[conspire] Your computer data and the crossing of (any) international borders
Rick Moen
rick at linuxmafia.com
Mon Mar 20 19:07:54 PDT 2017
Our friends at EFF (/me waves at Seth Schoen) have just produced some
excellent guides to digital privacy at the US border. Comprehensive
article is here:
https://www.eff.org/wp/digital-privacy-us-border-2017
https://www.eff.org/files/2017/03/10/digital-privacy-border-2017-guide3.10.17.pdf (same, but as downloadable PDF)
or URL-shortened version at
https://www.eff.org/border-search
Digital Privacy at the U.S. Border:
Protecting the Data On Your Devices and In the Cloud
by Sophia Cope, Amul Kalia, Seth Schoen, and Adam Schwartz
Handy print-and-fold pocket guide is here:
https://www.eff.org/files/2017/03/08/border-guide.pdf
EFF’S POCKET GUIDE
TO PROTECTING YOUR DATA AT THE U.S. BORDER
EFF's pieces primarily concern travel into the USA, but many of the
themes and bits of practical advice should apply to entry into other
countries as well.
The subjects covered have recently been on my mind because my family
just took a trip to the Caribbean. I took several measures so that
no border officials (either US or other) would have either the ability
or the motivation to pry into my online affairs.
(I've put _no_ political advocacy into this post. If you think you saw
some, please read again.)
As 'Digital Privacy at the U.S. Border' is a long and comprehensive
piece, I'll just highlight / make personal comments about a few things.
1. It's useful to ponder (a) what (some country's, not necessarily
ours) nosy border officials could find on your personal electronics, (b)
what they can do _to_ your electronics, and (c) what they could do to
your files. Some countries have been known to take laptops,
smartphones, tablets, e-book readers, digital cameras, DVD players,
electronic games, etc. for 'inspection' and return them with ROMs
reflashed to have dubious contents, and one business traveler reported
that his laptop upon return turned out to have an entirely different
motherboard. (I'm not saying that US officials do this. I'm just
pointing out that border officials have this ability, and that some
countries take full advantage of their ability to intrude.[1] For more
about this topic, look up 'evil maid attack.')
Electronics in checked luggage, or that has been removed from your
custody for 'inspection' can be first bit-imaged and then
security-compromised before you see it again. There is breaking news
(thus, not yet well confirmed) that dramatically underlines that point,
for all travellers on 13 carriers flying from Africa and the Middle-East
to the USA:
http://livefromalounge.boardingarea.com/2017/03/20/complete-electronics-ban/
[TSA] will prohibit the carriage of any electronic or electrical
devices on board a flight which is supposed to depart or arrive from the
United States of America. The ban will be in effect from March 21, 2017,
and seems to be applied on 13 carriers across the Middle East.
'On board', here, means carry-on, so all electronic devices would need
to go into checked luggage -- out of your custody and out of your sight.
(As the article points out, if true, this new regulation also creates a
significant Catch-22, because USA regulations already prohibit having
any Li-Ion battery in your checked luggage. So, now you may not have it
as a carry-on item, either?)
2. If you live in the Bay Area, you dwell within what U.S. Customs &
Border Protection (CBP) classifies as the 'border zone' that exists
conceptually 100 miles within the border -- because you live less than
100 miles from the Pacific Ocean. CBP asserts (based on a 1953 DoJ
rulemaking that spoke of a 'reasonable distance' from the border, which
CBP interprets to mean 100 miles) its legal right to conduct searches
without warrant or probable cause in the border zone. The law on this
matter is unsettled[2], and CBP agents' scope of inspection has often
been even more invasive than that.
ACLU white paper & factsheet:
https://www.aclu.org/other/constitution-100-mile-border-zone
https://www.aclu.org/other/aclu-factsheet-customs-and-border-protections-100-mile-zone
(CBP have not been known, to date, to conduct 'border zone' searches in
the Bay Area other than for travelers entering the USA at our airports
and seaports. However, they have done so in other places, notably
Florida. In the 'border zone' away from ports of entry, they would
need to be able to prove they had 'reasonable certainty' that the person
or thing to be searched crossed the border or had meaningful contact
with someone or something that crossed the border, and reasonable
suspicion of criminal activity or immigration violation. Neither a
warrant nor probable cause is required for such searches.
https://www.reddit.com/r/IAmA/comments/5gnu8e/we_are_the_aclu_we_are_here_to_talk_about_the/
Note: 19 U.S.C. § 1595(b) also authorises officers to enter private
lands and buildings within a 25-mile border zone, e.g., much of the Bay
Area, 'other than a dwelling house', to perform warrantless border
searches and seizures.)
By contrast, CBP _at_ the border do not need a warrant or probable cause
or even showing of some degree of suspicion, only entry to the US from
outside. State v. Rirard, 57 N.C. App. 672, 292 S.E.2d 174 (1982)
CBP's flyer about inspection of electronic devices:
https://www.cbp.gov/sites/default/files/documents/inspection-electronic-devices-tearsheet.pdf
3. The law about border agents compelling persons to reveal passwords
is also unsettled. However, it _is_ settled that law officers can
compel suspects to perform biometric authentication (e.g., fingerprint
readers), so don't rely on those.
If you are betting against being compelled to reveal passwords, you can
store data on LUKS (Linux Unified Key Setup) / dm-crypt filesystems
(https://gitlab.com/cryptsetup/cryptsetup/wikis/DMCrypt). But note
today's contempt of court judgement in the Third Circuit (Pennsylvania)
against a man who claimed to have 'forgotten' full-disk encryption that
the court had good objective reason to think concealed child porn.
https://regmedia.co.uk/2017/03/20/appeals_court_ruling.pdf
4. It's worth spending some time pondering the use of your devices as
'portals' to your computing elsewhere including cloud computing, VPNs,
and social media. This includes autologin abilities you left enabled,
and going through your data state to do what in security we call
'resource discovery' -- things elsewhere worth poking into. Your
devices being powered off for border transit reduces the amount of
device state that can be mined in various ways, and would be A Good
Thing.
5. Regular file (and filesystem) deletion isn't anywhere near
sufficient. EFF's guide has details. SSDs and other flash media raise
particular concerns for reasons of their wear-leveling techniques among
other things.
6. Steganographic (data-hiding) measures are legally reckless in this
context. As the EFF guide points out, any technical measure apparently
devised to deceive or mislead Federal agents risks prosecution for
violating 18 U.S.C. § 1001, one of the big hammers of Federal law
enforcement: lying, false statements, concealment (etc.) to a Federal
officer on a material matter within the jurisdiction of that officer,
and can get you sent to prison on a felony conviction for five years.
https://en.wikipedia.org/wiki/Making_false_statements
http://corporate.findlaw.com/litigation-disputes/how-to-avoid-going-to-jail-under-18-u-s-c-section-1001-for-lying.html
In general, if answering any question from a Federal officer on matters
that may be within that officer's jurisdiction, one wants to tell the
exact plain truth as one knows it, and then _stop_. (Stop talking. Do
not elaborate, do not fill the silence by continuing, do not say 'I
don't know' if you _do_ know, do not make up an answer, and never _ever_
say 'no' when the correct answer is 'yes', or vice-versa.)
7. Be aware that agents frequently assert that they have rights they
lack. E.g., ICE (Immigration and Customs Enforcement) and CBP agents
are reported to sometimes cite a Homeland Security policy
(https://www.dhs.gov/xlibrary/assets/privacy/privacy_pia_cbp_laptop.pdf)
claiming that a Federal statute (19 U.S.C. § 507) empowers them to
'demand the assistance of any person' in carrying out a search, and then
claim that this means you must do and tell them anything they ask, which
IMO is a tortuous overreading of that statute, and their interpretation
IMO has no chance of standing up in court. (19 U.S.C. § 507 does
require you to assist in the officer carrying out his/her lawful duties,
though. E.g., if the officer says 'Dig out and hand me your cell
phone', you must comply or can be charged with a misdemeanour and fined
$1000.[3])
Recently, CBP officers blocked passengers from disembarking domestic
flight Delta 1583 from SFO (S.F. International) to JFK (John F. Kennedy
Airport, NYC) and requested display of government photo ID, with at
least the implication that they'd be detained if they didn't. All
passengers complied. CBP actually had _no_ legal power to compel showing
papers before getting off a domestic flight, but without passenger
refusal, CBP could claim this was voluntary and consensual.
https://www.washingtonpost.com/news/post-nation/wp/2017/02/23/federal-agents-ask-domestic-flight-passengers-to-show-ids-in-search-for-undocumented-immigrant/
http://www.upi.com/Top_News/US/2017/02/24/Border-patrol-agents-check-IDs-of-domestic-flight-passengers-in-New-York/6741487906527/
More broadly, the easiest way to lose your legal rights is to waive
them. Not waiving them usually requires saying 'No, I do not consent,
I do not agree, and let's take the question to a judge.' And:
8. When in doubt, say less. Closed mouth gathers no foot.
On my recent trip, I chose to leave most computing devices at home,
carry only a previously unused cellular telephone with little on it, and
reduce greatly the amount of data and code I brought, and all my devices
were shut down (and backed up). My browser history was cleared, and
other state deliberately reduced. The results of such measures
are imperfect on numerous grounds, so a more comprehensive approach
would have been to bring a different laptop from my regular one, with a
fresh hard drive in it -- or no hard drive and use a flash drive or live
CD/DVD. (Laptops with user-accessible storage bays have an advantage,
here.) A truly paranoid traveler would be prepared, upon return, to
reflash all ROMs and reload mass storage from backup.
I made sure I could honestly and believably say I didn't know and could
not produce on demand most passwords, those being at home and out of my
reach. (More-complex measures include ensuring that you are delivered
valid passwords after crossing borders you're concerned about, but
deliberately lacking them during the crossing.) If asked for my ssh
credentials for ssh'ing into linuxmafia.com, I would have said, yes, I
do know that one, and no, I refuse to provide it.
My entry back into the US was at the end of a flight from Princess
Juliana International Airport, Sint Maarten (SXM) to Newark Liberty
International, Newark, NJ (EWR), and a connecting flight to SFO.
I warned my family in advance that I might be bumped from the latter
flight if delayed in Customs: My plan was to present a scrupulously
accurate customs declaration form and my US passport, be friendly, warm,
relaxed, and cheerful, but very politely decline to answer all questions
if asked any. Presenting a valid US passport and accurate customs
declaration (along with permitting inspection) is all that a returning
citizen is required to do. Then, be patient, as CBP have every right to
make sure you're not importing contraband, carrying illegal goods, etc.
(Saying as little as feasible to Federal officers also reduces
18 U.S.C. § 1001 'lying to Federal officials' dangers.)
As EFF point out, the best choice of approach for a returning citizen
is likely to differ _markedly_ from that of a non-citizen (visitor or
Green Card holder) visiting the USA, for various reasons they discuss,
and in particular that ICE and CBP do legitimately ask pointed
questions of arriving non-citizens, e.g., to verify that they're
entering the country for legitimate reasons, complying with the rules
for your class of visitor.
http://travel.stackexchange.com/questions/11323/what-questions-should-i-be-able-to-answer-when-entering-usa
But being respectful and polite is always a good idea regardless of your
citizenship or whose border you're crossing, both on pragmatic grounds
and in acknowledgement that border officials have highly legitimate and
reasonable duties[4] to carry out, and usually do so courteously and
professionally.
(CBP have the right, if they have grounds for suspicion of crimes, to
seize your electronics for remote analysis. It will be available for
your recovery after some days or weeks or months, and you will need to
pay for shipping. Of course, this situation is radically less likely if
your devices raise no suspicions because they contain very little.)
_If_ ordered to carry out actions for which I believe CBP lacks legal
authority, my plan was to politely refuse and say 'I don't think you
have the legal power to require that. I guess we'll have to ask a
judge.' However, I also did my best to ensure that any legally
questionable order, e.g., providing passwords I carefully did not
possess, would also be legitimately impossible for me to carry out.
(Another approach EFF recommend considering on orders you think
questionable is to comply but state that you do not consent and are
complying under protest.)
Worst case, even if they didn't like the cut of my jib, CBP would have
had no choice but to let me enter, as I was a citizen with a valid
passport -- but if they wished could easily have detained me long enough
to miss my connection, and could retain my electronics for offsite
scrutiny. (As it happened, I had zero troubles, as usual.)
[1] Picture a worst-case scenario where (e.g.) business travel is
necessary to whatever you deem your least-favourite dictatorial state,
North Korea -- or Marvel's fictional Latveria, dealing with Victor von
Doom's border officials.
https://www.schneier.com/blog/archives/2012/02/computer_securi_2.html
[2] At road CBP checkpoints such as one encounters on I-5 north of San
Diego, CBP needs probable cause (or driver consent) before it may search
contents of a car. United States v. Ortiz, 422 U.S. 891 (1975) and
Almeida-Sanchez v. United States, 413 U.S. 266 (1973).
[3] This law was passed as part of the 1986 Anti-Drug Abuse Act.
https://twitter.com/OrinKerr/status/831726892923441153
As Prof. Kerr points out at that link, many of the demands for
'assistance' under this statute obviously cannot be justified from the
law's purpose, such as CBP compelling giving up passwords to cloud
computing or social media contents far from the border. But again, the
best way to make a non-issue of demands for such 'assistance' is make
sure in advance that you are genuinely unable to comply, e.g., all the
required passwords are outside of your reach.
[4] Counterfeit goods, illegal drugs, child pornography, evidence
relating to terrorism and other national security matters, human and
bulk cash smuggling, and information about financial and commercial
crimes, such as those relating to copyright, trademark, and export
control violations. Also preventing import of agricultural pests and
diseases. In theory, a requirement to seize 'seditious material' is
also still on the books, so it's a good thing CBP don't read carefully
the complete works of Terry Pratchett on my e-book reader, as pterry was
a troublemaker. ;->
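
Added example (not part of the original post): a pre-travel self-audit for point 4 above, listing state in your own home directory that names remote systems or stores autologin credentials. The function names, category labels and sample files are assumptions constructed for illustration; it covers only OpenSSH known_hosts, .netrc and bash/zsh history.

```python
import re
import tempfile
from pathlib import Path

# Commands that name a remote system (an assumed, non-exhaustive set).
REMOTE_CMD = re.compile(r"^\s*(?:ssh|scp|sftp|rsync)\s+(\S.*)$")

def audit_device_state(home):
    """List (kind, file, detail) for state that points at remote resources."""
    home, findings = Path(home), []
    known = home / ".ssh" / "known_hosts"
    if known.is_file():
        for line in known.read_text(errors="replace").splitlines():
            # Ignore @markers; skip comments and hashed ("|1|...") entries.
            fields = [f for f in line.split() if not f.startswith("@")]
            if fields and not fields[0].startswith(("#", "|1|")):
                findings.append(("remote-host", ".ssh/known_hosts", fields[0]))
    netrc = home / ".netrc"
    if netrc.is_file():
        machine, tokens = "default", netrc.read_text(errors="replace").split()
        for tok, nxt in zip(tokens, tokens[1:]):
            if tok == "machine":
                machine = nxt
            elif tok == "password":  # autologin credential stored on disk
                findings.append(("stored-credential", ".netrc", machine))
    for name in (".bash_history", ".zsh_history"):
        hist = home / name
        if hist.is_file():
            for line in hist.read_text(errors="replace").splitlines():
                if line.startswith(": "):  # zsh extended-history prefix
                    line = line.split(";", 1)[-1]
                m = REMOTE_CMD.match(line)
                if m:
                    findings.append(("remote-command", name, m.group(1).strip()))
    return findings

def demo():
    """Audit a constructed home directory; every value below is made up."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        (home / ".ssh").mkdir()
        (home / ".ssh" / "known_hosts").write_text(
            "shell.example.org ssh-ed25519 AAAAC3constructed\n"
            "|1|c2FsdA==|aGFzaA== ssh-ed25519 AAAAC3constructed\n")
        (home / ".netrc").write_text("machine ftp.example.org login u password p\n")
        (home / ".bash_history").write_text("ls -l\nssh admin@vpn.example.net\n")
        return audit_device_state(home)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

The hashed known_hosts line in the sample produces no finding, which is the effect of OpenSSH's HashKnownHosts option on this kind of inspection.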