Many have been alarmed about the US Department of Homeland Security’s desire to not just examine the social media profiles of some travellers, tourists and visa holders – but to also permit border agents and immigration officials to demand account passwords, so that they can rifle through non-public posts, private messages and online financial transactions.
As John Kelly, the newly-appointed United States Secretary of Homeland Security, told the House Homeland Security Committee this week:
“We want to say ‘what kind of sites do you visit and give us your passwords,’ so we can see what they do. We want to get on their social media with passwords – what do you do, what do you say. If they don’t want to cooperate then they don’t come in. If they truly want to come to America they’ll cooperate, if not then ‘next in line’.”
This is clearly not just an obvious massive intrusion into people’s privacy, but also raises worrying questions about how much care the border agencies will take in ensuring that passwords and private information does not fall into the wrong hands, or is misused.
"We found videos on your phone that are against us.." Canadian denied US entry after questions about religion, Trump https://t.co/3ghzOUHmlC pic.twitter.com/QyiV0h6QTy
— Joseph Lorenzo Hall, PhD (@JoeBeOne) February 9, 2017
Indeed, your reaction may be that if this is the way a country plans to treat its visitors, you may politely decline to travel to the country at all.
Fortunately, iOS security expert Jonathan Zdziarski has put together a great guide designed to help people protect their devices and privacy when they pass through border controls:
You might think that you can simply change your passwords after a border encounter, but what you may not realize is that a forensics tool is capable of imaging potentially your entire life from a single access to your account. Whether it’s old iPhone backups sitting in iCloud that can date back years, or your entire Facebook private message history, once an API is wired into a forensics tool, that one moment in time exposes all of your historical data to the border agent, which ultimately exposes all of your historical data to an intelligence database.
It’s well worth a read.
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.
6 comments on “Crossing border security? Here’s how you protect your data”
The Zdziarski is technically correct but it somewhat misses the point.
As John Kelly has said "If they don't want to cooperate then they don't come in…" What then is the point in locking down your accounts?
Whilst Zdziarski's suggestions SHOULD be used routinely by computer users it makes no difference at the border where (in some cases) you can be compelled to provide access (or face imprisonment) or, at best, you'll be refused entry.
So in summary Zdziarski gives good advice but is inapplicable when crossing the US border.
The best advice I can give is:
1. Take a disposable pre-paid phone
2. If asked to provide access to your email: give over the credentials to an account that you use for spam/signing up to newsletters
3. Have a duplicate social media account
These new checks are not only against the Terms and Conditions of Facebook, Instagram, Twitter etc. but they're entirely unnecessary, counterproductive and intrusive.
One final suggestion:
4. If it's essential you have a laptop/tablet: take a cleanly wiped device perhaps with a bit of music or photos stored on it for plausibility. Any important files that you need access to should be kept in the cloud on a service not linked to that device.
It annoys me that people have to think like criminals just to maintain their privacy. Most of us have 'nothing to hide' in the sense that we're not persons of interest but we do have want to keep our personal lives private/hidden.
Once you've handed over this "cleanly wiped device", had it examined and then had it returned, do make sure that you never use it for anything, as you now have zero guarantees that it hasn't been compromised during examination and will continue to allow access to your data. OTOH, simply don't go to the USA, this behaviour is one of the biggest selling points for conferences and businesses in Canada and Europe
The EFF have some really excellent, detailed guides on personal information security at https://ssd.eff.org/en .
There's quite a lot to read in there (start with "Overviews" > "Introduction to threat modelling"), but it emphasises thinking about threat and risk rather than making using a generic cookie-cutter checklist approach of "turn this on, turn that off". (The scenario-based advice does provide specific recommendations for technical configuration and communications and data storage security.)
@Bob : I was thinking just about the same. Since authoritarian regimes (to which the USA seems to be willing to enlist to now) will simply regard any lock-down of a device that way as being "illegal to us", "criminal" etc. etc. For any human (with functioning brains) this is, of course, the world upside-down. By the way – in many countries prepaid phones are no longer available. To counter "Terrorism!" , of course.
And @Adrian correctly noticed that any device that you would hand over will very likely be injected somehow. (Remember the "injection-by-WiFi-by-default" on Canadian airports?) There is nothing to be trusted about this anymore.
So yes, alas – this free world is quickly coming to an end. We may even see it in OUR lifetimes, perhaps not even our childrens'.
Anyway – the best thing to do is to be skipping any American visit for decades to come (and if you're visiting Canada, make sure to be in out your forest first, before firing up your devices safely again – just as a matter of precaution :-).
Too bad, "Land of the Free". Bye bye.
The Ruined States of America