EFF’s Guide to Protecting Electronic Devices and Data at the U.S. Border

Store the information you need somewhere else, then download it when you reach your destination. Store your confidential data on your employer’s servers or with a third party. Then take a clean device on your trip, download the information you need when you’ve reached your destination, and securely delete the files from your device before you return home.

This approach doesn’t offer absolute protection for the data you’ve stored elsewhere. The FISA Amendments Act of 2008 loosened the requirements for government surveillance of people reasonably believed to be located outside the United States, so international communications can now be monitored without a warrant. Furthermore, law enforcement officers can access communications stored by third-party providers through the Electronic Communications Privacy Act as long as they have appropriate legal process, which might not be more than a subpoena in certain circumstances.

If your goal is to keep border agents from perusing vacation photos on your camera, storing your files with a third-party service and then deleting them from your device might be fine. (Note, however, that deleted images on a camera, if not actively overwritten, can be easily undeleted, just like other kinds of computer files.) But if you’re concerned about government access to confidential business email, encrypting your data is a more effective solution. Also use an encrypted VPN, and/or SSH or HTTPS, to send and receive communications and other data while abroad.

Protect the data on your devices with passwords. Many devices such as laptops and phones give you the option to set a password, numeric PIN, pattern or other authentication method to control access to your data. Take advantage of this security feature to give your data a little more protection.

As with encryption keys, border agents can’t force you to turn over passwords. However, researchers have demonstrated flaws that make it easy to get around iPhone passcodes, and Android patterns are often not hard to identify. And, as we discuss below, user-account passwords, if not combined with encryption, can always be bypassed by simply removing the hard drive and putting it in another machine.

You might also consider creating separate password-protected user accounts on your laptop for your personal data and work data. Then you can allow a border agent to examine your own account, while storing client data or trade secrets in a separate account controlled by your employer. Your employer might disclose the password for this account to you only after you reach your destination.

Under certain circumstances, a border agent might be satisfied to take a look at your personal data. But simply storing confidential information in a separate password-protected account will not absolutely shield that data from government scrutiny. Many forensic search tools can access and search unencrypted data in every account on a machine, even if you yourself don’t know the passwords to log in to those accounts or don’t have administrative privileges on the machine. An agent can use these tools, for instance, by taking the hard drive out of your machine and putting it in their investigative machine. This allows reading the data right off the disk, regardless of the file and account permissions in your operating system. Don’t rely on passwords to be your only form of security — encryption is still critically important to protect the information stored on a device.

For more thoughts on protecting data at the border, see Wired’s wiki on how to protect data during border searches, Declan McCullagh’s Security Guide to Customs-Proofing Your Laptop, and Chris Soghoian’s Guide to Safe International Data Transport.

This guide was written by Marcia Hofmann and originally published at the Electronic Frontier Foundation.

Related Posts

The Message of Firesheep: “Baaaad Websites, Implement Sitewide HTTPS Now!” The Firesheep Firefox extension has been scaring users across the Internet since its introduction at the Toorcon security conference this past weekend...
Top 10 upcoming Android tablets Contrary to popular belief, the iPad 2 isn’t the only tablet computer in the world. Yes, it is rather wonderful, and the game support is staggering, b...
The top 10 best Android games of 2010 The history books will doubtless look back on 2010 as the year the whole Google mobile platform idea really took off. As the year closes out, the qual...
Why I will not buy Google’s Cr-48 Chrome Notebook The Cr-48 is Google's cloud-based notebook computer. It was announced just this week, and is being made available to a select few. In computer-speak, ...
No, iPhone location tracking isn’t harmless and here’s why It didn’t take long for the blogosphere to respond to research presented on Wednesday that detailed a file in Apple iPhones and iPads unknown to the v...
Clear evidence that cell phone use increases the incidence of head cancers We believe that urgent action is needed to protect our children and young people from a epidemic of brain and other tumours in 10 to 30 years time. Th...

We Recommend These Vendors

Launch an SSD VPS in Europe, USA, Asia & Australia on Vultr's KVM-based Cloud platform starting at $5:00/month (15 GB SSD, 768 MB of RAM).

Deploy an SSD Cloud server in 55 seconds on DigitalOcean. Built for developers and starting at $5:00/month (20 GB SSD, 512 MB of RAM).


One Comment

  1. Pingback: Tweets that mention EFF’s Guide to Protecting Electronic Devices and Data at the U.S. Border -- Topsy.com

Leave a Comment

Your email address will not be published. Required fields are marked *

*