EFF Answers Your Questions About Border Searches
Readers of my deeplink on safeguarding your laptop and digital devices from warrantless searches at the border responded with both questions and answers. Some readers wondered whether you have an obligation not to destroy information on your laptop. Others pointed out that U.S. citizens may be detained, but not turned away, at the U.S. border. Many technologists wrote to offer cryptographic solutions, or warnings about encryption schemes that are not as secure as they should be. In this post, I answer the question about destruction of information and reproduce or summarize, with permission, others' suggestions about protecting your laptop from arbitrary searches. I haven't done any independent analysis of these techniques or tools, so your mileage may vary.
- Duty to delete? A complete discussion of the federal law of destruction of evidence, and of state law on the topic, is beyond the scope of this post (see here for a textbook on the subject). However, individuals who are not anticipating being sued and who do not know they are under criminal investigation generally have no obligation to preserve information on their laptops. If you have notice of an impending civil suit or government investigation, then you are obligated to preserve relevant material. Failure to preserve evidence for a civil suit can result in any of the potential sanctions for discovery violations, including fines and adverse jury instructions. Under federal criminal law, knowing destruction of evidence relevant to a pending judicial proceeding or administrative investigation can be punished with up to twenty years in prison. Further, destroying evidence in furtherance of an illegal scheme may also be aiding and abetting, or conspiracy.
In sum, international travelers trying only to protect privileged information, trade secrets or private communications or photos, have no obligation under federal law to preserve these documents on a laptop so that they may be reviewed by border guards.
- Secure passwords: As for techniques to protect yourself and your privacy, security expert Bruce Schneier offers a guide to securing passwords against an offline password-guessing attack.
- Whit Diffie's advice to Mac users: Don't allow passphrases for encrypted disk files to be saved on your keychain.
Crypto pioneer Whitfield Diffie observes that while the Mac Disk Utility encryption offers perfectly fine AES128 encryption, you must opt out to avoid having the key you give stored on your keychain, i.e., encrypted under your login password. Since login passwords are rarely more than a few characters long, the effect is to render your encrypted file vulnerable to a forensic study of the disk. Once a key has been written to the disk, you have to scrub the whole disk very carefully before you can be sure it is gone.
- Gone but not forgotten: EFF co-founder John Gilmore warns that merely deleting files will not remove them from your hard drive. You must overwrite the file contents. Macs have a "Secure Erase Trash" and Linux machines have "shred -u", which also overwrites the file contents and the file names before removal. A variety of Windows secure wipe utilities are available online.
John adds that secure erasure doesn't work on flash drives (which have an extra layer of data allocation software to do "wear leveling," so that lots of writing to particular parts of the chip doesn't wear out that part prematurely). There are technical ways to physically erase some parts of some flash drives, but I don't know of any file systems that can actually do it.
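To make the overwrite-then-delete step concrete, here is an added example in Python (not code from the original post, and not coreutils' own implementation). It does what `shred -u` does, and, on Linux, first checks whether the file lives on rotating media, because on flash the overwrite never reaches the old cells. The sysfs lookup, the `force` flag and the function names are this example's own assumptions; on other systems the media check simply reports unknown.

```python
"""Overwrite-then-unlink (the operation behind `shred -u`) with a flash-media check.
Added example, not from the original post. The sysfs lookup is Linux-specific."""
import os
import tempfile

CHUNK = 64 * 1024


def media_is_rotational(path):
    """Best-effort check of the medium under `path`.

    Returns True for a spinning disk, False for flash/SSD, None when it cannot tell
    (non-Linux, or a virtual filesystem with no block device behind it).
    """
    try:
        st = os.stat(path)
        # /sys/dev/block/MAJ:MIN resolves to the partition; its parent is the whole disk,
        # and the queue/rotational flag lives on the whole-disk (or device-mapper) node.
        dev = os.path.realpath("/sys/dev/block/%d:%d" % (os.major(st.st_dev), os.minor(st.st_dev)))
        for candidate in (dev, os.path.dirname(dev)):
            flag = os.path.join(candidate, "queue", "rotational")
            if os.path.exists(flag):
                with open(flag) as f:
                    return f.read().strip() == "1"
    except OSError:
        pass
    return None


def overwrite_in_place(path, passes=1):
    """Replace every byte of the file with random data and force it to the device.
    Returns the number of bytes written."""
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b") as f:            # r+b: overwrite in place, never truncate and re-create
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                chunk = os.urandom(min(CHUNK, remaining))
                f.write(chunk)
                remaining -= len(chunk)
                written += len(chunk)
            f.flush()
            os.fsync(f.fileno())             # reach the device, not just the page cache
    return written


def secure_delete(path, passes=1, force=False):
    """Overwrite, then unlink. Refuses on known flash media unless `force` is set.

    On flash the wear-levelling layer writes the new bytes to a different physical cell
    and leaves the old ones behind, so the overwrite proves nothing. Journaling and
    copy-on-write filesystems can likewise keep older copies of the data around.
    """
    if media_is_rotational(path) is False and not force:
        return False
    overwrite_in_place(path, passes)
    os.unlink(path)
    return True


def demo(marker=b"SECRET MEMO ", copies=100):
    """Constructed sample: write a marker file, overwrite it, confirm the marker is gone, delete it."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(marker * copies)
    written = overwrite_in_place(path)
    with open(path, "rb") as f:
        after = f.read()
    deleted = secure_delete(path, force=True)   # force: the machine running this may itself be an SSD
    return {
        "written": written,
        "size_unchanged": len(after) == len(marker) * copies,
        "marker_gone": marker not in after,
        "deleted": deleted and not os.path.exists(path),
    }


if __name__ == "__main__":
    print(demo())
```

In real use leave `force` off and treat a `False` return as the signal that overwriting is the wrong tool for that medium; `demo()` only forces it because it has to run wherever this page is read.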
- Power off before the border: Shut your machine down completely before taking it through customs, ideally many minutes in advance, so that the RAM data-remanence ("cold boot") attack demonstrated by EFF, Princeton University and other researchers cannot be used to recover your disk encryption keys. Sleep mode is not enough: RAM stays powered, and the keys stay in it.
- Eight steps to secure data: Chris Soghoian, a graduate student at the School of Informatics at Indiana University, offers his "Guide to Safe International Data Transport." (Disclosure: I represented Chris pro bono in connection with his boarding pass generator in 2006 and 2007.)
- Truecrypt: Finally, many people wrote in about Truecrypt and its provision of "plausible deniability." A user can create an encrypted volume (which can be an ordinary-looking file on the hard drive) and, inside the free space of that volume, a second, hidden volume. One password opens the outer volume and a different password opens the hidden one. Because Truecrypt fills the outer volume's unused space with random data, and an encrypted hidden volume is itself indistinguishable from random data, an observer cannot tell whether a hidden volume exists even after being given the outer password. This gives a traveler something to decrypt if a Customs official asks, while keeping the rest of your information secure. Two cautions apply. First, the outer volume regards the hidden volume's space as free, so writing to the outer volume without Truecrypt's hidden-volume protection enabled can silently destroy the hidden one. Second, lying to a federal law enforcement officer about material facts is a crime, so if you choose to answer a question about whether there are additional encrypted volumes, you are obligated to answer truthfully.
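As an added illustration of the hidden-volume mechanism (a toy model written for this page, not Truecrypt's code or on-disk format), the following Python builds a container whose unused space is random from the start, so a container with a hidden volume and one without look alike whether or not the outer password is known. The SHA-256 counter keystream standing in for AES, the 64-byte header slots, the `TOYVOL` magic and all function names are assumptions of the example. It also reproduces the first caution above: `append_to_outer` writes into the outer volume with no hidden-volume protection and destroys the hidden one.

```python
# Toy outer/hidden volume container. Added example, not Truecrypt's code or format.
import hashlib
import hmac
import secrets
import struct

MAGIC = b"TOYVOL"      # only readable after the header is decrypted with the right key
HDR_LEN = 64           # each header slot: 16-byte salt + 48-byte encrypted body
SALT_LEN = 16
PBKDF2_ITERS = 50_000


def _derive_key(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS)


def _xor(data, key, label):
    """Stream-cipher stand-in for AES: XOR with SHA-256(key || label || counter) blocks."""
    stream = b"".join(hashlib.sha256(key + label + i.to_bytes(8, "big")).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))


def _write_volume(buf, hdr_off, password, data_off, data):
    """Encrypt `data` at data_off and a header describing it at hdr_off, both under `password`."""
    salt = secrets.token_bytes(SALT_LEN)
    key = _derive_key(password, salt)
    ct = _xor(data, key, b"data")
    tag = hmac.new(key, ct, "sha256").digest()              # detects volume data that was overwritten
    body = MAGIC + struct.pack(">II", data_off, len(data)) + tag
    body += secrets.token_bytes(HDR_LEN - SALT_LEN - len(body))   # random padding
    buf[hdr_off:hdr_off + SALT_LEN] = salt
    buf[hdr_off + SALT_LEN:hdr_off + HDR_LEN] = _xor(body, key, b"header")
    buf[data_off:data_off + len(data)] = ct


def _try_open(buf, hdr_off, password):
    salt = buf[hdr_off:hdr_off + SALT_LEN]
    key = _derive_key(password, salt)
    body = _xor(buf[hdr_off + SALT_LEN:hdr_off + HDR_LEN], key, b"header")
    if not body.startswith(MAGIC):
        return None                                          # wrong password, or nothing in this slot
    data_off, n = struct.unpack(">II", body[6:14])
    tag = body[14:46]
    ct = buf[data_off:data_off + n]
    if not hmac.compare_digest(tag, hmac.new(key, ct, "sha256").digest()):
        return None                                          # header intact, but the data was clobbered
    return _xor(ct, key, b"data")


def outer_capacity(size):
    """Both header slots are always reserved, so the layout never betrays whether the hidden one is used."""
    return size - 2 * HDR_LEN


def create_container(size, outer_pw, outer_data, hidden_pw=None, hidden_data=b""):
    if len(outer_data) + len(hidden_data) > outer_capacity(size):
        raise ValueError("volumes do not fit in the container")
    buf = bytearray(secrets.token_bytes(size))               # unused space is random noise from the start
    _write_volume(buf, 0, outer_pw, HDR_LEN, outer_data)
    if hidden_pw is not None:
        # The hidden volume lives at the far end of what the outer volume regards as free space.
        hidden_off = size - HDR_LEN - len(hidden_data)
        _write_volume(buf, size - HDR_LEN, hidden_pw, hidden_off, hidden_data)
    return bytes(buf)


def open_volume(container, password):
    """Try the outer slot, then the hidden slot; return that volume's plaintext or None."""
    for hdr_off in (0, len(container) - HDR_LEN):
        plain = _try_open(container, hdr_off, password)
        if plain is not None:
            return plain
    return None


def append_to_outer(container, outer_pw, extra):
    """Grow the outer volume with NO hidden-volume protection: it treats the hidden bytes as free."""
    old = _try_open(container, 0, outer_pw)
    if old is None:
        raise ValueError("wrong outer password")
    new = old + extra
    if len(new) > outer_capacity(len(container)):
        raise ValueError("outer volume full")
    buf = bytearray(container)
    _write_volume(buf, 0, outer_pw, HDR_LEN, new)
    return bytes(buf)


def demo():
    """Constructed sample: same outer data with and without a hidden volume, then the overwrite hazard."""
    outer, hidden = b"vacation photos and itinerary", b"privileged client memo"
    with_hidden = create_container(4096, "outer-pw", outer, "hidden-pw", hidden)
    no_hidden = create_container(4096, "outer-pw", outer)
    filler = bytes(outer_capacity(4096) - len(outer))        # fill all of the outer volume's free space
    damaged = append_to_outer(with_hidden, "outer-pw", filler)
    return {
        "outer_opens_either_way": open_volume(with_hidden, "outer-pw") == outer == open_volume(no_hidden, "outer-pw"),
        "hidden_opens": open_volume(with_hidden, "hidden-pw") == hidden,
        "no_hidden_gives_nothing": open_volume(no_hidden, "hidden-pw") is None,
        "wrong_pw_gives_nothing": open_volume(with_hidden, "wrong-pw") is None,
        "outer_still_opens_after_write": open_volume(damaged, "outer-pw") == outer + filler,
        "hidden_destroyed_by_outer_write": open_volume(damaged, "hidden-pw") is None,
    }
```

Two design points carry over to the real thing. The outer volume's capacity always excludes both header slots, so its size does not reveal whether the second slot is in use, and a wrong password is indistinguishable from an empty slot because both just yield noise. And the hazard is structural, not a bug: from the outer volume's point of view the hidden data is free space, which is why Truecrypt offers a protection option when mounting the outer volume.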
I hope these pragmatic tips help people keep their data secure from arbitrary searches at the border.