The Privacy of Your Laptop at International Borders
The blogosphere has been bubbling over the past few weeks over the subject of laptop searches and seizures at international borders. The source of the buzz? A couple of recent court cases.
First, The Ninth Circuit recently held in United States v. Arnold that the Fourth Amendment does not require government agents to have reasonable suspicion before searching laptops or other digital devices at the border, including international airports. The privacy and free speech implications of this decision are very significant because many of us store a wide range of private information on our laptops.
US Customs agents now have free reign to search through all the photos of your personal life, emails to your friends and family, all the e-books you have purchased, and your entire music library. If you have confidential work information about clients, patients, breaking news stories, or business deals, US Customs may attempt to view those materials. And if you try to keep that information private through the use of encryption, you may face a further problem with US Customs.
In a second case currently working its way through District Court in Vermont, United States v. Boucher, the federal government is arguing that it can legally compel someone crossing an international border to enter their data decryption password, in order to search the encrypted files on a laptop computer.
While the right to keep your encrypted data to yourself is making its way through court, there are several documented instances of US customs pressuring travellers into typing in their passwords to enable a "voluntary" search of their data. The Washington Post recently reported this:
A few months earlier in the same airport, a tech engineer returning from a business trip to London objected when a federal agent asked him to type his password into his laptop computer."This laptop doesn't belong to me," he remembers protesting." It belongs to my company." Eventually, he agreed to log on and stood by as the officer copied the Web sites he had visited, said the engineer, a U.S. citizen who spoke on the condition of anonymity for fear of calling attention to himself.
And if you say no to the US Customs agent requesting your data? You may miss your flight (at your own expense). Again, from the Washington Post:
Maria Udy, a marketing executive with a global travel management firm in Bethesda, said her company laptop was seized by a federal agent as she was flying from Dulles International Airport to London in December 2006. Udy, a British citizen, said the agent told her he had "a security concern" with her. "I was basically given the option of handing over my laptop or not getting on that flight," she said.
Legal minds have chimed in on the issues that these cases present. Jennifer Granick of the Electronic Frontier Foundation has weighed in a couple of times, while the gang at the Volokh Conspiracy have discussed the cases at length.
On the technology side of things, CNET's Declan McCullagh and Christopher Soghoian have also given their own advice to avoiding a border search, as has security guru Bruce Schneier. Finally, father of crypto Whitfield Diffie and cyber-activist John Gilmore have further suggestions.
As unfortunate as it is, there doesn't seem to be any disagreement that if you have data on your laptop, US customs may try look at it. The real question is whether or not to try to maintain confidentiality of data through encryption. There are essentially three different methods:
- Encrypt your data with one of many off-the-shelf encryption tools. Most modern operating systems (Mac OS X, Windows Vista, and Linux) include disk encryption support out of the box.
- Encrypt the data with TrueCrypt, or one of the other encryption suites specializing in plausibly deniable encryption. TrueCrypt has multiple layers of encryption, which can be peeled back depending on the situation. When stopped by law enforcement, a TrueCrypt user would simply peel back the first layer, which would only reveal a collection of innocent and boring files. Other more confidential files could still be behind additional layers of data.
- Encrypt the data, and either email it to yourself, upload it to an online storage service, or burn it to DVD, and mail it to your final destination. Then, securely erase your laptop, re-install a fresh operating system onto the machine, and pass through US Customs, calm and content with the knowledge that you are not in possession of anything that could cause you legal problems.
The first solution is very problematic. A US Customs agent will turn on your laptop, see the encrypted partition or folder, and ask you for your password. If you are a US citizen, saying no may lead to you losing your laptop. If you are not a US citizen, you may be rejected entry to the US. No matter what happens, the mere presence of encryption software is likely to lead to you being exposed to significantly more suspicion.
The second solution, while an innovative application of technology, also has many problems. If a user has hidden the entire encrypted folder, or has opted to use the multiple levels of plausibly deniable encryption, they can still be undone with two simple questions: "Sir, do you have any encrypted data on this disk?" and "Sir, do you have any additional encrypted data on this disk?"
This can put you in a very bad situation-disclosing the data or lying to law enforcement. Lying to US Customs or other law enforcement officer may result in criminal prosecution. Just ask Martha Stewart, who was indicted, under Title 18, United States Code, Section 1001, for lying to federal government agents.
So, the only way to protect your confidential information until the law is settled may be option number three. Prepare and encrypt your data ahead of time, and upload that encrypted data to the Internet. When you do get stopped by a US Customs agent, you will be able to truthfully state that you have no sensitive or encrypted data at all on the computer. With a clean laptop, you can travel through customs with confidence that confidential data will remain protected.
Nicole A. Ozer is the Technology & Civil Liberties Policy Director at the ACLU of Northern California.