net.work

The Way Business Is Moving

net.work published by
Issue Date: July 2008

Crossing borders

1 July 2008
Bruce Schneier*

Last month a US court ruled that border agents can search your laptop, or any other electronic device, when you are entering the country. They can take your computer and download its entire contents, or keep it for several days. Customs and Border Patrol has not published any rules regarding this practice, and I and others have written a letter to Congress urging it to investigate and regulate this practice.
But the US is not alone. British customs agents search laptops for pornography. And there are reports on the Internet of this sort of thing happening at other borders, too. You might not like it, but it is a fact.
So how do you protect yourself?
Encrypting your entire hard drive, something you should certainly do for security in case your computer is lost or stolen, will not work here. The border agent is likely to start this whole process with a 'please type in your password'. Of course you can refuse, but the agent can search you further, detain you longer, refuse you entry into the country and otherwise ruin your day.
You are going to have to hide your data. Set a portion of your hard drive to be encrypted with a different key - even if you also encrypt your entire hard drive - and keep your sensitive data there. Lots of programs allow you to do this. I use PGP Disk (www.pgp.com). TrueCrypt (www.truecrypt.org) is also good, and free.
While customs agents might poke around on your laptop, they are unlikely to find the encrypted partition. (You can make the icon invisible, for some added protection.) And if they download the contents of your hard drive to examine later, you will not care.
Be sure to choose a strong encryption password. Details are too complicated for a quick tip, but basically anything easy to remember is easy to guess. Unfortunately, this is not a perfect solution. Your computer might have left a copy of the password on the disk somewhere, and (as I also describe at the above link) smart forensic software will find it.
[A discussion on selecting passwords is available at www.schneier.com/essay-148.html.]
So your best defence is to clean up your laptop. A customs agent cannot read what you do not have. You do not need five years’ worth of e-mail and client data. You do not need your old love letters and those photos (you know the ones I am talking about). Delete everything you do not absolutely need. And use a secure file erasure program to do it. While you are at it, delete your browser’s cookies, cache and browsing history. It is nobody’s business what websites you have visited. And turn your computer off - do not just put it to sleep - before you go through customs; that deletes other things. Think of all this as the last thing to do before you stow your electronic devices for landing.
Some companies now give their employees forensically clean laptops for travel, and have them download any sensitive data over a virtual private network once they have entered the country. They send any work back the same way, and delete everything again before crossing the border to go home. This is a good idea if you can do it.
If you cannot, consider putting your sensitive data on a USB drive or even a camera memory card: even 16 GB cards are reasonably priced these days. Encrypt it, of course, because it is easy to lose something that small. Slip it in your pocket, and it is likely to remain unnoticed even if the customs agent pokes through your laptop. If someone does discover it, you can try saying: “I do not know what is on there. My boss told me to give it to the head of the New York office.” If you have chosen a strong encryption password, you will not care if he confiscates it.
Lastly, do not forget your phone and PDA. Customs agents can search those too: e-mails, your phone book, your calendar. Unfortunately, there is nothing you can do here except delete things.
I know this all sounds like work, and that it is easier to just ignore everything here and hope you do not get searched. Today, the odds are in your favour. But new forensic tools are making automatic searches easier and easier, and the recent US court ruling is likely to embolden other countries. It is better to be safe than sorry.
Addendum: Many people have pointed out to me that I advise people to lie to a government agent. That is, of course, illegal in the US and probably most other countries - and probably not the best advice for me to be on record as giving. So be sure you clear your story first with both your boss and the New York office.
*Bruce Schneier is the author of the best sellers 'Beyond Fear', 'Secrets and Lies', and 'Applied Cryptography', and an inventor of the Blowfish and Twofish algorithms. He is the chief security technology officer of BT (BT acquired Counterpane in 2006), and is on the Board of Directors of the Electronic Privacy Information Center (EPIC). http://www.schneier.com.


Others who read this also read these articles

Search Site





Subscribe

Previous Issues