is safe to say that easy decryption of modern encryption systems isn't possible.
So, I think that this is a similar sort of ploy to a number of other American characteristics, namely the utter inability to see a policy is a hiding to nothing despite having it repeatedly pointed out (see also the War on Drugs). The American Establishment is apparently very keen on embarking on gormless boondoggles which are unwise, counterproductive and mostly unwinnable.
I think this is just another such boondoggle. I don't think there's an ulterior motive, I think that the Homeland Security people really are stupid enough to think that the policy is a vaguely good idea (or if not a good idea, a "doing something" displacement activity to substitute for doing something useful) and thus this policy will continue until it gets forcibly banged on the head by legal action.
As to evading it, just travel without a laptop, buy the equipment you need in the USA and pull the encrypted material over from overseas via SSH. For the most part, even if the US authorities are operating a pervasive sniffing operation, they are most unlikely to spot this as being suspicious and in any case you're probably not worth it as a target.
Travel empty & refill is an interesting idea, assuming you will have high bandwidth available at your destination.
... Just make sure that while the government has your laptop they have not installed any keyloggers or backdoors which they can then duplicate your download & reinstall efforts with.
They do this to their own people as well (not just us creepy aliens) ?
That's nice, without this no average US-citizen would care.
It's just to much fun:
Bruce Schneier himself suggests the same way to enter data into the US as it is common to enter data into the Peoples Republic of China. (At least if you want your business data to be kept secret)
It's amazing how much US Government want everyone away from his country.
It's easy to say 'Foreigns, please, don't come to here, you aren't welcome'.
I used to go to US once a year at least, now I change my destination and I'm having fun in places where I'm so welcome like EU.
If this is the purpose of US Government, take the people away, they got it.
And for people who are not american, this is nothing with american people. They are very nice and used to receive us (foreign) very well. This is all about government.
Sorry, * they* can't seize it anywhere the want. Only at Customs. It is a long-established constitutional principle that Customs has far broader search-and-seizure powers regarding international travelers than street cops have regarding citizens on the street. Single, middle-aged guys leaving for Bangkok have also had laptops inspected for kiddie porn by Customs. BTW, while the article I read featured an Anglo citizen 'victim' in the lede, the rest of the 20-odd 'victims' cited were all Muslim foreigners, doubtless returning from Waziristan.
If you're coming in to the U.S., why not just send your laptop & iPod in to your destination address by mail a week before you arrived?
Or use FedEx?
Is the only problem with that the fact that you'd be without your laptop for a few days?
You know, you can use your clothes as an analogue storage device.
Bruce, you numb-skull. Why the hell squander the platform you hold as an expert by validating a flawed policy of secrecy, by saying that it's "amazing" that a document is public? We should demand and EXPECT openness from our government. You are setting up the opposite kind of expectations. Expectations lead to real change, and you are moving the expectations needle in the wrong direction.
Can anyone recommend a good tool that will: (1) auto-multiple-erase every file you delete; (2) multiple-erase the free space on your hard drive, preferably in the background; and (3) wipe all the leftover stuff in your Windows swap file after you've run encryption software?
This policy is total overkill. If they vigorously enforce it, it will actually damage US interests. People can't be traveling to the US fearful that their laptops will be seized. For most decent people it is a gross violation of privacy. For businesses it is an extra cost. They will send their people with clean laptops.
It reaks of some 1970's style banana republic policy... Where is the US going!
The policy is useless and an the very best a big inconvenience. There are numerous ways around this policy. When the policy is enforced it will deliver bad publicity, possible petty violations and NOT protect US security interests at all.
I would believe that US customs has the right to inspect packages that go into the country.
You will save yourself the inconvenience of a search while you have to wait, but your data won't be more secure.
Perhaps the answer is simple: the title of this thread has the "B" in borders capitalized... Should we just go to Barnes & Noble?
Better yet, buy gear locally when you arrive and RETURN it before you leave (a la Costco or other big box stores with a 14-30 day guarantee).
I think the most sinister aspect of this is the potential for abuse. Once they've got your laptop out of your sight, there's nothing to stop them from hiding some kiddie porn on it. Then, at some later time, they can 'find' it - and use it to toss you into a federal prison for ten or fifteen years.
Oh, but they would never do something like that, would they?
I wonder if my travel insurance will cover me for this kind of event?
Glad I am not residing in the USA. Or the need to travel to that hemisphere. I cannot imagine how on earth can a country draft such a stupid policy.
This is one more policy that US is KILLING the economy of the US. No one will travel to US and so the US will slowly SHUT itself to the rest of the world and ROT itself to death.
I think a movie :- "Case of the Missing Laptop" should be made.
It will be the highest grossed film ever.
Or I might just established a business renting laptops to all travellers instead of Cars. I will have shops all across airports and boarders within the USA. I will make a billion bucks.....
Hey, maybe a new law required that all persons travelling to th the USofA to be NAKED.
That way, you're safe from any hassle of getting your devices confusicated.
Ha Ha Ha.
Isn't it a good job ? Your laptop is seized, you need to work, you need to buy a new one immediately... Hey, let's increase the US GDP. I would open a computer shop close to every airport if I had a company there.
From the recent interview on Wired with Chertoff:
Chertoff: That's being litigated. I think our view is that you can be required to open it up, in much the same way, that if you have a briefcase and it is locked and you don't want to open the lock. And the hunch is that's a circumstance where the laptop might be seized and taken elsewhere to be decrypted.
[In response to a follow-up e-mail, spokesman Russ Knocke clarified. "Constitutionally, U.S. citizens are permitted entry into the country. However, if they are carrying contraband such as illegal narcotics, they may be taken into custody. In the hypothetical circumstance that a U.S. citizen is entering the country with an encrypted laptop, and that individual is even referred to secondary in the first place, and then that individual refuses to cooperate by providing a password (again, even if we were to get this point), then the laptop could be seized and de-encrypted."]
So the TSA is saying that the 5th ammendment doesn't apply at the border either. Whole disk encryption won't protect you from laptop seizure - the only option is to take a clean machine through customs, and access data via VPN.
Finally, the actual policy on laptop searches is posted. And I am amazed. In postal searches, a distinction has been historically been made by the courts between goods (currency, drugs, child porn) and private information (documents). Here, we have a blanket right to search all documents. Now why should not apply to electronic data streams (phone calls) crossing the border as well? We've turned into Bolshie Russia. Note that in the government's document, it says: > officers may not read or permit others to read in sealed letter class mail ... without an appropriate warrant [but private couriers like FedEx are deemed not to be mail !?] This is amazing. I get the sense that Constitutional privacy rights were carved out for paper mail, and now they are trying to deny those rights to anything analogous to mail. ie, restricting the Fourth Amendment to colonial era technology. This won't stand court scrutiny.
I totally disagree with those so called security laws. I am thinking their effect in a few years when antiChrist will be in charge al all. Us Christians will be sen as terrorists. So we will not be able to travel anywhere. There is only a step to implement this in malls, superstores and even small stores. You are allowed only if you show your ID. They scan it and see that you are a Christian and kill you. We are approaching the end of times.
All those measures are to encourage the so called terrorist to become more inventive. All those restrictions raise the rage. Go and see why are they terrorists, what do they want? Try to understand them and talk.
All this security policy started with 7/11. Actually it was all planned upfront. There were no terrorists then. It was an artificial cause to create all those so called security measures. Those measures restrict us to have a free life. They are stepping with their boots on our constitutional rights actually.
DebConf10 will be in the USA :(
It is very easy for authorities to order electronic wiretapping on someone if a group of people say or sign to do it - such as a bias employer may engage a group of staff to convince the authorities who will order wiretapping, spread officers around the suspect victim. The employer may contact the residential area of the victim and impress them to follow the suit i.e. to call up the authority/ies against the suspect victim. This way one after another, the authorities may receive calls about the suspect victim and may like to continue the wiretapping and spread of officers around all the time. This continues and continues over and over again. The gesture made by anyone else is acceptable but the same gesture by the suspect victim may result in misinterpretation and false suspicion – just because the victim is targeted for all types of suspicion.
Other idea is to make a victim a SUBJECT and gather research data on a human being at no compensation but only harm.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.