EFF’s Guide to Protecting Electronic Devices and Data at the U.S. Border

Store the information you need somewhere else, then download it when you reach your destination. Store your confidential data on your employer’s servers or with a third party. Then take a clean device on your trip, download the information you need when you’ve reached your destination, and securely delete the files from your device before you return home.

This approach doesn’t offer absolute protection for the data you’ve stored elsewhere. The FISA Amendments Act of 2008 loosened the requirements for government surveillance of people reasonably believed to be located outside the United States, so international communications can now be monitored without a warrant. Furthermore, law enforcement officers can access communications stored by third-party providers through the Electronic Communications Privacy Act as long as they have appropriate legal process, which might not be more than a subpoena in certain circumstances.

If your goal is to keep border agents from perusing vacation photos on your camera, storing your files with a third-party service and then deleting them from your device might be fine. (Note, however, that deleted images on a camera, if not actively overwritten, can be easily undeleted, just like other kinds of computer files.) But if you’re concerned about government access to confidential business email, encrypting your data is a more effective solution. Also use an encrypted VPN, and/or SSH or HTTPS, to send and receive communications and other data while abroad.

Protect the data on your devices with passwords. Many devices such as laptops and phones give you the option to set a password, numeric PIN, pattern or other authentication method to control access to your data. Take advantage of this security feature to give your data a little more protection.

As with encryption keys, border agents can’t force you to turn over passwords. However, researchers have demonstrated flaws that make it easy to get around iPhone passcodes, and Android patterns are often not hard to identify. And, as we discuss below, user-account passwords, if not combined with encryption, can always be bypassed by simply removing the hard drive and putting it in another machine.

You might also consider creating separate password-protected user accounts on your laptop for your personal data and work data. Then you can allow a border agent to examine your own account, while storing client data or trade secrets in a separate account controlled by your employer. Your employer might disclose the password for this account to you only after you reach your destination.

Under certain circumstances, a border agent might be satisfied to take a look at your personal data. But simply storing confidential information in a separate password-protected account will not absolutely shield that data from government scrutiny. Many forensic search tools can access and search unencrypted data in every account on a machine, even if you yourself don’t know the passwords to log in to those accounts or don’t have administrative privileges on the machine. An agent can use these tools, for instance, by taking the hard drive out of your machine and putting it in their investigative machine. This allows reading the data right off the disk, regardless of the file and account permissions in your operating system. Don’t rely on passwords to be your only form of security — encryption is still critically important to protect the information stored on a device.

For more thoughts on protecting data at the border, see Wired’s wiki on how to protect data during border searches, Declan McCullagh’s Security Guide to Customs-Proofing Your Laptop, and Chris Soghoian’s Guide to Safe International Data Transport.

This guide was written by Marcia Hofmann and originally published at the Electronic Frontier Foundation.

Related Posts

MasterCard’s Support for COICA Threatens A Free And Open Internet In the last months of 2010, the WikiLeaks wars reminded transparency activists of something copyright and trademark lawyers know all too well – online...
U.S. Government Seizes 82 Websites: A Glimpse at the Draconian Future of Copyright Enforce... Over the past few days, the U.S. Justice Department, the Department of Homeland Security and nine U.S. Attorneys’ Offices seized 82 domain names of ...
10 Reasons for Developers to Love HP webOS There comes a time in a Linux-loving geek’s life when he or she needs a new challenge. Making desktop apps isn’t hacking it anymore and building yet-a...
Bringing the ‘social’ out of the operator walled gardens A ‘walled garden’ is the term aptly applied to the last decade of mobile operator services. And Facebook is the generic name aptly applied to the soci...
Why I will not buy Google’s Cr-48 Chrome Notebook The Cr-48 is Google's cloud-based notebook computer. It was announced just this week, and is being made available to a select few. In computer-speak, ...
The Revolution Will Not Be Properly Licensed We see it everywhere. Corporations are trying to take control over our communications tools, citing copyright concerns. Frequently, they are assisted ...

We Recommend These Vendors

Launch an SSD VPS in Europe, USA, Asia & Australia on Vultr's KVM-based Cloud platform starting at $5:00/month (15 GB SSD, 768 MB of RAM).

Deploy an SSD Cloud server in 55 seconds on DigitalOcean. Built for developers and starting at $5:00/month (20 GB SSD, 512 MB of RAM).

One Comment

  1. Pingback: Tweets that mention EFF’s Guide to Protecting Electronic Devices and Data at the U.S. Border -- Topsy.com

Leave a Comment

Your email address will not be published. Required fields are marked *