This week, Tara McKelvey from BBC News Magazine again reminded us that government agents at borders are universally allowed to inspect, and in most cases detain, our possessions as we enter countries – this of course includes laptops, iPods, USB sticks, digital media, memory cards etc.
In the USA, for example, the Customs and Border Patrol can formally detain your electronic devices with or without suspicion, and for an extended period of time (days, weeks even), and they can transmit your electronic information to other agencies etc. There’s nothing I know of, though, which forces you to disclose any passwords; usually the Fifth Amendment applies (the right not to incriminate yourself), though there are a couple of interesting cases – http://en.wikipedia.org/wiki/In_re_Boucher and http://en.wikipedia.org/wiki/United_States_v._Fricosu – where judges have argued this right away.
You can find out the full conditions from the CBP website – http://www.cbp.gov/linkhandler/cgov/travel/admissibility/elec_mbsa.ctt/elec_mbsa.pdf
The UK is much the same: Schedule 7 of the Terrorism Act 2000 allows for seizure of electronic goods, data, storage etc. with or without suspicion, at the agent’s discretion. However, the UK is one of the few countries where failing to disclose a key or password is a criminal offense (carrying a maximum of 2 years in jail) – the RIPA 2000 http://en.wikipedia.org/wiki/Regulation_of_Investigatory_Powers_Act_2000
There needs to be some reasonable suspicion of terrorism etc. before RIPA can be used, but it’s something to bear in mind as you get off a 20 hour flight into Heathrow, cranky, and come face to face with an overenthusiastic customs official.
So, say it happens and they take your laptop/USB stick/iPad out of your sight for 10 minutes, then bring it back and say “Thank you sir”. What do you do next?
Here are my two top tips if this happens:
1. Assume they copied everything off the device and are going to browse it at their leisure, copy it to other agencies and generally analyze your life.
Change all your online passwords in case they were cached on your device – for example Google Chrome browser (and others) store and remember your web passwords, so anyone with your device now has access to all your online services.
2. Assume they now “own” the device – they could have inserted software, or even hardware into it so it can be tracked/accessed/used in the future.
Talk to your CISO, security team etc BEFORE you turn the device on again. Certainly don’t connect it to your corporate network, even using a VPN. It could be completely compromised.
And my three top tips to make it a non-event:
1. Store your data somewhere other than the device
A secure cloud service perhaps – consider the devices you are carrying as “disposable” – you can even email it to a cloud email provider if needed. Just don’t carry it with you.
2. Travel with a “loaner” device that is fresh so there’s nothing stored on it
And of course, wipe it before you return home (after copying the data into a cloud storage system)
3. Use Encryption
Contrary to Hollywood’s beliefs, most modern encryption products are quite able to defeat government inspection – McAfee Device Encryption or McAfee Managed Native Encryption can be used to secure your information (though this won’t help you if the UK border demand your password).
Just remember, don’t use “123456”, “password” or your birthdate as your password.
Please feel free to tweet me, Simon Hunt, @CTOGoneWild