Passwords at the Border

The password-manager 1Password has just implemented a travel mode that tries to protect users while crossing borders. It doesn't make much sense. To enable it, you have to create a list of passwords you feel safe traveling with, and then you can turn on the mode that only gives you access to those passwords. But since you can turn it off at will, a border official can just demand you do so. Better would be some sort of time lock where you are unable to turn it off at the border.

There are a bunch of tricks you can use to ensure that you are unable to decrypt your devices, even if someone demands that you do. Back in 2009, I described such a scheme, and mentioned some other tricks the year before. Here's more. They work with any password manager, including my own Password Safe.

There's a problem, though. Everything you do along these lines is problematic, because 1) you don't want to ever lie to a customs official, and 2) any steps you take to make your data inaccessible are in themselves suspicious. Your best defense is not to have anything incriminating on your computer or in the various social media accounts you use. (This advice was given to Australian citizens by their Department of Immigration and Border Protection specifically to Muslims pilgrims returning from hajj. Bizarrely, an Australian MP complained when Muslims repeated that advice.)

The EFF has a comprehensive guide to both the tech and policy of securing your electronics for border crossings.

Posted on June 1, 2017 at 10:59 AM • 59 Comments

Comments

JaredTheGeekJune 1, 2017 11:18 AM

How sad is it that if I went out of the country again I would just clear my equipment prior to entering since I keep most items in the cloud. Just hand them a wide open phone or computer. That or keep it all on an encrypted thumb drive in your checked bag. The likely hood of that being a concern is low. Its pretty disgusting that as a citizen they get to treat us this way because no enough people care.

Oskar SigvardssonJune 1, 2017 11:26 AM

You're misrepresenting the 1password travel mode a little bit. It's not that there's a big button in the app that says "Travel mode is on, passwords are hidden!". It's a setting you make on the website for their cloud service, where you can select which vaults are "safe for travel" and which aren't. Enabling travel mode deletes all vaults that aren't travel safe from your devices, but there's no way to tell from the device that travel mode is enabled (the non-safe for travel vaults are also deleted from the file system).

Yes, you are right, if the border guard SPECIFICALLY asks you if you have travel mode enabled, you're going to be put in a position where you either have to lie about it, or admit that you're "trying to hide something". This is true for ANY scheme where you're trying to protect your data. This is made for the case of a border guard that says "unlock your phone and password app so I can inspect it". Before, that put you in an incredibly awkward position, but now you can just go "sure, here you go!". I also imagine there might be some differing laws regarding data you're carrying vs. data in the cloud, though I guess arguing those legal technicalities to a border guard seems like a bad idea.

In addition, 1password has some sort of corporate account thing, so you can honestly say "my supervisor turns on travel mode for our password apps, I have no ability to turn it off".

Obviously it's not perfect, but for the vast majority of threat models people will face when traveling, this seems like a very good solution to a very uncomfortable potential situation.

Dr. I. Needtob AtheJune 1, 2017 11:30 AM

Many years ago I devised something I call a "Password Grid." Basically, it's an 8 x 8 grid of randomly generated characters printed on a small sheet of paper. You read your very long and unmemorable password by following a memorized pattern on the grid, and as long as you haven't inadvertently memorized the password, destroying the printed grid eliminates your ability to recover it.

It probably wouldn't be difficult to adapt this strategy to border crossings.

Ken HaglerJune 1, 2017 11:44 AM

Your best defense is not to have anything incriminating on your computer or in the various social media accounts you use.

That advice is actually dangerous for a couple of reasons. First, it's impossible to know what is incriminating, because it's impossible to know what the laws are. Second, if you've brought your computer physically into the enemy's presence, you've just made it very easy for them to take it into the next room and put spyware on it.

Better to simply not have any electronic devices on you while crossing the US border.

WinterJune 1, 2017 11:48 AM

What about simply having two password managers, say 1Password and LastPass. One "real" and one for travel. This only works if the real one can be accessed purely over the internet/cloud.

It is obvious that you also should use different social media accounts for public and private/sensitive matters.

But what if you have no facebook or twitter accounts, but a common name?
"Yes I am John Smith, but this is not my account."

Xavier LagraulaJune 1, 2017 12:06 PM

Considering that passwords not selected as safe for travel are destroyed from the central DB, one should turn the option on then off, then travel. Customs have no way to know that other passwords even exist. Obviously, these destroyed password can then be fetch back from another local copy made beforehand.

ChrisJune 1, 2017 12:12 PM

You can only turn this back on from the web interface which you could easily ensure you do not have full credentials to memorized/on the computer. In the short term it removes the passwords from the computer.

Jim ShapiroJune 1, 2017 12:15 PM

There is an even easier away to encrypt information without having to give up the key to authorities. It's called MMPC and you can find a link to it at my web page. In it's simplest form you would encrypt two different and completely unrelated sub-files into one master file, each with a different and again completely unrelated password. To all the world this looks like one (encrypted) file. To de-encrypt the file for your own use, you would use the password for that file; To de-encrypt the bogus file, you would supply the matching bogus password. No lying required.

I can't confirm this, but I believe, after reading one of their white papers, that Wikileaks uses MMPC.

MMPC is open-source software. I have written a front-end and have been using it for over 10 years on my Apple systems with no problems.

Jabba the HutJune 1, 2017 12:17 PM

Oh what a tangled web we weave when first we practice to deceive.

@ken

"Better to simply not have any electronic devices on you while crossing the US border."

If you are under 50 years old that itself can be suspicious behavior. Fundamentally, the first thing you wrote is the real problem: one cannot possibly read the mind of the custom's official and what he or she is or is not going to like. I remember vividly an incident from 30 years ago. I had the audacity to travel from Turkey to Greece by bus and the border officer was not amused in the slightest by a "Westerner" cavorting with what he perceived to be the enemy. He made my life miserable for over an hour, including forcing me to take every single item out of my luggage and shake it out before him to show him I wasn't trafficking anything.

So no matter what you do there is a risk that some authoritarian type is going to object to it. All attempts to look innocent are equally awful, just awful in different ways.

BobJune 1, 2017 12:26 PM

@Ken Hagler

Precisely. And in the way you propose it is made clear that a good use of technology is inconsistent with the ilegalization of ideas or information, better no use at all.

Ergo SumJune 1, 2017 1:01 PM

Just wondering, since border patrols can ask you to unlock/decrypt your devices and access your social networking sites at border crossing...

Are they permitted to access your cloud accounts as well? For example, everyone with an i-Device (present/past) has an iCloud account. The similar goes for Android and Windows phones as well. Is the border patrol allowed to access these accounts as well? And what if one does not have x-Cloud account set up and/or replication disabled on the on the device? What about emails, can they ask to login to view and receive emails?

I for one, who had never stored my data in the cloud, be that OEM and/or third-party. Will that mean I'll become one of the "suspicious traveler"?

Our world is messed up beyond fixing. There's a better word for it, but rather use it for a more pleasurable experience...

BardiJune 1, 2017 1:15 PM

"Better would be some sort of time lock where you are unable to turn it off at the border."

How about a location lock. Only certain "passwords" are available until one gets to a designated location.

MilanJune 1, 2017 1:20 PM

Next time I go to the US, my plan is to create a new empty GMail account, set up an autoresponder telling people to use it for any urgent messages, change my normal GMail password to a random 25 character string, and then leave a written copy of the string somewhere safe in Canada for use after I return. I don't think I would bring a cell phone with me either.

Reports that border agents are checking up on what people have said about the Trump administration are especially chilling. It's hard to believe that such checks have any security value. Rather, they seem authoritarian and like a deliberate effort to create chilling effects on discourse.

Jeffrey GoldbergJune 1, 2017 1:21 PM

I work for AgileBits, the makers of 1Password.

The idea of 1Password's Travel Mode is not to hide data or to help you deceive nor lie to border officials. That would be a very bad thing. Instead it is a convenience mechanism to genuinely remove certain data from your device.

In designing this, we have been very mindful of EFF and ACLU's advice on these matters: Don't lie to border officials, but try to carry less with you. That is what Travel Mode is intended for.

WarhawkeJune 1, 2017 1:29 PM

TrueCrypt used to have a silent panic code for encrypted volumes whereby entering a specific, alternate password would open a different partition where one would presumably have stored plausibly - but-not-actually - sensitive data. Unlike other forms of panic codes that destroy data (e.g. wipe phone to factory), this one didn't tip the hat to non-compliance.

I'm surprised more adoption and improvement hasn't been made in this area. It's the best mechanism I've seen for avoiding Munroe's $5 Wrench Razor.

Gilbert Lam, Hero of the DHSJune 1, 2017 2:01 PM


Or you could sack up and do this.

http://www.aljazeera.com/indepth/opinion/2017/05/prison-privacy-170517123142625.html

Leaving it to heroic Moslems guarantees that your rights will be eroded.

US border goons are falsely indoctrinated to believe that the state can negate your rights at border crossings. Bribed and blackmailed US judges have also been made to follow that party line. Make them try to prove in court that ICCPR Articles 17 and 14(g) do not apply - under the watchful eye of treaty bodies, charter bodies, and special procedures.

D-503June 1, 2017 2:33 PM

@Ergo Sum
The short answer to all of your questions: Yes.

The longer answer: If you're a US citizen, and have a strong support community within the US, you can say "no" to the customs agents, and then launch a 4th Amendment challenge in court. I've met someone who's done it successfully. But in the meantime, expect your electronic devices to be confiscated for forensic analysis (likely), expect to be detained for 2-8 hours (likely), and be prepared to be refused re-entry to the US (less likely, but it does happen to significant number of US citizens each year).

On the other hand, if you're not a US citizen, or if you're a brown-skinned US citizen*, or a US citizen who's suspected of being muslim*, all kinds of crazy unconstitutional shit can happen to you, occasionally, at the hands of overenthusiastic border officers. Best not to give them an excuse.

*Current CBP policy forbids racial, religious, and political profiling, but I've seen it happening anyway on the ground.

EuanJune 1, 2017 2:53 PM

@Jeffrey

The idea of 1Password's Travel Mode is not to hide data or to help you deceive nor lie to border officials. That would be a very bad thing. Instead it is a convenience mechanism to genuinely remove certain data from your device.

A convenience mechanism? That's a joke and a lie.

The whole purpose of Travel Mode is to hide information "when crossing borders" - that's how your company has described it in your own blog post [1]. There's nothing wrong with that aim but call it what it is and be honest.

If your password manager is as secure as you purport it to be then there would be no need to remove any information from the device unless the intention is to hide it from CBP.

iPhones are encrypted and so is the 1Password database so your data is reasonable safe and there is no real reason to remove password unless you're intending to hide it from CBP.

You'd be better off implementing a duress password which would load a dummy database. At least there's some plausible deniability there and let the customer take the risk of failing to disclose the correct password (at their risk).


[1] https://blog.agilebits.com/2017/05/18/introducing-travel-mode-protect-your-data-when-crossing-borders/

Just an Australian June 1, 2017 3:27 PM

The Australian politician referred to is just generally bizarre and incompetent

TimHJune 1, 2017 3:40 PM

How about simply removing the laptop HDD and keeping it in your pocket, probably a small SSD anyway, and putting a tiny bootable Linux memory stick in one of the USBs. Useful to do at the end of the flight if you've worked on stuff during the flight.

No good for imprenetrable i-products tho'.

trentJune 1, 2017 3:53 PM

> Your best defense is not to live in or travel to/from countries that regard information security as an obstruction rather than a necessary component of modern society.

Fixed with an impractical idealism: I can't claim to know how to implement my own
advice.

@D-503
> CBP policy forbids racial, religious, and political profiling, but I've seen it happening anyway on the ground

Yeah, but we've also seen it in Executive Orders too. There's a Wikipedia page just for the legal challenges!
https://en.wikipedia.org/wiki/Legal_challenges_to_Executive_Order_13769

Jeffrey GoldbergJune 1, 2017 4:26 PM

Euan,

Duress mode is a terrible idea. Let me quote from a comment on our blog

We have talked about duress passwords in the past on our forums. While technically this can be done, it only makes sense in terms of rather unlikely threat model. It assumes an attacker who can coerce you into decrypting your data, but isn’t capable of determining that you gave them false data and retaliating upon that discovery. That seems like a very unlikely set of circumstances.
Anyone who suggests trying to trick or mislead border officials has not really thought through the power asymmetries that exist.

And speaking of threat models, we are considering an attacker who can compel you to decrypt data (including 1Password data) on the devices that you carry with you through the border. 1Password's cryptography does not withstand rubber hose cryptanalysis. But if (as is often the case) this attack is limited to the devices you have with you then removing the data from the device ahead of time is a perfectly reasonable thing to do.

Will England June 1, 2017 4:33 PM

Our company requires us to leave our electronic device in country and check out a specific international laptop and phone for overseas travel. Just recently started this policy too...

Jeffrey GoldbergJune 1, 2017 4:46 PM

I would like to follow up a bit more about why I emphatically agree with Bruce (and the EFF and the ACLU) and so many others that it would be unwise to attempt to trick or deceive border officials by hiding data or by presenting fake data. This is why we (at AgileBits) designed Travel Mode to simply be about having less data with you when you travel.

From my comments on our (AgileBits) forums


Travel Mode is not about concealing the existence of some data. And it certainly isn't about presenting fake data to authorities. That would be dangerous, and we do not want to put our customers in danger.

People who have the power to compel you to unlock your devices and unlock what is on those devices are people with a lot of power. You do not want to play games with them. You do not want to try to lie to, mislead, or trick them. They have power, they have resources, and institutionally they have a lot of knowledge. Attempting to mislead them would be pinning your future on the hope that those people are either incapable of detecting an attempt at deception or are unable to retaliate against you once such deception is detected.

Seriously, do you imagine that if sometime after the fact (or during the encounter) they discover an attempt at detection they are going to say, "Well, it looks like you won this time with your clever little trick. I guess you are free to go now." ? They aren't. Anything that even looks like an attempt to deceive them would (correctly) lead them to apply more pressure and escalate the situation. They wouldn't be doing their jobs otherwise.

If you really want to try to trick an entity that has the power to compel you to decrypt data, you had better be extremely confident about your chances of success, because the consequences of getting caught are large. And note that "getting caught" doesn't mean getting proven guilty. A reasonable suspicion that you have been lying to border officials enough to make things very bad for you.

(Sorry for the weird paragraph breaks in there, but it seems that blockquotes here don't like blank lines in them.)

ab praeceptisJune 1, 2017 4:50 PM

As far as I'm concerned, the solution is a simple one: Do not enter those countries like us of a (and, so it seems, uk). Simple as that.

The problem is not a technical but a legal one. And the solution in my minds eye is to apply the very rules those people make against themselves, i.e. to in some way get at all their data and to then bring them to (a real) court.

Logically/technically speaking all those "how to bring ones electronics and data across the border intact" solutions do not solve but rather *shift* the problem because one then is within the jurisdiction of regimes with a criminal attitude (like the us of a) which translates to them getting at your data after the border within their territory.

So. Simply stay away from regimes like the us of a. Problem solved.

Jim ShapiroJune 1, 2017 5:18 PM

I am going with my earlier comment. Unless the adversary who demands your password can crack SHA256, they will have no way of decrypting your information or, more importantly, even knowing that there is any information aside from what you reveal with your bogus password. And if they can crack SHA256, believe me, they won't be spending their time working at an airport checking computers.

It is also a good idea to make the bogus information look interesting and real.

//ChrisJune 1, 2017 5:25 PM

Hi guys, i have lived in countries that opress/oppressed different aspects of life.
the main problem is how to communicate without getting any attention.

Passwords over borders, is easy just give it to them, how to safeguard data getting in and out to and from an "oppresive" country, electronically is not done with data at rest, its done prior you leave and after you come back via internet "cloud services"
if there is no internet connection then its somewhat problematic but its all about hiding data.

Mitigate and adapt, there is no real answer to it, it depends on the situation.
but, the most important thing is to go under the radar.

if you work in a bigger company you can also use the legislation, and tell them to call the layer at number xyz. and take your xanax and relax,
//Chris

grahamJune 1, 2017 5:29 PM

"Bizarrely, an Australian MP complained when Muslims repeated that advice.)"

The MP in question has a reputation in Australia for being one of the stupider politicians we have. We have politicians that are every bit as stupid as the best that the US or anywhere else can produce. Not something that most of us are proud of.

BTW, that politician's nickname is "Mr Potatohead". Follow the link and look at his photo and you will understand why. His utterances usually live up to the IQ that nickname suggests.

//ChrisJune 1, 2017 5:34 PM

Oh anyways a routine control is just that, they dont know what you are doing.
they just do what they are trained to do. Aka border crossing.

So if they search or ask something without a reason, and out of the ordinary then you are fucked anyway so a border crossing should never be a problem, if it is, then they allready know.

Go to Israel and through Bengurion, they know what they are doing.
Border control is a point where the counter intelligence is put to the test kindof, and its not about passwords into your computer trust me.

AndyJune 1, 2017 7:00 PM

Especially for those using password managers, wouldn't it be easier to change your password after getting through security?

call girlJune 1, 2017 7:02 PM

1Password has just implemented a travel mode that tries to protect users while crossing borders. It doesn't make much sense.

No it does not. Nothing "clever" at the border adds security.

passwords you feel safe traveling with,

This is too patronizing. Feelings and intuition are, frankly, not worth much for safety. Facts, a sober, drug-free mind, and a lucid awareness of one's surroundings and political environment go much further for personal safety online as well as off.

I’m sorry but we had to blow up your laptopJune 1, 2017 7:27 PM

@//Chris
"Go to Israel and through Bengurion, they know what they are doing."
Gotta admire the non-nonsense, straighforward approach.
Why ask for a password when you can... well, let's put it this way: What says "Welcome to Israel" more loudly, and more succinctly, than the sound of hot lead ripping through a tourist's laptop computer?
https://lilysussman.wordpress.com/2009/11/30/im-sorry-but-we-blew-up-your-laptop-welcome-to-israel/
You could say it serves her right for using a Mac instead of a PC.
At least it wasn't a Linux machine... that would have required a nuclear warhead, which Israel doesn't have... officially ;-)

Meanwhile, one of my co-workers accidentally brought a live ammo clip in his carry-on bag, and no one at Bengurion noticed...

D-503June 1, 2017 8:38 PM

@Peter: At border crossings, the reverse is true.
Those who have the least to hide have the most to fear.
Border guards are trained to use their vivid imaginations to fill any gaps in a traveller's electronic devices and online profile.

I've been subjected to electronic device inspection only once, and the impression I got was that the CBP officers weren't at all interested in finding incriminating data – all they seemed interested in was to quickly verify that I was telling them the whole truth. That's why a lot of the tricks and games and schemes proposed in this thread sound dangerous. On-duty border officers have a very broad definition of what constitutes lying or non-co-operation, much broader than a layperson's definitions. If an officer senses that something that's normally there is missing, you're in for a world of pain.
Off duty, border officials have a sense of humour and a sense of humanity and just plain common sense. On duty, less often so.

I'm going to hold off on unnecessary travel to the US for the time being. I don't have a cell phone. And I haven't memorised the passwords for most of my social media accounts (How many people actually do that? I have better things to do with my time than to blog and tweet and post every bowel movement or whatever.) 95% of the times I've travelled to the US I've had no hassles, but now the risk is just too high.

supersaurusJune 1, 2017 8:43 PM

when traveling, no laptop, no phone, no problem. otherwise the universal decryptor, a crowbar applied to your kneecaps or, worst case, a bucket of water and a rag, work rather well for getting access to anything you have the means to access, including stuff you have to make a phone call or exercise other remote controls to release. if you sent your keys separately to be used after you get where you are going, good luck explaining that one; I imagine a little persuasion can get most people to call the recipient and get the relevant content emailed to your friendly interrogator. and if you neglect to explain that 3 failed login attempts will result in your device being wiped, good luck explaining that one too, I'm sure you'll get time to think it over in some hellhole jail where the other 19 people in your cell will all give you their utmost sympathy in between choir rehearsals.

contrary to @jabba the hut, I've never had any problem entering non-US countries nor returning to the US while electronically naked. the only border incident I ever had involved an extra set of batteries for the flash. I assumed the searcher wanted them for himself, but oddly enough he let me put the fully charged spares into the flash and then he took the used ones. this made no sense, but I didn't argue the point. of course YMMV...

Adam June 1, 2017 9:16 PM

>"Your best defense is not to have anything incriminating on your computer or in the various social media accounts you use."

For many, this advice means: stop voicing your opinions. Or, Don't communicate your thoughts if they can be recorded. How do you extend this line of thought to a world that's becoming exclusively digital and recordable?

ThothJune 2, 2017 12:42 AM

@all

Using online password managers residing on others' infrastructure is already a huge security breach let alone mentioning about some fanciful travel mode.

The TLAs do not need to ask users for passwords. They already have robust backdoors and golden keys that they can simply abuse which we cannot resist (i.e. Intel AMT/SGX, AMD SP, ARM TZ ..).

The first step in ensuring sanity of your passwords is to not use online password managers in the first place.

The next step is to not carry your password vault when travelling unless you want to invite trouble.

Finally is to have a separate phone for travelling which you DO NOT use for personal contacts and if you have office work, use some sort of tunneling to tunnel your travel phone securely to as much degree as possible back to corporate DMZ and your phone should be used in Thin Client mode and never download stuff from corporate DMZ to phone except serving as a phone based networked Thin Client over ciphered tunnel.

If possible, use some sort of secure Thin Client technology and host the stuff you want to access overseas in the DMZ zone. It can be documents or images that can be left im the server side and also for browsing webpages, use the virtual Thin Client's web browser to access other websites.

To secure the entire login, the Thin Client Server can be configured to prevent any login until a certain time frame and also GPS location transmitted from phone. That means if the attackers wants to get at a traveller's data, due to Thin Client reliance, almost nothing is stored on the smartphone (Secure Thin Client) and the attacker must bebforced to breach the privately hosted Thin Client Server.

A self-hosted password manager on the Thin Client Server side can provide password manager access over the Thin Client Browser.

To physically secure the Thin Client Server, a smart card enabled with 256 bit symmetric master key can be used to encrypt all the contents on the Thin Client Server's physical or virtual file system or drive. Also for client identification for certificate login, the smart card can hold the client's public key for certificate pinning.

Those are not very high assurance but they are simple and OK enough for most people to get away with for most use cases.

RachelJune 2, 2017 1:21 AM

D-503
you wrote
and be prepared to be refused re-entry to the US (less likely, but it does happen to significant number of US citizens each year).

genuine question:
citizens are not allowed back into their own country? Where do they go?
What law supports this refusal of entry?

WinterJune 2, 2017 1:54 AM

Can I summarize a consensus?

If you want to smuggle in sensitive information, look above for suggestions and pray to $DEITY that they don't notice.

If not, get yourself fresh burner hardware that only contains the minimal information and software needed. Also keep separate social media accounts for public and private contacts where you hope you can divert attention from your private accounts.

If you suspect you might have sensitive information interesting to the country you plan to go to, don't go.

EnterpreneurJune 2, 2017 2:39 AM

I suppose that there is a new business opportunity here.

Rent a "ready build up" fully compliant account for your trip...

WinterJune 2, 2017 3:02 AM

"I suppose that there is a new business opportunity here."

Not exactly new, I think. I have seen several movies already where the "hero" supplies a fully covert alibi conference or holiday for people who want to have an afair. Then, it included museum and theater tickets, conference programs, pictures and other "evidence" that ther were elsewhere.

I asume social media accounts are parts and parcel of this work.

aboniksJune 2, 2017 3:09 AM

If you're using an online password manager, you may as well just tattoo your secrets on your forehead.

Greg McMullenJune 2, 2017 4:10 AM

A "time lock" won't work either - they can just seize the device and hold it until the timer runs out. This will be standard practice once the 1Password feature makes its way into a border guard newsletter.

HillaJune 2, 2017 7:56 AM

The mere existence of this post is proof that you are no longer living in a free country. Of course, by that measure, there is no free country left anyway.

TMJune 2, 2017 9:29 AM

Euan and others: removing data from a mobile device is not hiding or lying at all. It's just common sense and in fact it would be good security even without the threat of border agents running wild, in the same sense that you shouldn't carry more money or valuables than necessary while traveling.

TMJune 2, 2017 9:43 AM

"when traveling, no laptop, no phone, no problem"

Exactly. My worry nowadays is that those of us who survive mostly without social media, who use phones mainly to make phone calls and can even live without one for a while - we are now automatically suspicious. "No officer I don't use a smart phone. Never have. No officer I don't have a facebook account. I don't care about this nonsense." "Please step aside, we have some additional questions for you."

D-503June 2, 2017 11:32 AM

@Rachel
"Where do they go?"
Most often, sent back to the country they were travelling in.
One of my US friends was permanently exiled to a third country overseas he had never been to before, didn't know the language at all, and had no ties to. But that's very unusual.

"What law supports this refusal of entry?"
Normally, none.
Under international law, countries are required to allow their citizens to return. There are countries that flout that law, but the US isn't one of them.
Usually - if not always - refusal of entry for a citizen is due to the back luck of encountering a border officer who's having a bad day. The border force has increased exponentially over the last couple of decades, and one of the consequences of mass recruitment is that there are a number of officers who are inexperienced, poorly trained, uneducated, or have unresolved emotional problems.
If things do go badly in secondary inspection, a traveller can ask to speak with the port of entry's supervisor. This often results in a fairer hearing. Best of all is if you can get the supervisor to talk on the phone with either your employer or your lawyer. Most border personnel mean well: if a traveller insists on his or her rights in a calm, professional manner, many border officers will respect that. Most important is to stay calm, and de-escalate any hostile confrontation the officers may stage.

thompsonJune 2, 2017 1:33 PM

@Jabba the Hut

"I had the audacity to travel from Turkey to Greece by bus and the border officer was not amused in the slightest by a "Westerner" cavorting with what he perceived to be the enemy."

It was just profiling :-) "Westerners" traveling by bus were and still are prime suspects for carrying drugs (at that time primarily heroin). They still catch drug traffickers also going from Greece to Turkey (eg carrying a variety of pills) or from Turkey into Greece carrying knives or bullets eg
http://www.independent.co.uk/news/uk/three-britons-arrested-in-greece-after-more-than-200000-bullets-found-a6873166.html

Try to land to Athens airport from Colombia or Venezuela through Amsterdam...

albertJune 2, 2017 2:02 PM

@Jim Shapiro,
"...MMPC is open-source software. I have written a front-end and have been using it for over 10 years on my Apple systems with no problems...."

Until now, that is. :)

@Will England,
"...Our company requires us to leave our electronic device in country and check out a specific international laptop and phone for overseas travel. Just recently started this policy too..."

Best idea so far. Works best for companies that have satellite offices overseas. Not so good for handling customers, esp. in dodgy countries.

The idea of carrying -anything- important or secret around the world in a laptop is foolish in todays environment. Today, you can't even trust a thumb drive as safe.

@Unruly Masses,
IIRC, 'Live' CDs don't need the hard drive. True?

. .. . .. --- ....

VSJune 2, 2017 9:46 PM

The problem and its solution are simpler than that:

When you carry both the encrypted data and the decryption keys to the turf of a much powerful adversary, you put the data at a significant risk. That's a bad situation. Even if you can somewhat mitigate the risk with above tricks, you can never guarantee your own or your data's safety while physically at the premise of a powerful opponent.

To be safe, the solution is to lose the data or the keys or both. All of these will keep you safe, the single best choice is the one that best works for your particular situation and responsibilities.

CallMeLateForSupperJune 3, 2017 10:53 AM

claims @albert
"IIRC, 'Live' CDs don't need the hard drive. True?"

That is true for
Tails v1.6 (very old, dated September 2015)
and for
Mageia v5.1 (the latest, dated December 2016)

I physically remove the one HD from my system before I boot either of those, so I know that neither requires a storage device.

My short experience with the Live CDs of two flavors of "buntu" was so long ago (8-0 years?) that I can't comment about current ones


Related note: Tails claims that it never writes to any storage device unless the user specifically tells it to do so. I have yet to figure out how to do that: Tails never acknowledges the existence of any USB device I plug in!

ORWJune 4, 2017 12:46 AM

"Your best defense is not to have anything incriminating on your computer or in the various social media accounts you use."

It's a little surprising to hear this just from you, Bruce.

Sounds like: If you are not doing something wrong, why should you withhold anything form the government?

With the same argument, you could abandon secrecy and encryption altogether, not just when it comes to crossing borders.

ab praeceptisJune 4, 2017 2:08 AM

ORW

No, I don't think that's surprising. I think that Bruce Schneier actually gave good advice.

We may discuss about whether it's acceptable how the situation is. We may discuss whether the current situation is respecting the constitutiion. There's a lot to discuss there.

But things being what and how they are, Bruce Schneiers advice is correct.

Scott LewisJune 4, 2017 9:59 AM

Isn't the best feature of an online password manager the fact that they can be removed?

I have very complex passwords. The one complex password I memorized first was my email account. Number two was my password manager. The rest, who cares.

When I travel internationally, I use a SIM card that's just for overseas. So if I removed my password manager off my phone and laptop, removed my work email off the computer and phone, removed my documents folder off my computer, and left just my personal email (nothing in there I care about), I'd be fine.

I could attempt to access my password manager, but without my home SIM the two factor is not possible.

If I needed access to work doc's (sitting at home) or work email (easily readded), I could leave my SIM at home with a burner phone and have a trusted friend standing by (but not that day I travel), to read me the two factor code and let me get back online from a hotel.

I'm sure someone more paranoid than me will find a hole here somewhere, but honestly I don't do anything so sensitive that if they did access my files I'd be screwed.

And if my laptop was removed from my presence, my immediate assumption is spyware or malware. And I wouldn't do anything until reformatting and reinstalling.

One could include a bootable OS installer thumb drive in your travels bag.

albertJune 4, 2017 11:28 AM

@CallMeLateForSupper,

"...Tails never acknowledges the existence of any USB device I plug in!..."

Interesting and a good thing. Shall I assume you tried: 'lsusb'?
What about booting from USB? (where the USB device functions as the (absent) hard drive would).

All my computers are old and slow, so live booting is not an option.

. .. . .. --- ....

AnonJune 7, 2017 2:33 PM

Ignoring theft of corporate secrets or personal information of the traveller, if you were to traverse a border with illegal/incriminating documents/files/social media posts, then surely you only have one of two options:

Either sanitize the device(s) you're traveling with, or don't travel?

If you have a server somewhere, and remember the details to connect to it later, and just have normal business documents etc.. on your device (but not for example, the latest notes on your new invention), then you should be fine?

If this discussion is getting into the realm of "we are expecting to see X, Y, and Z, but only have Z - you must be hiding something", then surely it is game-over for society anyway? How would they know X, and Y should be present, if they're missing?

It seems that we are also maybe heading in the direction that if you're knowledgable enough to enable encryption on your laptop (Apple Mac are not encrypted by default, though iDevices are), or use a 3rd party WDE package on your Windows computer (not BitLocker), or just demonstrating above-average technical ability, that you must be hiding something.

What is the argument for CBP to access the passwords in a password manager, anyway?

JardaJune 9, 2017 11:47 AM

Should I have the misfortune to have to travel to USA, it would be with freshly reinstalled compuuter (after zeroing the disk with dd) and no data on it. Should I need access to something, I'd use a sftp server out of USA.

jayJune 15, 2017 9:29 AM

Time again to look at stenography.

Someone suggested you hide your important stuff staganographically in a weakly protected folder of soft porn. 'Obviously' that's what you're hiding.

nycmanJune 20, 2017 1:32 PM

The problem is the authorities are well trained to ask overly broad questions designed to catch you in a lie. It starts with "Do you have anything to declare?" "Is that all?". Multiple social media accounts wont help. They can simply ask for all accounts you've ever had access to. "Is this your primary Facebook account?" "What other e-mail accounts do you use?" "Do you have any other electronic devices with you?"

The best kind of evidence is what's found "on the perp" or what the perp gives them access to. Evidence they stumble upon on their own in some remote warehouse or cloud service is less valuable because there's no obvious link to the perp. But found on the perp or perp gives access by providing password = easily provable guilt. This is why they love border checks.

If you've been selected, chances are they're looking for excuses to detain and question you even longer. They already had a few hours to pull your dossier when you boarded your flight, if not after you made the reservation or checked in online. Catching you in a lie is an old tactic.

It's too late to do all your countermeasures at the border. You should be continuously sanitizing everything - wiping things you no longer need from social media, e-mail, cloud, etc. Encrypt everything, keep your e-devices clean. Prepare plausible reasons for countermeasures before going through the border - "why the wiped phone?" - don't want the OTHER country snooping around, afraid of ID theft if phone gets lost, etc. "As far as I can recall, I can't recall" and other generic responses are better than absolute responses because they can't prove you're lying. Advice for U.S. citizens will be different from non-citizens.

Detention is not considered punishment. Many people are spending years in jail because they were afraid of a few hours in detention, started talking too much, hoping the authorities will let them go after they explain, but they ended up implicating themselves of some crime. Better to wait for the lawyer.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.