A Guide to Getting Past Customs With Your Digital Privacy Intact

A Guide to Getting Past Customs With Your Digital Privacy Intact

By ANDY GREENBERG 02.12.17 7:00 AM.

WHEN RYAN LACKEY travels to a country like Russia or China, he takes certain precautions: Instead of his usual gear, the Seattle-based security researcher and founder of a stealth security startup brings a locked-down Chromebook and an iPhone SE that’s set up to sync with a separate, non-sensitive Apple account. He wipes both before every trip, and loads only the minimum data he’ll need. Lackey goes so far as to keep separate travel sets for each country, so that he can forensically analyze the devices when he gets home to check for signs of each country’s tampering.

Now, Lackey says, the countries that warrant that paranoid approach to travel might include not just Russia and China, but the United States, too—if not for Americans like him, than for anyone with a foreign passport who might come under the increasingly draconian and unpredictable scrutiny of the US Customs and Border Protection agency. “All of this applies to America more than it has in the past,” says Lackey. “If I thought I were likely to be a targeted person, I would go through this same level of protection.”

In the weeks since President Trump’s executive order ratcheted up the vetting of travelers from majority Muslim countries, or even people with Muslim-sounding names, passengers have experienced what appears from limited data to be a “spike” in cases of their devices being seized by customs officials. American Civil Liberties Union attorney Nathan Wessler says the group has heard scattered reports of customs agents demanding passwords to those devices, and even social media accounts. And newly sworn-in Department of Homeland Security Secretary John Kelly told Congress earlier this week that the agency is considering requiring foreign travelers from seven Muslim-majority countries to hand over their social media passwords or be refused entry.

“Requesting passwords is just beyond the pale,” says Wessler. He points out that the practice doesn’t just affect individual travelers, but everyone they’ve communicated with, potentially reducing the overall trust and security of social media in general. “If this were to go forward, it would risk really wreaking havoc with tourism and business travel to the US. What traveler is going to want to lay bare every intimate detail of their social media history, exposing years of their lives?”

In fact, US Customs and Border Protection has long considered US borders and airports a kind of loophole in the Constitution’s Fourth Amendment protections, one that allows them wide latitude to detain travelers and search their devices. For years, they’ve used that opportunity to hold border-crossers on the slightest suspicion, and demand access to their computers and phones with little formal cause or oversight.

Even citizens are far from immune. CBP detainees from journalists to filmmakers to security researchers have all had their devices taken out of their hands by agents.

As those intrusions become more common and aggressive in the Trump era, WIRED has assembled the following advice from legal and security experts to preserve your digital privacy while crossing American borders. But take all of these strategies with caution: Given CBP’s unpredictable and in many areas undocumented practices, none of the experts WIRED spoke to claimed to have a privacy panacea for the American border.

Lock Down Devices

If customs officials do take your devices, don’t make their intrusion easy. Encrypt your hard drive with tools like BitLocker, TrueCrypt, or Apple’s Filevault, and choose a strong passphrase. On your phone—preferably an iPhone, given Apple’s track record of foiling federal cracking—set a strong PIN and disable Siri from the lockscreen by switching off “Access When Locked” under the Siri menu in Settings.

Remember also to turn your devices off before entering customs: Hard drive encryption tools only offer full protection when a computer is fully powered down. If you use TouchID, your iPhone is safest when it’s turned off, too, since it requires a PIN rather than a fingerprint when first booted, resolving any ambiguity about whether border officials can compel you to unlock the device with a finger instead of a PIN—a real concern given that green card holders are required to offer their fingerprints with every border crossing.

Keep Passwords Secret

This is the tricky part. American citizens can’t be deported for refusing to give up an encryption or social media password, says the ACLU’s Wessler. That means if you stand your ground and don’t reveal passwords or PINs, you may be detained and your devices confiscated—even sent off to a forensic facility—but you’ll eventually get through with your privacy far more intact than if you divulge secrets. “They can seize your device, even for months while they try to break into it,” says Wessler. “But you’re going to get home.”

Be warned, however, that denying customs officials access can at the very least lead to hours of uncertain detention in a bleak, windowless CBP office. And for visa and even green card holders, the right to enter the US is far less clear. “If they truly want to come into America, then they’ll cooperate,” DHS secretary Kelly told Congress last Tuesday. “If not, you know, next in line.” If the DHS does adopt that hardline policy of privacy invasion, it could leave non-citizens without easy answers.

Phone Home

Before going into customs, alert a lawyer or a loved one who can contact a lawyer, and contact them again when you get out. If you are detained, you may not be able to access your devices or otherwise have the opportunity to reach the outside world. And in the worst case scenario of a lengthy detention, you’ll want someone advocating for your release and legal representation.

Make a Travel Kit

For the most vulnerable travelers, the best way to keep customs away from your data is simply not to carry it. Instead, like Lackey, set up travel devices that store the minimum of sensitive data. Don’t link those “dirty” devices to your personal accounts, and when you do have to create a linked account—as with iTunes for iOS devices—create fresh ones with unique usernames and passwords. “If they ask for access and you can’t refuse, you want to be able to give them access without losing any sensitive information,” says Lackey.

Social media accounts, admittedly, can’t be so easily ditched. Some security experts recommend creating secondary personas that can be offered up to customs officials while keeping a more sensitive account secret. But if CBP agents do link your identity with an account you tried to hide, the result could be longer detention and, for non-citizens, even denial of entry.

Deny Yourself Access

Better than telling customs officials that you won’t offer access to your accounts, says security researcher and forensics expert Jonathan Zdziarski, is to tell them you can’t. One somewhat extreme method he suggests is to set up two-factor authentication for your sensitive accounts, so that accessing them requires entering not only a password but a code sent to your phone via text message. Then, before you cross the border, make sure you don’t have the SIM card that allows you—or customs officials—to receive that text message, essentially denying yourself the ability to cooperate with agents even if you wanted to. Zdziarski suggests mailing yourself the SIM card, or destroying it and then recovering the accounts with backup codes you leave at home (for American residents) or keep in an encrypted account online. “If you ditch your SIM before you approach the border, you can give them any password you want and they won’t be able to get access,” Zdziarski says. He cautions, however, that he’s never tested that know-nothing strategy in the face of angry CBP agents.

Those more involved subversion techniques, warns University of California at Davis law professor Elizabeth Joh, also create the risk that you’ll also arouse more suspicion, making CBP agents all the more likely to detain you or deny entrance to the country. But she has no better answer. “There’s not that much you can do when you cross the border in terms of the government’s power,” she admits.

In fact, the issue of privacy rights for digital devices at the border remains troublingly unsettled, Joh says. While the Supreme Court decision in Riley vs. California in 2014 declared warrantless searches of devices at the time of arrest unconstitutional, no case has set such a precedent for the American border—much less for non-Americans seeking those same privacy rights.

Until such a precedent is set, that border zone will remain in a kind of legal limbo. The government has the power to open bags crossing into its territory or even dismantle cars to search for contraband, she points out. “What does that mean in an age when people bring their digital devices across borders? The Supreme Court hasn’t spoken to that issue,” Joh says. “The real problem here is there’s still no good set of protections for a portal into your private life.”


https://www.wired.com/2017/02/guide-getting-past-customs-digital-privacy-intact/?mbid=social_fb

Comments

Post a Comment

Popular posts from this blog

BMW traps alleged thief by remotely locking him in car

BMW traps alleged thief by remotely locking him in car Stealer's Wheel? Seattle police department quotes "Watchmen" movie in a recap of the recent arrest. Tech Culture by Gael Fashingbauer Cooper December 4, 2016 5:00 PM PST It's maybe the most satisfying arrest we can imagine. Seattle police caught an alleged car thief by enlisting the help of car maker BMW to both track and then remotely lock the luckless criminal in the very car he was trying to steal. Jonah Spangenthal-Lee, deputy director of communications for the Seattle Police Department, posted a witty summary of the event on the SPD's blog on Wednesday. Turns out if you're inside a stolen car, it's perhaps not the best time to take a nap. "A car thief awoke from a sound slumber Sunday morning (Nov. 27) to find he had been remotely locked inside a stolen BMW, just as Seattle police officers were bearing down on him," Spangenthal-Lee wrote. The suspect found a ke...
Read more

Report: World’s 1st remote brain surgery via 5G network performed in China

World’s 1st remote brain surgery via 5G network performed in China Published time: 17 Mar, 2019 13:12 ·           A Chinese surgeon has performed the world’s first remote brain surgery using 5G technology, with the patient 3,000km away from the operating doctor. Dr. Ling Zhipei remotely implanted a neurostimulator into his patient’s brain on Saturday, Chinese state-run media  reports . The surgeon manipulated the instruments in the Beijing-based PLAGH hospital from a clinic subsidiary on the southern Hainan island, located 3,000km away. The surgery is said to have lasted three hours and ended successfully. The patient, suffering from Parkinson’s disease, is said to be feeling well after the pioneering operation. The doctor used a computer connected to the next-generation 5G network developed by Chinese tech giant Huawei. The new device enabled a near real-time connection, according to Dr. Ling.  “You barely feel that th...
Read more

New ATM's: withdraw money with veins in your finger

New cash machines: withdraw money with veins in your finger Cash machine technology that reads the pattern of finger veins is already available in Japan and Poland   By Telegraph Reporters 6:59PM BST 15 May 2014 Cash machines could soon be installed with devices that identify customers by reading the veins in their fingers. The technology is already being rolled out in Poland, where 1,730 cash machines will this year be installed with readers, negating the need for a debit card and Pin. Developed by Hitachi, the Japanese electronics firm, the machines read the patterns of the veins just below the surface of the skin on your finger using infra-red sensors. The light is partially absorbed by haemoglobin in the veins to capture a unique finger vein pattern profile, which is matched to a profile. The technology is used by Japanese banks and also in Turkey, offering “groundbreaking levels of accuracy and speed of authentication”, Hitachi said, which in t...
Read more