How to Secure Your Laptop Before Crossing the Border
By Luigi Benetton
Here’s what you need to know about data searches at he United States border, and how you can protect sensitive data.
August 2009 Update: The U.S. announces revised and sweeping guidelines on border searches of electronic devices: “The U.S. Department of Homeland Security released directives regarding its data search policy on August 27, 2009, which detail what constitutes a lawful search and the process governing devices that are reviewed and/or detained at the border. Solicitor-client material stored on a laptop will not necessarily be exempt from data searches under the guidelines, but it might invoke new procedures that apply to sensitive documents.” View article
Do you regularly travel to the U.S. on business? If you take confidential information of any kind with you, take heed: US policy allows offers of Customs and Border Protection (CBP) to search and confiscate computers, phones, personal digital assistants, cameras, digital music players and other data-storing devices. Operating under the U.S. Policy Regarding Border Search of Information, agents have also downloaded the contents of entire computer hard drives and other storage media for later review. (Note: similar situations occur at the borders of other countries as well.)
For many travelers, CBP reassurances that confidential data is handled carefully ring hollow. And travelers who resist searches, even by insisting that such searches would require a warrant and probable cause if conducted within the United States, can be detained, sent back to their country of origin or otherwise grievously inconvenienced.
These recent developments have many legal experts and others asserting that the “border privacy” playing field is undeniably tilted in favour of border agents.
This article suggests 10 steps you can take to shield sensitive information, like that protected by solicitor-client privilege, when crossing the border. Each one comes with caveats, the most important of which is that there are no guarantees. You should consult an IT security expert to help you choose the best options for your needs.
1. Be Anonymous
Thousands of travelers cart thousands of devices through America’s borders each day. The CBP has to weigh security concerns with the limited time available for searching.
Many travelers believe the odds will stay in their favour. If you aren’t one of these, read on.
2. Travel with a “Bare” Computer
Be “forensically clean”
The CBP can’t read what a computer doesn’t contain. That’s why certain companies give their employees “forensically clean” computers for travel. These computers contain the operating system, required applications, and little or no data.
Once at their destinations, employees work with data stored on company servers via secure virtual private network (VPN). (Secure connections are a must since, under certain circumstances, U.S. law permits interception of e-mail and remote server connections.)
Employees may download files to their computers, upload the results of their work to company servers and “forensically clean” their computers before traveling again.
Given widespread availability of broadband Internet access throughout the United States, traveling with a clean laptop presents few problems unless particularly large files or problematic Internet access hampers the employee’s ability to access data.
Use software with "Saas"
Following in the footsteps of phenomena such as Google Docs, more companies offer software based on the Internet. All their customers need to access these applications is a standards-compliant web browser.
Conceptually, customers use software as a service (SaaS – on the software developer’s servers) rather than as a product (on a computer’s hard drive). And, importantly, the data resides on the same server as the SaaS application.
This tactic is less secure than total forensic cleanliness for several reasons, not the least of which is your web browser. It records your Internet activity using cookies, history and other data. Delete all these traces of your Internet activity before you board your next flight. (For more information, refer to "Files to Delete” sidebar.)
Saas: One issue to Consider
What if border agents really want your data? If a server (your company’s or a SaaS provider’s) resides within America’s borders, the US Patriot Act enables US government agents to access your data (and impel the SaaS company to keep the breach quiet).
Should the data reside outside US borders but the company head office or chief executives reside within, the data must be turned over upon request or the company/executives may face charges.
Files to Delete
Not everybody travels with forensically clean laptops provided by their firms. If this describes you, consider the following list of file types to remove from computers you take across borders.
Documents
Look for all the usual suspects like .doc, .xls, .ppt, .pdf and so forth.
Mac owners: since the Mac does not need to save files with file name extensions, you might miss file types by searching for extensions. Make sure the Mac shows all file name extensions before you search.
E-mail and PIM information
Carefully review your email for messages you can delete.
Personal information managers store calendars, tasks, contact lists, notes and other information – check this as well.
Temporary files and folders
Various programs keep copies of documents and other information in temporary folders, and do not always delete them once you quit the program.
Temp files can reside in several places: a global search on the word “temp” will help find them, as will consultation of the software’s documentation.
Photos
Look for files with extensions like .jpg, .png, .gif and so forth, as well as information inside image handling software you use (e.g. Adobe Photoshop, Apple iPhoto).
Certain digital cameras produce RAW photos, some in proprietary formats with esoteric file name extensions. Check your camera manual for specifics.
Virtual memory
To supplement the RAM, the operating system may use a part of your hard drive as “virtual RAM.”
Windows allows you to turn virtual memory off. If you can’t live with the performance hit, make sure your entire hard drive is encrypted.
Browser data
Whenever you surf the Web, your browser records your wake in its history of pages visited, a cache containing downloaded pages, the cookies any sites might write to your hard drive, the names of any files you downloaded and so forth.
The default settings in most browsers allow a certain amount of this information to build up on your hard drive. Change those options so that the browser promptly deletes all such information once you shut down the browser, or soon after. Recommendation: Mozilla Firefox can automatically delete all surfing traces each time you shut down the browser.
|
3. Turn Off Your Computer, Early
If you must bring data on your computer, turn it off five minutes prior to reaching customs.
While running, computers store unencrypted information in random access memory (RAM). If you walk through customs with a computer in sleep mode, the RAM shows what you were working on.
RAM does not void itself of information until five minutes after the computer has been turned off. So when the “Fasten Seat Belt” sign comes on, turn your computer off.
4. Back Up Your Data
Should border agents confiscate your computer, they won’t stop your ability to work billable hours – as long as you left a copy of your data in a safe place, such as another hard drive or your company’s servers, and you can quickly recover all that data (documents, calendars, e-mail and so forth.)
5. Use a Different User Account to Hold Sensitive Information
Any modern computer can be used by different people, each with their own sets of documents. Users can password-protect their accounts so other users with access to that computer can’t access documents that don’t belong to them.
Privacy application: the traveler can use the computer via a “clean” non-administrative account while in transit and carry sensitive documents in a “safe” account for which the traveler does not know the password. Upon confirmed arrival at the final destination, the colleague who created the “safe” account can send the password to the traveler via secure e-mail.
Meanwhile, all that travelers can do at customs when asked about other accounts is shrug their shoulders. (Remember, all accounts should be encrypted.)
Choose Perplexing Passwords
Is your password your company’s name, your own name, the word “password” or something else that’s easy for you to remember?
Here’s a reality check: modern password-guessing software can generate tens or even hundreds of thousands of guesses a second – and it starts with the most commonly used passwords.
However, if your computer is confiscated, forensic specialists rarely try to “crack” a password. Instead, they look for places where your computer might have written the password to the hard disk (registry, swap files, deleted space), or places where a user may have done so (e-mail, contact file, text file). Strong encryption that covers the whole drive provides a good first line of defence.
Security experts still recommend you make passwords as difficult to crack as possible. Here are a few hints:
- Don’t use actual words, which are susceptible to “dictionary attacks” where programs throw every word in the dictionary at your signin system until one works.
- Choose longer passwords over shorter ones.
- Don’t use passwords like your name, age, address, or any other personal information of yours or of people you know.
- If the software allows, make passwords case-sensitive. Sprinkle upper-case and lower-case liberally throughout the password.
- Again, if the software allows, include numbers, punctuation and special characters as well as letters.
|
6. Partition and Encrypt Your Entire Hard Drive
Hard drive partitioning, like encryption, is a common IT practice that enables people to use a hard drive as though it were two or more drives. These partitions can be encrypted using different passwords. And some of today’s partitioning tools can hide partitions.
Privacy application: Encryption and partitioning, when combined, allow a traveler to decrypt a partition that contains “safe” data for border agents to inspect. Agents might not know to look for other partitions if the partitioning tool hides them – a tactic known as steganography.
To increase the chances this subterfuge will work, buy a larger hard drive for your laptop, make the “safe” partition the same size as that of the drive sold “standard” with the laptop, and put the rest of the hard drive in other partitions.
Even if you don’t partition, strong encryption of an entire computer hard drive, and electronic data of any sort, is a security best practice and should not raise eyebrows.
Why the entire hard drive? Certain programs can record information outside of encrypted areas without a user’s knowledge.
While strongly recommended, encryption is not foolproof: border agents can simply ask you to type your password. The consequences of denying this request could prove onerous.
7. Protect FireWire Ports
FireWire is a type of data port that allows for faster data transfers than are possible via USB. Certain higher-end Windows-based computers and just about every Mac in existence has FireWire.
The CBP can quickly copy an entire hard drive via FireWire. Macs let their owners block this option by setting an Open Firmware Password. Consult your IT provider for advice on how to protect your FireWire port.
8. Store Data on Small Devices
Camera memory cards and USB memory keys can store huge amounts of data. Since they’re small, you can carry them inconspicuously. Also because they’re small, they are easily lost, and just as easily confiscated by border agents if found, so use strong encryption on these devices as well.
The Ironkey is a military-grade USB flash drive that actually self destructs after 10 failed login attempts. (https://www.ironkey.com).
9. Protect Phones and PDAs
Phone records, text messages, emails, documents – today’s phones, particularly smartphones like RIM’s BlackBerry, Apple’s iPhone and Palm’s Treo carry amazing amounts of information.
But keep the device as “clean” as possible if you think it might be confiscated. Also, enable any password locking and encryption tools, if available.
Another possible solution: certain smartphones can be “wiped clean” remotely when they are reported lost. And every one allows users to synchronize the data on them onto their computers so that they can quickly put the data onto a replacement unit should the need arise.
10. Clean Your Laptop When Returned
Border agents might even return confiscated laptops with a little something extra: spyware that tracks the owner’s computer activity and sends log files back to “Big Brother.”
“Fedware” may be invisible to onboard spyware scanners, so the first thing to do when you get your laptop back is to boot it using an external drive and scan the onboard drive for anything that should not be there.
Tools for Protecting Electronic Data
Want to protect your electronic data? Here are a few tools that might come in handy, some of which you might already have. (Comprehensive lists of such tools reside on www.VersionTracker.com and other software lists on the web.)
Encryption and hard drive partitioning
Modern computers ship with their own encryption tools. Microsoft bundles Bitlocker Drive Encryption on certain versions of Windows Vista while Apple includes FileVault on every Mac.
If you need more sophisticated options, PGP Disk and TrueCrypt lead a largely capable pack of hard drive encryption options.
Password generator
Not sure whether your password is up to snuff? Download a password generator that can take away the guesswork.
(Mac owners already have Apple’s Password Assistant, stowed away in the Accounts System Preference application that Apple offers if owners want help creating a password for a new account on the Mac.)
For more information on passwords, refer to the "Choose perplexing passwords" above.
File shredders
When you delete a digital file by emptying the Recycle Bin/Trash Can, the operating system doesn’t actually obliterate the file – it just refuses to recognize its existence and allows other applications to overwrite that section of the hard disk. That’s why files that owners think are long gone can turn up under forensic examination. It’s like the difference between putting a piece of paper in a recycling bin and throwing it into a roaring fire.
In addition to software designed specifically for the purpose, today’s major operating systems ship with “secure delete” features that overwrite specific portions of the hard drive to the point that the original file is unrecognizable and unrecoverable.
|
|
Comments/Discussion
Truecrypt would be one of the best programs to use if you are going through customs. Many times I tell them its a freshly formated hard drive, since I have the boot screen turned off. All that shows up is "Missing Operating System" :-). Works everytime.
By: Anonymous
Posted: 06-18-09
Reply to this Post
Back to Top
|
|
"clean", "encrypt", "delete", all of these mean nothing to the guy with the right software. Best bet, don't travel with the laptop, FED-EX it.
By: Anonymous
Posted: 03-03-09
Reply to this Post
Back to Top
|
|
I use a combination of these techniques along with Truecrypt's option for DENIABLE ENCRYPTION. This was not covered in this article at all. You are able to encrypt a file/partion/drive with a crypted inner and outer layer, the inner layer looking like empty space. It requires two separate passwords. So if forced to reveal one's password, you can keep 'official' looking files within the outer layer of protection, while the inner layer protects you files from prying eyes/equipment. You can do this PKI, designated 'key files' and plain old passwords, or any combination of the three. I would recommend this as the only option when traveling with a production level laptop. Truecrypt can even be installed to a keyfob that is mailed to the destination, with keyfiles being hosted on a https enabled webserver or VPN, that can be anyplace on the planet for even greater protection. It's a shame the US has become Amerika.
By: Anonymous
Posted: 03-03-09
Reply to this Post
Back to Top
|
|
Tip #1 is "Be Anonymous". What does that mean? How does one accomplish that goal?
By: Anonymous
Posted: 01-01-09
Reply to this Post
Back to Top
|
|
IT pro, and american attorney, here ... Add one more: (11) Enable BIOS password. That way they will most likely come to you if they want to be boot the machine. (12) Think twice about storing encrypted material on flash media. Many flash devices use ware-leveling techniques that may compromise your encryption if not first disabled.
By: Richard Abbott
Posted: 12-09-08
Reply to this Post
Back to Top
|
|
Hi You are going to have to find another analogy for Desktop applications soon, already Microsoft offer Outlook as a SaaS ap, and have seen articles that Word, or Office will be launched next year. But as the articles said "Welcome to SaaS Microsoft, see you in a year or so!" You comment on Hard drives is very true, roll on the day we walk around with solid state memory sticks or security usb devices, and plug into just about anything to do our work! ;-)
By: Malcolm Pearson
Posted: 12-09-08
Reply to this Post
Back to Top |
|
Let's say someone gets a hold of your laptop. Is there a way to give them any type of a virus that will shut them down when they try to get into your files ?
By: Anonymous
Posted: 10-24-08
Reply to this Post
Back to Top
|
|
It is important to note that deleting files via the trash or recycling bin does not actually erase them, but merely deletes the files necessary to easily access them. Data is only permanently erased from your hard drive when the space occupied by it is overwritten with other data. With a mac, when deleting confidential files and information, choose "Secure Empty Trash", rather than simply "Empty Trash", from the "Finder" menu. For the truly security-conscious, before travelling with your Mac laptop it is prudent to overwrite "empty" space on your hard drive. To do this, boot your computer from an external drive or CD, run Disk Utility, select your device from the list on the left, select the "Erase" tap near the top of the window, and select "Erase free space". You have the option of Zeroing out data or overwriting it 7 or 35 times. 7 is probably the best balance of practicality and security, but may take several hours with a larger hard drive. Zeroing the data may only take a couple of hours and will likely foil a border guard, and possibly even a data recovery service.
By: Ryan Androsoff
Posted: 10-24-08
Reply to this Post
Back to Top |
|
The wonders of modern technology are also its hydras and medusas. This is ridiculous. There should be a follow up article on CARNIVORE and ECHELON (and there is one other, but I cannot recall the name) which are surveillance systems which sweep all phone calls, e-mails, cell calls and all other forms of communication. How do these systems impact on confidentiality and solicitor client privilege? I imagine that smoke signals are probably safe, as I do not believe that the Earth is observed in real time by those cameras above us, but there really is no way to hide. If it is to be confidential, store it in your wetware (i.e. your brain) and nowhere else. Everywhere else can be intercepted and cracked if the government (or anyone else for that matter) is that interested. Welcome to the world of "Enemy of the State" and "Eagle Eye." These films are not nearly as far fetched as you might think!
By: Anonymous
Posted: 10-24-08
Reply to this Post
Back to Top
|
|
Great article!
By: Anonymous
Posted: 10-24-08
Reply to this Post
Back to Top
|
|
It's sad what we have come to. I work in IT, and have been taking some of the aforementioned precautions, as well as some of my own tricks. Often times, however, I don't go through with it, and I've never been stopped by our Patriot Act-happy Customs Officers.
By: Max
Posted: 10-06-08
Reply to this Post
Back to Top
|
|
There is a case where US authorities insisted that a traveler provide the password to an encrypted hard drive partition on his laptop because they suspected child porn. He refused, citing the 5th Amendment’s protection against self-incrimination. So far the US courts have agreed with the traveler but this case could find itself before the Supreme Court, who will decide whether encrypting hard drives and using complex passwords are good strategies for thwarting US border agents. Click here for a short summary.
By: Sandra
Posted: 09-29-08
Reply to this Post
Back to Top |
|
Is this not an issue with the Canada Border Services Agency when returning to Canada?
By: Anonymous
Posted: 09-29-08
Reply to this Post
Back to Top |
|
What of the extended reach that the US government claims over companies that have operations in the US and that are required to turn over their information. What of entities such as Telus, Shaw etc? How safe is our data when using those services in Canada? Do our privacy laws protect us from intrusion from the US government?.
By: David Mohr
Posted: 09-25-08
Reply to this Post
Back to Top
|
|
Some laptops come with a security feature where they cannot be enabled unless a finger print is taken and processed by the lab top. Would this feature potentially raise any other issues, or additional protection?
By: Brian
Posted: 09-25-08
Reply to this Post
Back to Top |
|
Are we entitled not to tell the US agents our password if they ask? Would they be able to refuse entrance on that basis or would other adverse consequences follow?
By: Tim Kennedy
Posted: 09-25-08
Reply to this Post
Back to Top
|
|
This was an excellent article. Short and to the point. The issue was not on my radar, but should have been. Thanks. A good example of CBA informing its members.
By: Anonymous
Posted: 09-24-08
Reply to this Post
Back to Top |
|
I like the "bare laptop" approach. Given that a lawyer would be expected to have a variety of solicitor-client privileged data on his/her laptop from time to time, what product or operating system function allows you to "shred" that data on your computer, to make it forensically clean ? (I cross borders all of the time, with Client sensitive customs data - problems, audit issues, exposures), which would not be good in the hands of customs itself). A fuller description on that operating system process or software (i.e., how to actually do it), would be helpful. Best regards, Rob.
By: Rob
Posted: 09-24-08
Reply to this Post
Back to Top
|
|
Good article and a must read for all computer users!
By: Jennifer
Posted: 09-24-08
Reply to this Post
Back to Top |
Neither the author nor the CBA should be construed as endorsing any product or website listed in this article. The views expressed in this article are those of the author and do not necessarily reflect the views of the CBA.
In this document, any reference to "jurist" or "lawyer" includes, where appropriate, "Québec notary". |
|
|
Printer Friendly