US customs can and will seize laptops and cellphones, demand passwords

Filed Under: Data loss, Featured, Law & order, Privacy

CustomsThe American Civil Liberties Union has brought a suit against the US government over its seizure of the laptop of a computer security consultant - a seizure carried out at a Chicago airport about a year ago without a search warrant or any charges of crimes.

According to a report in Sunday's Boston Globe, the consultant - a former MIT researcher, David House - was returning from rest and relaxation in Mexico when federal agents seized his laptop.

According to the Globe, the government wanted to know more about House's connections to Bradley Manning, the US Army private accused of leaking classified information to WikiLeaks.

The seizure comes as no surprise. As Globe writer Katie Johnston notes, United States ports of entry are dubbed "Constitution-free zones" by civil liberties advocates.

Barring invasive techniques such as strip seizures, government agents are free to disregard Fourth Amendment protection against unreasonable search and seizure. They don't need reasonable suspicion or probable cause, and they can take what they like, be it laptops or smart phones.

And nab gadgets they most certainly do. Johnston writes that last year alone, 5,000 devices were seized:

The Customs and Border Protection agency says the power to seize laptops is necessary to find information about terrorists, drug smugglers, and other criminals trying to enter the country. Of the more than 340 million people who traveled across the US border in 2011, about 5,000 had laptops, cellphones, iPods, or cameras searched.

Forget privacy rights. They're gone at ports of entry.

Department of Homeland SecurityAnd what guarantees do travelers have regarding the careful treatment of their data?

On House's laptop, that data included contact information for WikiLeaks donors, House's bank account passwords and family photos, and coding he had done in Mexico, Johnston writes. On other laptops, that data can include not only personal data but trade secrets.

Customs and Border Protection agency spokeswoman Joanne Ferreira told Johnston that customs officers are obligated to comply with the Trade Secrets Act, which prohibits federal employees from disclosing confidential business information.

One assumes she was referring to the Uniform Trade Secrets Act, an act put forth to provide legal framework for improved trade secret protection for industry in all 50 US states.

Well, maybe that's some measure of protection. More likely, it's cold comfort. For one thing, all 50 states did not sign on to the act. As of 2010, Massachusetts, New Jersey, New York, North Carolina and Texas hadn't adopted it.

Even if all 50 states ever do sign on to the act, would it protect our seized data from disclosure?

It's hard to imagine that it would, given, for one, the recent peek we got into the pockmarked approach to data security that's employed by government and military agency personnel.

CustomsThat sloppy security was evidenced by Anonymous' Stratfor attack, the astonishing number of customers whose information was stolen in that attack, and the feeble, easily guessed passwords used by many in the military and government agencies that make up Stratfor's clientele.

"Swordfish" as a password used by somebody working for the US Marines? Please.

House admitted to Johnston that the suit will be hard to win. It's one of two the ACLU is bringing in an attempt to stop the U.S. government from seizing and searching devices without a reasonable suspicion of illegal activity.

House isn't seeking damages; rather, he wants the government to give him back his data or destroy it. He also wants to know who, exactly, the feds allowed to access it.

Resisting the government isn't a viable approach to protecting your data in these legal seizures. Johnston lists a few approaches that businesses are taking to keep trade secrets from such seizures:

  • Wipe laptops clean before you travel.
  • Move sensitive information to the cloud and retrieve it later.
  • Move information to a flash drive or external hard drive.

To which I would add three additional recommendations:

  • Encrypt whatever device to which you transfer sensitive information. All you have to do is poke through the lost & found at a transit station to realize that USB drives, at least, fall from our pockets like leaves from autumn trees.
  • If you travel frequently, consider buying a second laptop to bring in order to leave your personal computer at home.
  • Make sure everybody at your organization knows the current state of federal power in this matter.

Johnston notes that a recent survey by the Association of Corporate Travel Executives found that nearly half of the participating companies didn't have a clue about how vulnerable their employees were to having their gadgets inspected, copied or confiscated.

So now we know. Spread the word.

, , , , , , ,

You might like

33 Responses to US customs can and will seize laptops and cellphones, demand passwords

  1. Debbie · 835 days ago

    Put sensitive data in the cloud? Really? I can't believe that's the advice Sophos is offering. Try using TrueCrypt - free, open source software that makes what amounts to an invisible drive on your computer. The feds can look but they won't even see what's there, so they can't demand a password. This is a MUCH more secure option than putting sensitive info into the (insecure & corporate) cloud.

    • Stig Rudeholm · 835 days ago

      Personally, I would create a TrueCrypt container and store that in the cloud, then download it when I reached my destination. Storing sensitive data in the cloud is not a bad idea, per se, as long as you encrypt it. Which you should always do with sensitive data anyway. So, you're both right. :)

    • Andy · 835 days ago

      It is unlikely that the feds would not be aware of the hidden/invisible TrueCrypt drives. Detecting the existance of the hidden/invisible drive is trivial and they have the power to demand your passwords.

      The TrueCrypt drive could be stored in the cloud out of the reach of the feds.

      • Sco76 · 834 days ago

        Doesn't TrueCrypt have a "substitutional drive" feature, when it mounts the fake drive if a secondary password is entered?

      • Paul Rubino · 779 days ago

        Customs Agent: "I demand you give me your password."

        Me: "I forgot my password."

        The End

    • IT-Guy · 835 days ago

      True but if they start poking around they can tell that the partition size isn't showing correct, evidence of a hidden drive. You can put it in the cloud, just encrypt it first.

    • Bob · 835 days ago

      I too wish that Sohos had given more thoughtful advice. TrueCrypt came to mind immediately.

    • Ben · 835 days ago

      "Put sensitive data in the cloud? Really? I can't believe that's the advice Sophos is offering."

      Sophos didn't offer that advice. It came from one Katie Johnston, a writer for the Boston Globe. Then the author of this article, Lisa Vaas, who seems to be a freelance writer/blogger, suggested three additonal steps that can be taken to protect data.

    • Jss · 835 days ago

      Agreed, though perhaps information that is not so sensitive should be uploaded?

    • Intrepid · 835 days ago

      It's safe if Encrypted in the cloud. And the government will not have an encrypted usb drive to hassle you about.

    • Michael Lessard · 835 days ago

      As others have mentioned, hard disks or drives can be read directly without the need for any password or interface. Your hidden or locked parts of your computer are not at all protected as soon as they take the hard drive out and read it directly (without Windows or Mac OS).

      Keep this is mind : all your data that you make invisible or password protected on your computer is not really protected. It only stops someone who opens your computer normally.

      Encryption, though, is another matter. Encrypted data remains encrypted even if stolen directly from the hard disk. Then again, US agencies might be able to crack some types of encryption software.

      Back-ups, stored in various areas, is the way to go for non secret data. For secret data, encryption stored beyond the border and truly wiped before you reach the border.

      All this work to evade the USA where the rule of law is no longer the foundation of democracy.

      • CypherU · 833 days ago

        As Ben already stated, Sophos did not give the advise to use cloud services - but it would also be alright if they did - have a look for Sophos Cloud Encryption - a Software which encrypts your cloud data ...

  2. ConcernedAmerican · 835 days ago

    Our government is forgetting that the nature of our nation (the nature upon which this nation was founded) was to prefer liberty over security.

    • Leo · 835 days ago

      USA is not the land of the free my unitedstatian friend, is the land of the money.

      • Artemis · 834 days ago

        Land of the money? Last time I checked, economic freedom is an essential freedom we Americans enjoy.

  3. Alex Van Schuylen · 835 days ago

    Granted, the U.S. Government is doing NOTHING that any government or ruling body has not pulled since Man stepped out of those caves; and yes, when you have been scared by tragedy you don't always see clearly or are you able to reason as you should...but...this is really stretching the limits of casual insanity!...each time something new is pulled on its own citizens, the U.S. Government is inching closer and closer to the cliff's edge -- like they're getting ready to join the out of control Lemmings!!...:-(...hmmnn...ANTIDISESTABISHMENTARIANISM!!!...

  4. Stig Rudeholm · 835 days ago

    Whenever I plan to blow up parliament, as indeed I often do, I always carry documents detailing my nefarious plans around on laptop and smart phone. Especially when I travel. Don't we all? Us terrorists, I mean...

  5. Grashnak · 835 days ago

    Really? You're complaining that "Swordfish" is a poor password for a marine logging into an open source website?

    Come on, that's a pretty weak complaint. It's not a classified system or database, and sure, it's dumb to use an english word as a password but it's not like having your Stratfor account hacked is a matter of national security.

    I have great passwords for places where it matters. For things like Stratfor, meh.

  6. John Smith · 835 days ago

    Debbie: what good it is to encrypt a hidden data store on your laptop if the laptop gets seized? You still lose the data. But an encrypted data store in the cloud means you can still access it, and there is less to find to make them want to seize your laptop.

  7. Ronald Eskelson · 835 days ago

    Its not like we're playing button, button, who's got the button. Using True-Crypt Free to hide a file from detection is an excellent way to encrypt that data and to hide that portion of your hard drive, but it can't fool your computer into thinking that space is free to use. Simple math will alert anyone with at least a 3rd grade education that the difference between the sticker on your lap top that touts a 1TB hard drive and clicking on computer and seeing only 50GB of free space, will probably want to know why the limited apps and programs listed in the menu leave a significant amount of 'dark matter' unaccounted for. Or they can simply look at your disk management and do the math. The idea is the guy or gal doing the checking might not understand what it means, but its enough to make him or her want to confiscate it in order to earn bonus points. The people that he or she would turn it over to, definately have the ability to extract at least enough information to make torturing you worth while. If you don't want to it to be found, don't carry it.

    • Dan Cartell · 835 days ago

      Bravo- great summary Ronald!

      , you are absolutely right the best thing with trade secrets etc is dont carry it across borders !, in this day and age all you can do is have sensitive data encrypted and stored on servers were it can be accessed via VPN by people with the right credentials using multi factor authentication. No method is 100% fullproof but at least it will cut out a lot of nasty scenarios. Another thing is if the laptop gets stolen the implications of the data on it are immense compared to when it gets siezed by the feds

      What really shocked me about this story was the fact that the guy is a security consultant ( who has worked at MIT ! ) and he had bank account passwords, family photos and names of contacts on a laptop he was travelling with ! What if the laptop had been stolen by nastier people with malicious intent !!

    • Jason · 835 days ago

      Ronald,

      You are ignorant of how hidden volumes work.

      When an encrypted volume is created all unused space is filled with random data.

      When an encrypted volume with a hidden volume is created, the "random" data is actually a hidden, encrypted volume.

      Since an unmounted hidden volume appears random, there is no way to determine if the unused space in the encrypted volume is actually random data, or is a second, hidden encrypted volume.

      Neither "simple math", nor "disk management" is helpful here.

      Read the details specific to True Crypt here: http://www.truecrypt.org/hiddenvolume

  8. R0nin · 835 days ago

    Stig, you assume (or imply that you assume) that terrorists don't carry information about their plans with them on their computers. How do you know they don't?

    • Stig Rudeholm · 835 days ago

      Well, of course it's impossible to know that, so I don't. Same as I'm pretty sure that you don't know that they do.

      I do know that if I were a terrorist, I certainly wouldn't... I'm sure some of the more stupid terrrorists are doing it, though. But is it really the stupid ones that we should be worried about?

  9. Innocent Bystander · 835 days ago

    As always, simple-mindedness simply leaves the TSA itself vulnerable to attack. If I were a terrorist, I might find it ironically delightful to load a laptop with C4 (the battery area would be a nice size, leaving enough room for one or two cells to "boot" the laptop) and gladly provide a "password" to my victims. If I used a 17" laptop I could probably get more than two sticks of dynamite worth of explosives in that space.

    • Mike from Illinois · 835 days ago

      Congratulations.

      You are now an official terrorist.

  10. Andrew Rice · 835 days ago

    This is very old news. It's not just the states any country can demand access at their borders in respect of protecting their country. You choose to enter or not. People should not be carrying data across borders they do not wish the authorities to have access to.

  11. Mike · 835 days ago

    Why should we take solace in the fact that the Trade Secrets Act exists and that the Agents will "honor" it when they don't even honor the Bill of Rights?

  12. panhead20 · 835 days ago

    Uncontrolled search and seizure is one of the first and most effective weapons in the arsenal of every arbitrary government. Among deprivations of rights, none is so effective in cowing a population, crushing the spirit of the individual and putting terror in every heart.

    Justice Robert Jackson, chief U.S. prosecutor at the Nuremberg Trials

  13. Angry Voter · 835 days ago

    The US federal government has repeatedly and systematically during both Republican and Democratic control prevented local law enforcement from deporting illegal aliens.

    Many planes are cleaned by illegal aliens. Allot of food is handled by illegal aliens. These are severe security risks but the federal government instead is going though hard drives looking for copies of songs that get played on the radio for free anyway.

    They are not working to secure the US for citizens. They are working to secure profits for the plutocracy.

    Under the Taliban, opium production was almost totally wiped out.

    After 10 years of US occupation, Afghanistan now produces over 90% of the entire world's opium. The fields are so big you can see them from space on Google Earth but the US government claims they can't find them.

    Our government is infested with organised crime at the highest levels.

  14. Lisa Vaas · 834 days ago

    To all of you who mentioned TrueCrypt: Got it. Hear you loud and clear. Thanks for that. And also, for the record, yes I am an independent journalist, so please don't blame Sophos for my omissions, but please do continue to give me all this valuable feedback.

  15. roy jones jr · 830 days ago

    Our government is forgetting that the nature of our nation (the nature upon which this nation was founded) was to prefer liberty over security.

    Yep. DB Cooper took advantage of that and how is that working for the US now?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.