Tuesday, July 8, 2008

Border Security & Searches of Laptops, e-Devices

Border Searches of Electronic Devices, Laptops, Cellphones, etc.

The Ninth Circuit's recent decision on border searches of electronic devices:

HELD: "reasonable suspicion is NOT needed for customs officials to search a laptop or other personal electronic storage devices at the border."

The Ninth Circuit’s decision, U.S. v. Arnold, held that the U.S. government has the authority to search the contents of electronic devices (e.g. laptops, blackberries and cellphones) of persons entering the U.S. -- including U.S. citizens -- without reasonable suspicion.

This decision may affect the manner of travel for lawyers and businesspersons who may wish, or are required, to keep confidential information stored in electronic devices. Furthermore, it is unclear where and how confiscated devices and content will be managed and retained once seized.

Critics argue that there must be some suspicion of wrongdoing before the government can search potentially sensitive personal, professional, or commercial information at the border and that some of the searches appear to be based on ethnic or religious profiling done in the name of national security.

The Ninth Circuit, however, agreed with precedents supporting the border search doctrine and found the searches to be legal. No suspicion of wrongdoing or reasonable suspicion is needed in order to search an individual's electronic devices when they enter the USA.

------------------

*** US v. Arnold (9th Cir.) [ http://www.ca9.uscourts.gov/ca9/newopinions.nsf/6D5D931898D8168188257432005AC9B8/$file/0650581.pdf?openelement ]

On April 21st, the Ninth Circuit held in United States v. Arnold that the Fourth Amendment does not require government agents to have reasonable suspicion before searching laptops or other digital devices at the border, including international airports. Customs and Border Patrol are likely to use the opinion to argue that almost every property search at the border is constitutionally acceptable.

EFF filed an amicus brief in the case, arguing that laptop searches are so revealing and invasive that the Fourth Amendment requires agents to have some reasonable suspicion to justify the intrusion. Not only are laptops capable of storing vast amounts of information, the information tends to be of the most personal sort, including letters, finances, diaries, photos, and web surfing histories. Prior border search cases distinguished between "routine" suspicionless searches and invasive "non-routine" searches that require reasonable suspicion. Our amicus brief and the lower court opinion relied on these cases to say that the government must also have some cause to search laptops. The Ninth Circuit panel rejected our argument that the privacy invasion resulting from searching computers is qualitatively different from, and requires higher suspicion than, searching luggage or other physical items.

The opinion is almost certainly wrong to classify laptop searches as no different from other property searches. Fourth Amendment law constrains police from conducting arbitrary searches, implements respect for social privacy norms, and seeks to maintain traditional privacy rights in the face of technological changes. This Arnold opinion fails to protect travelers in these traditional Fourth Amendment ways.

The defendant has time to petition the Ninth Circuit to rehear the case en banc, and the Court might agree to do so. The panel included a District Court judge sitting by designation. Additionally, the opinion sets up Arnold's reliance on cases protecting highly private areas like the home from suspicionless searches as a straw man and then knocks the argument down by pointing out "the simple fact that one cannot live in a laptop". This strained and strange argument suggests that Arnold is not the last word on border searches of laptops. In the meantime, travelers carrying their corporation's trade secrets, personal emails, or health and financial information are at risk of arbitrary and capricious fishing expeditions at the border.

-----------------------
Copyright Electronic Frontier Foundation - see at
http://www.eff.org/cases/us-v-arnold

-------------------------
June 25, 2008

Congress Must Investigate Privacy Violations at U.S. Borders

This morning, EFF Senior Staff Attorney Lee Tien testified in a Senate hearing on laptop searches and other privacy violations faced by Americans at the U.S. border. Lee's testimony [PDF] outlined the dangers of random and invasive searches of travelers' digital devices, and urged more congressional investigation and oversight.

Today's hearing comes as Americans are increasingly complaining about how the Department of Homeland Security searches laptops, cell phones, and other digital devices as they come home from overseas travel. Agents often confiscate the devices, copy the contents, and sometimes even provide a copy of the data to the Department of Justice -- even when the traveler is not suspected of criminal activity.


------------------------------
http://www.eff.org/deeplinks/2008/06/congress-must-investigate-privacy-violations-u-s-b

-----------------------------

TIPS: HOW TO PROTECT THE CONTENTS OF YOUR LAPTOP ON THE BORDER & WHILE TRAVELING.

In the meantime, how can international travelers protect themselves at the U.S. border, short of leaving their laptops and iPhones at home?

Many travelers practice security through obscurity. They simply hope that no border agent will rummage through their private data. Too many people enter the country each day for agents to thoroughly search every device that crosses the border, and there is too much information stored on most devices for agents to find the most revealing and confidential tidbits. But for travelers who may be targeted based on their celebrity, race or other distinguishing factor, obscurity is not an option. As last week's news that Microsoft is giving away forensic tools that can quickly search an entire hard drive on a USB “thumb drive” shows, it won't be long before customs agents can efficiently perform a thorough search on every machine. So long as there are no protocols or oversight for these searches, every traveler's personal information is at risk.

Encryption is one (imperfect) answer.

If you encrypt your hard drive with strong crypto, it will be prohibitively expensive for CBP to access your confidential information. This answer is imperfect for two reasons—one is practical, the other is technological.

Practically, the government has not disclosed CBP's laptop search practices, despite our Freedom of Information Act lawsuit for these documents. We don't know what a border patrol agent will do when confronted with an encrypted machine. One possibility is that the agent will simply give up and let the traveler pass with her belongings. Other possibilities are that the agent will turn the traveler and her machine away at the border, or that he will seize the laptop and allow the traveler to continue on. I suspect that on most occasions, CBP agents confronted with encrypted or password-protected data tell the owner to enter the password or get turned away, and the owner, eager to continue her voyage or to return home, simply complies.

If you don't want to comply, CBP cannot force you to decrypt your data or give over your password. Only a judge can force you to answer questions, and then only if the Fifth Amendment does not apply. While no Fifth Amendment right protects the data on your laptop or phone, one federal court has held that even a judge cannot force you to divulge your password when the act of revealing the password shows that you are the person with access to or control over potentially incriminating files. See In re Boucher, 2007 WL 4246473 (D. Vt. November 29, 2007).

If, however, you don't respond to CBP’s demands, the agency does have the authority to search, detain, and even prohibit you from entering the country. CBP has more authority to turn non-citizens away than it does to exclude U.S. persons from entering the country, but we don't know how the agents are allowed to use this authority to execute searches or get access to password protected information. CBP also has the authority to seize your property at the border. Agents cannot seize anything they like (for example, your wedding ring), but we do not know what standards agents are told to follow to determine whether they can and should take your laptop but let you by.

Technologically, encryption is imperfect because even strong crypto can be cracked when someone obtains the keys. Border agents can demand the keys from travelers unwilling to face seizure or detention. Agents may also be able to extract and use keys that are stored on the machine itself. Generally, if you keep your keys with the laptop, in your head or on your disk, then the encryption is easier to socially engineer or break than if you keep the keys elsewhere. (Discussion of what encryption techniques to use or avoid is beyond the scope of this post.)

Encryption aside, there may be other ways you can show CBP that your laptop is indeed a normal computer and that you mean no harm while keeping confidential information from prying eyes. Most operating systems let users create multiple accounts on a single machine. A traveler could allow CBP to examine his own account, while storing client data or trade secrets in a separate account “owned” by his law firm or corporation. Under typical border search circumstances, this might satisfy CBP concerns. However, simply storing information in a different account—even one protected by a password—is not the same as encrypting it. If CBP is interested, the most commonly used forensic search tools can access and search non-encrypted data in every account on the machine.

Law firms, corporations and other entities that routinely deal with confidential information are handing their business travelers forensically clean laptops loaded with only what the traveler needs for that particular business trip. Leaving unnecessary data, like five years of email, behind may be the best thing. Of course, if trade secrets or client information are the reason for the trip, this plan will not help.

Another option is to bring a clean laptop and get the information you need over the internet once you arrive at your destination, send your work product back, and then delete the data before returning to the United States. Historically, the Foreign Intelligence Surveillance Act (FISA) generally prohibited warrantless interception of this information exchange. However, the Protect America Act amended FISA so that surveillance of people reasonably believed to be located outside the United States no longer requires a warrant. Your email or telnet session can now be intercepted without a warrant. If all you are concerned about is keeping border agents from rummaging through your revealing vacation photos, you may not care. If you are dealing with trade secrets or confidential client data, an encrypted VPN is a better solution.

Finally, however useful these techniques might be to protect laptops, travelers do not have this array of options for protecting data stored on less configurable smart phones. Of course, many phones do have a lock or password protection option, which travelers might consider enabling before heading to the airport.

In sum, while you must submit yourself and your electronic devices to warrantless and suspicionless searches at the border, you are not legally obligated to decrypt information or reveal passwords. However, if you fail to do so, the border agents may detain or search you, or even seize the device. There are no options that provide perfect privacy protection, but there are some options that reduce the likelihood that a legitimate international traveler's confidential information will be subjected to arbitrary and capricious examination.

Example Security Precaution

Attorney Alice needs to have confidential attorney-client privileged information overseas. Before departure, she removes unnecessary information, encrypts her hard drive with strong crypto and sets up a login for a protected account and a travel account on her computer. To access the confidential data, one would need to first log in to the protected account, and then open the encrypted files. Only Alice’s employer (The Law Offices of Bob) knows the passwords to the account and encrypted data, and keeps them secret until Alice arrives at her destination. Bob then sends the passwords to Alice in an encrypted email message.
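
The key hand-off in the Alice example, sketched at file level as an added example that is not part of the original post: the office generates a key the traveler never learns, and only ciphertext is on the laptop during the crossing. The directory layout, file names and the use of `openssl enc` on a single file (standing in for the disk encryption the post describes) are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example. File names and contents are constructed for illustration.
set -eu

# Office (Bob): create a random key the traveler never learns, encrypt the
# case file with it, and record a digest of the ciphertext. The key and the
# digest stay at the office; only travel.enc goes onto the laptop.
office_prepare() {   # usage: office_prepare <plaintext> <office_dir> <laptop_dir>
    openssl rand -hex 32 > "$2/case.key"
    openssl enc -aes-256-cbc -pbkdf2 -salt \
        -in "$1" -out "$3/travel.enc" -pass "file:$2/case.key"
    openssl dgst -sha256 -r "$3/travel.enc" | cut -d' ' -f1 > "$2/case.sha256"
}

# Traveler (Alice), after arrival: confirm the ciphertext is byte-for-byte
# what the office produced (the laptop may have been out of her hands), then
# decrypt with the key Bob has just sent over a separate encrypted channel.
traveler_open() {    # usage: traveler_open <laptop_dir> <keyfile> <digestfile> <out>
    local now
    now=$(openssl dgst -sha256 -r "$1/travel.enc" | cut -d' ' -f1)
    [ "$now" = "$(cat "$3")" ] || { echo "ciphertext changed in transit" >&2; return 2; }
    openssl enc -d -aes-256-cbc -pbkdf2 \
        -in "$1/travel.enc" -out "$4" -pass "file:$2" 2>/dev/null
}

demo() {
    local t
    t=$(mktemp -d); mkdir "$t/office" "$t/laptop"
    printf 'privileged memo (constructed sample)\n' > "$t/office/memo.txt"
    office_prepare "$t/office/memo.txt" "$t/office" "$t/laptop"
    ls "$t/laptop"                      # only travel.enc crosses the border
    traveler_open "$t/laptop" "$t/office/case.key" "$t/office/case.sha256" \
        "$t/laptop/memo.txt"
    cmp "$t/office/memo.txt" "$t/laptop/memo.txt" && echo "round trip ok"
    rm -rf "$t"
}
demo
```

CBC mode in `openssl enc` carries no integrity check of its own, which is why the digest is kept at the office rather than on the laptop.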

-----------------------------
COPYRIGHT Electronic Frontier Foundation
http://www.eff.org/deeplinks/2008/05/protecting-yourself-suspicionless-searches-while-t
