More Fun With Laptop Detention

|

As Mike Riggs notes below, the Department of Homeland Security now claims the right to seize your laptop "absent individualized suspicion" for as long as it deems "reasonable" whenever you dare cross an international border. Back in June, Ohio State University Law Professor Peter Swire slowly explained (pdf) the stupidity of this approach to the Senate Committee on the Judiciary. First, the futility:

Laptop searches will not succeed at a technical level at preventing data from entering or leaving the United States. Computer security researcher Chris Soghoian in May posted a story called "Keep Your Data Safe at the Border. Soghoian presents an eight-point checklist for how to get your data legally across the border without being searched. The primary trick is to send encrypted files to yourself once you get to your destination country.

The Soghoian article shows the futility yet burden imposed by laptop searches at the border. Any terrorist who is even moderately well-informed can learn how to send the crucial files legally and safely across the border. In addition, a terrorist who is willing to lie to the customs agent (certainly a possibility worth considering) can use TrueCrypt or other software that does the following trick—it allows you to encrypt a secret cache of data inside your encrypted hard drive. Then, when an investigator forces you to open your encrypted files, the secret cache remains invisible to the investigator. This TrueCrypt approach requires lying to the custom agent about whether you have opened up all of your files, but it is a technical measure already available with widely available software.

The evildoers wouldn't lie to a customs agent, would they? It's always a good sign when your strategy relies on the moral integrity of terrorists. Swire's testimony also includes a list of the kind of material one might not want to share with some guy at the airport: "diaries, love letters, a lifetime of saved email, private photos, passwords, financial and medical records," trade secrets, campaign secrets, journalists' notes and so on.

As commenter "nothinghead" (not a helpful handle, but hey) mentions below, visitors headed to China are being advised to either encrypt or wipe data before flying out. Sam Brownback (R—Kan.) complains that Americans "will be subjected to invasive intelligence-gathering" by China's Public Security Bureau. Imagine that.

Via Thinkprogress.

NEXT: The "Surge" Cures All

Editor's Note: We invite comments and request that they be civil and on-topic. We do not moderate or assume any responsibility for comments, which are owned by the readers who post them. Comments do not represent the views of Reason.com or Reason Foundation. We reserve the right to delete any comment for any reason at any time. Report abuses.

  1. The evildoers wouldn’t lie to a customs agent, would they? It’s always a good sign when you’re strategy relies on the moral integrity of terrorists.

    Pffff! It’s way worse than that. Unless the file is titled “Terrorist plans: DO NOT SHOW TO DHS!!!!” It’s a safe bet they could let them look at any file they wanted. Conversely, someone who recently googled “getting though customs” to prepare for their trip could get flagged for special questioning.

    This is the whole problem with searching without probable cause. 99% of the people that get harassed are completely innocent, and 99% of guilty people slip right on by.

  2. Whoa. Inverted italics. How’d I do that?

  3. I can zip a bunch of files, encrypt it, and give it no extension, and that’s all without special software. You really think a TSA goon will be able to figure out what I did, much less even find it?

    These people are retarded.

  4. Not to be a bitch about it, but because nobody likes typos under their name: *your.

  5. It’s always a good sign when you’re[sic] strategy relies on the moral integrity of terrorists.

    Actually, it’s predicated on the supidity and laziness of terrorists. Ask any police detecitve, they’ll tell you that if they weren’t so stupid, most criminals would never get caught.

  6. I can zip a bunch of files, encrypt it, and give it no extension, and that’s all without special software. You really think a TSA goon will be able to figure out what I did, much less even find it?

    No, your front-line TSA goon won’t be able to, but he’ll be the one deciding that you need to be singled out for special attention. Presumably they use either in-house specialists, or contract the job out to the firms that specialize in this sort of thing.

  7. They can’t send out a laptop for examination every time the front-line TSA goon who knows nothing gets suspicious.

  8. They can’t send out a laptop for examination every time the front-line TSA goon who knows nothing gets suspicious.

    First of all, TSA has nothing to do with border crossings, that’s Customs.

    Second, Customs claims the right to detain a laptop without suspicion of wrong-doing. So that means random detention or whatever the whim of the agent is that day.

  9. ICE goon then, fine. The point is that they don’t have the budget to be sending laptops out for hella expensive screenings willy-nilly.

    Personally, I should create an encryption application that sets up two passwords. If you give it password A, it decrypts the data. If you give it password B, it coughs up a bunch of fake bullshit from somewhere else on the drive, but that looks to the user like it is the real deal.

  10. The point is that they don’t have the budget to be sending laptops out for hella expensive screenings willy-nilly.

    The issue is not to search a laptop today, but to detain and copy the content. We are already monitoring and data mining vast quantities of commuications. You really think someone won’t get the bright idea to randomly sample laptop data and feed it into the data mining process?

  11. I fully expect the presence of undeclared, encrypted content on a laptop to become a basis for claiming probable cause.

  12. I have to be completely cynical and ask how many business laptops is Customs going to have to confiscate before this changes? If I’m traveling with the company’s laptop, I’ll be more than happy to not violate company policy by giving up the password. If Customs subsequently keeps the laptop, oh, well, that’s what corporate counsel is for. No skin off my back either way.

    Personal travel? I’ll encrypt that thing six ways from sunday with multiple layers of fake directories. They can go piss up a rope for all the good it’ll do them.

  13. Personally, I should create an encryption application that sets up two passwords. If you give it password A, it decrypts the data. If you give it password B, it coughs up a bunch of fake bullshit from somewhere else on the drive, but that looks to the user like it is the real deal.

    TrueCrypt already does that.

  14. The issue is not to search a laptop today, but to detain and copy the content.

    Good point, but they can do Jack and Shit about encrypted stuff, and Jack left town.

    I fully expect the presence of undeclared, encrypted content on a laptop to become a basis for claiming probable cause.

    I think you are being a little hyperbolic. That seems to be in the air today.

  15. “””I can zip a bunch of files, encrypt it, and give it no extension, and that’s all without special software. You really think a TSA goon will be able to figure out what I did, much less even find it?”””

    Episiarch, Yahoo seems to block encrypted zip files in Yahoo emails. I’ve been sending my work partner encrypted zipped files with the extention changed and he said that Yahoo started blocking them in June. I would be interested if anyone elses experience is different.

  16. Episiarch, Yahoo seems to block encrypted zip files in Yahoo emails. I’ve been sending my work partner encrypted zipped files with the extention changed and he said that Yahoo started blocking them in June.

    It may just be that encrypted files look like binaries to the scanner and they are blocking binaries to prevent the spread of executables.

    Or they’re blocking encryption, but that seems like a dumb move on their part.

  17. I think you are being a little hyperbolic.

    Maybe

    The US government bullies telecoms in to assisting in spying on residents of the US, then passes legislation to exempt them from prosecution.

    The US government decides that the nearly trivial requirements to get a FISA warrant are optional and proceeds accordingly.

    The US government publishes position papers, in secret, saying torture is OK and proceeds accordingly

    Etcetera, etcetera, etcetera . . .

    But it’s the close of business on Friday, so let the drinks flow and drown the paranoia.

  18. (buys kinnath a Mind Eraser)

  19. Mind Eraser

    Ooooh, I’ve never had one of those before.

  20. They sound better than the ingredients come out.

  21. They sound better than the ingredients come out.

    Not particularly appetizing.

    Better for getting rapidly shit-faced on the weekend would be:

    1 part vodka
    1 part blue curacao
    1 part lemon sweet & sour
    Ice and enough 7up to top off the glass

    Goes down like kool-aid.

  22. After this week, it’s shots of Jack chased with Shiner Black. May not go down like kool-aid, but by round three, I don’t much care.

  23. Shiner Black is one of the best beers out there, no question.

  24. Sam Brownback (R-Kan.) complains that Americans “will be subjected to invasive intelligence-gathering” by China’s Public Security Bureau.

    They can’t do that to our pledges; only we can do that to our pledges.

  25. Episiarch | August 1, 2008, 4:53pm | #

    I fully expect the presence of undeclared, encrypted content on a laptop to become a basis for claiming probable cause.

    I think you are being a little hyperbolic. That seems to be in the air today.

    I dunno Episiarch this is the same government who raids homes with “excess electricity usage” and use uncorroborated phone calls to raid and then separate members of a religious sect. Granted these are not exact incidences by the ICE yahoos but still, it is not out of the realm of possibility.

  26. Since it has been mentioned on this thread a couple of times here is a link to TrueCrypt, its Documentation (written for the lay person) and some basic info from the venerable Wikipedia:

    TrueCrypt is a software application used for on-the-fly encryption. It can create a virtual encrypted disk in a file (container), which can be mounted as if it were a real disk. TrueCrypt also supports device-hosted volumes, which can be created on either an individual partition or an entire disk. As of version 5.0, it can encrypt the Windows boot partition or entire boot drive. Version 6.0 even offers the possibility to create and run an encrypted hidden operating system whose existence is impossible for attackers to prove. It is open source software, distributed under the TrueCrypt Collective License. TrueCrypt is available for Microsoft Windows, Mac OS X and Linux.

    Two things of note:
    The first is that when using TrueCrypt with encrypted containers, they are mounted as virtual hard drives via the encryption front end. When the machine is powered off, these “drives” automatically unmount. This is a good thing. Not as good as full system encryption mind you, but definitely not a minus.

    Secondly, because TrueCrypt is a software based encryption scheme it is vulnerable to the “cold boot attack” method. However, in the context of ICE or TSA being able to utilize it effectively, I have my doubts. Funding and competence being what it is, I don’t think that ICE would be able to get your laptop to a specialist before the VRAM lost it’s data, particularly if you shut it down properly after booting it up for them.

  27. “””I think you are being a little hyperbolic. That seems to be in the air today.”””

    10 years ago I would have agreed. The name of the game today is governments’ desire to leave no stone unturned in the hunt for terrorst information of any sort.

    “””I fully expect the presence of undeclared, encrypted content on a laptop to become a basis for claiming probable cause.”””

    I expect encrypted content will one day become a crime, but not in the near future. It’s not just the DHS that wants to define privacy as the ability to protect your data. The more they improve “privacy” the less you will need a personal use for encryption. I wouldn’t be suprised if the government used the excuse, encrypting your data prevets us from protects everyone elses.

    The governments thrist for our data is too great.

  28. Other encryption schemes are layers of many of these things. Keep all your sensitive data in predetermined folders. Encryption program requires the correct password, if a ‘trick’ or incorrect password is entered, a background process begins which starts secure-wiping all data in said folders.

    The problem isn’t whether we can or can’t keep our data safe from government snoops (in this particular case), it’s the crackpot-ness of this scheme. The only people who will get their data successfully searched by TSA snoopers are:

    1. Technically unsavvy innocent people.
    2. Incompetent evildoers.

    If drugs were as easy to hide as data is, the drug war would be an even bigger joke than it already is.

  29. Or they’re blocking encryption, but that seems like a dumb move on their part.

    I don’t see how, unless they’re looking for specific encryption types in the headers. I’m thinking this isn’t the case.

    BTW, sidenote: Comcast stops traffic shaping enctyped streams. They don’t know what’s in it, so they just pass packets.

  30. What? You’re supposed to show them ALL your files?!?! I have 52731 individual files in my home directory on my laptop…

  31. The primary trick is to send encrypted files to yourself once you get to your destination country.

    I love it. It’s like tapping one of the border goons on the left shoulder and then walking around on the right, whistling the whole time. The goon then shrugs and moves onto the next victim.

    Don’t bother with email. Use a free online FTP service, like box.net or xdrive (or gspace in Firefox, but that’s more obvious). Just remember to blow away your browser cache and to securely wipe free space before coming home.

  32. I fully expect the presence of undeclared, encrypted content on a laptop to become a basis for claiming probable cause.

    Why would they bother? Customs doesn’t need probable cause to search and seize whatever they please from people entering the country. They could randomly take your car apart panel by panel and then hand you a bag of bolts and send you on your way, and you have NO legal recourse.

  33. Step one: Purchase external USB drive.

    Step two: Install Ubuntu Linux on external USB drive.

    Step three: Pack USB drive with laptop.

    Step four: Travel, have fun.

    Step five: Boot Ubuntu from external drive. Use Partimage to back up laptop hard drive to external drive. Encrypt backup file if you like, or encrypt entire Linux partition with TrueCrypt.

    Step six: At end of trip, ship USB drive to self @ home. Wipe internal laptop hard drive with DBAN.

    Step seven: Go through customs with clean system.

    Step eight: Arrive home, boot Ubuntu from external drive, restore PartImage backup to internal laptop drive.

  34. Step nine: Curse the shipping company when they lose your package and can’t track it.

    It almost makes sense to have 2 laptops, one for home and one for travel (yeah, like most any of us could afford that). Consider it as the old Marines marching song: “This is my rifle, this is my gun. This is for shooting, this is for fun.”

  35. .. when I travel between Las Cruces, New Mexico (part of the US since 1912) and Deming, New Mexico (part of the US since 1912) I have to pass inspection from government agents with guns asking, “where are you going” .. it doesn’t seem much of a stretch to have those same Men With Guns saying, “let’s see that laptop” ..

    .. Annoyed Hobbit

  36. They aren’t looking for terrorists… they’re looking for child pornographers. Thousands of people travel outside the US every year for the express purpose of having sex with children in countries where this is pretty easy to hook up. Some of these geniuses bring back videos of their exploits on their laptops. My bet is that traveling alone to certain countries, like Thailand, dramatically increase the chances of your laptop being searched.

  37. Buy a cheap, used laptop for international travel and load only essential programs and data on it. Leave your laptop with your illegally downloaded MP3s and pr0n at home. It’s not worth the hassle! Same thing with cell phones and MP3 players. Leave what’s important to you at home and take spares you could care less about on your international travels.

  38. “The evildoers wouldn’t lie to a customs agent, would they?”

    Huh? The evildoers are the customs agents!

  39. I know the JBTs can steal a computer at the port of entry without even pretending to honor the fourth or fifth amendments, but if the data on that computer’s drive is encrypted, how can they compel you to divulge the key?

    -jcr

  40. they’re looking for child pornographers.

    Bullshit. They’re looking for opportunities to bully the traveling public for the sake of security theater.

    -jcr

  41. Mail your laptop, cellphone and iPod to the destination beforehand, walk into the airport empty-handed.

  42. “Step six: At end of trip, ship USB drive to self @ home. Wipe internal laptop hard drive with DBAN.

    Step seven: Go through customs with clean system.”

    Eh? You think the postal service doesn’t pass stuff through customs as well? What good does that do to solve this problem?

  43. The question we should be asking is why they bother. If I were a black-hat and wanted to smuggle any type of data into or out of the
    US illegally, the last thing I would do is cross the border with it physically.

    The easiest way would be to burn an encrypted CD or DVD and mail it.

    Also fairly easy would be to create a throwaway e-mail account on Hotmail or Yahoo, e-mail the stuff there as an encrypted attachment, then go to a cyber-cafe or Kinko’s in the destination country and download it there.

    I don’t know whether any kind of data smuggling is, or may become, enough of a danger to our country’s security that CBP (or DHS) needs to implement the kind of controls that would block these two methods. But unless and until they do, messing around with travelers’ PCs serves no purpose except to demonstrate to the world that the agencies are a bunch of incompetent Barney Fifes.

Please to post comments

Comments are closed.