Tips For Taking Your Laptop Into and Out of the US? 940
casualsax3 writes "I'm going to be taking a week long round trip from NYC to Puerto Vallarta Mexico sometime next month, and I was planning on taking my laptop with me. I'll probably want to rip a few movies and albums to the drive in order to keep busy on the flight. More important though, is that I'm also going to be taking pictures while I'm there, and storing them on the laptop. With everything in the news, I'm concerned that I'll have to show someone around the internals of my laptop coming back into the US. The pictures are potentially what upsets me the most, as I feel it's an incredible violation of my privacy. Do I actually need to worry about this? If so, should I go about hiding everything? I've heard good things about Truecrypt. Is it worth looking into or am I being overly paranoid?"
If you're that worried... (Score:5, Informative)
...encrypt it. Full disk encryption is relatively cheap, easy, and unobtrusive.
You gave one such example in your post.
But uh, mind if I ask: exactly what kind of pictures are you planning on taking on your vacation? ;-)
mail it. (Score:4, Informative)
problem solved.
Flash mem (Score:1, Informative)
keep an SD card in ur wallet
don't take data across the border (Score:5, Informative)
Throw a clean install on your laptop, and put your critical data on a server so you can just log in and download it when you arrive.
When you're about to fly back, re-upload your data and wipe the drive.
You could also just mail encrypted DVDs with substantial insurance.
Re:If you're that worried... (Score:4, Informative)
According to briefing my boss gave me recently, Truecrypt would not help: If they really wanted to see your content they could ask you to show it to them or alternatively confiscate your laptop and decrypt it themselves. The latter would mean you would probably not see your laptop again.
Let me tell you: As a European scientist I am even more frigthened now to go or even move to the US.
Yes, you're being overly paranoid (Score:2, Informative)
Just passed through security with a laptop... (Score:4, Informative)
Upon my return to the states, the check-in process wasn't any different than it had been a couple of years ago. They asked no questions about my laptop, or if I even had one. The only time my laptop left my bag was when I put it through the X-ray machine.
That being said, it never hurts to encrypt your data anyway.
Comment removed (Score:5, Informative)
Re:If you're that worried... (Score:5, Informative)
No, they cannot "sieze your laptop" if you don't give them the encryption password; a strict reading of the policy is that the laptop can be seized in any event, encryption or no. There is NO REQUIREMENT to provide anyone with an encryption password under any circumstances. The existing policy doesn't even speak to encryption. In fact, leading privacy advocates recommend encryption [cnet.com] as the most deisrable solution.
You guys do realize that customs agents at the border have ALWAYS had the right -- without a warrant -- to perform reasonable search and inspection of all physical objects and persons coming into the United States; this policy was designed to expand those longstanding inspection rights to electronic data.
In its current state, it's a poorly written policy. The fact is, no one is going to look at the contents of your laptop, much less be seizing it. (Do you guys actually travel internationally?)
Re:Tip #1: (Score:3, Informative)
So, wait a minute. You were worried enough about being searched that you chose to bring your "noncritical laptop" (I'm assuming that's oposed to your critical one). And you packed this laptop right next to your drug stash?
Also, last time I was on a cruise they had bomb/drug dogs checking the bags both while loading and unloading, so I'm not sure how safe it is to pack contraband on your way out of the country either. Though they weren't checking bags if you carried them onto the boat yourself so I guess that's just one more example of security theater.
Re:If you're that worried... (Score:5, Informative)
Yes, I was going to recommend plausible deniability as well.
Here's a little more info about how it works. Basically, you set up a container and a hidden volume. Each has its own passphrase. To open the hidden volume, you use its passphrase when opening the container. To open the container with dummy data, you type its passphrase. It's very simple and quite hidden if done correctly. To be safe, it's best to access the hidden volume from a live CD so the OS doesn't break your deniability by storing temporary files or "recently accessed documents" etc.
However, there is one big note of caution. Do not back up the container. Ever. An attacker could look at the change over time and determine there is a hidden volume. That's probably too paranoid for your case but it's worth mentioning.
Re:If you're that worried... (Score:3, Informative)
confiscate your laptop and decrypt it themselves.
They could confiscate the laptop, but as for decrypting it? Doubtful. A brute force attack on Rijndael (which is the default for TrueCrypt) is just not worth the effort assuming that it can even be done. As far as is publicly known Rijndael has not been broken via brute force attack and if the laptop is not in the "on" state when they confiscate it then they are looking at either brute force attack, rubber hose cryptanalysis, or forget it (i.e. you don't have your laptop anymore and they don't have your data). Probably the best solution that I have heard is to have a hidden partition (a feature of TrueCrypt) with the secure operating system and an main unencrypted partition for the public operating system whereby the secure operating system is only booted if a "key" (typically a USB memory module or other USB device) is inserted during the boot process AND then the corresponding password entered at the prompt. That way when the laptop is presented for inspection the public OS is booted automatically (as expected) while there is no indication that a hidden secure OS even exists. The border police on duty likely have no knowledge of TrueCrypt and its various technical modes (that information is above their pay grade) so they won't suspect that there is anything more than meets the eye with regard to your laptop and will simply waive you by.
Re:If you're that worried... (Score:5, Informative)
No, they cannot order you to provide the keys to decrypt or force you to decrypt the hard drive/files yourself. There was a recent case (I think it was United States v. Boucher [wikipedia.org]) regarding this issue, but here in the U.S. (for the time being) you are not required to aid law enforcement officials in essentially self-incriminate yourself. In the U.K. you are required to hand over your encryption keys if law enforcement demands it, I think--someone correct me if I am wrong there.
Re:Best defense (Score:3, Informative)
I've had the same experience. A few sex toys in the carry on will greatly expedite any terminal searches you wind up going through.
-Rick
The Supreme Court agrees (Score:5, Informative)
Darned border search exception [wikipedia.org].
"travelers may be stopped [and searched] at . . . the border without individualized suspicion even if the stop [or search] is based largely on ethnicity[.]" United States v. Montoya de Hernandez, 473 U.S. 531, 538 (1985), United States v. Martinez-Fuerte, 428 U.S. 543, 562-563 (1976)
and
"may [...] conduct searches of the traveler's body -- including strip, body cavity, involuntary x-ray, and in some jurisdictions, patdown searches -- if the Customs officer has reasonable suspicion" to do so. United States v. Flores-Montano, 541 U.S. 149, 152-53 (2004), United States v. Johnson, 991 F.2d 1287, 1291-92 (7th Cir. 1993)
Re:Boot to shell (Score:5, Informative)
Just came back from Puerto Vallarta in May (Score:1, Informative)
And I was concerned about the same things. Turns out that concern was needless. Mexico doesn't care what's on your laptop or in your luggage -- my luggage wasn't even seriously searched there. A Mexican Federale rifled around in my main suitcase looking for bottles of liquor and foodstuffs on my way back to the states (he only found one, haha) but that was it. They didn't even bother to check my laptop bag at all. I flew out through Atlanta, and the only searching I had to go through stateside was routine x-rays. Laptop out of the case and in a tray by itself, run through the machine, and that's it. They didn't blink when it went through.
If my experience is any indication, the only thing you'll have to worry about is getting a good wireless signal while you're there. Not that you'll want to be on your computer, it's one of the most beautiful places I've ever been. I don't think you have anything to worry about. Take your ATM and/or credit card with you too. You can use it in most places down there -- even in ATMs which dispense pesos at the current official exchange rate, meaning you won't have to haggle with anyone about how many pesos your $10 bill is worth.
Oh yeah, and you want to take the zipline tour through the jungles. That and the Catalina excursion if you can. Well worth the cost.
Re:Tip #1: (Score:3, Informative)
If ever a comment needed to be AC'ed it was this one. You'll probably be getting a knock at the door any moment now.
I went on a cruise last year and the day we were to disembark we had to stay in our rooms an hour while the police with drug sniffing dogs arrested several passengers for drug possession.
Re:If you're that worried... (Score:3, Informative)
It is not a good idea to lie to border security. Wipe your laptop and install a plain Linux system so that you can show that the computer works. Encrypt your data and transfer it over the internet or by mail.
Re:Well, who are you... (Score:1, Informative)
We recently had a laptop confiscated from a white, middle aged, morbidly obese man while entering the US via a flight from Canada. I don't think it matters what you look like, they just take what they want.
Doesn't seem to be a problem (Score:3, Informative)
Re:If you're that worried... (Score:3, Informative)
Ok, I'll bite. Name one US citizen this has happened too. I'm not saying there isn't injustice - but from what I can see the courts still operate in full public view. Laws are by and large still in effect, and we're not gassing women and children.
Can you explain what frightens you? (Score:3, Informative)
You're frightened because the Customs has always had the power to search persons and physical objects at the border without a warrant, or that someone actually thought it might be a good idea to extend the longstanding and repeatedly upheld border search exception [wikipedia.org] to include data on electronic devices [cbp.gov]? If it has always been acceptable (and repeatedly upheld by the Supreme Court[1]) to search for anything else illegal at the border without a warrant, can someone make a good argument why data on one's person or in one's possession at the time of border crossing should be excluded under those same provisions?
Or are you frightened because you subscribe to the idea that the US has turned into a fascist regime, when the EU and individual European nations have their own laundry list of controversial laws and provisions attempting to grapple with how to handle electronic data in a legal sense in the continually emerging Information Age?
[1]:
United States v. Montoya de Hernandez, 473 U.S. 531, 538 (1985)
United States v. Martinez-Fuerte, 428 U.S. 543, 562-563 (1976)
United States v. Flores-Montano, 541 U.S. 149, 152-53 (2004)
United States v. Johnson, 991 F.2d 1287, 1291-92 (7th Cir. 1993)
TWiT Episode #163 (Score:2, Informative)
TWiT 163: MitNicked [twit.tv]
I won't say your paranoid... (Score:2, Informative)
Re:If you're that worried... (Score:3, Informative)
International mail is more likely to be opened going across the border than the probability you have of having the computer searched.
The #1 thing is, remove the computer from its bag before they tell you to. They're getting increasingly angry at people for not doing that.
A low tech way to discourage searches is to not bring the battery (buy a new one when you get there) and not clean the keyboard and/or screen.
I travel outside the United States all the time and I've never had a problem (other than the single time I did not take the computer out of the bag), nor have I seen someone undergoing a computer search.
Re:If you're that worried... (Score:5, Informative)
Actually it was recently demonstrated that you can positively identify a hidden volume exists within a TrueCrypt volume, defeating plausible deniability. In addition, it was also recently demonstrated [springerlink.com] that regardless of the encryption algorithm used, it's possible to get a silhouette of high contrast encrypted images.
So if they really wanted, they could identify the hidden volume exists, then apply this second technique to identify that images exist on it. To border agents, this is probably tantamount to admitting on the spot that you're smuggling kiddy porn across the border, and you may find that it's more than your laptop which is detained.
Your best protection is to transfer the images separately from your laptop. Store them on Amazon S3 with a tool such as JungleDisk, and download them when you get home (this is a good idea in case something damages your laptop while traveling too).
Re:Known Your Adversary (Score:3, Informative)
Truecrypt provides plausible deniability - the capability to create a hidden encrypted volume within another encrypted volume, thereby allowing you to grant access to unimportant/dummy data when a password is asked for without the attacker knowing additional information even exists.
To do this you need the TrueCrypt bootloader installed...
No. You don't. -1 Wrong.
You only need the boot-loader if you're doing full-disk encryption. But you can boot up unencrypted and create as many volumes as you'd like with or without hidden volumes inside with just the normal TrueCrypt software.
Re:Tip #1: (Score:3, Informative)
Having worked on cruise ships for several years, I can offer some advice if you'll be there a while (not just your average passenger):
* We were warned about Coast Guard inspections days in advance. The contraband was placed into film canisters, and those film canisters were washed thoroughly. They were then hidden in PUBLIC areas of the ship -- if found, it would be difficult to determine just who had put them there. As far as I know, none were ever found.
* Make friends with security. Remember that when you are on shore having fun in port, they are standing in the doorway checking everyone. They don't get to go shopping, or out to shoot pool or hit nightclubs. Something as simple as doing their shopping for them once in a while could net you one very valuable ally.
Other points should work for anyone:
* If you are trying to take goodies back OFF the ship, separate these goodies from anything personally identifiable. The way the dogs mark the bags to be checked is to piss on them, so if you see your bag is wet or sitting in a puddle at the pickup point, just walk away.
* If you are bringing goodies ONTO the ship, you should only bring enough to last you until your first port, not the whole trip -- this should make it easier to keep them on you personally and not in your luggage. Re-stock once outside the U.S. where the inspections will be much less intensive. If going to Mexico, the guys who will weave a wristband with your name in it for $5 will also happily set up a transaction for you for an appropriate fee.
* Take one more bottle of booze than you are entitled to, and DECLARE IT. Nothing looks more like cooperation than voluntarily paying $3 in taxes. If you want to take more than that, feel free -- the one extra is just a minimum to make sure you have something to declare, and even with taxes you'll generally pay less for a liter bottle on-board than for a 750ml bottle of the same thing on land. Spread the most expensive bottles around, one to a person, to be their "freebie", and pay taxes on the cheaper ones.
Mal-2
NO data, NO encryption (Score:1, Informative)
Sorry, but if you take your laptop and any part of it is encrypted (especially if you have full disk encryption where you need to enter the password just to decrypt the drive and boot) you are GUARANTEED to get it seized because you must have "something to hide".
The only solution is to have a minimal install of windows xp (since that's what TSA drones will recognize) with NO DATA onboard. Keep all your data out on S3 (jungledisk) or some other service, and get access to it when you get to where you're going. That way if your laptop gets stolen (other than by the TSA who thinks he'd like your shiny new laptop) they don't have access to anything.
Re:Seriously (Score:5, Informative)
While having someone look at my vacation pictures wouldn't especially bother me, having some Homeland Security dweeb who can't find the power switch impound my PC because he thinks that maybe, possibly, there is a chance there is something questionable scares the hell out of me.
Customs (and others?) can seize laptops, disks, media, etc, FOR NO REASON AT ALL, and there is little or no legal recourse to get the stuff back. If that's not worth being paranoid over....
EFF Links (Score:1, Informative)
There are a few good articles from the EFF:
EFF Answers Your Questions About Border Searches
http://www.eff.org/deeplinks/2008/05/border-search-answers
Protecting Yourself From Suspicionless Searches While Traveling
http://www.eff.org/deeplinks/2008/05/protecting-yourself-suspicionless-searches-while-t
Re:Seriously (Score:5, Informative)
because you didn't visit argentina during late 70s or early 80s when our neighbors (well, we too, and ALL the rest of south america) were under a ruthless dictatorship that used to load anyone they didn't like into C-130s and drop them in the midle of the ocean.
BTW, that regime ? sponsored by the US, with CIA's planning. as were all the dictatorships in the continent.
More disks. (Score:3, Informative)
photographing landmarks (Score:5, Informative)
One lesson from an incredibly expensive joke of a "terrorist" case in Australia is that a photograph of a landmark is proof you are going to blow it up. Be careful with those holiday snapshots!
I don't know if there's anything like it in Australia but in the US we have this handbook, "The Photographer's Right" [krages.com], photographers started to carry. In a photography class in college I was taking when 911 happened, we heard about how photographers started to go through questioning when they were taking photos. One student there was working on a class assignment when police or private security personnel tried to confiscate his camera. It was a bizarre tyme for photographers then.
Falcon
Re:Seriously (Score:3, Informative)
To be fair, it's way more likely that someone will steal his laptop out of the hotel room while he's on vacation.
Re:If you're that worried... (Score:2, Informative)
... And extending off of that...
Those "netbook" mini-notebooks are practically semi-disposable price-wise, now, plus they're small and great for traveling. Buy one of those for trips where it might get lost (either at the border or forgotten, or swiped). Put most of your data on USB sticks, and do the Internet connectivity thing (some of them have 3g cell connectivity if you wish) and upload to some online storage site (even attach them to mail and google-mail them) periodically (depending on how long you're gone and how many pics you take) and before you return. You can encrypt before you upload if you're worried about someone snagging them as you upload or off whatever site.
That way you aren't taking anything thru customs that worst case, you can't afford to lose. Similarly with losing your laptop at the airport or from your hotel room or whatever. The 300-ish you spend on the netbook isn't something you probably want to spend for every trip, but then the odds are you won't lose it on every trip... and if you lose it on one trip, oh, well. Meanwhile, your data too is backed up, since you uploaded it over the net, and can retrieve it once you get home if the physical copy gets snagged (either at customs, or as I said, from your hotel room or the airport or whatever).
As for the encryption choice you can try gpg/pgp and possibly legitimately say you use it for mail, but they can ask for your key. (FWIW, unlike Britain, it's illegal/unconstitutional to demand it in the US including clearing customs, according to a recent court case, but illegal hasn't seemed to stop a lot of the Gov't thugs recently.) But the Truecrypt solution provides plausible deniability if you do it correctly (the recent /. headlines to the contrary not withstanding, see the discussion threads), and it's open source, so it should be reasonably secure from No Such Agency trojans or the like.
But the little netbook solution, combined with (encrypted) net based storage, should pretty much solve the problem. And if the worst happens and you lose it... you've limited your loses.
Re:If you're that worried... (Score:3, Informative)
Actually, that's not true. You can only get the silhuette under certain very spesific scenarios. Namely that the analyst has access to two *different* copies of the picture (say one with the contrast adjusted) both encrypted with the same key and the same initialization-vector. Oh yeah, and the picture must be stored a a bitmat, if it's stored in an compressed or compressed-and-lossy format like png or jpg (like basically all digital photos are) the attack don't work.
It's an interesting theorethical result. Not terribly important in the real world. (easily defeated by changing the IV when rewriting a block, for example, and no issue at all in usage-scenarios where one can use CBC or similar)