fedops blog

Privacy in Computing

Wed 03 October 2018

Crossing Borders With Data

Posted by fedops in Privacy   

In this week's news are two juicy tidbits that give food for thought.

New Zealand

First, New Zealand has [enacted new legislation on "digital strip searches"](https://slashdot.org/story/346566) through which travellers who refuse to unlock their devices can now be fined. Furthermore, in such a case their devices would be confiscated and forensically searched, with all that entails. Notably exempt (for now) is a requirement to provide account credentials for online resources, such as cloud storage and web mail.

The thought process behind the law isn't completely unreasonable, as all baggage and other physical belongings of a traveller are and have been subject to search pretty much since the advent of international travel.

Other countries have similar legislation in place, sometimes with rather more onerous consequences for non-compliance, such as Great Britain "offering" indeterminate detention.

Australia seems to be following New Zealand's lead in this matter.

United States

Secondly, the FBI has - probably for the first time - forced a suspect to unlock a device using something other than a password or PIN code; in this case, FaceID on an iPhone. Warrant in hand, they forced his face in front of the phone's camera to unlock it.

This case holds two interesting factoids:

  • First, this wouldn't have worked with something like a passcode because so far in most US states, passwords are considered testimony and can as such be legally withheld. One exception to that is Florida; others might follow. The US is somewhat singular in this regard anyway, as the testimony clause doesn't apply in many other countries.
  • Second, a fingerprint or indeed your face is a physical asset that, given enough physical force and/or a legal basis, can be wrestled from you and used against you. Depending on the device in question that may not actually work, but after having lost a limb that may not matter much to you.

So...?

The time-honoured advice on travel remains true:

  • travel light, carry only what you need (physically speaking)
  • clean up your devices, and travel light (in terms of the data you carry)
  • uninstall apps you don't need; remember that if a customs officer finds the Facebook/Twitter/... apps on your phone, they might force you to give up your credentials for those services
  • consider using online storage to hold (encrypted) copies of the data you may need while traveling
  • use password managers to hold your passwords, memorize (don't write down) the master password for those vaults, and make the vaults available in a secret online location
  • do the same for your valuable documents, using tools such as GnuPG
  • do not keep bookmarks for those online locations on your device

Once you are in your destination country you could easily reinstall your apps, download the encrypted vaults of data you need, etc. as required. Restore your devices to travel mode before you embark on your inbound journey.

Obviously the usual best practices apply:

  • do not save passwords that you care about in your browser
  • do use separate account IDs and passwords for the different online services you use
  • do use an offline password manager that is open source and has a proven track record
  • use separate browsers and Firefox's Multi-Account Containers to keep account data separate
  • do clean up your browser histories, trashed files, temporary data
  • make regular backups and test them

Stay safe when traveling!

Note that I am not a lawyer nor do I play one on the Internet. No part of this blog should be construed as holding legal advice.