Sophos Cloud Optix
The American Civil Liberties Union has brought a suit against the US government over its seizure of the laptop of a computer security consultant – a seizure carried out at a Chicago airport about a year ago without a search warrant or any charges of crimes.
According to a report in Sunday’s Boston Globe, the consultant – a former MIT researcher, David House – was returning from rest and relaxation in Mexico when federal agents seized his laptop.
According to the Globe, the government wanted to know more about House’s connections to Bradley Manning, the US Army private accused of leaking classified information to WikiLeaks.
The seizure comes as no surprise. As Globe writer Katie Johnston notes, United States ports of entry are dubbed “Constitution-free zones” by civil liberties advocates.
Barring invasive techniques such as strip seizures, government agents are free to disregard Fourth Amendment protection against unreasonable search and seizure. They don’t need reasonable suspicion or probable cause, and they can take what they like, be it laptops or smart phones.
And nab gadgets they most certainly do. Johnston writes that last year alone, 5,000 devices were seized:
The Customs and Border Protection agency says the power to seize laptops is necessary to find information about terrorists, drug smugglers, and other criminals trying to enter the country. Of the more than 340 million people who traveled across the US border in 2011, about 5,000 had laptops, cellphones, iPods, or cameras searched.
Forget privacy rights. They’re gone at ports of entry.
And what guarantees do travelers have regarding the careful treatment of their data?
On House’s laptop, that data included contact information for WikiLeaks donors, House’s bank account passwords and family photos, and coding he had done in Mexico, Johnston writes. On other laptops, that data can include not only personal data but trade secrets.
Customs and Border Protection agency spokeswoman Joanne Ferreira told Johnston that customs officers are obligated to comply with the Trade Secrets Act, which prohibits federal employees from disclosing confidential business information.
One assumes she was referring to the Uniform Trade Secrets Act, an act put forth to provide legal framework for improved trade secret protection for industry in all 50 US states.
Well, maybe that’s some measure of protection. More likely, it’s cold comfort. For one thing, all 50 states did not sign on to the act. As of 2010, Massachusetts, New Jersey, New York, North Carolina and Texas hadn’t adopted it.
Even if all 50 states ever do sign on to the act, would it protect our seized data from disclosure?
It’s hard to imagine that it would, given, for one, the recent peek we got into the pockmarked approach to data security that’s employed by government and military agency personnel.
That sloppy security was evidenced by Anonymous’ Stratfor attack, the astonishing number of customers whose information was stolen in that attack, and the feeble, easily guessed passwords used by many in the military and government agencies that make up Stratfor’s clientele.
“Swordfish” as a password used by somebody working for the US Marines? Please.
House admitted to Johnston that the suit will be hard to win. It’s one of two the ACLU is bringing in an attempt to stop the U.S. government from seizing and searching devices without a reasonable suspicion of illegal activity.
House isn’t seeking damages; rather, he wants the government to give him back his data or destroy it. He also wants to know who, exactly, the feds allowed to access it.
Resisting the government isn’t a viable approach to protecting your data in these legal seizures. Johnston lists a few approaches that businesses are taking to keep trade secrets from such seizures:
- Wipe laptops clean before you travel.
- Move sensitive information to the cloud and retrieve it later.
- Move information to a flash drive or external hard drive.
To which I would add three additional recommendations:
- Encrypt whatever device to which you transfer sensitive information. All you have to do is poke through the lost & found at a transit station to realize that USB drives, at least, fall from our pockets like leaves from autumn trees.
- If you travel frequently, consider buying a second laptop to bring in order to leave your personal computer at home.
- Make sure everybody at your organization knows the current state of federal power in this matter.
Johnston notes that a recent survey by the Association of Corporate Travel Executives found that nearly half of the participating companies didn’t have a clue about how vulnerable their employees were to having their gadgets inspected, copied or confiscated.
So now we know. Spread the word.
Put sensitive data in the cloud? Really? I can't believe that's the advice Sophos is offering. Try using TrueCrypt – free, open source software that makes what amounts to an invisible drive on your computer. The feds can look but they won't even see what's there, so they can't demand a password. This is a MUCH more secure option than putting sensitive info into the (insecure & corporate) cloud.
Personally, I would create a TrueCrypt container and store that in the cloud, then download it when I reached my destination. Storing sensitive data in the cloud is not a bad idea, per se, as long as you encrypt it. Which you should always do with sensitive data anyway. So, you're both right. 🙂
It is unlikely that the feds would not be aware of the hidden/invisible TrueCrypt drives. Detecting the existance of the hidden/invisible drive is trivial and they have the power to demand your passwords.
The TrueCrypt drive could be stored in the cloud out of the reach of the feds.
Doesn't TrueCrypt have a "substitutional drive" feature, when it mounts the fake drive if a secondary password is entered?
Customs Agent: “I demand you give me your password.”
Me: “I forgot my password.”
The End
Ok, we will seize your device…..
This is what they did to me, BTW. Oh, wont unlock it, then we shall detain it indefinitely.
True but if they start poking around they can tell that the partition size isn't showing correct, evidence of a hidden drive. You can put it in the cloud, just encrypt it first.
I too wish that Sohos had given more thoughtful advice. TrueCrypt came to mind immediately.
"Put sensitive data in the cloud? Really? I can't believe that's the advice Sophos is offering."
Sophos didn't offer that advice. It came from one Katie Johnston, a writer for the Boston Globe. Then the author of this article, Lisa Vaas, who seems to be a freelance writer/blogger, suggested three additonal steps that can be taken to protect data.
Agreed, though perhaps information that is not so sensitive should be uploaded?
It's safe if Encrypted in the cloud. And the government will not have an encrypted usb drive to hassle you about.
As others have mentioned, hard disks or drives can be read directly without the need for any password or interface. Your hidden or locked parts of your computer are not at all protected as soon as they take the hard drive out and read it directly (without Windows or Mac OS).
Keep this is mind : all your data that you make invisible or password protected on your computer is not really protected. It only stops someone who opens your computer normally.
Encryption, though, is another matter. Encrypted data remains encrypted even if stolen directly from the hard disk. Then again, US agencies might be able to crack some types of encryption software.
Back-ups, stored in various areas, is the way to go for non secret data. For secret data, encryption stored beyond the border and truly wiped before you reach the border.
All this work to evade the USA where the rule of law is no longer the foundation of democracy.
As Ben already stated, Sophos did not give the advise to use cloud services – but it would also be alright if they did – have a look for Sophos Cloud Encryption – a Software which encrypts your cloud data …
Our government is forgetting that the nature of our nation (the nature upon which this nation was founded) was to prefer liberty over security.
USA is not the land of the free my unitedstatian friend, is the land of the money.
Land of the money? Last time I checked, economic freedom is an essential freedom we Americans enjoy.
Granted, the U.S. Government is doing NOTHING that any government or ruling body has not pulled since Man stepped out of those caves; and yes, when you have been scared by tragedy you don't always see clearly or are you able to reason as you should…but…this is really stretching the limits of casual insanity!…each time something new is pulled on its own citizens, the U.S. Government is inching closer and closer to the cliff's edge — like they're getting ready to join the out of control Lemmings!!…:-(…hmmnn…ANTIDISESTABISHMENTARIANISM!!!…
Whenever I plan to blow up parliament, as indeed I often do, I always carry documents detailing my nefarious plans around on laptop and smart phone. Especially when I travel. Don't we all? Us terrorists, I mean…
Really? You're complaining that "Swordfish" is a poor password for a marine logging into an open source website?
Come on, that's a pretty weak complaint. It's not a classified system or database, and sure, it's dumb to use an english word as a password but it's not like having your Stratfor account hacked is a matter of national security.
I have great passwords for places where it matters. For things like Stratfor, meh.
Debbie: what good it is to encrypt a hidden data store on your laptop if the laptop gets seized? You still lose the data. But an encrypted data store in the cloud means you can still access it, and there is less to find to make them want to seize your laptop.
Its not like we're playing button, button, who's got the button. Using True-Crypt Free to hide a file from detection is an excellent way to encrypt that data and to hide that portion of your hard drive, but it can't fool your computer into thinking that space is free to use. Simple math will alert anyone with at least a 3rd grade education that the difference between the sticker on your lap top that touts a 1TB hard drive and clicking on computer and seeing only 50GB of free space, will probably want to know why the limited apps and programs listed in the menu leave a significant amount of 'dark matter' unaccounted for. Or they can simply look at your disk management and do the math. The idea is the guy or gal doing the checking might not understand what it means, but its enough to make him or her want to confiscate it in order to earn bonus points. The people that he or she would turn it over to, definately have the ability to extract at least enough information to make torturing you worth while. If you don't want to it to be found, don't carry it.
Bravo- great summary Ronald!
, you are absolutely right the best thing with trade secrets etc is dont carry it across borders !, in this day and age all you can do is have sensitive data encrypted and stored on servers were it can be accessed via VPN by people with the right credentials using multi factor authentication. No method is 100% fullproof but at least it will cut out a lot of nasty scenarios. Another thing is if the laptop gets stolen the implications of the data on it are immense compared to when it gets siezed by the feds
What really shocked me about this story was the fact that the guy is a security consultant ( who has worked at MIT ! ) and he had bank account passwords, family photos and names of contacts on a laptop he was travelling with ! What if the laptop had been stolen by nastier people with malicious intent !!
Ronald,
You are ignorant of how hidden volumes work.
When an encrypted volume is created all unused space is filled with random data.
When an encrypted volume with a hidden volume is created, the “random” data is actually a hidden, encrypted volume.
Since an unmounted hidden volume appears random, there is no way to determine if the unused space in the encrypted volume is actually random data, or is a second, hidden encrypted volume.
Neither “simple math”, nor “disk management” is helpful here.
Read the details specific to True Crypt here: http://www.truecrypt.org/hiddenvolume
Stig, you assume (or imply that you assume) that terrorists don't carry information about their plans with them on their computers. How do you know they don't?
Well, of course it’s impossible to know that, so I don’t. Same as I’m pretty sure that you don’t know that they do.
I do know that if I were a terrorist, I certainly wouldn’t… I’m sure some of the more stupid terrrorists are doing it, though. But is it really the stupid ones that we should be worried about?
As always, simple-mindedness simply leaves the TSA itself vulnerable to attack. If I were a terrorist, I might find it ironically delightful to load a laptop with C4 (the battery area would be a nice size, leaving enough room for one or two cells to “boot” the laptop) and gladly provide a “password” to my victims. If I used a 17″ laptop I could probably get more than two sticks of dynamite worth of explosives in that space.
Congratulations.
You are now an official terrorist.
This is very old news. It’s not just the states any country can demand access at their borders in respect of protecting their country. You choose to enter or not. People should not be carrying data across borders they do not wish the authorities to have access to.
Why should we take solace in the fact that the Trade Secrets Act exists and that the Agents will "honor" it when they don't even honor the Bill of Rights?
Uncontrolled search and seizure is one of the first and most effective weapons in the arsenal of every arbitrary government. Among deprivations of rights, none is so effective in cowing a population, crushing the spirit of the individual and putting terror in every heart.
Justice Robert Jackson, chief U.S. prosecutor at the Nuremberg Trials
The US federal government has repeatedly and systematically during both Republican and Democratic control prevented local law enforcement from deporting illegal aliens.
Many planes are cleaned by illegal aliens. Allot of food is handled by illegal aliens. These are severe security risks but the federal government instead is going though hard drives looking for copies of songs that get played on the radio for free anyway.
They are not working to secure the US for citizens. They are working to secure profits for the plutocracy.
Under the Taliban, opium production was almost totally wiped out.
After 10 years of US occupation, Afghanistan now produces over 90% of the entire world's opium. The fields are so big you can see them from space on Google Earth but the US government claims they can't find them.
Our government is infested with organised crime at the highest levels.
To all of you who mentioned TrueCrypt: Got it. Hear you loud and clear. Thanks for that. And also, for the record, yes I am an independent journalist, so please don't blame Sophos for my omissions, but please do continue to give me all this valuable feedback.
Our government is forgetting that the nature of our nation (the nature upon which this nation was founded) was to prefer liberty over security.
Yep. DB Cooper took advantage of that and how is that working for the US now?
what about transferring non-important information (photos, etc) to 2-3 memory cards or portable storage devices? Clean up your laptop/telephone completely (backup important phone numbers by PRINTING your information on paper. Finally MAIL all information to yourself. Is this feasible? Inconvenient method but they want to play “hide and seek” lets see who wins their game! When asked for the reason your computer was wiped out, say “I printed my pictures and mailed them to myself” so if my computer is confiscated I will not lose my trip’s precios moments. Would they still ask if I have a second memory storage device with ME?!