Archives

February 24, 2017

After the search

harpo2017.JPGProbably most Americans living in foreign countries, whether "migrants" or "expatriates", have spent the last month listening to people panic about traveling to the US. They seem unconsoled by the reflection that travelers have long had very few rights at the border of any country. The latest Department of Homeland Security proposal - to require incoming visitors to disclose their social media passwords - has really amped up these conversations.

The Independent advises leaving smart phones at home. This isn't an option for creative people, business folk, programmers, academics or many others who need to work wherever they are and whose job description is not "terrorist".

Others suggest maintaining a stripped-down travel phone, a more viable option now that you can keep data in the cloud and download it after reaching your destination. That approach requires avoiding services that sync automatically, like Dropbox or iCloud.

At Freedom to Tinker Dan Wallach makes techie suggestions: encrypt your data; set up a sanitized fake profile; arrange a temporary lockout from your account. Wallach also suggests that companies like Facebook could assist by enabling people to temporarily drop friends or delete postings and by providing for dual passwords; the second, "duress", password would delete, selectively display, or encrypt your data. I think these are risky: fake profiles will stick out as new accounts. A different approach might be to advise your social graph that you are planning a trip to the US, so people can withdraw from your friends list if they want.

It's disappointing that Facebook and other social media companies have not stepped up to point out that disclosing your password is contrary to their terms of service. Here's Facebook's ToS, section 4, item 8: "You will not share your password (or in the case of developers, your secret key), let anyone else access your account, or do anything else that might jeopardize the security of your account."

gizmos2017-rotated.jpgTop-level resistance is forming. EFF is collecting border search stories and reports that Senator Ron Wyden (D-OR) will introduce legislation that would require a warrant for such searches. Meanwhile, let's assume you've passed the border and resistance was futile. Your devices have been, however briefly, rummaged. Now what?

I'm writing here for average innocent travelers. Members of more vulnerable groups - human rights workers in hostile situations, journalists, activists, and bad people - need better-tailored advice.

You should behave exactly as if you found that you've been hacked. However warm your feelings may be toward the country conducting such a search, good security practice requires you to equate the search with a cyber attack. The longer the device has been held, the more you should assume that back doors and keyloggers may have been left behind and that all data may have been copied and may be read or searched at any time. That includes obvious things like friends lists, search histories, photographs, other media, and old email, but also less-obvious things like deleted files.

So the first thing: before you leave home back up all your data and leave the backups behind. It's good practice anyway, because traveling devices may get lost, stolen, or broken (more likely events than border inspections).

As soon as you can, use a trusted device - not one that has been searched - to change all passwords, beginning with your email account and including the answers to secondary security questions that protect your bank and other accounts. If you use a password manager, change that master password, too. Because you must assume you have now disclosed the email address associated with your various accounts, turn on two-factor authentication (if you haven't); you may even be wise to set up a new email address for that purpose. If you have trusted access to anyone else's network via the searched device, notify them.

If you are the rare innocent average traveler who uses encryption and you have opted for convenience over security so your private keys are stored on your device, assume they may have been copied and revoke your keys and generate new ones. If you've opted for convenience, your private keys may now be in the hands of the people who searched your device, as Stef Marsiske explains, though presumably your passphrase is not. Similarly, if you use WhatsApp or Signal because they build in encryption, if you do not password-protect your phone or turn on encryption for your stored messages, the stored messages can be read by third parties.

Many sites - Tech Radar, for example - offer advice on recovering from hacking attacks. If your oddly-behaving device was held for an exceptionally long time, EFF Citizen Lab may want to perform a forensic examination. Moving on, rebuild your device from as far down the stack as you can, proportionate to the length of time you lost control over it. Start by looking for updated firmware before restoring your operating system, applications, and so on. If you're under deadline you may need instead to buy or borrow something to work on, copying across only your data.

Above all remember. This is not about having things to hide. It's about having things to *protect* - for everyone in your circle, not just for you.

Illustrations:: well-traveled gadets.

Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.