Slashdot Log In
Tips For Taking Your Laptop Into and Out of the US?
Posted by
timothy
on Thu Oct 09, 2008 03:30 PM
from the hug-a-tsa-agent-with-fervor-and-passion dept.
from the hug-a-tsa-agent-with-fervor-and-passion dept.
casualsax3 writes "I'm going to be taking a week long round trip from NYC to Puerto Vallarta Mexico sometime next month, and I was planning on taking my laptop with me. I'll probably want to rip a few movies and albums to the drive in order to keep busy on the flight. More important though, is that I'm also going to be taking pictures while I'm there, and storing them on the laptop. With everything in the news, I'm concerned that I'll have to show someone around the internals of my laptop coming back into the US. The pictures are potentially what upsets me the most, as I feel it's an incredible violation of my privacy. Do I actually need to worry about this? If so, should I go about hiding everything? I've heard good things about Truecrypt. Is it worth looking into or am I being overly paranoid?"
Related Stories
[+]
Your Rights Online: FISA and Border Searches of Laptops 421 comments
With the recent attention to the DHS's draconian policy on laptop searches at borders, a blog post by Steven Bellovin from last month is worth wider discussion. Bellovin extrapolates from the DHS border policy on physical electronic devices and asks why authorities wouldn't push to extend it to electronic data transfers. "...it would seem to make little difference if the information is 'imported' into the US via a physical laptop or via a VPN, or for that matter by a Web connection. The right to search a laptop for information, then, is equivalent to the right to tap any and all international connections, without a warrant or probable cause. (More precisely, one always has a constitutional protection against 'unreasonable' search and seizure; the issue is what the definition of 'unreasonable' is.)"
This discussion has been archived.
No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
Full
Abbreviated
Hidden
Loading... please wait.
If you're that worried... (Score:5, Informative)
...encrypt it. Full disk encryption is relatively cheap, easy, and unobtrusive.
You gave one such example in your post.
But uh, mind if I ask: exactly what kind of pictures are you planning on taking on your vacation? ;-)
Re:If you're that worried... (Score:5, Insightful)
Parent
Re:If you're that worried... (Score:5, Insightful)
...encrypt it. Full disk encryption is relatively cheap, easy, and unobtrusive.
And ineffective, unless your privacy is worth more than the cost to piss them off and have to replace your laptop.
Parent
Re:If you're that worried... (Score:5, Insightful)
But uh, mind if I ask: exactly what kind of pictures are you planning on taking on your vacation? ;-)
It shouldn't matter what kind of pictures he takes. It is none of their business.
Parent
Re:If you're that worried... (Score:5, Funny)
It shouldn't matter what kind of pictures he takes. It is none of their business.
I think he was more concerned about our amusement than their business.
Parent
Re:If you're that worried... (Score:5, Insightful)
But uh, mind if I ask: exactly what kind of pictures are you planning on taking on your vacation? ;-)
A subtle "if you have nothing to hide then you have nothing to fear" poke. Haha.
It doesn't matter what kind of pictures he takes with him on vacation. He doesn't want a bunch of random law enforcement officials looking at his private pictures. Understandably.
Parent
Re:If you're that worried... (Score:5, Insightful)
There's only one solution that guarantees that nobody will rifle through your data: don't bring it with you through the border crossing. That's what servers are for... and SSL, or at least SSH/SCP/SFTP.
Parent
Re:If you're that worried... (Score:5, Insightful)
Truecrypt would not help: If they really wanted to see your content they could ask you to show it to them or alternatively confiscate your laptop and decrypt it themselves.
Truecrypt provides plausible deniability - the capability to create a hidden encrypted volume within another encrypted volume, thereby allowing you to grant access to unimportant/dummy data when a password is asked for without the attacker knowing additional information even exists.
As for the US government just decrypting the colume themselves, as far as I know they simply don't have that capability. If your boss knows otherwise or has knowledge of ways to defeat Truecrypt's plausible deniability then (s)he should provide some kind of evidence to back that up, otherwise this just sounds like uninformed guesswork or pure tinfoil-hattery.
Parent
Re:If you're that worried... (Score:5, Insightful)
Truecrypt provides plausible deniability - the capability to create a hidden encrypted volume within another encrypted volume, thereby allowing you to grant access to unimportant/dummy data when a password is asked for without the attacker knowing additional information even exists.
Well, there's that, and the fact that no file can be positively identified to be a Truecrypt volume. Until you you give a password it just appears to be random data. High entropy random data, but the guy at the border is looking for a 5 minutes spree tops - I seriously doubt he knows what entropy is let alone enough to check for it.
If you're that worried create a volume with nearly same size as your system RAM, keep it in a directory with some source code (even write a stupid program that will crash if you want) and just name it "core" or "core.dumped". If asked about it tell them when you were testing your program (that does whatever you want to maekup) it crashed and dumped memory to file. It's probably just corrupted nonsense . . .
Parent
Re:If you're that worried... (Score:5, Informative)
Yes, I was going to recommend plausible deniability as well.
Here's a little more info about how it works. Basically, you set up a container and a hidden volume. Each has its own passphrase. To open the hidden volume, you use its passphrase when opening the container. To open the container with dummy data, you type its passphrase. It's very simple and quite hidden if done correctly. To be safe, it's best to access the hidden volume from a live CD so the OS doesn't break your deniability by storing temporary files or "recently accessed documents" etc.
However, there is one big note of caution. Do not back up the container. Ever. An attacker could look at the change over time and determine there is a hidden volume. That's probably too paranoid for your case but it's worth mentioning.
Parent
Re:If you're that worried... (Score:5, Informative)
No, they cannot "sieze your laptop" if you don't give them the encryption password; a strict reading of the policy is that the laptop can be seized in any event, encryption or no. There is NO REQUIREMENT to provide anyone with an encryption password under any circumstances. The existing policy doesn't even speak to encryption. In fact, leading privacy advocates recommend encryption [cnet.com] as the most deisrable solution.
You guys do realize that customs agents at the border have ALWAYS had the right -- without a warrant -- to perform reasonable search and inspection of all physical objects and persons coming into the United States; this policy was designed to expand those longstanding inspection rights to electronic data.
In its current state, it's a poorly written policy. The fact is, no one is going to look at the contents of your laptop, much less be seizing it. (Do you guys actually travel internationally?)
Parent
Re:If you're that worried... (Score:5, Informative)
No, they cannot order you to provide the keys to decrypt or force you to decrypt the hard drive/files yourself. There was a recent case (I think it was United States v. Boucher [wikipedia.org]) regarding this issue, but here in the U.S. (for the time being) you are not required to aid law enforcement officials in essentially self-incriminate yourself. In the U.K. you are required to hand over your encryption keys if law enforcement demands it, I think--someone correct me if I am wrong there.
Parent
don't take data across the border (Score:5, Informative)
Throw a clean install on your laptop, and put your critical data on a server so you can just log in and download it when you arrive.
When you're about to fly back, re-upload your data and wipe the drive.
You could also just mail encrypted DVDs with substantial insurance.
Short Answer (Score:5, Insightful)
You could. (Score:5, Interesting)
Use a clean install and email the photos to yourself while you are there... or put them on an encrypted thumb drive / cd and snail mail it..
Well, who are you... (Score:5, Interesting)
Are you a middle eastern looking young male? A white male returning from Thailand? If so, be paranoid.
If not, no worries.
The Supreme Court agrees (Score:5, Informative)
Darned border search exception [wikipedia.org].
"travelers may be stopped [and searched] at . . . the border without individualized suspicion even if the stop [or search] is based largely on ethnicity[.]" United States v. Montoya de Hernandez, 473 U.S. 531, 538 (1985), United States v. Martinez-Fuerte, 428 U.S. 543, 562-563 (1976)
and
"may [...] conduct searches of the traveler's body -- including strip, body cavity, involuntary x-ray, and in some jurisdictions, patdown searches -- if the Customs officer has reasonable suspicion" to do so. United States v. Flores-Montano, 541 U.S. 149, 152-53 (2004), United States v. Johnson, 991 F.2d 1287, 1291-92 (7th Cir. 1993)
Parent
Let them try to decrypt it. (Score:5, Funny)
Put your files on a few small USB-sticks, or on your home server (for encrypted retrieval once you're in the country). Bring a Live-CD to boot from and then "cat /dev/random > /dev/sda".
Make sure to grow a big beard, learn a few arabic phrases and quote Allah to the security guard in customs.
Then let them have a crack at decrypting your "encrypted" drive.
Just be sure to say "Just kidding" so they don't ship you off to Guantanamo.
Best defense (Score:5, Funny)
...is a good offense.
If you're offended by having your privacy invaded, just make it horribly offensive for the invader as well.
With the right accessorizing and appropriate leather:latex:chainmail ratio, you can ensure even the most intrepid airport screener will breeze you through in record time.
Oh...and, yes, Truecrypt is terrific, but not nearly as fun.
My personal experience (Score:5, Insightful)
circumvention (Score:5, Insightful)
In other news.. (Score:5, Insightful)
Easy Solution (Score:5, Interesting)
Send it to your hotel DHL overnight before you leave, and do the same to get it home.
Problem solved.
Re:Put the dunce cap away (Score:5, Informative)
OK, i'm not AC and I can tell you that they don't have time to check out laptops at most international airports beyond the aforementioned bomb check.
Yes, i've passed into and out of the country several times during the last year. No search.
Parent
Re:Put the dunce cap away (Score:5, Insightful)
No one said it is happening to everyone. That misses the point entirely. Illegally searching even a small percentage of people is unnacceptable. Especially since people affected by this have almost no redress and the DHS doesn't even accurately report when they do this.
I guess its only a problem when it happens to you. Maybe you should pick up a history book and find out how well that attitude worked in the 1930's and many other time periods.
Parent