There is no right to privacy at international borders. For those of us with laptops, this presents a pretty major problem: How do we get through U.S. Customs with our beloved portable devices, without having Uncle Sam peeking at every e-mail we've sent, every MP3 we've listened to, and every "home movie" we've made?
The obvious solution, encryption, is not enough. Non-Americans have no right to enter the U.S. Don't want to hand over your encryption keys? No problem--but you will be put on the next airplane back to your home country (if you're lucky...If the government really doesn't like you, you may end up getting sent to Syria).
Those of us "lucky" enough to have a U.S. passport may be forced to enter the password for the data, if we want to avoid having the devices seized and never returned.
For travelers heading to countries other than the U.S., it can be even worse. Refusing to hand over your encryption key to a lawful request by British Police can result in jail time. Ouch.
CNET News.com's Declan McCullagh posted a guide to securing laptops for border searches back in March. The Electronic Frontier Foundation's Jennifer Granick wrote a blog post on the subject recently, in which she broke down the case law and offered a bit of advice. While both of these are interesting reads, neither includes the practical solution which I use.
Chris' Guide to Safe International Data Transport
- Before going on any international trip, back up all of your important and potentially embarrassing, incriminating, or troubling data. This includes any copyrighted content which you may not be able to prove you own.
- Create an encrypted disk image/encrypted folder of that data. This can be done with Pretty Good Privacy, Truecrypt, or software built into many operating systems.
- Remember the password. This is very important, as if you forget it, you lose all your data.
- Upload the encrypted data to a reliable place on the Internet (or two). Personally, I use Amazon S3, which charges 15 cents per GB-month of storage plus 17 cents per GB of data transfer.
- Wipe your laptop clean (do this properly, or the data may be accessible after the fact with forensics software), and install a fresh copy of your OS onto it.
- Travel. You should have no problem at U.S. Customs (or in any other country) as you won't have anything problematic on your computer.
- At your hotel/office, fire up your Web browser and download the encrypted data file from Amazon's servers.
- Decrypt the data.
Once you are done with your trip, you can simply re-encrypt the data, upload it to Amazon again, and wipe the disk clean.
For those of you traveling to countries (or places in the U.S.) with slow Internet connections, you may wish to burn your encrypted data to a DVD and FedEx it to your destination. Do it a few days before you leave, and you should know before you get on the airplane if the disk made it to your destination safely by checking the delivery status online.
I realize that I take paranoia to a more extreme level than most, but I find that this technique works really, really well for me. For those of you who are even more paranoid, and are worried about customs agents being able to recover the deleted data from your laptop disk, you may wish to avoid keeping the decrypted data on your laptop at all (while on the trip). Portable flash drives are quite cheap these days, and can be easily destroyed (a microwave, a hammer, driving over them in a rental car, etc.) once your trip is done.
Disclosure: Jennifer Granick represented me, pro-bono, in my civil troubles with TSA back in 2006 and 2007.
Public interest groups, academics and members of the press have hammered Google for its lax privacy policies. The criticism has mostly focused on the log deletion practices and browser cookie policies at the search giant. Google claims that search quality and user privacy are a zero-sum game: deleting log data makes it more difficult to improve search results. Perhaps the company is right. However, there are several other pro-privacy steps that Google could take to significantly protect its customers--which it has not done, and continues to reject.
Over the last few months, a number of Google's engineers have issued public statements on the company's public policy blog to defend its much criticized log data retention policies. The company claims that the data can be used to hunt down malware, to catch people defrauding its advertising system, and can be used to improve search results.
These high-profile Googlers make the case that user privacy and search quality are a zero sum game: deleting logs to protect customer privacy makes it far more difficult to provide a good search experience.
While I personally think this is a load of rubbish, I'm going to give them the benefit of the doubt today, because I want to focus on a different issue. Namely, that Google could take a few easy steps in other areas to protect customers from the prying eyes of AT&T, the NSA, or the pervert next door reading your e-mails sent over a wireless network.
Search terms
Imagine a normal search situation. A user will visit Google.com, type in a few words, "security blogs," perhaps, and click on the search button. From the search results page, a user will click on a link, taking them to www.some-website.com. Due to the way that Google has designed its search engine, Web site owners are given the search terms that brought each Web surfer to their site.
A more technical explanation of this is as follows: Google embeds the search terms that the user issued into the Web URL of the search response page. That is, an example search URL will look like http://www.google.com/search?q=security+blogs . This is known as a HTTP GET request. When a user clicks on one of the search results on that page, the Web site owner will be told the exact address of the referring Web site. Due to the fact that Google embeds the search terms in its results URL, the Web site owner learns which terms lead a user to their page.
Google could very easily stop including the search terms in the URL and thus stop passing on the search terms to the Web sites that users click on from a Google results page. It could do so by requesting that the user's browser send the terms to a Google server in a more discrete way. Many Web sites do this, especially those dealing with private information. Amazon.com and other e-commerce sites do not transmit the customer's credit card information by sending it in the URL--even on a SSL-encrypted Web session. To do so would needlessly endanger the user.
A switch to this more privacy-protecting method of Web data submission, known as a HTTP POST, would be a trivial change for Google's engineers. Furthermore, it wouldn't lead to any additional data processing resources for its vast number of servers. For Google, such a change would cost the company essentially nothing yet it would give its customers an immediate increase in privacy.
The only downside to such a change, would be the loss of information for Web masters. Companies would like to know which search terms drew a customer to their Web site, especially if that visit resulted in a sale. While no doubt useful for marketers, this is not something they deserve to know. Furthermore, Google's responsibility is to the users with the eyeballs. At the very least, if a firm wants to know what people are searching for--let it buy an advertisement from Google. Right now, Google gives this data away to every Web site owner, for free.
Encrypted mail
By default, all Google searches as well as e-mail sent and read via Gmail are transmitted in the open, over an unencrypted session. What that means, is that the data can be seen by anyone with access to the network--anyone else using the Wi-Fi connection at Starbucks, your Internet service provider, or any government agency that has tapped the Internet backbone.
All Web browsers support the SSL encryption standard. Google even offers encrypted access to Gmail users, if they know to ask for it. Users simply need to visit https://www.gmail.com, and their e-mail entire session will be safe from prying eyes.
Unfortunately, encryption is expensive, at least in terms of computing power. Turning SSL on by default for the millions of Gmail users would mean that Google would have to dedicate more computers to the service. Those computers cost money. A Google spokesperson confirmed this, telling me that "we have not made SSL the default due to capacity and latency issues."
Google has made a shrewd business decision: Those users who care enough about their privacy to read the company's FAQ can get a bit of protection for their e-mail, while those users who presumably don't care, are left exposed to hackers and snoops.
Google should change its policies with regard to SSL and e-mail. At the very least, it should mention the secure Web mail option and provide a link on the main Gmail log-in page. This information is currently hidden in one of the help pages. In an ideal world, Gmail would enable SSL by default.
Searches, exposed.
While the company offers encrypted Web mail, it does not do the same for searches. Currently, there is no way to keep your search terms secret from those who might be watching the network. Could the company offer this? Sure, but it has chosen not to. Primarily, because of cost.
Luckily, someone else has taken steps to fill the search privacy gap left by Google.com. A Texas man named Daniel Brandt has created a Google-powered privacy-preserving search engine: Scroogle.org.
Scroogle submits search queries to Google on a user's behalf, scrapes the results, and displays them to the user. Scroogle's search data policies are fantastic: no cookies, no search-term records and all access logs are deleted within 48 hours. The site uses HTTP POST requests by default, which helps to keep the search terms a secret between the user and the search engine. Furthermore, for those users willing to put up with the 1- or 2-second delay required to initiate an SSL connection, encrypted searches are available to users via https://ssl.scroogle.org/.
Over 130,000 searches per day are made through the Scroogle site, 10 percent of which use SSL. In an e-mail conversation, Daniel told me that his "ultimate goal is for Scroogle to survive long enough so that the public sector gets the idea that all major search engines should be treated like public utilities."
Daniel Brandt seems like a great guy. He's doing this for free--and accepts tax deductible donations on the Scroogle site. However, for users who don't trust Daniel's claims, they may wish to use the anonymizing TOR proxy in parallel with Scroogle.
What Daniel's site shows, is that privacy preserving search is possible. While Scroogle doesn't show any ads, if Google offered this service, they could still make a buck on it. Imagine that--making money, while not being evil.
Disclosure: I'm paid as a technology policy fellow by the Electronic Privacy Information Center, a public interest group that has repeatedly criticized Google for its privacy policies. Furthermore, I interned for Google in 2006, and have received a $5,000 fellowship from the company, both in 2006 and 2007.
With a stroke of the Governor's pen on Monday, Indiana became one of the few states in the country to provide strong incentives for businesses to encrypt sensitive customer data. Unlike many of the laws that pass through state legislatures - this one was not ghost written by lobbyists or special interests. It was co-written by a tech-savvy state legislator, and a blogger constituent .... me.
One of the biggest problems in the hundreds of data breach and data loss incidents that have been reported over the past few years is that so little of the data is encrypted. If a laptop containing sensitive medical information is stolen, the thief merely needs to turn it on to read through a goldmine of personal data.
Some government agencies have taken action following particularly heinous incidents. After the state of Ohio lost backup tapes containing 160,000 social security numbers that were kept in a summer intern's car, the state purchased McAfee disk encryption software for every state employee. Likewise, after the hugely embarrassing data loss incident at the Department of Veterans Affairs in 2006, the Bush Administration issued new standards mandating encryption for all federal agencies.
Laptop password loophole
Indiana passed a data breach reporting law in 2006. However, the law had a number of problems. The biggest of these involved laptop passwords.
Many state data breach laws are written in a way to incentivize businesses into protecting their customer data. It would be exceedingly difficult to pass a law forcing all businesses to encrypt their data, and so states opt for the carrot and the stick.
Businesses are given a choice: If you protect your customers' data, and you lose a laptop containing sensitive information, you won't have to spend the money and suffer the reputation hit by telling the public. That is, as long as you've protected the data sufficiently.
Indiana's law created this incentive by narrowly defining a data breach incident. The giant loophole in the law stated that businesses would not have to report an:
"Unauthorized acquisition of a portable electronic device on which personal information is stored, if access to the device is protected by a password that has not been disclosed."
As a computer security researcher, the problems in this sentence immediately jumped out at me. A password doesn't mean encryption, it merely means a password. Windows login passwords would satisfy the law, even if they did nothing to protect the data on the disk. An attacker could start up the device with a recovery CD, or use one of many software tools to break the Windows password -- which will take just a few seconds to do.
Changing the law
In mid 2007, I contacted my State Representative Matt Pierce and asked him to look into fixing the law. He liked the idea, and asked me to compile a list of the problems in the existing rules and suggested fixes.
In January 2008, Representative Pierce submitted a bill to committee that fixed the data encryption flaw, as well as requiring the attorney general of the state to post a copy of every data breach incident impacting 1 or more Indiana residents to an official website.
The bill passed through committee, and then passed unanimously through the Democratically controlled House, 94-0. Unfortunately, once the bill arrived in the state Senate, it had attracted the attention of lobbyists - some of whom flew in from Washington DC specifically to oppose the website reporting provision in the bill. The experience was eye-opening, and gave me a rapid education in the influence of money in politics. Sadly, the lobbyists from AT&T, Microsoft, and Lexis Nexis got their way.
In the end, the Republican controlled Senate stripped out a number of portions of the proposed law. The bill that came out of the Senate, which included the laptop encryption fix, passed unanimously 46-0.
Finally, on Monday the 25th of March, Governor Mitch Daniels signed the bill into law.
As of July 1 2008, Indiana's data breach law law will be amended, such that a companies will not have to report the:
"Unauthorized acquisition of a portable electronic device on which personal information is stored, if all personal information on the device is protected by encryption and the encryption key:
(A) has not been compromised or disclosed; and
(B) is not in the possession of or known to the person who, without authorization, acquired or has access to the portable electronic device."
I am confident that Indiana's new law will provide an extremely strong incentive to businesses in the state. Either, they can start using encryption to protect customers' data, or when they do lose a laptop, they can pay the financial and reputation costs of having to send out hundreds of thousands of letters to consumers.
No business is being forced to do anything - but the smart ones will most likely start taking additional steps to protect customer data.
All the credit and thanks for this effort should go to Representative Matt Pierce, who fought the good fight, and waged battle against big money lobbyists. While the perfect bill did not pass, the change to the law is positive, and it would not have happened without Pierce's hard work.
- prev
- 1
- next
