Keep your data safe at the border

There is no right to privacy at international borders. For those of us with laptops, this presents a pretty major problem: How do we get through U.S. Customs with our beloved portable devices, without having Uncle Sam peeking at every e-mail we've sent, every MP3 we've listened to, and every "home movie" we've made?

The obvious solution, encryption, is not enough. Non-Americans have no right to enter the U.S. Don't want to hand over your encryption keys? No problem--but you will be put on the next airplane back to your home country (if you're lucky...If the government really doesn't like you, you may end up getting sent to Syria).

Those of us "lucky" enough to have a U.S. passport may be forced to enter the password for the data, if we want to avoid having the devices seized and never returned.

For travelers heading to countries other than the U.S., it can be even worse. Refusing to hand over your encryption key to a lawful request by British Police can result in jail time. Ouch.

CNET News.com's Declan McCullagh posted a guide to securing laptops for border searches back in March. The Electronic Frontier Foundation's Jennifer Granick wrote a blog post on the subject recently, in which she broke down the case law and offered a bit of advice. While both of these are interesting reads, neither includes the practical solution which I use.

Chris' Guide to Safe International Data Transport

1. Before going on any international trip, back up all of your important and potentially embarrassing, incriminating, or troubling data. This includes any copyrighted content which you may not be able to prove you own.
2. Create an encrypted disk image/encrypted folder of that data. This can be done with Pretty Good Privacy, Truecrypt, or software built into many operating systems.
3. Remember the password. This is very important, as if you forget it, you lose all your data.
4. Upload the encrypted data to a reliable place on the Internet (or two). Personally, I use Amazon S3, which charges 15 cents per GB-month of storage plus 17 cents per GB of data transfer.
5. Wipe your laptop clean (do this properly, or the data may be accessible after the fact with forensics software), and install a fresh copy of your OS onto it.
6. Travel. You should have no problem at U.S. Customs (or in any other country) as you won't have anything problematic on your computer.
7. At your hotel/office, fire up your Web browser and download the encrypted data file from Amazon's servers.
8. Decrypt the data.

Once you are done with your trip, you can simply re-encrypt the data, upload it to Amazon again, and wipe the disk clean.

For those of you traveling to countries (or places in the U.S.) with slow Internet connections, you may wish to burn your encrypted data to a DVD and FedEx it to your destination. Do it a few days before you leave, and you should know before you get on the airplane if the disk made it to your destination safely by checking the delivery status online.

I realize that I take paranoia to a more extreme level than most, but I find that this technique works really, really well for me. For those of you who are even more paranoid, and are worried about customs agents being able to recover the deleted data from your laptop disk, you may wish to avoid keeping the decrypted data on your laptop at all (while on the trip). Portable flash drives are quite cheap these days, and can be easily destroyed (a microwave, a hammer, driving over them in a rental car, etc.) once your trip is done.

Disclosure: Jennifer Granick represented me, pro-bono, in my civil troubles with TSA back in 2006 and 2007.

[Dalkorian]

"Those of us "lucky" enough to have a US passport may be forced to enter the password for the data, if we want to avoid having the devices seized and never returned."

Simple solution to that, thanks to repukes. "I don't recall". They get away with everything with that little phrase. See, the problem is forcing you to disclose your passwords is unconstitutional. I know the Constitution means nothing to the current cabal, but the good news is soon that cabal will be removed from power. The next administration, assuming it's not McShame, will overturn this and we will be able to enjoy the protections of our Constitution once again.

[JJ_FLA]

What an incredibly naive series of comments -

A) I agree that sometimes the execution is lame but the US has to do what it can to protect against any and all threats and is scrambling to do the best it can.

B) If you think that victory by either of the two Democratic candidates will allow you to "enjoy the protections of our Constitution once again", you are delusional. Do you remember a failed social experiment called the "Soviet Union"? That's what we'll be in for if either of these Socialist stooges win.

Welcome to reality, Comrade - JJ

[Travis Ernst]

A little overly paranoid are we? Most of us don't have items to hide, and in turn won't have problems with the TSA. As long as it boots up they tend to be happy. There were some idiots at TSA with the new flash hard drives that couldn't understand how it could work without a traditional hard drive, but thats due to poor education.

If you have content that is a problem I'd not bring it where it needs to be inspected. Access keys work similar. Don't carry it on you if you use that to have your PC protected. Put it in your checked bag and pray it doesn't get lost.

[trademann69]

apparently you're missing the point...

[rcrusoe]

I totally agree. I'm a Google Apps user so my mail and non-sensitive word processing and spreadsheet files reside there. So far, I've gotten by storing the files I need while traveling as encrypted dmg files mailed to myself, but S3 is a good idea when I need something more than the 20mb limit on gmail.

If they demand access to my email, they are welcome to browse the spam in my Hotmail account.

[cryptographer]

Thank you for your interesting article. Much of what you said is valid and makes sense, however, wiping a hard drive, completely, for many of us is not feasible. Following your advice to the T for a typical user would add dozens of hours of work to their life.

First of all, i think Travis is totally off. You can't count on the TSA being stupid, and many people do have information that is sensitive.

Personally, I don't want the government looking at ANYTHING on my computer, not my letters to my grandma, not my music collection, not my patent applications, proprietary corporate information, customer records or anything else I may have.

While encrypting everything and then uploading it to Amazon S3 or another online storage solution makes sense for small documents, it doesn't for large collections of files - say anything over a few hundred MB (imagine you are coming to the states, or leaving them, for three days, with meetings every day, how many hours can you afford to spend downloading before you can get to work? And what if something goes wrong with your internet connection?).

Another viable option is to use TrueCrypt's hidden volume option. You mentioned TrueCrypt in your article, but hidden volumes are different from plain TrueCrypt volumes - A hidden volume is an encrypted disk-within-a-disk, and it provides what TrueCrypt calls "plausible denyability", because hidden volumes are indistinguishable from empty space on TrueCrypt encrypted volumes.

For more on hidden volumes, check out http://www.truecrypt.org/hiddenvolume.php

Also, rcrusoe: to learn how to protect your Gmail and Google Apps from indexers, hackers and the government, check out MailCloak and DocCloak

[bgjff]

The problem with all of this, as Dalkorian and cryptographer mentioned, is that the government does not have the right to to invade your laptop. This is the electronic epitome of unreasonable, and (not to mention) unwarranted search and seizure. It is a catch 22- forfeit your rights to the governmental authorities, or have your laptop taken away. Even worse, get arrested. The only way around it I see is for the laptop to be shipped to your destination and have it waiting on you when you arrive, and have a ghosted copy of the hard drive in case you lose your laptop. This criminalization of American citizens is just plain worng.

[jdzions]

bgjff, sadly, you're incorrect. Before you've entered the US, even as a citizen of the US, Customs has the legal right to invade your laptop. The US Supreme Court has held they have that right *at the border*. If they can't read your disk and you "forgot" your password, they have the legal right to confiscate the drive and/or entire system and, at their leisure, crack your password for you. If they see your laptop has a 160GB hard drive but the only visible volume is 80GB, they have the right to keep the drive and find your invisible volume.

For folks who have material they do not want revealed to the US government, the only option is to encrypt and store on-line and hope you can pull the content at your destination. And hope the government hasn't cracked your encrypted content on S3.

[ev61]

why not save yourself the constant hassle of reinstalling your OS and get an inexpensive Asus laptop? store your important files online and acquire those that you need while out of the country.

[SwankGD]

Interesting that you're willing to go to this level of extra work due to paranoia, and yet you're perfectly willing to let your data sit on some Amazon server cloud somewhere in an era when the government is doing a fine job of obtaining data from companies like Amazon all the time.

My laptop is a dumb terminal, all of my data sits at home on a NFS server, backed up nightly to RAID-5. There's nothing to find on my laptop because when it's off my home network, there's nothing on there. Much preferable, imho, than trusting my data to Amazon.

[csoghoian]

SwankGD,

I have a high confidence in Amazon's ability to back up my data.

Frankly, I don't care if the government orders Amazon to hand the data over... as it's encrypted.

The whole point here, is that the government can only really ask you to hand over your decryption key to data on a laptop. They can't force you to hand over a key to decrypt data held on a server somewhere on the Internet.

Yes, tools like TrueCrypt exist. However, what you really want, is to be suspicion free. The best way to get that, IMHO, is to have a squeaky clean fresh install of the OS on your laptop, with nothing else on it.

[wrongcrowd]

> Most of us don't have items to hide, and in turn won't have problems with the TSA. As long as it boots up they tend to be happy.

I believe CUSTOMS AGENTS are doing these searches, not the TSA. They are a lot more powerful.

> The problem with all of this, as Dalkorian and cryptographer mentioned, is that the government does not have the right to to invade your laptop.

The problem is, THEY DO have the right, legally, if not ethically. All kinds of wacky searches are legal at the BORDER. This specific issue, the laptop, has been through the courts, and it was upheld. Your laptop is legally considered to be more like a suitcase than a diary.

I am not saying it is good. It SUCKS. But it is reality. I would be shocked if the matter went to a higher court. Behavior at borders has been a legal issue since we HAD borders, and is pretty ironclad.

[PastaFagioli]

I would imagine that if you are online, that the government has already stored everything you sent/looked at online and has peaked, or hope it has the man/computer power to peak at it soon! Just assume that anything on Google, Amazon, Yahoo etc. can be and probably has been filtered with any questionable (and non) stuff being forwarded to Big Brother.

I agree: "This criminalization of American citizens is just plain wrong."

[jackbutler5555]

I think it would be a reasonable expectation that a new follow-on product would be an indisputable enhancement of the product it replaces. Can you imagine Toyota coming out with their 2009 Camry with the equivalent shortcomings? That might be because Toyota has strong and capable competition. It is not a de-facto monopoly.

[jackbutler5555]